What threats would allowing Jailed Shell SSH access create?

Discussion in 'Security' started by Smaily, Jul 23, 2013.

  1. Smaily

    Smaily Well-Known Member

    Some of my webserver clients are more of a developer kind and love to use SSH, even though I'm having second thoughts about allowing SSH access at all.

    If I were to allow SSH Jailed Shell for all my webserver clients, what can actually happen?
    How can I monitor them, and is there any possible way to limit the commands they use?

    E.g. I don't want them to run gameservers on the webserver, or start a Ventrilo or Teamspeak server just because they have shell access.

    So how would it be safe to allow it?
     
  2. ThinIce

    ThinIce Well-Known Member

    This is one of those topics that's kind of a hole with no bottom for a quick answer. It's fair to say that shell access of any kind is a security risk, but whether this substantially increases your particular risk depends on how your server is configured / hardened and whether your users are already running dynamic web apps that may be exploitable / have cgi access / cron access etc. You'll notice that cron processes now run jailed in a similar fashion per VirtFS (Jailed Shell).

    A "traditional" (and I'm not saying right) way of looking at it is if you don't trust the particular user not to try to start a teamspeak server they shouldn't have shell access...

    You can monitor processes to an extent with lfd and if I remember rightly, the process space is destroyed when the user logs out, terminating any processes they have started.

    In terms of commands available, the setuid, gid commands won't be, so no ping etc per the above link.

    You might also want to have a look at http://forums.cpanel.net/f391/cloudlinux-vs-betterlinux-vs-jailshell-353232.html#post1420741 where the CL chap is discussing the difference between their cagefs and virtfs...
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You may also be interested in the following information:

    Jail System Updates

    It lists some of the changes to jailed shell in cPanel version 11.38. Note that you may want to create a test account, grant it jailed shell access, and attempt to run/install the applications that you would prefer to be blocked to see the results.

    Thank you.
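
One way to approach the monitoring question raised in this thread, as an added example that is not from any poster, cPanel or lfd: a shell function that reads `ps` output and reports processes owned by hosting accounts that have been running longer than a threshold, which is how a game or voice server left running from a shell would show up. The UID cutoff of 500, the one-hour threshold and the sample process list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report long-running processes owned by non-system accounts.
# Expected input, one process per line:  UID USER PID ETIME COMM
# (the layout printed by: ps -eo uid,user:32,pid,etime,comm --no-headers)
# ETIME uses the ps format [[dd-]hh:]mm:ss.

# usage: flag_long_running MAX_SECONDS MIN_UID < ps-output
flag_long_running() {
  awk -v max="$1" -v min_uid="$2" '
    # Convert [[dd-]hh:]mm:ss to seconds.
    function etime_to_seconds(e,   days, n, p) {
      days = 0
      if (index(e, "-")) { split(e, p, "-"); days = p[1]; e = p[2] }
      n = split(e, p, ":")
      if (n == 3) return days * 86400 + p[1] * 3600 + p[2] * 60 + p[3]
      return days * 86400 + p[1] * 60 + p[2]
    }
    # Skip system accounts (UID below the cutoff), then apply the threshold.
    $1 >= min_uid {
      secs = etime_to_seconds($4)
      if (secs > max)
        printf "%s pid=%s elapsed=%ds cmd=%s\n", $2, $3, secs, $5
    }'
}

# Constructed sample process list (not captured from a real server).
SAMPLE_PS='    0 root         1 12-03:14:07 init
  501 alice     4021       05:12 bash
  502 bob       4177  1-02:00:00 ts3server
  502 bob       4180       59:59 php
  503 carol     4300    03:00:01 screen'

# Demo on the sample: flag anything older than one hour for UID >= 500.
printf '%s\n' "$SAMPLE_PS" | flag_long_running 3600 500

# On a live server (assumes procps ps):
#   ps -eo uid,user:32,pid,etime,comm --no-headers | flag_long_running 3600 500
```

Run from cron as root, the output gives a list to review by hand; it only reports and does not kill anything.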
     