Jailshell is a level of shell (SSH) access that limits a user to his or her specific directory structure. Under regular SSH when users log into their servers they are taken to their home directory and can execute commands within their directory structure.
Under regular SSH, that user can also move to any directory on the server and even run “ls” to get a directory listing; they just cannot open the files or interact with them. Jailshell, on the other hand, logs users into their own directory structure and locks them in (much like a prison or jail cell), preventing them from freely traversing the directory structure outside of their home.
Jailshell is easily implementable in cPanel. You can switch an account’s shell access in WHM by navigating to Manage Shell Access, under the Account Functions header.
The way this level of access works in cPanel is that it creates a virtual filesystem for jailshell users that contains only their own files plus enough system files to perform basic shell commands. For example, if you log in as a jailshelled user, the only files you can view and edit are the files owned by that user under /home/username. You can change directory to the virtual filesystem above that, but it contains only certain files, not the full listing you would see as the root user.
    -jailshell-3.2$ pwd
    /
    -jailshell-3.2$ ls
    bin  checkvirtfs  dev  etc  generic  home  lib  opt  proc  tmp  usr  var
As opposed to:
    root [/]# pwd
    /
    root [/]# ls
    ./   .autofsck     .gnupg/  .spamassassin/  aquota.user@   boot/  etc/   lib/    mnt/  proc/  sbin/     selinux/  sys/  usr/
    ../  .autorelabel  .rnd     aquota.group@   bin/           dev/   home/  media/  opt/  root/  scripts/  srv/      tmp/  var/
The jailed shell filesystem contains only the files relevant to the user, and files that would normally contain more information hold only the data that pertains to that user. For example, the /etc/localdomains file, which is owned by root:root but has world-readable permissions, shows only:
    -jailshell-3.2$ cat localdomains
    server.hostname.com
Whereas it shows all local domains when viewed as the root user:
    root [/]# cat /etc/localdomains
    domain.com
    server.hostname.com
    domain1.com
    domain2.com
    domain3.com
    domain4.com
This limits a user with jailshell access to modifying only his or her own files and the small number of system files needed to run whatever shell commands he or she may need.
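Since the per-account shell level is what decides whether a user is confined, an admin will usually want to check which accounts still have an unrestricted shell. The following audit script is an added example, not code from the original post or from cPanel; it assumes the jailshell binary lives at /usr/local/cpanel/bin/jailshell and the "no shell" option at /usr/local/cpanel/bin/noshell (both paths are assumptions here), and it reads passwd-format lines so it can be run offline against a constructed sample.

```shell
#!/bin/sh
# Added audit example: classify each account in passwd-format input by its
# login shell so accounts with a full, unjailed shell stand out.
# ASSUMPTION: cPanel's jailshell and noshell binaries live at these paths.
JAILSHELL=/usr/local/cpanel/bin/jailshell
NOSHELL=/usr/local/cpanel/bin/noshell

# classify_shell <shell-path> -> prints JAILED, NONE or FULL
classify_shell() {
    case "$1" in
        "$JAILSHELL")                     echo JAILED ;;
        "$NOSHELL"|*/nologin|*/false|"")  echo NONE ;;
        *)                                echo FULL ;;
    esac
}

# audit_passwd: reads passwd-format lines on stdin and prints "user LEVEL"
# for each account with UID >= 1000 (system accounts such as root are skipped)
audit_passwd() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "${uid:-0}" -ge 1000 ] || continue
        echo "$user $(classify_shell "$shell")"
    done
}

# count_full: how many audited accounts still have an unrestricted shell
count_full() {
    audit_passwd | awk '$2 == "FULL"' | wc -l | tr -d ' '
}

# Constructed sample standing in for /etc/passwd (not real accounts)
SAMPLE='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/usr/local/cpanel/bin/jailshell
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/usr/local/cpanel/bin/noshell
dave:x:1004:1004::/home/dave:/sbin/nologin'

# Usage: printf '%s\n' "$SAMPLE" | audit_passwd
# On a live server: audit_passwd < /etc/passwd
```

In the sample, only bob is reported as FULL; alice is JAILED and the other two have no shell at all.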