Suexec Jailshell Wrapper

[Fr3DBr]

Hi,

Currently suexec will execute any script with system wide permissions, meaning that a perl script, cgi script, bash script or anything else executed through suexec will be able to read/write files many files inside the system, with permissions that allows this.

Although, when using Jailshell this risk is minimized, due to the imposed "jailed environment".

Anyone knows how we can adjust suexec in a way to execute these scripts "inside" a jailshell session ? In my opinion this is necessary to ensure a better security/safety for shared webhosting customers.

 

[cPanelMichael]

Currently suexec will execute any script with system wide permissions, meaning that a perl script, cgi script, bash script or anything else executed through suexec will be able to read/write files many files inside the system, with permissions that allows this.

Hello,

Could you provide an example of this so we can attempt to reproduce the behavior you are reporting? What specific system files are you referring to?

Thank you.

 

[sparek-3]

I've been saying this for at least a few months now. With PHP-FPM and the ability to chroot a user's pool into a jailed environment and being able to execute CGI in a jailexec environment, cPanel would have a rather effective CageFS alternative.

But it doesn't appear to be something too many people are interested in. They'd rather just pay for CloudLinux and use CageFS.

 

[Fr3DBr]

Hello,

Could you provide an example of this so we can attempt to reproduce the behavior you are reporting? What specific system files are you referring to?

Thank you.

Try to make a bash script or a perl script and then interact with the system, by doing ls, following symlinks, checking many of the system files where the permissions are at least 644, and you'll have a lot of fun with suexec, of course it will adjust the uid/gid to the user responsible for the script, but this is still not enough isolation in the system, the best would be exactly the way jailshell works (well you know it, because this is why you've made jailshell anyways) and it wouldn't require mod_ruid2 or anything like it, as long suexec is properly wrapped inside a jail.

I've been trying to do it on my end, but it isn't so easy as suexec is impersonated by nobody and there's no tty to force the login of an user which the shell is currently jailshell.

 

[cPanelMichael]

Hello,

You'd need to install software such as CageFS from CloudLinux if you prefer to not use a combination of Mod_Ruid2 and the "Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell." option in "WHM >> Tweak Settings". That said, without software such as CageFS or Mod_Ruid2, you can protect against symlink attacks using one of the other solutions referenced at:

Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

Regarding access to other system files, this is discussed on threads such as:

https://forums.cpanel.net/threads/best-way-to-secure-server-from-symlinks.592747/

Access to files with account-specific data should be restricted.

Thank you.

 

[Fr3DBr]

The symlink issue is only a "sympthom" of a non jailed environment, but I'm speaking about everything else, such as configuration files for installed applications such as apache, bind, mysql and ect... there are alot of things one can "read" which in a proper environment it wouldn't happen, and if people set wrong permissions this become even worse to their files as well.

 

[cPanelMichael]

There's no direct equivalent to the functionality offered by CageFS or Mod_Ruid2/Jail Apache Users. I encourage you to open a feature request if you'd like to see something like that offered directly in the product:

Submit A Feature Request

Feature requests are the best way to provide our Development team with feedback about changes you'd like to see in the product.

Thank you.