cPanel’s WebHost Manager (WHM) gives you the option to enable or disable shell access for individual hosting users. With shell access (SSH) enabled, users will be able to access your server’s command line through a terminal emulator. Allowing SSH access provides users with a tremendous amount of power, but as the old superhero adage goes, “with great power comes great responsibility.”
By default, your shell users will have limited access. That means they will not have the permissions required to do any serious damage. Despite that, they will still be able to see any directory and any file that offers at least read permissions. That can expose your server to security risks. One handy solution to that is a “jailed shell”.
Unlike a normal shell account that allows the user to see directories above his own home directory, a jailed shell provides a very enclosed workspace for the user. The root directory for this user will be his own home directory. It will appear as though directories above his do not even exist.
A couple of security notes:
- A jailed account does not necessarily mean that the user’s account is any less of a threat. In other words, it will not stop a seasoned hacker from taking over the account and doing damage. It can, however, serve as a deterrent.
- You should still take other security measures and hand out shell accounts sparingly.
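To check how sparingly shell access has actually been handed out, the following added example (not from the original article or from cPanel) reads passwd-format lines and lists hosting accounts that still have a full, unjailed shell. It assumes the jailed shell is `/usr/local/cpanel/bin/jailshell`, the disabled shell is `/usr/local/cpanel/bin/noshell`, and hosting users have UID 1000 or higher; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify accounts by login shell and list the unjailed ones.
# Assumptions (not from the article): jailshell/noshell paths below and a
# hosting-user UID floor of 1000. Adjust both for your server.

classify_shell() {
    case "$1" in
        /usr/local/cpanel/bin/jailshell) echo jailed ;;
        /usr/local/cpanel/bin/noshell|*/nologin|*/false) echo none ;;
        *) echo full ;;   # includes an empty field, which defaults to /bin/sh
    esac
}

# Reads passwd-format lines on stdin; prints "user<TAB>class" for UID >= $1.
audit_shells() {
    min_uid=${1:-1000}
    while IFS=: read -r user _pw uid _gid _gecos _home shell; do
        # Skip comments and malformed lines (non-numeric UID field).
        case "$uid" in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -ge "$min_uid" ] || continue
        printf '%s\t%s\n' "$user" "$(classify_shell "$shell")"
    done
}

# Prints only the accounts that have a full (unjailed) shell.
full_shell_users() {
    audit_shells "$@" | awk -F '\t' '$2 == "full" { print $1 }'
}

# Constructed sample data (not taken from a real server).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/usr/local/cpanel/bin/jailshell
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/usr/local/cpanel/bin/noshell
dave:x:1004:1004::/home/dave:'

printf '%s\n' "$SAMPLE_PASSWD" | full_shell_users
```

On a live server, run `full_shell_users < /etc/passwd` and review each account it prints.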
For more information about managing shell access, see the WHM documentation on the subject.