User Shell Access periodically resets to Normal Shell

[Sindre]

Hello,

I have observed something that concerns me on multiple of our cPanel servers (several versions including the latest). I have Tweak Settings -> Use cPanel® jailshell by default set to "On", and I only enable JailShell for any users - never Normal shell.

Nevertheless, every now and then when I go to check the Manage Shell Access I see that a lot of users suddenly have Normal Shell enabled. Some still have Jail Shell, and those who did not have Shell access are still Disabled, but quite a few have somehow been enabled with Normal Shell. All I know is I did not make this change.

Is there some bug in cPanel that resets the shell users to Normal Shell? To me this is a security concern and I would like your comments on this.

As mentioned, it happens to all our servers frequently and it has been occuring with multiple versions of cPanel. (first time I noticed is probably 1-2 years ago).

Thank you,
Sindre

 

[cPanelMichael]

Hello

Does anyone else have root access to the server, or do you have resellers with privileges to make this change?

Thank you.

 

[Sindre]

No, resellers do not have access to this and only I have root access.

 

[cPanelMichael]

Would you mind opening a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[Sindre]

Would you mind opening a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.

Ticket created (#6190915).

 

[cPanelMichael]

To update, our analysts advised the user to install Auditd on their system and monitor what edits the /etc/passwd file, as all indications are that no unauthorized access attempts occurred.

Thank you.