Accounts in VirtualFS have full server /usr/ access?

[martin MHC]

I have a server with WHM 78.0.23
I have CentOS 7.6

I noted by pure chance yesterday (16th May 2019) that two accounts on the server have virtual File System access to the entirity of the Server /usr/ directory and all contained files and sub-directories.

This is only true for these two accounts. All other accounts on the virtual File system, ( /home/virtfs/<account>/.... ) have empty or minimal /usr/ folder contents.

For example;
I can access this filepath:
/home/virtfs/<account-name>/usr/local/lib/php

And from there update the PHP classes used by the whole server.

Data:
Running

grep -i username /proc/mounts

for various usernames gives me NO results, except for the account with full /usr/ access; stating:

devtmpfs /home/virtfs/<accountname>/dev devtmpfs rw,nosuid,noexec,size=5990024k,nr_inodes=1497506,mode=755 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/opt ext4 ro,nosuid,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/loop0 /home/virtfs/<accountname>/tmp ext3 rw,nosuid,noexec,relatime,data=ordered 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/usr ext4 ro,nosuid,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/var ext4 ro,nosuid,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/etc/scl ext4 ro,nosuid,noexec,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/var/log ext4 rw,nosuid,noexec,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/loop0 /home/virtfs/<accountname>/var/tmp ext3 rw,nosuid,noexec,relatime,data=ordered 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/etc/mail ext4 rw,nosuid,noexec,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/usr/sbin ext4 ro,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/var/spool ext4 rw,nosuid,noexec,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/etc/apache2 ext4 ro,nosuid,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/etc/pki/tls ext4 ro,nosuid,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/etc/alternatives ext4 ro,nosuid,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/etc/pki/ca-trust ext4 ro,nosuid,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/var/cpanel/php/sessions ext4 rw,nosuid,noexec,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/var/cpanel/email_send_limits ext4 rw,nosuid,noexec,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/home/<accountname> ext4 rw,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0

Question 1:
Is this a security risk or is this somehow intentional? Why is it one or two accounts (only) that have this access?

Question 2:
Yesterday there were two accounts that displayed this.
Today I am looking and see only one account that has this full breached-jail access in their /home/virtfs/ directory.

So this indicates that this access can be changed/reduced/removed. I do not think I want to unnmount the folder; /usr/ as every virtfs/account has a /usr/ folder, but theirs is empty, and this one is not. How can I do this safely?

Is it fine simply to run

umount /home/virtfs/username/usr

I have read WHM Virtual Jailed Shell documentation
I have read /home/virtfs/0_README_BEFORE_DELETING_VIRTFS

Thank you.

 

[dalem]

Question 1:
Is this a security risk or is this somehow intentional? Why is it one or two accounts (only) that have this access?

This is intentional & jails the users access so its a security enhancement.

Question 2:
Yesterday there were two accounts that displayed this.
Today I am looking and see only one account that has this full breached-jail access in their /home/virtfs/ directory.

The permissions have not changed, Likely that user has a cron running even if the user has no Jail shell enabled the users crontab will run in the jail. Best to just leave it alone as it appears to be working as it should.

 

[martin MHC]

Feedback from WHM / CPanel support (on another matter) came back with some useful guidance.

The Virtual File System access as described is put in place if there is any SSH or SFTP access to the account. This would typically be via the local IDE .
And yes - as dalem states; cronjob's also will cause these /virtfs/accountname/ access details to be automatically set up by the server.

I was initially surprised to find these access routes and with some digging am comfortable they're normal and proper as of WHM 78.

 

[dalem]

I was initially surprised to find these access routes and with some digging am comfortable they're normal and proper as of WHM 78.

they have been normal and proper since cpanel implemented jail shell years back

 

[cPanelLauren]

Glad to see you were able to get this resolved @martin MHC let us know if you have any further questions or concerns.


Thanks!