Getting started with CloudLinux OS Shared
Tenant isolation with CageFS
Here we present one of the most important features of CloudLinux OS: CageFS.
CageFS is a virtualized file system and a set of tools that lock each user in its own ‘cage’. Each customer gets its own fully functional file system, with all the system files, tools, etc.
Many people try to secure hosting with the php.ini file. This gives some results, yet php.ini restrictions are often easy to circumvent, and they do not work at all for CGI scripts. That is why we decided to develop a more effective tool for increasing security on the server and created CageFS.
CageFS has many benefits, such as:
- only safe binaries are available to the user
- the user will not see any other users and will have no way to detect the presence of other users or their usernames on the server
- the user will not be able to see server configuration files, such as Apache config files
- the user will have a limited view of the /proc filesystem and will not be able to see other users’ processes
- at the same time, the user’s environment will be fully functional and the user will not feel restricted in any way; no adjustments to user scripts are needed.
The installation is simple enough; just execute:
yum install cagefs
Now, initialize CageFS with the command:
cagefsctl --init
And enable it globally for all users:
cagefsctl --enable-all
Today it is trivial for attackers to use hacked web applications to deploy a PHP shell. Running any simple PHP shell script as a user without CageFS, you will notice that it can see all users in /etc/passwd and can read the full Apache config file, so it can determine the domains hosted on the same server as well as their home path locations. However, as soon as the user is added to CageFS, he will see only the system users and himself in /etc/passwd, and he cannot read the Apache configs either.
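The same comparison can be made without a PHP shell. The script below is an added example, not part of CloudLinux or CageFS: run it as a tenant user (for example via su -s /bin/bash username) before and after enabling the cage and compare the three numbers it reports. The Apache config paths and the assumption that customer accounts have UIDs of 1000 or more are assumptions; adjust them to your system.

```bash
#!/bin/sh
# Added example: a read-only report of what a tenant account can see.
# Run it as the tenant user, once without CageFS and once inside the cage.

# Count accounts in a passwd file that look like hosting customers
# (assumption: customers have UID >= 1000; nobody/nfsnobody are excluded).
# Inside CageFS this should be 1: the tenant itself.
count_tenant_accounts() {
    passwd_file="${1:-/etc/passwd}"
    awk -F: '$3 >= 1000 && $1 != "nobody" && $1 != "nfsnobody" { n++ }
             END { print n + 0 }' "$passwd_file"
}

# Report whether the current user can read a file (a missing file also
# counts as not readable, which is what a caged user sees for Apache configs).
config_readable() {
    if [ -f "$1" ] && [ -r "$1" ]; then
        echo "readable:     $1"
    else
        echo "not readable: $1"
    fi
}

# Count /proc entries owned by a different UID than the current user.
# Inside CageFS the limited /proc view hides other users' processes,
# so this should be 0.
count_foreign_processes() {
    me=$(id -u)
    n=0
    for p in /proc/[0-9]*; do
        owner=$(stat -c %u "$p" 2>/dev/null) || continue
        [ "$owner" != "$me" ] && n=$((n + 1))
    done
    echo "$n"
}

isolation_report() {
    echo "visible tenant accounts: $(count_tenant_accounts /etc/passwd)"
    # Assumed Apache config locations for RHEL-like and Debian-like systems.
    for f in /etc/httpd/conf/httpd.conf /etc/apache2/apache2.conf; do
        config_readable "$f"
    done
    echo "processes owned by other users: $(count_foreign_processes)"
}

# Only produce the report when invoked as: sh isolation_check.sh --report
case "${1:-}" in --report) isolation_report ;; esac
```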
Some software has to run outside of CageFS to do its job. This includes programs such as passwd, sendmail, etc. CloudLinux uses proxyexec technology to accomplish this. You can define any program to run outside CageFS by specifying it in the /etc/cagefs/custom.proxy.commands file.
For more in-depth information on CageFS, visit this page.