BuycPanel Blog

What is the VirtFS Jailed Shell?

Posted by Allura on 15 10 2019.

Introduction

cPanel & WHM uses VirtFS to provide a jailed shell environment for users who connect to a server via SSH. This shell acts as a container for the user and prevents the user from accessing other users’ home directories on the server.

  • A jailed shell environment, unlike a normal shell environment, increases security for the server’s other users.
  • Users in a jailed shell can run otherwise-unavailable commands such as crontab and passwd.

CentOS 6 and older support a maximum of 256 jailed shell users on systems that use the Apache mod_ruid2 module.

The /home/virtfs/ Directory

Do not use the rm command to remove any mounted file within this directory. If a user runs the rm command within it, the command also deletes all the files in the directory to which it is mounted. This will render the server nonfunctional.

When a user logs in to a jailed shell environment via SSH or SFTP for the first time, the system creates the /home/virtfs/ directory. It contains configuration files, utilities, and bind mounts.

  • The creation of this directory cannot be prevented, and the directory cannot be disabled.
  • This directory does not use any disk space. Because it is a virtual mount point, some commands (for example, du) report that the directory uses disk space.
  • Bind mounts create a virtual link between two locations on the file system.
    • For example, if a user views the contents of the /home/virtfs/username/usr/bin/ directory, the user sees the contents of the /usr/bin/ directory.
    • Run the man 8 mount command for more information on bind mounts.
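The rm warning above comes down to knowing whether anything is still mounted under a user's VirtFS tree. The following is an added example, not cPanel's own code: it reads a mounts table in /proc/mounts format and lists the live mount points for one user. The user names and the sample table are constructed.

```shell
#!/bin/sh
# Added example: find live mounts under a user's VirtFS tree before any cleanup.
# Input format is that of /proc/mounts: device mountpoint fstype options dump pass

# virtfs_mounts USER [MOUNTS_FILE]
# Prints each mount point at or below /home/virtfs/USER ("-" reads stdin).
virtfs_mounts() {
    awk -v root="/home/virtfs/$1" '
        # Match the tree root itself or any path strictly beneath it, so that
        # "alice" never matches "/home/virtfs/alicia/...".
        $2 == root || index($2, root "/") == 1 { print $2 }
    ' "${2:-/proc/mounts}"
}

# virtfs_safe_to_remove USER [MOUNTS_FILE]
# Succeeds only when nothing is mounted under the user's VirtFS tree.
virtfs_safe_to_remove() {
    [ -z "$(virtfs_mounts "$1" "${2:-/proc/mounts}")" ]
}

# Constructed sample mounts table (hypothetical users, not from a real server).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /home/virtfs/alice/usr/bin ext4 ro,nosuid,relatime 0 0
/dev/sda1 /home/virtfs/alice/home/alice ext4 rw,relatime 0 0
/dev/sda1 /home/virtfs/alicia/usr/bin ext4 ro,nosuid,relatime 0 0
EOF
}

for u in alice bob; do
    if sample_mounts | virtfs_safe_to_remove "$u" -; then
        echo "$u: no active mounts under /home/virtfs/$u"
    else
        echo "$u: still mounted, unmount these before touching the tree:"
        sample_mounts | virtfs_mounts "$u" -
    fi
done
```

On a live server, call the functions without the second argument so they read /proc/mounts.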

Enable A Jailed Shell Environment

WHM includes two options for activating a jailed shell environment. The option to use depends on the type of users for whom one wants to enable jailed shells.

To enable a jailed shell environment for all new and modified users, use the Use cPanel® jailshell by default option in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings).

  • This option lets you force the use of a jailed shell for new accounts and for accounts subsequently edited in the following interfaces:
    • WHM’s Modify an Account interface (WHM >> Home >> Account Functions >> Modify An Account).
    • WHM’s Upgrade/Downgrade an Account interface (WHM >> Home >> Account Functions >> Upgrade/Downgrade An Account).
  • This option does not affect accounts that already exist on the server and have not been edited in these interfaces.

To enable a jailed shell environment for a specific user, use WHM’s Manage Shell Access interface (WHM >> Home >> Account Functions >> Manage Shell Access). When one enables the jailed shell for a user, the system sets the user’s shell to the /usr/local/cpanel/bin/jailshell location.

Exim And VirtFS

Exim runs any process from alias or filter files inside VirtFS when a user’s shell location is /usr/local/cpanel/bin/jailshell (jailed shell is enabled) or /usr/local/cpanel/bin/noshell (all shells are disabled). This gives extra security, because Exim commands run in a jailed shell and have no effect on other users.
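Because the shell field decides whether Exim's alias and filter processes are confined to VirtFS, an audit of that field shows which accounts fall outside the jail. This is an added example, not part of cPanel: the passwd entries are constructed, and treating every account with a home under /home/ as a hosted account is an assumption.

```shell
#!/bin/sh
# Added example: which accounts have Exim alias/filter processes confined to VirtFS?
JAILSHELL=/usr/local/cpanel/bin/jailshell
NOSHELL=/usr/local/cpanel/bin/noshell

# shell_audit [PASSWD_FILE]
# Prints "user status" for each account whose home is under /home/ (assumption:
# that is where hosted accounts live). Status: jailshell, noshell or unjailed.
shell_audit() {
    awk -F: -v jail="$JAILSHELL" -v none="$NOSHELL" '
        $6 ~ /^\/home\// {
            status = "unjailed"
            if ($7 == jail) status = "jailshell"
            else if ($7 == none) status = "noshell"
            print $1, status
        }
    ' "${1:-/etc/passwd}"
}

# unjailed_users [PASSWD_FILE]
# Prints only the accounts whose shell is neither jailshell nor noshell.
unjailed_users() {
    shell_audit "${1:-/etc/passwd}" | awk '$2 == "unjailed" { print $1 }'
}

# Constructed sample passwd entries (hypothetical users).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/usr/local/cpanel/bin/jailshell
bob:x:1002:1002::/home/bob:/usr/local/cpanel/bin/noshell
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:
EOF
}

sample_passwd | shell_audit -
echo "Accounts outside VirtFS:"
sample_passwd | unjailed_users -
```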

CSF Or LFD Alerts

If you use a utility that monitors system changes, such as CSF or LFD, you may see an alert resembling the following example after an upgrade:

The following list of files has FAILED the md5sum comparison test. This means that the file has been changed in some way.

This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/bin/crontab: FAILED

/bin/passwd: FAILED 

However, this is a false positive warning. cPanel & WHM uses the /bin/crontab and /bin/passwd symlinks to link to the files in the /usr/bin directory. These symlinks allow jailed shell environments to access the crontab and passwd commands.
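Before dismissing such an alert, it is worth confirming that each reported path really does resolve to the matching file in /usr/bin. This is an added example, not code from CSF, LFD or cPanel: the ROOT argument and the sample tree are constructed so the check can be exercised without touching the real /bin.

```shell
#!/bin/sh
# Added example: triage paths from a CSF/LFD "FAILED" alert.

# classify_alert PATH [ROOT]
# Prints "links-to-usr-bin" when ROOT/PATH resolves to the same-named regular
# file in ROOT/usr/bin; prints "investigate" otherwise.
# ROOT is a hypothetical prefix used only to test against a constructed tree.
classify_alert() {
    file="${2:-}$1"
    want="${2:-}/usr/bin/$(basename "$1")"
    resolved=$(readlink -f "$file" 2>/dev/null) || resolved=
    canonical=$(readlink -f "$want" 2>/dev/null) || canonical=
    if [ -n "$resolved" ] && [ -f "$canonical" ] && [ "$resolved" = "$canonical" ]; then
        echo links-to-usr-bin
    else
        echo investigate
    fi
}

# Builds a constructed tree in a temp directory and prints its path.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/usr/bin" "$root/opt"
    : > "$root/usr/bin/crontab"
    : > "$root/usr/bin/passwd"
    : > "$root/opt/passwd"
    ln -s ../usr/bin/crontab "$root/bin/crontab"   # the layout the page describes
    ln -s ../opt/passwd "$root/bin/passwd"         # link to an unexpected target
    echo "$root"
}

tree=$(build_sample_tree)
for p in /bin/crontab /bin/passwd; do
    echo "$p: $(classify_alert "$p" "$tree")"
done
rm -rf "$tree"
```

A path classified as links-to-usr-bin only explains the alert on the link itself; the /usr/bin target can still be checked against the package database, for example with rpm -Vf /usr/bin/crontab.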

Conclusion

All information on the jailed shell environment is outlined in this review.