{"id":209,"date":"2021-07-23T12:19:23","date_gmt":"2021-07-23T12:19:23","guid":{"rendered":"https:\/\/ssdsunucum.com\/blog\/virtfs-jailed-shell\/"},"modified":"2021-07-23T12:19:23","modified_gmt":"2021-07-23T12:19:23","slug":"virtfs-jailed-shell","status":"publish","type":"post","link":"https:\/\/ssdsunucum.com\/blog\/virtfs-jailed-shell\/","title":{"rendered":"VirtFS Jailed Shell"},"content":{"rendered":"<\/p>\n
\n
<\/div>\n
\n

Overview<\/h2>\n

cPanel & WHM uses VirtFS to provide a jailed shell environment for users who connect to a server via SSH. The jailed shell acts as a container for the user, and does not allow the user to access other users\u2019 home directories on the server.<\/p>\n

    \n
  • \n

    Unlike a normal shell environment, a jailed shell environment increases security for a server\u2019s other users.<\/p>\n<\/li>\n

  • \n

    Users in a jailed shell environment can run otherwise-unavailable commands (for example, crontab<\/code> and passwd<\/code>).<\/p>\n<\/li>\n<\/ul>\n

    \n
    Important:<\/div>\n
    \n
      \n
    • \n

      CentOS 6 and older support a maximum of only<\/strong> 256 jailshell users on systems that use the Apache mod_ruid2<\/code> module.<\/p>\n<\/li>\n

    • \n

      Some customers have reported performance and connection issues when they attempt to mount more than 4000 targets in a Virtuozzo environment.<\/p>\n<\/li>\n

    • \n

      If you enable a jailed shell on a server runs CloudLinux\u2122, you may cause a security vulnerability with symlinks to files outside of the caged directory. To solve this issue, you must<\/strong> enable link traversal protection. For more information, read CloudLinux\u2019s Link traversal protection documentation.<\/p>\n<\/li>\n<\/ul><\/div>\n<\/div>\n

      The virtfs directory<\/h2>\n
      \n
      Warning:<\/div>\n
      \n

      Do not<\/strong> use the rm<\/code> command to remove any mounted file or directory within the \/home\/virtfs\/<\/code> directory. If you run this on any mounted file or directory within the \/home\/virtfs\/<\/code> directory, you will also delete all of the files in the directory to which it is mounted. This action will<\/strong> render your server nonfunctional<\/strong>.<\/p>\n<\/p><\/div>\n<\/div>\n

      When a user logs in to a jailed shell environment via SSH or SFTP for the first time, the system creates the \/home\/virtfs\/<\/code> directory. This directory contains configuration files, utilities, and BIND mounts.<\/p>\n

        \n
      • \n

        You cannot<\/strong> prevent the creation of this directory or disable it.<\/p>\n<\/li>\n

      • \n

        This directory does not<\/strong> use any disk space. However, because it is a virtual mount point, some commands (for example, du<\/code>) report that the directory uses disk space.<\/p>\n<\/li>\n

      • \n

        BIND mounts create a virtual link between two locations on the file system. For example, if a user views the contents of the \/home\/virtfs\/username\/usr\/bin\/<\/code> directory, the user actually sees the contents of the \/usr\/bin\/<\/code> directory. For more information about BIND mounts, run the man 8 mount<\/code> command.<\/p>\n<\/li>\n<\/ul>\n

        \n
        Note:<\/div>\n
        \n
          \n
        • \n

          Servers that run CentOS 7 or 8, CloudLinux\u2122 7 or 8, AlmaLinux 8, or Red Hat\u00ae Enterprise Linux\u00ae (RHEL) 7 may use additional mount points for common system paths (for example, \/usr\/bin<\/code>). Do not<\/strong> dismount these mount points.<\/p>\n<\/li>\n

        • \n

          On servers that run CentOS 7 or 8, CloudLinux 7 or 8, AlmaLinux 8, or RHEL 7, the \/etc\/mtab<\/code> symlink points to the \/proc\/self\/mounts<\/code> file.<\/p>\n<\/li>\n<\/ul><\/div>\n<\/div>\n

          Enable a jailed shell environment<\/h2>\n

          WHM includes two options to activate a jailed shell environment. The option that you use depends on the type of users for whom you wish to enable jailed shells.<\/p>\n

          To enable a jailed shell environment for all new and modified users, use the Use cPanel\u00ae jailshell by default<\/em> option in WHM\u2019s Tweak Settings<\/em> interface (WHM<\/em> >> Home<\/em> >> Server Configuration<\/em> >> Tweak Settings<\/em>).<\/p>\n

            \n
          • \n

            This option allows you to force the use of a jailed shell for new accounts and accounts that you subsequently edit in the following interfaces:<\/p>\n

              \n
            • \n

              WHM\u2019s Modify an Account<\/em> interface (WHM<\/em> >> Home<\/em> >> Account Functions<\/em> >> Modify An Account<\/em>).<\/p>\n<\/li>\n

            • \n

              WHM\u2019s Upgrade\/Downgrade an Account<\/em> interface (WHM<\/em> >> Home<\/em> >> Account Functions<\/em> >> Upgrade\/Downgrade An Account<\/em>).<\/p>\n<\/li>\n<\/ul>\n<\/li>\n

            • \n

              This option does not<\/strong> affect accounts that already exist on the server but that you have not edited in these interfaces.<\/p>\n<\/li>\n<\/ul>\n

              To enable a jailed shell environment for a specific user, use WHM\u2019s Manage Shell Access<\/em> interface (WHM<\/em> >> Home<\/em> >> Account Functions<\/em> >> Manage Shell Access<\/em>).<\/p>\n

              \n
              Note:<\/div>\n
              \n

              When you enable jailed shell access for a user, the system sets the user\u2019s shell to the \/usr\/local\/cpanel\/bin\/jailshell<\/code> location.<\/p>\n<\/p><\/div>\n<\/div>\n

              Exim and VirtFS<\/h3>\n

              When a user\u2019s shell location is \/usr\/local\/cpanel\/bin\/jailshell<\/code> (jailed shell is enabled) or \/usr\/local\/cpanel\/bin\/noshell<\/code> (all shells are disabled), Exim runs any process from alias or filter files inside VirtFS. This action provides extra security because Exim commands run in a jailed shell and do not affect other users.<\/p>\n

              CSF or LFD alerts<\/h3>\n

              If you use a utility that monitors system changes (for example, CFS or LFD), you may see an alert that resembles the following example after you upgrade:<\/p>\n

              \n
              \n\n\n
              \n
              1\n<\/span>2\n<\/span>3\n<\/span>4\n<\/span>5\n<\/span><\/code><\/pre>\n<\/td>\n
              		\n
              The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way.\nThis could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:\n\n\/bin\/crontab: FAILED\n\/bin\/passwd: FAILED<\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n
              This is a false positive warning. cPanel & WHM uses the \/bin\/crontab<\/code> and \/bin\/passwd<\/code> symlinks to link to files in the \/usr\/bin<\/code> directory. These symlinks allow jailed shell environments to access the crontab<\/code> and passwd<\/code> commands.<\/p>\n
              Disable or remove a jailed shell environment<\/h2>\n
              \n
              Warning:<\/div>\n
              \n
              You cannot<\/strong> completely remove the jailed shell system (VirtFS). The directions below remove a jailed shell environment, but cannot<\/strong> prevent the recreation of the jailed shell environment. The following processes may recreate the jailed shell environment:<\/p>\n
                \n
              • \n
                Exim processing filters.<\/p>\n<\/li>\n
              • \n
                Piped email addresses.<\/p>\n<\/li>\n
              • \n
                Cron jobs.<\/p>\n<\/li>\n
              • \n
                Jailed Apache virtual hosts that use the mod_ruid2<\/code> module via the EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel\u00ae jailshell<\/em> option in WHM\u2019s Tweak Settings<\/em> interface (WHM >> Home >> Server Configuration >> Tweak Settings<\/em>).<\/p>\n<\/li>\n<\/ul><\/div>\n<\/div>\n
                Disable the jailed shell environment<\/h3>\n
                \n
                Warning:<\/div>\n
                \n        You cannot<\/strong> disable the \/home\/virtfs\/<\/code> directory for your users, even if you disable jailed shell access. For more information about the \/home\/virtfs\/<\/code> directory, read the The \/home\/virtfs\/<\/code> directory section above.\n    <\/div>\n<\/div>\n
                To disable the jailed shell environment for a specific user, use WHM\u2019s Manage Shell Access<\/em> interface (Home<\/em> >> Account Functions<\/em> >> Manage Shell Access<\/em>).<\/p>\n
                To disable the jailed shell environment for all of the users on your server, perform the following steps:<\/p>\n
                  \n
                1. \n
                  Disable the Use cPanel\u00ae jailshell by default<\/em> option in WHM\u2019s Tweak Settings<\/em> interface (WHM<\/em> >> Home<\/em> >> Server Configuration<\/em> >> Tweak Settings<\/em>).<\/p>\n<\/li>\n
                2. \n
                  Select Disabled Shell<\/em> for all of the server\u2019s accounts in WHM\u2019s Manage Shell Access<\/em> interface (WHM<\/em> >> Home<\/em> >> Account Functions<\/em> >> Manage Shell Access<\/em>).<\/p>\n<\/li>\n<\/ol>\n
                  \n
                  Note:<\/div>\n
                  \n
                  When you disable jailed shell access, the system sets the users\u2019 shells to the \/usr\/local\/cpanel\/bin\/noshell<\/code> location. With this location, the user retains access to SFTP in a non-jailed environment.<\/p>\n<\/p><\/div>\n<\/div>\n
                  Remove a user\u2019s jailed shell environment<\/h3>\n
                  To remove a jailed shell environment, perform the following steps:<\/p>\n
                    \n
                  1. \n
                    Disable the jailed shell environment for the user in WHM\u2019s Manage Shell Access<\/em> interface (WHM<\/em> >> Home<\/em> >> Account Functions<\/em> >> Manage Shell Access<\/em>).<\/p>\n<\/li>\n
                  2. \n
                    To unmount the VirtFS BIND mounts, run the following command, where username<\/code> is the desired account username:\n<\/p>\n
                    \n
                    umount \/home\/virtfs\/username\/usr\/bin<\/code><\/pre>\n<\/div>\n<\/li>\n<\/ol>\n
                    The clear orphaned VirtFS mounts script<\/h3>\n
                    You can run the \/usr\/local\/cpanel\/scripts\/clear_orphaned_virtfs_mounts<\/code> script to unmount the BIND mounts for users who no longer exist or who no longer use a jailed shell environment. This script removes the \/home\/virtfs\/username\/<\/code> directory and its contents.<\/p>\n
                    To force the removal of all VirtFS mount points, run the following command, where username<\/code> is an account\u2019s username:<\/p>\n
                    \n
                    \/usr\/local\/cpanel\/scripts\/clear_orphaned_virtfs_mounts --clearall<\/code><\/pre>\n<\/div>\n
                    To check your system for VirtFS mount points, run the following command, where username<\/code> is the desired account username:<\/p>\n
                    \n
                    grep -i username \/proc\/mounts<\/code><\/pre>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"
                    Overview cPanel & WHM uses VirtFS to provide a jailed shell environment for users who connect to a server via SSH. The jailed shell acts as a container for the user, and does not allow the user to access other users\u2019 home directories on the server. Unlike a normal shell environment, a jailed shell environment …<\/p>\n","protected":false},"author":1,"featured_media":210,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/209"}],"collection":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/comments?post=209"}],"version-history":[{"count":0,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/209\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media\/210"}],"wp:attachment":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media?parent=209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/categories?post=209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/tags?post=209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}