Bug (security): Jailshell is missing /etc/crypto-policies so breaks crypto-policies(7) enforcement

Brian N

Member
Dec 28, 2021
12
1
3
United States
cPanel Access Level
Root Administrator
cPanel v94 on Alma 8.

Out of the box, the cPanel jailshell environment doesn't include the files under /etc/crypto-policies. This breaks crypto-policies(7) and can cause unexpected/undesired behavior across various processes (kerberos, (lib)openssh, (lib)openssl, etc).

As one example that recently caused me some hair pulling: openssl
The openssl config file is /etc/pki/tls/openssl.cnf which IS in the jailshell.
However, as part of the complete config, that file 'includes' /etc/crypto-policies/back-ends/opensslcnf.config which is NOT in the jailshell.
Typically, that file is a symlink to a file in /usr but changing the crypto-policies config could replace it with an actual file. The default file restricts openssl to TLS1.2 or later (among other things).

The real-world example: The php-ldap module is linked to libldap, which is linked to libssl, which uses the openssl.cnf mentioned above. A user has cgi using php-ldap to connect to a server supporting only TLS 1.0. By default, this shouldn't work, but the cgi was working happily under jailshell with no warnings or anything. When the user was switched to a normal shell, suddenly the program stopped working due to the default TLS restrictions then working as expected. If anything, one would assume jailshell to be MORE restrictive, not less!

Apart from unexpected behavior, this is also a security issue. As-is, jailshell allows users to circumvent the system-wide crypto policies which can expose them to things like TLS downgrade attacks and/or weak ciphers for anything that uses openssl libraries.

Thanks
Brian
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
17,470
2,843
363
cPanel Access Level
Root Administrator
Hey there! Unless I'm not troubleshooting this correct, I see this working well in version 102, as I see the crypto-policies directory listed in /home/virtfs/username for the user with jailshell access on my test system.

Since 102 will be the next version going to the LTS tier, it's not likely this will get changed in 94 at this point. Would you have a way to check and confirm on a version 102 system that this is working how you expect?
 

Brian N

Member
Dec 28, 2021
12
1
3
United States
cPanel Access Level
Root Administrator
Sigh... No, I didn't think to check for it in a newer version. It seemed major enough to be a 'if they knew about it it would be fixed in LTS' type of issue. Seems not.

From v96 (!):
CPANEL-36575: Add '/etc/crypto-policies/back-ends' to virtfs.

I'm continually disappointed at how little 'support' LTS seems to get. What fixes do or don't get backported seems to be mostly arbitrary. This is the fourth or fifth bug I've had to chase down in recent memory only to find out "Oh it's fixed is a newer version...". Well why isn't it fixed in LTS? Especially something like this where I'd all but guarantee that the fix from 96 would work on 94 without modification. Not really much effort required there.

Oh well. Thanks for looking at it.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
17,470
2,843
363
cPanel Access Level
Root Administrator
It's always a combination of time, effort, and necessity, and how those all balance out. Some cases absolutely have to be backported, but many don't.

There is still going to be at least one LTS build and I've let our team know you're interested in seeing this case make that build. I'm following along with the case now and I'll post here again if I do get an update.