What is CageFS?


CageFS is developed by CloudLinux OS, which is used exclusively on shared, reseller, VPS and dedicated servers. The main purpose of CageFS is to secure the accounts and the servers. A properly secured environment is essential for everyone in hosting: the server, the hosting accounts and even a WordPress blog all need protection from hackers. According to CloudLinux, CageFS is a virtualized file system with a set of tools to contain each user in its own cage. The user keeps full functionality inside CageFS and is not restricted in any way. The user does not need to make any adjustments to use CageFS, as all scripts keep working.

Benefits of CageFS:

  • Only safe binaries are available to the user.
  • The user cannot access resources that are not allocated to that user.
  • The user cannot detect the presence of other users or see their details.
  • Users cannot see server configuration files such as the Apache config files.
  • The user cannot view the processes of other users and has only a limited view of the process list.

Scripts are executed inside CageFS when they run through:

  • Apache (suexec, suPHP, mod_fcgid, mod_fastcgi)
  • LiteSpeed Web Server
  • Cron Jobs
  • SSH
  • Any other Pluggable Authentication Modules (PAM) enabled service.

Installation of CageFS:

Minimum Requirements:
Kernel:
  • CL5 with lve0.8.54
  • CL6 with lve1.2.17.1
  • Or CL7.

Disk Space: 7GB Minimum.

Depending on the user:
  • 5GB to 20GB in the /usr/share directory -> to store the safe skeleton of a filesystem.
  • 8MB per user in the /var directory -> to store the custom /etc directory.

Procedure to Install CageFS:

To install CageFS, use the commands

$ yum install cagefs
$ /usr/sbin/cagefsctl --init

  • To create the skeleton directory, which might be around 7GB in size, use the command
    $ mkdir /home/cagefs-skeleton
  • If you don't have enough space in /usr/share, use the following command to place the skeleton in a different location.
    $ ln -s /home/cagefs-skeleton /usr/share/cagefs-skeleton
  • In cPanel, if you are placing the CageFS skeleton into the /home directory, you must configure the following option.
    cPanel WHM -> Home -> Server Configuration -> Basic cPanel/WHM setup -> Basic Config -> Additional home directory.

Without changing this option, cPanel will create new user accounts in incorrect places. CageFS automatically detects and configures all the necessary files in the majority of control panels, such as cPanel, Plesk, DirectAdmin, etc.
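The disk-space requirements and the choice of skeleton location described above can be checked before running the init step. The script below is an added example, not CloudLinux's code; the function names are hypothetical, the thresholds are the figures quoted in this article, and the user count is an argument the operator supplies.

```shell
#!/bin/sh
# Added example: space check to run before `cagefsctl --init`.
# Thresholds are the figures quoted in this article.
SKELETON_MIN_KB=$((7 * 1024 * 1024))  # 7GB minimum for the skeleton
PER_USER_KB=$((8 * 1024))             # 8MB per user under /var

# free_kb DIR: available KB on the filesystem holding DIR (0 if DIR is missing)
free_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4; found = 1 } END { if (!found) print 0 }'
}

# plan_skeleton USR_SHARE_FREE_KB HOME_FREE_KB
# Prints usr-share, home-symlink or none.
plan_skeleton() {
    if [ "$1" -ge "$SKELETON_MIN_KB" ]; then
        echo usr-share
    elif [ "$2" -ge "$SKELETON_MIN_KB" ]; then
        echo home-symlink
    else
        echo none
    fi
}

# var_ok VAR_FREE_KB USER_COUNT: succeeds if /var can hold every user's /etc copy
var_ok() {
    [ "$1" -ge $(( $2 * PER_USER_KB )) ]
}

# preflight USER_COUNT: checks the live filesystems; non-zero status means "do not install yet"
preflight() {
    case $(plan_skeleton "$(free_kb /usr/share)" "$(free_kb /home)") in
        usr-share)    echo "skeleton: /usr/share has room" ;;
        home-symlink) echo "skeleton: use /home/cagefs-skeleton with the symlink" ;;
        none)         echo "skeleton: no filesystem with 7GB free" >&2; return 1 ;;
    esac
    if ! var_ok "$(free_kb /var)" "$1"; then
        echo "/var: less than 8MB free per user" >&2
        return 1
    fi
    echo "/var: room for $1 users"
}

# Run only when a user count is passed, e.g. `sh preflight.sh 250`.
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```

A "home-symlink" result means the /home/cagefs-skeleton directory and symlink, plus the cPanel "Additional home directory" option, need to be in place.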

Procedure to Uninstall CageFS:

To uninstall CageFS, first disable it and remove all of its directories.

$ /usr/sbin/cagefsctl --remove-all

This command disables CageFS for all customers, unmounts it for all users, and removes the /usr/share/cagefs-skeleton and /var/cagefs directories. It does not remove the /etc/cagefs directory.

Remove CageFS RPM:

$ yum remove cagefs

Managing Users:

There are two modes in CageFS.
Mode 1: All users are added to CageFS automatically.
Mode 2: CageFS is enabled one by one for your customers.

To start using CageFS you have to select the mode of operation. The commands for the modes of operation are

$ /usr/sbin/cagefsctl --enable-all
$ /usr/sbin/cagefsctl --disable-all
$ /usr/sbin/cagefsctl --toggle-mode

To enable an individual user, use the command
$ /usr/sbin/cagefsctl --enable [username]

To disable an individual user, use the command
$ /usr/sbin/cagefsctl --disable [username]

To display the list of enabled users, use the command
$ /usr/sbin/cagefsctl --list-enabled

To display the list of disabled users, use the command
$ /usr/sbin/cagefsctl --list-disabled

To see the current mode of operation, use the command
$ /usr/sbin/cagefsctl --display-user-mode

Commands inside CageFS:

If a user has shell enabled, simply use the command
$ /bin/su - $USERNAME -c "_command_"

If a user has shell disabled, use the following command, which is executed without proxyexec:
$ /sbin/cagefs_enter_user $USERNAME "_command_"

Due to the nature of CageFS, some options will not work as before and will require a few changes.

PHP will load php.ini from /usr/selector/php.ini. This file is actually a link to the real php.ini file from your system, so the same php.ini is loaded in the end.

Update CageFS after you modify php.ini, or when you want to get new/updated software inside CageFS, with this command:
$ cagefsctl --update

When CageFS is installed on cPanel, it changes jailshell to normal bash. All users that have jailshell enabled are updated, and their shell is changed to regular /bin/bash in /etc/passwd.
This is done to avoid a possible conflict with virtfs when a non-CageFS user enters virtfs. Jailshell mounts all the copies from cagefs-skeleton to /home/virtfs/$USER, and those mount points are duplicated for each user, which leads to slow system performance. With CageFS enabled, it is secure to provide bash.
