VirtFS Jailed Shell in cPanel & WHM

This article explains how VirtFS provides a secure jailed shell environment for SSH users in cPanel & WHM. It covers how VirtFS works, warnings and limitations, how to enable or disable jailed shells, how Exim interacts with VirtFS, and how to remove or clean up VirtFS mount points.

~3 min read • Updated Feb 14, 2026

1. Overview


cPanel & WHM uses VirtFS to provide a jailed shell environment for users who connect via SSH. A jailed shell isolates the user inside a restricted filesystem container, preventing access to other users’ home directories and improving overall server security.


Users inside a jailed shell can run commands that are normally unavailable in restricted environments, such as crontab and passwd.


2. Important Warnings and Limitations


  • Mounting more than 4000 targets in Virtuozzo environments may cause performance or connection issues.
  • Servers with more than 500 accounts may experience issues if the experimental setting Jail Apache Virtual Hosts using mod_ruid2 is enabled.
  • On CloudLinux servers, enabling jailed shell may expose symlink vulnerabilities unless Link Traversal Protection is enabled.

3. The /home/virtfs/ Directory


Critical Warning: Never use rm to delete files or directories inside /home/virtfs/. Doing so will delete the real files on the system and can render the server unusable.


The directory /home/virtfs/ is created automatically the first time a user logs in via SSH or SFTP in jailed mode. It contains configuration files, utilities, and bind mounts.


This directory does not consume real disk space, but some commands (like du) may incorrectly report usage because they count the files visible through the bind mounts.


3.1 Understanding Bind Mounts

A bind mount makes an existing directory visible at a second location in the filesystem. For example:


/home/virtfs/username/usr/bin → /usr/bin

The user sees /usr/bin but within a restricted environment.


Note: On CentOS 7, CloudLinux 7+, AlmaLinux, Rocky Linux, RHEL 7, and Ubuntu, additional system mount points exist. Do not unmount them.


4. Enabling a Jailed Shell Environment


4.1 Enable for All New or Modified Accounts

Use the following WHM setting:


WHM » Server Configuration » Tweak Settings


Enable Use cPanel jailshell by default.


This applies only to new accounts or accounts edited in:

  • Modify an Account
  • Upgrade/Downgrade an Account

4.2 Enable for a Specific User

Use:


WHM » Account Functions » Manage Shell Access


When enabled, the user’s shell becomes:


/usr/local/cpanel/bin/jailshell

5. Exim and VirtFS


If a user’s shell is jailshell or noshell, Exim executes alias and filter processes inside VirtFS. This provides additional security by isolating Exim operations.


6. CSF or LFD Alerts


After updates, you may see warnings like:


/bin/crontab: FAILED
/bin/passwd: FAILED

This is a false positive. These files are symlinks used to allow jailed shell access to system commands.


7. Disabling or Removing a Jailed Shell Environment


Warning: VirtFS cannot be fully removed. Even after disabling it, certain processes may recreate the jailed environment, including:

  • Exim filters
  • Piped email
  • Cron jobs
  • Jailed Apache virtual hosts

7.1 Disable Jailed Shell for One User

Use:


WHM » Account Functions » Manage Shell Access


7.2 Disable Jailed Shell for All Users

  • Disable Use cPanel jailshell by default in Tweak Settings.
  • Set all accounts to Disabled Shell in Manage Shell Access.

When disabled, the user’s shell becomes:


/usr/local/cpanel/bin/noshell

8. Removing a User’s VirtFS Environment


  • Disable jailed shell for the user.
  • Unmount the user’s VirtFS bind mounts:

umount /home/virtfs/username/usr/bin

9. Clear Orphaned VirtFS Mounts


To remove leftover mount points:


/usr/local/cpanel/scripts/clear_orphaned_virtfs_mounts

9.1 Remove Mounts for One User

/usr/local/cpanel/scripts/clear_orphaned_virtfs_mounts --user=username

9.2 Remove All VirtFS Mounts

/usr/local/cpanel/scripts/clear_orphaned_virtfs_mounts --clearall

9.3 Check for VirtFS Mounts

grep -i username /proc/mounts
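
The grep above matches the username anywhere on the line, so it also hits other accounts and paths that merely contain the same string. The helper below is an added example (not part of the original article or of cPanel's scripts): it lists only mount points at or below /home/virtfs/<user> and reports whether that tree is clear, which is the state to confirm before touching anything under /home/virtfs/ given the warning in section 3. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample table are constructed.

# Print mount points at or below /home/virtfs/USER, in reverse order so
# nested mount points are listed before their parents.
# $1 = username, $2 = mount table in /proc/mounts format (default: /proc/mounts)
virtfs_mounts() {
    awk -v base="/home/virtfs/$1" '
        $2 == base || index($2, base "/") == 1 { print $2 }
    ' "${2:-/proc/mounts}" | LC_ALL=C sort -r
}

# Succeed only when nothing is mounted under the user's VirtFS tree.
virtfs_is_clear() {
    [ -z "$(virtfs_mounts "$1" "${2:-/proc/mounts}")" ]
}

# Constructed sample in /proc/mounts format: alice has two bind mounts;
# alice2 and /backup/alice only share the substring "alice".
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /home/virtfs/alice/usr/bin ext4 ro,nosuid,relatime 0 0
/dev/sda1 /home/virtfs/alice/usr/lib ext4 ro,nosuid,relatime 0 0
/dev/sda1 /home/virtfs/alice2/usr/bin ext4 ro,nosuid,relatime 0 0
/dev/sdb1 /backup/alice ext4 rw,relatime 0 0
EOF
}

# Demo on the sample table (omit the second argument to read /proc/mounts).
table=$(mktemp)
sample_mounts > "$table"
for u in alice alice2 bob; do
    if virtfs_is_clear "$u" "$table"; then
        echo "$u: no VirtFS mounts"
    else
        echo "$u: still mounted:"
        virtfs_mounts "$u" "$table" | sed 's/^/  /'
    fi
done
rm -f "$table"
```

On the sample table, a plain grep for alice returns four lines, while the helper returns only the two mounts that belong to alice.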

Conclusion


VirtFS provides a secure and isolated shell environment for SSH users in cPanel & WHM. Understanding how it works, how to enable or disable it, and how to clean up mount points ensures better server security and stability.


Written & researched by Dr. Shahin Siami