1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

/home/virtfs when all users have shell disabled, how it possible?

Discussion in 'General Discussion' started by hekri, Apr 19, 2007.

  1. hekri

    hekri Member

    Joined:
    Oct 14, 2003
    Messages:
    150
    Likes Received:
    1
    Trophy Points:
    18
    Hello

    Today i see in /home dir virtfs i read many post that i couldnt delete it, but i dont know why I see that directory, because all users on cpanel have shell disabled. Today i see thise directory and /home/virtfs/username thise username i check in cpanel have shell disabled.

    Its some seciurity BUG?

    Maybe i should disable something in system? (centos 4.4)

    Please help me (compilers also disabled in cPanel for all users)

    I check it and i see that /home/virtfs/user created when user login to the FTP over SFTP.... I dont understand it :(

    I go to /etc/sshd_config and see:
    Subsystem sftp /usr/libexec/openssh/sftp-server

    I do
    #Subsystem sftp /usr/libexec/openssh/sftp-server

    and restart SSH but i still cant login to SFTP, it is some seciurity hole because i can edit system files from SFTP (logs, etc files) :(


    I see that i have option to delete /home/virtfs, i reboot the system and all catalogs in /home/virtfs/user/ was empty, only catalog etc has files, but i think that i can change file name on real /etc/ delete file from /home/virtfs/user/etc/file and rename file to the original in /etc/.. :)

    Only way to stop this is disable SSH port example on APF and add to /etc/apf/allow_hosts.rules my home IP adress to only from that one ip ssh alow login?
     
    #1 hekri, Apr 19, 2007
    Last edited: Apr 19, 2007
  2. david510

    david510 Member

    Joined:
    Aug 22, 2004
    Messages:
    472
    Likes Received:
    0
    Trophy Points:
    16
    virtfs link is automatically made when a user logins via shell. It will remain as such if the user is not logged out properly. If you reboot the server, the link will be gone.
     
  3. hekri

    hekri Member

    Joined:
    Oct 14, 2003
    Messages:
    150
    Likes Received:
    1
    Trophy Points:
    18
    Byt 100% of my users have shell disabled, it is not normal that sftp (shell) working for users when they have shell disabled. It is a hole...
     
  4. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,452
    Likes Received:
    0
    Trophy Points:
    36

    sftp is allowed if shell is disabled, its the only thing that can be run, and it runs inside a jail.
     
  5. hekri

    hekri Member

    Joined:
    Oct 14, 2003
    Messages:
    150
    Likes Received:
    1
    Trophy Points:
    18
    Yes i see that, but it is not normal that users can view from SFTP my /var/log /etc/ files etc...

    Is it any option to disable SFTP without blocking port 22?
     
  6. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,452
    Likes Received:
    0
    Trophy Points:
    36
    In the jailed env, you get a fake /etc

    /var/log is a link to the real one, but they should't be able to see any log files that have the proper permissions.


    Why would you want to disable sftp?


    You could just


    mv /usr/libexec/openssh/sftp-server /usr/libexec/openssh/sftp-server.disabled
    ln -s /bin/false /usr/libexec/openssh/sftp-server
     
  7. hekri

    hekri Member

    Joined:
    Oct 14, 2003
    Messages:
    150
    Likes Received:
    1
    Trophy Points:
    18
    All permissions do cpanel, it is a seciurity hole for me and i want to suspend SFTP, thanx for help.
     
  8. nerbonne

    nerbonne Member

    Joined:
    Aug 19, 2007
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    6
    Good info, thanks nick.
     

Share This Page