VirtFS – Jailed Shell
Posted by Allura on 29 08 2019.
cPanel and WHM utilizes VirtFS to give an imprisoned shell condition to clients who interface with a server by means of SSH. The imprisoned shell goes about as a holder for the client, and does not enable the client to get to other clients’ home indexes on the server.
- In contrast to an ordinary shell condition, an imprisoned shell condition expands security for a server’s other clients.
- Users in an imprisoned shell environment can run otherwise-unavailable commands (for example, crontaband passwd).
The /home/virtfs/ directory
Try not to utilize the rm command to expel any mounted record or registry inside the/home/virtfs/catalog.
- If you run the rm command on any mounted file or directory within the /home/virtfs/ directory, you will also delete all of the files in the directory to which it is mounted.
- This action will render your server non-functional.
When a client signs in to an imprisoned shell condition by means of SSH or SFTP for the first time, the framework makes the/home/virtfs/registry. This catalog contains design documents, utilities, and BIND mounts.
- You cannot prevent the creation of this directory or disable it.
- This directory does not use any disk space. However, because it is a virtual mount point, some commands (for example, du) report that the directory uses disk space.
- BIND mounts create a virtual link between two locations on the file system.
- For example, if a user views the contents of the /home/virtfs/username/usr/bin/ directory, the user actually sees the contents of the /usr/bin/ directory.
- For more information about BIND mounts, run the man 8 mount command.
- Servers that run CentOS 7, CloudLinux™ 7, or Red Hat® Enterprise Linux (RHEL) 7 may use additional mount points for common system paths (for example, /usr/bin). Do not dismount these mount points.
- On servers that run CentOS 7, CloudLinux 7, or RHEL 7, the /etc/mtab symlink points to the /proc/self/mounts file.
Enable a jailed shell environment
WHM incorporates two choices to initiate an imprisoned shell condition. The alternative that you use relies upon the sort of clients for whom you wish to empower imprisoned shells.
To enable a jailed shell environment for all new and modified users, use the Use cPanel® jailshell by default option in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings).
- This option allows you to force the use of a jailed shell for new accounts and accounts that you subsequently edit in the following interfaces:
- WHM’s Modify an Account interface (WHM >> Home >> Account Functions >> Modify An Account).
- WHM’s Upgrade/Downgrade an Account interface (WHM >> Home >> Account Functions >> Upgrade/Downgrade An Account).
- This option does not affect accounts that already exist on the server but that you have not edited in these interfaces.
To enable a jailed shell environment for a specific user, use WHM’s Manage Shell Access interface (WHM >> Home >> Account Functions >> Manage Shell Access).
Note: When you enable jailed shell access for a user, the system sets the user’s shell to the /usr/local/cpanel/bin/jailshell location.
Exim and VirtFS
When a user’s shell location is /usr/local/cpanel/bin/jailshell (jailed shell is enabled) or /usr/local/cpanel/bin/noshell (all shells are disabled), Exim runs any process from alias or filter files inside VirtFS. This action provides extra security because Exim commands run in a jailed shell and do not affect other users.
Disable or remove a jailed shell environment
You can’t totally expel the imprisoned shell framework (VirtFS). The bearings beneath evacuate an imprisoned shell condition, however you cannot prohibit the recreation of the imprisoned shell condition.
The following processes may recreate the jailed shell environment:
- Exim processing filters.
- Piped email addresses.
- Cron jobs.
- Jailed Apache virtual hosts that use the mod_ruid2 module via the EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell option in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings).
Disable the jailed shell environment
To disable the jailed shell environment for a specific user, use WHM’s Manage Shell Access interface (Home >> Account Functions >> Manage Shell Access).
To disable the jailed shell environment for all of the users on your server, perform the following steps:
- Disable the Use cPanel® jailshell by default option in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings).
- Select Disabled Shell for all of the server’s accounts in WHM’s Manage Shell Access interface (Home >> Account Functions >> Manage Shell Access).
Note: When you disable jailed shell access, the system sets the users’ shells to the /usr/local/cpanel/bin/noshell location. With this location, the user retains access to SFTP in a non-jailed environment.
Remove a user’s jailed shell environment
To remove a jailed shell environment, perform the following steps:
- Disable the jailed shell environment for the user in WHM’s Manage Shell Access interface (WHM >> Home >> Account Functions >> Manage Shell Access ).
- To unmount the VirtFS BIND mounts, run the following command, where username is the desired account username:
The /scripts/clear_orphaned_virtfs_mounts script
You can run the/contents/clear_orphaned_virtfs_mounts content to unmount the BIND mounts for clients who don’t exist or who will never again utilize an imprisoned shell condition.
- This script removes the /home/virtfs/username/ directory and its contents, where username is an affected account’s username.
- To force the removal of all VirtFS mount points, run the following command:
To check your system for VirtFS mount points, run the following command, where username is the desired account username:
grep -i username /proc/mounts