Overview
cPanel & WHM uses VirtFS to provide a jailed shell environment for users who connect to a server via SSH. The jailed shell acts as a container for the user, and does not allow the user to access other users’ home
directories on the server.
- Unlike a normal shell environment, a jailed shell environment increases security for a server’s other users.
- Users in a jailed shell environment can run otherwise-unavailable commands (for example,
crontab
andpasswd
).
The /home/virtfs/
directory
Warning:
Do not use the rm
command to remove any mounted file or directory within the /home/virtfs/
directory.
- If you run the
rm
command on any mounted file or directory within the/home/virtfs/
directory, you will also delete all of the files in the directory to which it is mounted. - This action will render your server nonfunctional.
When a user logs in to a jailed shell environment via SSH or SFTP for the first time, the system creates the /home/virtfs/
directory. This directory contains configuration files, utilities, and BIND mounts.
- You cannot prevent the creation of this directory or disable it.
- This directory does not use any disk space. However, because it is a virtual mount point, some commands (for example,
du
) report that the directory uses disk space. - BIND mounts create a virtual link between two locations on the file system.
- For example, if a user views the contents of the
/home/virtfs/username/usr/bin/
directory, the user actually sees the contents of the/usr/bin/
directory. - For more information about BIND mounts, run the
man 8 mount
command.
- For example, if a user views the contents of the
Notes:
- Servers that run CentOS 7, CloudLinux™ 7, or Red Hat® Enterprise Linux (RHEL) 7 may use additional mount points for common system paths (for example,
/usr/bin
). Do not dismount these mount points. - On servers that run CentOS 7, CloudLinux 7, or RHEL 7, the
/etc/mtab
symlink points to the/proc/self/mounts
file.
Enable a jailed shell environment
WHM includes two options to activate a jailed shell environment. The option that you use depends on the type of users for whom you wish to enable jailed shells.
To enable a jailed shell environment for all new and modified users, use the Use cPanel® jailshell by default option in WHM’s Tweak Settings interface (Home >> Server Configuration >> Tweak Settings).
- This option allows you to force the use of a jailed shell for new accounts and accounts that you subsequently edit in the following interfaces:
- WHM’s Modify An Account interface (Home >> Account Functions >> Modify An Account).
- WHM’s Upgrade/Downgrade An Account interface (Home >> Account Functions >> Upgrade/Downgrade An Account).
- This option does not affect accounts that already exist on the server but that you have not edited in these interfaces.
To enable a jailed shell environment for a specific user, use WHM’s Manage Shell Access interface (Home >> Account Functions >> Manage Shell Access).
Note:
When you enable jailed shell access for a user, the system sets the user’s shell to the /usr/local/cpanel/bin/jailshell
location.
Exim and VirtFS
When a user’s shell location is /usr/local/cpanel/bin/jailshell
(jailed shell is enabled) or /usr/local/cpanel/bin/noshell
(all shells are disabled), Exim runs any process from alias or filter files inside VirtFS. This action provides extra security because Exim commands run in a jailed shell and do not affect other users.
CSF or LFD alerts
If you use a utility that monitors system changes (for example, CFS or LFD), you may see an alert that resembles the following example after you upgrade:
1 2 3 4 5 | The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated: /bin/crontab: FAILED /bin/passwd: FAILED |
This is a false positive warning. cPanel & WHM uses the /bin/crontab
and /bin/passwd
symlinks to link to files in the /usr/bin
directory. These symlinks allow jailed shell environments to access the crontab
and passwd
commands.
Disable or remove a jailed shell environment
Warning:
You cannot completely remove the jailed shell system (VirtFS). The directions below remove a jailed shell environment, but cannot prevent the recreation of the jailed shell environment.
The following processes may recreate the jailed shell environment:
- Exim processing filters.
- Piped email addresses.
- Cron jobs.
- Jailed Apache virtual hosts that use the
mod_ruid2
module via the EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell option in WHM’s Tweak Settings interface (Home >> Server Configuration >> Tweak Settings).
Disable the jailed shell environment
Warning:
You cannot disable the /home/virtfs/
directory for your users, even if you disable jailed shell access. For more information about the /home/virtfs/
directory, read the The /home/virtfs/
directory section above.
To disable the jailed shell environment for a specific user, use WHM’s Manage Shell Access interface (Home >> Account Functions >> Manage Shell Access).
To disable the jailed shell environment for all of the users on your server, perform the following steps:
- Disable the Use cPanel® jailshell by default option in WHM’s Tweak Settings interface (Home >> Server Configuration >> Tweak Settings).
- Select Disabled Shell for all of the server’s accounts in WHM’s Manage Shell Access interface (Home >> Account Functions >> Manage Shell Access).
Note:
When you disable jailed shell access, the system sets the users’ shells to the /usr/local/cpanel/bin/noshell
location. With this location, the user retains access to SFTP in a non-jailed environment.
Remove a user’s jailed shell environment
To remove a jailed shell environment, perform the following steps:
- Disable the jailed shell environment for the user in WHM’s Manage Shell Access interface ( Home >> Account Functions >> Manage Shell Access ).
- To unmount the VirtFS BIND mounts, run the following command, where
username
is the desired account username:umount
/home/virtfs/username/usr/bin
The /scripts/clear_orphaned_virtfs_mounts
script
You can run the /scripts/clear_orphaned_virtfs_mounts
script to unmount the BIND mounts for users who no longer exist or who no longer use a jailed shell environment.
- This script removes the
/home/virtfs/username/
directory and its contents, whereusername
is an affected account’s username. - To force the removal of all VirtFS mount points, run the following command:
/scripts/clear_orphaned_virtfs_mounts
--clearall
To check your system for VirtFS mount points, run the following command, where username
is the desired account username:
grep -i username /proc/mounts |