virtfs folder even though shell access is disabled

May 2, 2020
Northern VA
cPanel Access Level
Root Administrator
I hope this is in the right forum.

I've been tolerating a strange thing for a couple of years. I've asked the host support team a few times but they never seem to know the answer to this mystery.

I have shell access disabled for every single account. From my understanding the virtfs folder is used as a place for jailed shell script access. Since all shell access is disabled I would assume that the virtfs directory would be empty.

But it isn't. Every day I scan my server for malware and every day I get a long list of files that have appeared in my virtfs folder.

What's remarkable about this is that I run this command every hour:

/scripts/clear_orphaned_virtfs_mounts --clearall

That clears all orphaned virtfs mounts so the mounts are cleared every hour.

If you can solve this mystery I would be grateful.

Who/how/what is generating this? Is there anything I can do to eliminate it once and for all?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston

Does VirtFS exist for all accounts or just for specific ones? This may be best addressed in a ticket as it's best done with a full understanding of what's occurring on the server.
 
May 2, 2020
Northern VA
cPanel Access Level
Root Administrator
> Does VirtFS exist for all accounts or just for specific ones? This may be best addressed in a ticket as it's best done with a full understanding of what's occurring on the server.

Sorry if I don't understand the question but I was under the impression that virtfs folders were only created when jailed shell access is enabled. I'm not aware of a cPanel setting that enables virtfs for specific accounts. I just opened WHM and searched for virtfs and it's not an option. I also double-checked and shell access is disabled for all accounts.

As I noted in this thread, I've asked the host why files are appearing in virtfs and I get a shrug. This is why I've asked the question: Is there some way that virtfs folders can be created even though a user has no shell access?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
Because the only way these are created is in the event that JailedShell was enabled for the account at some point. If some VirtFS containers remain after JailShell is disabled and you've cleared the Orphaned VirtFS mounts, it would seem that it's being utilized by something, or there's an issue with the VirtFS mount, like someone attempted to delete it manually. My suggestion to open a ticket with our support still stands; there are too many working parts for me to be able to confidently tell you what the issue is without seeing the system.
 
May 2, 2020
Northern VA
cPanel Access Level
Root Administrator
> Because the only way these are created is in the event that JailedShell was enabled for the account at some point. If some VirtFS containers remain after JailShell is disabled and you've cleared the Orphaned VirtFS mounts, it would seem that it's being utilized by something, or there's an issue with the VirtFS mount, like someone attempted to delete it manually. My suggestion to open a ticket with our support still stands; there are too many working parts for me to be able to confidently tell you what the issue is without seeing the system.

Thanks. Am I allowed to open a ticket with cPanel about this? I thought I had to open a ticket with the host.
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
I wouldn't get too worked up about items being found in /home/virtfs - in fact I really wouldn't scan it. Because it's just going to create a huge burden for you to scan when it's just mirrored copies of the files that already exist on your filesystem.

As for how the /home/virtfs gets populated... that's anybody's guess. It does have to do with jailshell, but users don't specifically have to log in to shell with jailshell for it to be populated. Exim filters will parse through it. SFTP will run through it. If you're using php-fpm and the undocumented (and never fully developed) jailshell chroot, it will use it. I suspect if you use whatever Apache Jail Chroot thingy there is, it also goes through the jailshell ecosystem. So it doesn't have to explicitly be jailshell SSH.

As far as getting rid of them (DON'T DELETE THE VIRTFS DIRECTORY!), I'm not sure if the /scripts/clear_orphaned_virtfs_mounts script really does an adequate job of this.

I would use something like:

cat /proc/mounts | grep /home/virtfs | awk '{print $2}' | xargs -n1 echo umount

(remove the echo if you really want it to umount the directories... the echo is provided here so you can see what commands it would actually run)

You may have to run through it a few times - because it may try to umount a parent path before it umounts all of its inside directories.

But even if you umount them, they'll come back because of all of the ancillary systems that utilize the jailshell ecosystem.
 
Reactions: cPanelLauren
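
Added example, not part of sparek-3's post or of cPanel's scripts: the same dry-run idea, ordered so nested mount points are listed before their parents and matched on the mount-point field only. The function names, account names and sample paths are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run only: prints commands, unmounts nothing.

# Constructed sample in /proc/mounts format
# (device, mount point, type, options, dump, pass). All paths are made up.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /home/virtfs/alice/usr ext4 ro,nosuid 0 0
/dev/sda1 /home/virtfs/alice/usr/local/bin ext4 ro,nosuid 0 0
/dev/sda1 /home/virtfs/alice/home/alice ext4 rw,nosuid 0 0
/dev/sda1 /home/virtfs/bob/usr ext4 ro,nosuid 0 0
tmpfs /run tmpfs rw,nosuid 0 0
/dev/sdb1 /mnt/backup/home/virtfs/old ext4 rw 0 0
EOF
}

# virtfs_umount_plan [MOUNTS_FILE]
# MOUNTS_FILE defaults to /proc/mounts; "-" reads standard input.
# Prints one "umount <path>" line per mount point, deepest paths first.
virtfs_umount_plan() {
    mounts_file="${1:-/proc/mounts}"
    # Match on the mount-point field only, so a line that merely contains
    # "/home/virtfs" somewhere (the backup mount above) is not selected.
    awk '$2 ~ /^\/home\/virtfs\// {
             depth = split($2, parts, "/")   # number of path components
             print depth, $2
         }' "$mounts_file" |
        LC_ALL=C sort -k1,1nr -k2,2 |        # deepest first, then by path
        awk '{ print "umount " $2 }'
}

# Demonstration on the constructed sample.
sample_mounts | virtfs_umount_plan -
```

On a live server, call `virtfs_umount_plan` with no argument and review the list before piping it to `sh`.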

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
> Thanks. Am I allowed to open a ticket with cPanel about this? I thought I had to open a ticket with the host.

You sure are. We do encourage that you seek assistance with your hosting provider first, but if you've done this already and they're unwilling or unable to assist you, you're welcome to open a ticket with us.

Also @sparek-3 offers some solid advice
 