User Shell Access periodically resets to Normal Shell

Sindre

Well-Known Member
Aug 25, 2008
46
0
56
Hello,

I have observed something that concerns me on multiple of our cPanel servers (several versions including the latest). I have Tweak Settings -> Use cPanel® jailshell by default set to "On", and I only enable JailShell for any users - never Normal shell.

Nevertheless, every now and then when I go to check the Manage Shell Access I see that a lot of users suddenly have Normal Shell enabled. Some still have Jail Shell, and those who did not have Shell access are still Disabled, but quite a few have somehow been enabled with Normal Shell. All I know is I did not make this change.

Is there some bug in cPanel that resets the shell users to Normal Shell? To me this is a security concern and I would like your comments on this.

As mentioned, it happens to all our servers frequently and it has been occurring with multiple versions of cPanel. (first time I noticed is probably 1-2 years ago).

Thank you,
Sindre
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello :)

Does anyone else have root access to the server, or do you have resellers with privileges to make this change?

Thank you.
 

Sindre

No, resellers do not have access to this and only I have root access.
 

cPanelMichael

Would you mind opening a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

Sindre

Ticket created (#6190915).
 

cPanelMichael

To update, our analysts advised the user to install Auditd on their system and monitor what edits the /etc/passwd file, as all indications are that no unauthorized access attempts occurred.

Thank you.
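
The auditd approach suggested in the last post, as an added example that is not part of the thread and not cPanel's own tooling: an audit watch on /etc/passwd, plus a snapshot comparison that lists accounts whose login shell field changed. The key name `passwd_shell`, the function names, the sample accounts and the placeholder path `/opt/example/jailshell` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Key name, function names and the
# sample data are assumptions chosen for illustration.

# Log every write (w) or attribute change (a) to /etc/passwd under a key.
# Needs root and a running auditd; the rule is lost on reboot unless it is
# also placed in the audit rules file.
install_passwd_watch() {
    auditctl -w /etc/passwd -p wa -k passwd_shell
}

# List matching events with uids and syscalls decoded (-i), which shows the
# executable and audit uid behind each modification.
show_passwd_events() {
    ausearch -k passwd_shell -i
}

# Compare two passwd snapshots and print "user old -> new" for each account
# present in both whose login shell (field 7) differs.
shell_changes() {
    awk -F: '
        FILENAME == ARGV[1] { old[$1] = $7; next }
        ($1 in old) && old[$1] != $7 { printf "%s %s -> %s\n", $1, old[$1], $7 }
    ' "$1" "$2"
}

# Constructed snapshots; /opt/example/jailshell is a placeholder path.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/before" <<'EOF'
alice:x:1001:1001::/home/alice:/opt/example/jailshell
bob:x:1002:1002::/home/bob:/opt/example/jailshell
carol:x:1003:1003::/home/carol:/sbin/nologin
EOF
    cat > "$tmp/after" <<'EOF'
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/opt/example/jailshell
carol:x:1003:1003::/home/carol:/sbin/nologin
EOF
    shell_changes "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}

demo
```

Taking a dated copy of /etc/passwd on a schedule gives `shell_changes` something to compare against, and the time window between two differing snapshots narrows the `ausearch` output to the events that matter.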