Manage Shell Access

Valid for versions 82 through the latest version

Version:

82

Last modified: June 13, 2024


Looking for this interface?
Note:

Your hosting provider can enable or disable this interface for resellers in WHM's Edit Reseller Nameservers and Privileges interface (WHM >> Home >> Resellers >> Edit Reseller Nameservers and Privileges).

Overview

This interface allows you to manage which of your accounts can access your server remotely from the command line.

Warning:
Many users want this type of access. However, before you grant complete shell access to users, make certain that you consider the security risks. We recommend that you only provide jailed shell (sometimes seen as jailshell) access to users, which prevents the execution of certain harmful commands.

Manage shell access

To modify shell access for all of the accounts on your server, click the appropriate button at the top of the interface. To modify shell access for specific users, select the desired type of access in the row that corresponds to that account.

Note:
The account’s package determines whether the account has shell access. If you change the account’s permission to access a shell, the system will set the value for the account’s package to undefined in the account’s userdata file.

You can select the following types of shell access:

  1. Normal Shell — Select this option to grant the user access to the shell with no limitations.
  2. Jailed Shell — Select this option to grant the user access to a jailed shell, which limits the user’s ability to run certain commands that could harm your server. For more information, read our VirtFS - Jailed Shell documentation.
    Warning:
    If you enable a jailed shell on a server runs CloudLinux™, you may cause a security vulnerability with symlinks to files outside of the caged directory. To solve this issue, you must enable link traversal protection. For more information, read CloudLinux’s Link traversal protection documentation.
  3. Disabled Shell — Select this option to deny shell access to the user.
    Note:
    An account with a disabled shell may use SFTP if you enable it. To disable an account’s ability to use SFTP, you must set /bin/false as the user’s shell. To do this, run the following command as the root user, where username is the account for which you wish to disable SFTP:
    usermod -s /bin/false username

Additional Documentation