The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Suexec Jailshell Wrapper

Discussion in 'Security' started by Fr3DBr, Feb 17, 2017.

Tags:
  1. Fr3DBr

    Fr3DBr Member

    Joined:
    Apr 6, 2013
    Messages:
    21
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    The Netherlands
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Hi,

    Currently suexec will execute any script with system wide permissions, meaning that a perl script, cgi script, bash script or anything else executed through suexec will be able to read/write files many files inside the system, with permissions that allows this.

    Although, when using Jailshell this risk is minimized, due to the imposed "jailed environment".

    Anyone knows how we can adjust suexec in a way to execute these scripts "inside" a jailshell session ? In my opinion this is necessary to ensure a better security/safety for shared webhosting customers.
     
    #1 Fr3DBr, Feb 17, 2017
    Last edited: Feb 17, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you provide an example of this so we can attempt to reproduce the behavior you are reporting? What specific system files are you referring to?

    Thank you.
     
  3. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,432
    Likes Received:
    30
    Trophy Points:
    178
    cPanel Access Level:
    Root Administrator
    I've been saying this for at least a few months now. With PHP-FPM and the ability to chroot a user's pool into a jailed environment and being able to execute CGI in a jailexec environment, cPanel would have a rather effective CageFS alternative.

    But it doesn't appear to be something too many people are interested in. They'd rather just pay for CloudLinux and use CageFS.
     
  4. Fr3DBr

    Fr3DBr Member

    Joined:
    Apr 6, 2013
    Messages:
    21
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    The Netherlands
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Try to make a bash script or a perl script and then interact with the system, by doing ls, following symlinks, checking many of the system files where the permissions are at least 644, and you'll have a lot of fun with suexec, of course it will adjust the uid/gid to the user responsible for the script, but this is still not enough isolation in the system, the best would be exactly the way jailshell works (well you know it, because this is why you've made jailshell anyways) and it wouldn't require mod_ruid2 or anything like it, as long suexec is properly wrapped inside a jail. :)

    I've been trying to do it on my end, but it isn't so easy as suexec is impersonated by nobody and there's no tty to force the login of an user which the shell is currently jailshell. :)
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You'd need to install software such as CageFS from CloudLinux if you prefer to not use a combination of Mod_Ruid2 and the "Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell." option in "WHM >> Tweak Settings". That said, without software such as CageFS or Mod_Ruid2, you can protect against symlink attacks using one of the other solutions referenced at:

    Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

    Regarding access to other system files, this is discussed on threads such as:

    https://forums.cpanel.net/threads/best-way-to-secure-server-from-symlinks.592747/

    Access to files with account-specific data should be restricted.

    Thank you.
     
  6. Fr3DBr

    Fr3DBr Member

    Joined:
    Apr 6, 2013
    Messages:
    21
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    The Netherlands
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    The symlink issue is only a "sympthom" of a non jailed environment, but I'm speaking about everything else, such as configuration files for installed applications such as apache, bind, mysql and ect... there are alot of things one can "read" which in a proper environment it wouldn't happen, and if people set wrong permissions this become even worse to their files as well.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    There's no direct equivalent to the functionality offered by CageFS or Mod_Ruid2/Jail Apache Users. I encourage you to open a feature request if you'd like to see something like that offered directly in the product:

    Submit A Feature Request

    Feature requests are the best way to provide our Development team with feedback about changes you'd like to see in the product.

    Thank you.
     
Loading...

Share This Page