Troubleshooting Jailed Shell on OpenVZ

Posted on July 28th, 2019

cPanel/WHM provides a Jailed shell environment for users. This feature gives users a high level of security when connecting to the server via SSH, more than the normal shell environment provides.

This feature protects each user's home directory by not allowing other users to access it. The user can work only inside their own home directory, which improves security. The problem is that users on a Jailed shell get the full /proc mount even after they are assigned the limited /proc mount option in the "Jailed /proc mount method" option in Tweak Settings.

This post analyses and solves some problems regarding Jailshell on a VPS.

The /proc mount option for the Jailed shell users

One of the issues regarding Jailed shell users is that some of them are able to view all the processes running on the server. This happens because of the /proc mount method of Jailed shell in WHM >> Home >> Server Configuration >> Tweak Settings >> System.

Jailshell problems

In order to verify whether this problem exists,

1) Login in to your server as Jailed User.

2) Execute ps aux command.

If the output of the command is the complete process list of the server, the problem exists. This happens because the clone() system call did not accept the CLONE_NEWPID flag. To let clone() handle this flag correctly, we must set the sys_admin capability to on for the container.

To set the sys_admin capability to ON, run the following command:

vzctl set CTID --save --capability sys_admin:on

Unable to Set UIDs Error

Another error that occurs when a Jailed user attempts to access the Jailed shell environment is: Unable to set UIDs.

This problem mainly happens due to the conflict with custom hard nproc settings in the /etc/security/limits.conf file. Custom values for these settings may also cause problems with account creation. To fix this issue, we need to revert the hard nproc setting to the default values.

MySQL® connection errors

Some websites return errors after enabling the “Jail Apache Virtual Hosts using mod_ruid2 and cPanel Jailshell” setting in WHM’s Tweak Settings interface. This problem occurs due to a restriction of the loop device limit within OpenVZ.

To resolve this issue, perform the following steps to increase the loop device limit:

1) In the /etc/grub.conf file, add max_loop=256 as a kernel parameter.

2) Reboot the server.

3) Run the following command:

/sbin/MAKEDEV -v /dev/loop

4) Repeat these steps for the VPS node and VPS container.
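The following audit script is an added example, not part of the original post, covering the three checks above: whether a jailed user can see other users' processes (the /proc mount problem), whether /etc/security/limits.conf carries a custom hard nproc line, and whether the grub kernel line already has a large enough max_loop. Each function reads from stdin so it can be run against the constructed samples embedded below or against live data (the "live" mode at the bottom is this example's own convention).

```shell
#!/bin/sh
# Added example (not from the original post): audit helpers for the three
# symptoms described above. Each function reads its input from stdin so it
# can be run against constructed samples as well as live data.

# Count processes in `ps aux`-style output owned by users other than $1.
# From inside a correctly isolated jailshell this should be 0: only the
# jailed user's own processes (jailshell, ps itself) are visible.
foreign_procs() {
    awk -v me="$1" 'NR > 1 && $1 != me { n++ } END { print n + 0 }'
}

# Print custom hard nproc lines from a limits.conf-style stream; any output
# means the "Unable to set UIDs" conflict described above may apply.
custom_hard_nproc() {
    awk '!/^[[:space:]]*#/ && $2 == "hard" && $3 == "nproc" { print }'
}

# Check whether a grub.conf kernel line carries max_loop=<n> with n >= $1.
# Prints "ok" or "missing".
loop_limit_ok() {
    awk -v want="$1" '
        /^[[:space:]]*kernel/ {
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2 && kv[1] == "max_loop" && kv[2] + 0 >= want + 0) found = 1
        }
        END { print (found ? "ok" : "missing") }'
}

# Constructed sample data (not captured from a real server).
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 19356 1544 ? Ss 10:00 0:00 /sbin/init
mysql 820 0.0 1.0 512000 12000 ? Sl 10:00 0:01 /usr/sbin/mysqld
bob 1201 0.0 0.0 11500 1100 pts/0 Ss 10:05 0:00 -jailshell
bob 1230 0.0 0.0 13400 900 pts/0 R+ 10:06 0:00 ps aux'
SAMPLE_LIMITS='# /etc/security/limits.conf
*   soft nproc 4096
*   hard nproc 1024
root soft nofile 65535'
SAMPLE_GRUB='title CentOS
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/vda1 max_loop=256
    initrd /initrd.img'

# Run as "sh audit.sh live" from a jailed shell to check the real system.
if [ "${1:-}" = "live" ]; then
    ps aux | foreign_procs "$(id -un)"
    custom_hard_nproc < /etc/security/limits.conf
fi
```

With the sample data, user bob would see two foreign processes (init and mysqld), which is the symptom the vzctl capability fix addresses.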

So, this is how you can troubleshoot the jailed shell in OpenVZ. If you need help with troubleshooting, please comment down your query or contact our support department. We will help you solve the issues.
