cPanel v94 on Alma 8.
Out of the box, the cPanel jailshell environment doesn't include the files under /etc/crypto-policies. This breaks crypto-policies(7) and can cause unexpected/undesired behavior across various processes (kerberos, (lib)openssh, (lib)openssl, etc).
As one example that recently caused me some hair pulling: openssl
The openssl config file is /etc/pki/tls/openssl.cnf which IS in the jailshell.
However, as part of the complete config, that file 'includes' /etc/crypto-policies/back-ends/opensslcnf.config which is NOT in the jailshell.
Typically, that file is a symlink to a file in /usr but changing the crypto-policies config could replace it with an actual file. The default file restricts openssl to TLS 1.2 or later (among other things).
The real-world example: The php-ldap module is linked to libldap, which is linked to libssl, which uses the openssl.cnf mentioned above. A user has cgi using php-ldap to connect to a server supporting only TLS 1.0. By default, this shouldn't work, but the cgi was working happily under jailshell with no warnings or anything. When the user was switched to a normal shell, suddenly the program stopped working due to the default TLS restrictions then working as expected. If anything, one would assume jailshell to be MORE restrictive, not less!
Apart from unexpected behavior, this is also a security issue. As-is, jailshell allows users to circumvent the system-wide crypto policies which can expose them to things like TLS downgrade attacks and/or weak ciphers for anything that uses openssl libraries.
Thanks
Brian
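A check for the condition described in the post above, as an added example that is not part of the original post and is not cPanel code: it lists the `.include` targets of the OpenSSL config that cannot be read from wherever it runs. The function name and the optional ROOT argument (used to point the check at a fixture directory) are assumptions made for this example.

```sh
#!/bin/sh
# Added example. Inside the jailshell, call: missing_openssl_includes
# On Alma 8 the expected include target is the crypto-policies back-end file.

# missing_openssl_includes [ROOT] [CONF]
# Prints one unreadable include target per line.
# Returns 0 if all targets are readable, 1 if any are missing,
# 2 if the config file itself cannot be read.
missing_openssl_includes() {
    root=${1:-}
    root=${root%/}                      # "/" and "" both mean the live root
    conf=${2:-/etc/pki/tls/openssl.cnf}
    if [ ! -r "$root$conf" ]; then
        echo "cannot read $root$conf" >&2
        return 2
    fi

    # Accept ".include path" and ".include = path"; commented lines do not match.
    targets=$(sed -n \
        's/^[[:space:]]*\.include[[:space:]=]\{1,\}\([^[:space:]#]\{1,\}\).*$/\1/p' \
        "$root$conf")

    rc=0
    while IFS= read -r target; do
        [ -n "$target" ] || continue
        # -r follows symlinks, so a dangling symlink counts as missing.
        # With a non-empty ROOT, absolute symlinks resolve against the host,
        # so the authoritative result is the one obtained inside the jail.
        if [ ! -r "$root$target" ]; then
            echo "$target"
            rc=1
        fi
    done <<EOF
$targets
EOF
    return $rc
}
```

A non-empty result inside the jail together with an empty result in a normal shell on the same host reproduces the mismatch the post reports.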