What threats would allowing Jailed Shell SSH access create?

Discussion in 'Security' started by Smaily, Jul 23, 2013.

  1. Smaily

    Smaily Well-Known Member

    Sep 19, 2011
    cPanel Access Level:
    Root Administrator
    Some of the webserver clients are more of the developer kind and love to use SSH, though I'm having second thoughts about allowing SSH access at all.

    If I allowed SSH Jailed Shell for all my webserver clients, what could actually happen?
    How can I monitor them, and is there any possible way to limit the commands they use?

    E.g. I don't want them to run game servers on the webserver, or start a Ventrilo or Teamspeak server just because they have shell access.

    So how would it be safe to allow it?
  2. ThinIce

    ThinIce Well-Known Member

    Apr 27, 2006
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    This is one of those topics that's kind of a hole with no bottom for a quick answer. It's fair to say that shell access of any kind is a security risk, but whether this substantially increases your particular risk depends on how your server is configured / hardened and whether your users are already running dynamic web apps that may be exploitable / have CGI access / cron access etc. You'll notice that cron processes now run jailed in a similar fashion per

    VirtFS (Jailed Shell)

    A "traditional" (and I'm not saying right) way of looking at it is if you don't trust the particular user not to try to start a teamspeak server they shouldn't have shell access...

    You can monitor processes to an extent with lfd and if I remember rightly, the process space is destroyed when the user logs out, terminating any processes they have started.

    In terms of commands available, the setuid, gid commands won't be, so no ping etc per the above link.

    You might also want to have a look at where the CL chap is discussing the difference between their cagefs and virtfs...
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    Hello :)

    You may also be interested in the following information:

    Jail System Updates

    It lists some of the changes to jailed shell in cPanel version 11.38. Note that you may want to create a test account, grant it jailed shell access, and attempt to run/install the applications that you prefer are blocked to see the results.

    Thank you.
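The monitoring concern raised in this thread (shell users starting game or voice servers), as an added example that is not part of any post above and is not cPanel or lfd code: a Python check that lists TCP listeners owned by ordinary accounts from `/proc/net/tcp`-format text. The sample rows, the UIDs and the `MIN_USER_UID` threshold are constructed assumptions.

```python
"""List TCP listeners owned by ordinary accounts, from /proc/net/tcp text."""

TCP_LISTEN = "0A"    # kernel state code for a listening TCP socket
MIN_USER_UID = 500   # assumption: lowest non-system UID; match your UID_MIN

# Constructed sample in /proc/net/tcp layout (not captured from a real server):
# root on :22 and :80, uid 1005 listening on :10011, uid 1007 listening on
# 127.0.0.1:3306, and one ESTABLISHED session that must not be reported.
_TAIL = "00000000:00000000 00:00000000 00000000"
SAMPLE = "\n".join([
    "  sl  local_address rem_address   st tx_queue rx_queue "
    "tr tm->when retrnsmt   uid  timeout inode",
    f"   0: 00000000:0016 00000000:0000 0A {_TAIL}     0        0 11001 1",
    f"   1: 00000000:0050 00000000:0000 0A {_TAIL}     0        0 11002 1",
    f"   2: 00000000:271B 00000000:0000 0A {_TAIL}  1005        0 11003 1",
    f"   3: 0100007F:0CEA 00000000:0000 0A {_TAIL}  1007        0 11004 1",
    f"   4: 0A00000A:0016 0A000014:C350 01 {_TAIL}  1005        0 11005 1",
])


def decode_ipv4(hex_addr):
    """Convert the little-endian hex address used in /proc/net/tcp."""
    return ".".join(str(b) for b in bytes.fromhex(hex_addr)[::-1])


def user_listeners(proc_text, min_uid=MIN_USER_UID):
    """Return listening sockets whose owning UID is min_uid or higher."""
    findings = []
    for line in proc_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue                             # truncated or blank row
        local, state, uid = fields[1], fields[3], int(fields[7])
        if state != TCP_LISTEN or uid < min_uid:
            continue                             # not listening, or system-owned
        addr_hex, port_hex = local.split(":")
        findings.append({
            "uid": uid,
            "addr": decode_ipv4(addr_hex),
            "port": int(port_hex, 16),
            "inode": int(fields[9]),
        })
    return findings


if __name__ == "__main__":
    for hit in user_listeners(SAMPLE):
        print("uid {uid} listening on {addr}:{port} (inode {inode})".format(**hit))
```

On a live host, pass in the contents of `/proc/net/tcp` read as root. UDP sockets are listed in `/proc/net/udp` with a different state value, which this example does not cover.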
