Skip to main content

JailShell Users Escape Jail Over SFTP

Comments

10 comments

  • vatra

    I just figured out that I was using SFTP, which is why Pure-FTPd's "ChrootEverybody yes" wasn't working, because SFTP is SSH, not FTP.

    But still, how come users can freely browse the entire server via SFTP? Would this work to chroot users?

    Subsystem sftp internal-sftpMatch Group sftpusersChrootDirectory /home/%uForceCommand internal-sftpAllowTcpForwarding noX11Forwarding no
    0
  • cPRex Jurassic Moderator

    Hey hey!  As far as I can tell this is normal behavior through file permissions.  If the file has "read" access, such as having 644 permissions any user on the server would be able to see it.  

    I can't say if that specific change would work as that isn't something we test on our end.

    0
  • vatra

    I figured that out for permissions, but why aren't users chrooted by default on SFTP? What's the use of users browsing outside of their home directory, where only root should be doing something?

    0
  • cPRex Jurassic Moderator

    Now *that's* a good question.  Since it's not happening by default, would you like me to make a feature request for this?  That would likely help get to the bottom of things or at least get the team thinking.

    1
  • vatra

    Please do. Here is the complete request with two important things:

    1. SFTP is tied to the SSH feature by default. If you disable SSH, SFTP will also be disabled. In my opinion, SFTP is superior to FTPS, since it supports key logins. 95% of users will never use Shell access, and 100% of users will need FTP, so why not give them SFTP, while disabling Shell? This is not that hard to do in the SSH configuration. Just add another toggle in the WHM > Tweak Settings > Leave SFTP enabled if Shell is disabled, or better yet, make this option a column in the WHM > Manage Shell Access table for each user to enable/disable SFTP.
    2. Like in an FTP server, where you can chroot all users simply by adding ChrootEverybody yes to the config file (and this is present by default), you should be able to do this for SFTP. Since JailedShell is used by default, this should be the default as well. Without this, ALL USERS can wander around your entire server via their SFTP client, browsing everything, and reading a lot of files. Your only line of defense is a hope that you set your file permissions properly.

    I don't know how these two are not present by default. They are so obvious and not that hard to implement.

    0
  • cPRex Jurassic Moderator

    I've added this to the list for discussion!

    1
  • cPRex Jurassic Moderator

    I got this in just in time and I was able to talk about it with the team this morning.

    In general, FTP is a deprecated feature in cPanel as we don't enable the FTP service by default, so we likely won't be adding additional FTP features.  It's also worth noting that any user with FTP access can upload a PHP script that will easily print a list of readable files, whether or not they have sFTP enabled.

    This seems to be working as intended and isn't a security concern - BUT - if you wanted additional restrictions on what users can view this is something that CloudLinux takes care of through CageFS: https://cloudlinux.com/getting-started-with-cloudlinux-os/41-security-features/934-cagefs-tenant-isolation/

    0
  • vatra

    Thanks for the input, but how is this an FTP feature? I was talking about SSH and SFTP; I was just comparing it to FTP.

    0
  • cPRex Jurassic Moderator

    I was just throwing that part in for additional details.

    1
  • itx_sumeet

    You can see system folders because read access is allowed, but you can’t change anything so it’s not a security risk.

    1

Please sign in to leave a comment.