[security] add option to only allow caged users

  • [security] add option to only allow caged users

    We only allow caged users, so we set the default for users to be in a cage. Actually we have no use case for users not in the cage, as this would mean a security risk. We would like to have an option that, when turned on, disables users as soon as they would not be in a cage.

    Example: I run the command `cagefsctl --reinit`. As it is currently, for some time the users will be outside their cages, where they can learn valuable information that would normally not be possible. What I want in this situation is that at the time the cage is disabled, ssh, PHP etc. of the users will be disabled, so no information can leak.

    While the example `cagefsctl --reinit` might not be the best example, because this is something you don't normally do, and since if you want to do it you can disable other services before, actually our real use case is more important: We have seen some cases where users who were supposed to be in the cage were actually not! Not all of these cases are fixed, so it can still happen today. This means you cannot fully trust CageFS for security. I won't post these issues here (for obvious reasons), but I have reported them to CloudLinux support.

    With my suggested change, instead of opening a security hole, a user would cease to function in the rare event that for some reason the cage is not working.