What threats would allowing Jailed Shell SSH access create?

Smaily

Some of my webserver clients are more of a developer kind and love to use SSH, even though I'm having second thoughts about allowing SSH access at all.

If I would allow SSH Jailed Shell to all my webserver clients, what can actually happen?
How can I monitor them, and is there any possible way to limit the commands they use?

E.g. I don't want them to run gameservers on the webserver, or start a Ventrilo or Teamspeak server just because they have shell access.

So how would it be safe to allow it?
 

ThinIce

This is one of those topics that's kind of a hole with no bottom for a quick answer. It's fair to say that shell access of any kind is a security risk, but whether this substantially increases your particular risk depends on how your server is configured / hardened and whether your users are already running dynamic web apps that may be exploitable / have cgi access / cron access etc. You'll notice that cron processes now run jailed in a similar fashion per VirtFS (Jailed Shell).

A "traditional" (and I'm not saying right) way of looking at it is if you don't trust the particular user not to try to start a teamspeak server they shouldn't have shell access...

You can monitor processes to an extent with lfd and if I remember rightly, the process space is destroyed when the user logs out, terminating any processes they have started.

In terms of commands available, the setuid, gid commands won't be, so no ping etc per the above link.

You might also want to have a look at http://forums.cpanel.net/f391/cloudlinux-vs-betterlinux-vs-jailshell-353232.html#post1420741 where the CL chap is discussing the difference between their cagefs and virtfs...
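
The kind of per-user process check discussed above, as an added example that is not part of the original posts and is not lfd's own logic: it flags long-running processes owned by hosting accounts whose command name is not on an allowlist. The UID threshold, time limit, allowlist and sample `ps` output are all assumptions constructed for illustration.

```python
import subprocess

# Assumptions for this example (not from the thread):
ACCOUNT_UID_MIN = 1000          # hosting accounts start at this UID
MAX_ELAPSED_SECONDS = 1800      # anything older than 30 minutes is reviewed
ALLOWED_COMMANDS = {"sshd", "jailshell", "bash", "sh", "php-cgi", "sftp-server"}

PS_FORMAT = "uid=,user=,pid=,etimes=,comm="

# Constructed sample of `ps -eo uid=,user=,pid=,etimes=,comm=` output.
SAMPLE_PS = """\
    0 root         1 864000 systemd
 1001 devuser   4312    120 bash
 1001 devuser   4377   7200 ts3server
 1002 shopuser  5120   3600 php-cgi
 1003 gamer     6001  90000 srcds_linux
 1003 gamer     6050     15 vim
"""

def parse_ps(text):
    """Turn ps output into dicts, skipping lines that do not parse."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5 or not all(p.isdigit() for p in (parts[0], parts[2], parts[3])):
            continue
        uid, user, pid, etimes, comm = parts
        rows.append({"uid": int(uid), "user": user, "pid": int(pid),
                     "elapsed": int(etimes), "comm": comm.strip()})
    return rows

def suspicious(rows):
    """Account-owned, long-running, and not an expected command."""
    return [r for r in rows
            if r["uid"] >= ACCOUNT_UID_MIN
            and r["elapsed"] > MAX_ELAPSED_SECONDS
            and r["comm"] not in ALLOWED_COMMANDS]

def live_ps():
    """Read the real process table (needs procps `ps` with `etimes`)."""
    return subprocess.run(["ps", "-eo", PS_FORMAT], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    for r in suspicious(parse_ps(SAMPLE_PS)):
        print(f"review: user={r['user']} pid={r['pid']} "
              f"comm={r['comm']} elapsed={r['elapsed']}s")
```

Swap `SAMPLE_PS` for `live_ps()` to run it against a server, and tune the allowlist on a test account first so that legitimate long-running jobs are not reported.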
 

cPanelMichael

Hello :)

You may also be interested in the following information:

Jail System Updates

It lists some of the changes to jailed shell in cPanel version 11.38. Note that you may want to create a test account, grant it jailed shell access, and attempt to run/install the applications that you prefer are blocked to see the results.

Thank you.