Disabled shell vs Jailed Shell with mod_ruid2

sjmnc

• February 14, 2023 00:37

Trying to understand the best shell options and the difference between Disabled Shell and Jailed Shell. As per security advisor recommendation [QUOTE]Apache vhosts are not segmented or chroot()ed. Enable "mod_ruid2" in the "EasyApache 4" area, enable "Jail Apache" in the "Tweak Settings" area, and change users to jailshell in the "Manage Shell Access" area.
I've

• Enabled mod_ruid2
• Enabled EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel" jailshell

However my users are already set to Disabled Shell. If I try to change them to Jailed Shell I get a Package conflict error because none of my packages have shell access enabled. It seems counterintuitive to enable shell access in the packages just so I can apply the Jailed Shell setting - will doing this offer better security than keeping them at Disabled Shell? Thanks.

• 

  cPRex Jurassic Moderator

  • February 14, 2023 16:42

  Hey there! If the shell is disabled, that's as secure as you can make it. There's some additional details about this here:

  0
• 

  sjmnc

  • February 14, 2023 22:48

  Thanks cPRex.

  0
• 

  Nathan Lyle

  • May 06, 2023 14:37

  Hey there! If the shell is disabled, that's as secure as you can make it. There's some additional details about this here: I have them disabled partially because I didn't want to enable an experimental feature on my main servers, but also because I thought it was the most secure and my clients don't typically need that access. Is this notification mostly an ad to promote CafeFS? It seems like it shouldn't be going out if I have no users set to a normal shell access.

  0
• 

  cPRex Jurassic Moderator

  • May 08, 2023 16:09

  Yes, fully separated users such as CageFS would be the ultimate security solution. It doesn't mean you *have* to make that change as it's just a recommendation.

  0

Please sign in to leave a comment.