[CPANEL-20490] cPanel terminal feature and CageFS
Hello,
I am writing about this to try to find the best configuration for a cPanel v72 that has the Terminal feature enabled. For this to be enabled, you have to enable it in WHM -> Feature Manager -> SSH Access & Terminal and also enable shell or jailed shell for the user in WHM -> Manage Shell Access.
I use a server with Cloudlinux + cPanel v72 + CageFS. The recommendations from the CageFS docs and Cloudlinux threads say that if a user needs SSH access (and I'm guessing also Terminal access), the shell access has to be a normal shell, not a jailed shell:
[myuser1@server1 ~]$ df -h
df: cannot read table of mounted file systems: No such file or directory
[myuser1@server1 ~]$ lsblk
-bash: lsblk: command not found
If I go to cPanel -> Terminal and issue the above commands in the Terminal window, they produce output. I don't feel comfortable letting users see my server disk topology or anything hardware/software/system related. Also, to make matters worse, it can basically read all the files owned by root with 644 permission (meaning that the user can also read /etc/passwd and find all the other usernames on the system). Keep in mind that this happens if I use the Normal Shell (as per CageFS recommendations). If I use Jailed Shell, the user has some commands available, but not as many as with the normal shell.

With both the normal shell and the jailed shell, the user can still print the contents of the /tmp directory through the cPanel -> Terminal interface, where sometimes filenames with usernames get created (for example, the "ls -al /tmp" command from the Terminal window in cPanel can list a file named "myuser2_temp_file.txt" or whatever name it has). Another example: the listing of sockets (ss -ntlp) also works and shows the listening ports both with normal shell and jailed shell, except that it doesn't show the service name (but it does show all of my custom listening ports for my custom services like monitoring agents, etc.). If I issue the same command in the SSH connection, it shows "-bash: ss: command not found".

My question is the following: how can I get the new Terminal feature for myuser1 to behave exactly like the SSH access, permissions, etc. for the same user, meaning that the user should have limited access to Linux system commands (like the ones available through CageFS -> SSH access)? Let me know what your thoughts are on this.

Best regards,
Andrei H.
Hello Andrei,

We're tentatively planning to implement new functionality in cPanel & WHM version 74 that will provide an option to allow cPanel's Terminal feature to automatically execute from within CageFS. We're tracking this as part of internal case CPANEL-20490. I'll monitor this case and update this thread with more information as it becomes available. In the meantime, we recommend disabling the Terminal feature on accounts that utilize CageFS to avoid the issues that you noted.

Thank you.
Hello,

To update anyone watching this thread, case CPANEL-20490 is tentatively planned for publication next week as part of new builds of versions 72 and 74. I'll update this thread again once it's published. Thank you.

Update 2: Version 74.0.6 is now published to the EDGE and CURRENT release tiers: Fixed case CPANEL-20490: The cPanel Terminal feature will now use CageFS for CloudLinux users.

Update 3: Version 72.0.12 is now published to the STABLE release tier and includes the above case.
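As an added example (not code from this thread, cPanel or CloudLinux), here is a POSIX sh probe an administrator can run from a user's cPanel Terminal session and again over that user's SSH session to confirm the two are confined alike after the CPANEL-20490 fix. It checks the three things the original post flagged: system tools on PATH (df, lsblk, ss), other account names readable from /etc/passwd, and /tmp entries carrying those names. The uid >= 1000 cutoff for "account" is an assumption; the exit status is the number of findings, so 0 means the session looks caged.

```shell
#!/bin/sh
# Constructed probe: report what a shell session exposes that a CageFS SSH
# session in the thread above did not. Exit status = number of findings.
# Usage: probe_session USER PASSWD_FILE TMP_DIR PATH_LIST
#   e.g. probe_session "$(id -un)" /etc/passwd /tmp "$PATH"
probe_session() {
    user="$1"; passwd="$2"; tmpdir="$3"; pathlist="$4"; findings=0

    # 1. Tools the caged SSH session lacked: look for them in each PATH dir.
    for cmd in df lsblk ss; do
        oldifs=$IFS; IFS=:
        for dir in $pathlist; do
            if [ -x "$dir/$cmd" ]; then
                echo "exposed: $cmd found at $dir/$cmd"
                findings=$((findings + 1))
                break
            fi
        done
        IFS=$oldifs
    done

    # 2. Other account names visible in the passwd file.
    #    Assumption: regular accounts have uid >= 1000; ours is skipped.
    others=$(awk -F: -v me="$user" '$3 >= 1000 && $1 != me { print $1 }' \
             "$passwd" 2>/dev/null || true)
    for name in $others; do
        echo "exposed: account name $name visible in $passwd"
        findings=$((findings + 1))
        # 3. /tmp entries whose name embeds that other account's name.
        for f in "$tmpdir"/*"$name"*; do
            if [ -e "$f" ]; then
                echo "exposed: $f visible in $tmpdir"
                findings=$((findings + 1))
            fi
        done
    done
    return "$findings"
}
```

Run it in both sessions as the same cPanel user and compare the counts; any finding present in Terminal but absent over SSH is a gap to close before enabling the feature for that account.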