A directory called “virtfs” inside /home/ contains a copy of the accounts in /home/. What does this mean?

Posted: July 28, 2013 in cPanel

———————————————————————————————————————————————-

VirtFS provides a jailed shell environment for a user connected to a server via SSH. Unlike a normal shell environment, a jailed shell environment prevents access to data outside of the user’s home directory. A jailed shell helps increase security for a system administrator’s other users.

How to remove VirtFS

In 11.38, updates to the jailed shell system were created to improve security. As a result, it is not possible to completely remove VirtFS.

Warning: The directions below do not necessarily remove a jailed shell.

Before you can safely remove the jailed shell environment, you must unmount all bind mounts under /home/virtfs/$user/.

To unmount a bind-mounted directory, use the umount command.

For example, to unmount /home/virtfs/username/usr/bin (replace username with the cPanel user’s name), run the following command:

# umount /home/virtfs/username/usr/bin

Once you have unmounted the bind mounts, you can remove the user’s directory under /home/virtfs. To see whether a directory is still bind-mounted, search for the appropriate username in /proc/mounts. You can do this with the following command (replace username with the cPanel user’s name):

# grep -i 'username' /proc/mounts
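The unmount-then-verify procedure above can be scripted. This is an added example, not cPanel's tooling or code from the original post; the function names are hypothetical. It matches the exact /home/virtfs/username path in /proc/mounts and orders nested mounts children first, because a recursive delete run while mounts are still active would descend into the bind-mounted directories.

```shell
#!/bin/sh
# Added example; the function names below are hypothetical helpers.

# Constructed sample in /proc/mounts format (not from a real server).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 /home ext4 rw 0 0
/dev/sda1 /home/virtfs/bob/usr ext4 ro,nosuid 0 0
/dev/sda1 /home/virtfs/bob/usr/bin ext4 ro,nosuid 0 0
/dev/sda1 /home/virtfs/bob/home/bob ext4 rw,nosuid 0 0
/dev/sda1 /home/virtfs/bobby/usr/bin ext4 ro,nosuid 0 0
EOF
}

# Print the mount points at or under /home/virtfs/<user>, deepest first.
# $2 is a mounts table ("-" for stdin); the default is /proc/mounts.
list_virtfs_mounts() {
    # Compare field 2 (the mount point) against the exact path prefix, so
    # user "bob" does not match "bobby" the way a bare grep would.
    awk -v root="/home/virtfs/$1" \
        '$2 == root || index($2, root "/") == 1 { print $2 }' \
        "${2:-/proc/mounts}" | LC_ALL=C sort -r
}

# Succeed only when no mount remains under the user's VirtFS directory.
virtfs_safe_to_remove() {
    [ -z "$(list_virtfs_mounts "$1" "${2:-/proc/mounts}")" ]
}

# Unmount everything for one user (run as root), then re-check.
unmount_virtfs() {
    list_virtfs_mounts "$1" | while IFS= read -r mp; do
        umount "$mp" || echo "could not unmount: $mp" >&2
    done
    virtfs_safe_to_remove "$1"
}

# Demo on the constructed table: lists bob's three mounts, children first.
sample_mounts | list_virtfs_mounts bob -
```

On a live server, remove /home/virtfs/username only after unmount_virtfs username returns success.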

How to disable VirtFS

To disable VirtFS, you can disable jailed shell access via both the Tweak Settings and Manage Shell Access interfaces in WHM.

Note: If a system administrator disables jailed shell access for a user, the user’s shell will be set to /usr/local/cpanel/bin/noshell. The user will still have access to SFTP in a non-jailed environment.

Exim in a jailed shell or disabled shell

When a user’s shell is configured to jailshell or noshell, Exim runs any process created from alias or filter files inside of VirtFS. This action provides extra security because Exim commands will run in a jailed shell and not affect other users. Before 11.38, Exim did not run in a jailed shell. As a result, there was a higher probability that filters and pipes in a jailed shell or disabled shell would act the same.

You can remove all bind mounts for a particular user with the following command (replace username with the cPanel user’s name):

# /usr/local/cpanel/3rdparty/bin/perl -MCpanel::Filesys::Virtfs -e 'Cpanel::Filesys::Virtfs::clean_user_virtfs("username");'
