I have a server with WHM 78.0.23
I have CentOS 7.6
I noted by pure chance yesterday (16th May 2019) that two accounts on the server have virtual File System access to the entirety of the Server /usr/ directory and all contained files and sub-directories.
This is only true for these two accounts. All other accounts on the virtual File system, ( /home/virtfs/<account>/.... ) have empty or minimal /usr/ folder contents.
For example:
I can access this filepath:
/home/virtfs/<account-name>/usr/local/lib/php
And from there update the PHP classes used by the whole server.
Data:
Running
Code:
grep -i username /proc/mounts
for various usernames gives me NO results, except for the account with full /usr/ access; stating:
Code:
devtmpfs /home/virtfs/<accountname>/dev devtmpfs rw,nosuid,noexec,size=5990024k,nr_inodes=1497506,mode=755 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/opt ext4 ro,nosuid,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/loop0 /home/virtfs/<accountname>/tmp ext3 rw,nosuid,noexec,relatime,data=ordered 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/usr ext4 ro,nosuid,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/var ext4 ro,nosuid,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/etc/scl ext4 ro,nosuid,noexec,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/var/log ext4 rw,nosuid,noexec,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/loop0 /home/virtfs/<accountname>/var/tmp ext3 rw,nosuid,noexec,relatime,data=ordered 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/etc/mail ext4 rw,nosuid,noexec,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/usr/sbin ext4 ro,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/var/spool ext4 rw,nosuid,noexec,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/etc/apache2 ext4 ro,nosuid,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/etc/pki/tls ext4 ro,nosuid,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/etc/alternatives ext4 ro,nosuid,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/etc/pki/ca-trust ext4 ro,nosuid,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/var/cpanel/php/sessions ext4 rw,nosuid,noexec,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/var/cpanel/email_send_limits ext4 rw,nosuid,noexec,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/<accountname>/home/<accountname> ext4 rw,relatime,data=ordered,jqfmt=vfsv0,usrjquota=quota.user 0 0
Question 1:
Is this a security risk or is this somehow intentional? Why is it one or two accounts (only) that have this access?
Question 2:
Yesterday there were two accounts that displayed this.
Today I am looking and see only one account that has this full breached-jail access in their /home/virtfs/ directory.
So this indicates that this access can be changed/reduced/removed. I do not think I want to unmount the folder /usr/, as every virtfs/account has a /usr/ folder, but theirs is empty, and this one is not. How can I do this safely?
Is it fine simply to run
Code:
umount /home/virtfs/username/usr
I have read WHM Virtual Jailed Shell documentation
I have read /home/virtfs/0_README_BEFORE_DELETING_VIRTFS
Thank you.
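An added example (not part of the original post, and not cPanel's own tooling): instead of grepping one username at a time, this reads input in /proc/mounts format and reports, for every account under /home/virtfs/, whether a given directory is mounted into its jail and with which options (ro or rw, nosuid or not). The function names and the sample account names are constructed; only the /home/virtfs/<account>/ layout comes from the post.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (account names are made up).
sample_mounts() {
cat <<'EOF'
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/alice/usr ext4 ro,nosuid,relatime 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/alice/usr/sbin ext4 ro,relatime 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/alice/home/alice ext4 rw,relatime 0 0
/dev/loop0 /home/virtfs/bob/tmp ext3 rw,nosuid,noexec,relatime 0 0
/dev/mapper/VolGroup00-LogVolRoot /home/virtfs/carol/etc/mail ext4 rw,nosuid,noexec,relatime 0 0
EOF
}

# virtfs_audit DIR < mounts
# Prints "account access nosuid=yes|no mountpoint" for each jail in which
# DIR (default /usr) is itself a mount point.
virtfs_audit() {
  awk -v want="${1:-/usr}" '
    index($2, "/home/virtfs/") == 1 {
      rest  = substr($2, length("/home/virtfs/") + 1)  # "<account>/<path>"
      slash = index(rest, "/")
      if (slash == 0) next                 # the jail root itself, no inner path
      acct  = substr(rest, 1, slash - 1)
      inner = substr(rest, slash)          # path as seen inside the jail
      if (inner != want) next
      access = "?"; nosuid = "no"
      n = split($4, o, ",")                # field 4 holds the mount options
      for (i = 1; i <= n; i++) {
        if (o[i] == "ro" || o[i] == "rw") access = o[i]
        if (o[i] == "nosuid") nosuid = "yes"
      }
      print acct, access, "nosuid=" nosuid, $2
    }'
}

# virtfs_accounts < mounts
# Prints "account mount_count" for every account with active jail mounts,
# so accounts that have DIR mounted can be compared with those that do not.
virtfs_accounts() {
  awk 'index($2, "/home/virtfs/") == 1 {
         split(substr($2, length("/home/virtfs/") + 1), p, "/")
         count[p[1]]++
       }
       END { for (a in count) print a, count[a] }' | sort
}

# Demo on the constructed sample; on a live server use: virtfs_audit /usr < /proc/mounts
sample_mounts | virtfs_audit /usr
```
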