Cage Configserver CXS quarantine?
  • Cage Configserver CXS quarantine?

    Hello,

    Configserver CXS requires that a directory be put in chmod 1777 for its quarantine; however, this means that all users on the server can read its contents.

    You have to specify the path of this quarantine; by default they suggest /home/safe.

    CXS creates the following folders when it quarantines a file:

    /home/safe/scan/[username]/

    The [username] file is only created when CXS finds a file to quarantine. Users that don't have a quarantined file don't have a folder.

    Is there a way to add /home/safe/scan/[username]/ to CageFS and restrict each user to his own quarantine (and not allow him to see other folders in /home/safe/scan/)?

  • #2
    In the documentation I see:



    Would simply adding:

    Code:
    ^/home/safe/scan/
    to /etc/cagefs/cagefs.base.home.dirs

    do what I'm looking for?

    Does it matter if /home/safe/scan/{USERNAME} doesn't exist?

    Thanks



    • #3
      Hi!

      You cannot copy or mount anything inside the "base" home directory except the home directory of the user.
      The base home directory of users is /home (in your case).
      So, the /home directory in CageFS can contain only the home directory of the user but nothing else.

      cagefs.base.home.dirs will not solve the problem.

      You should configure CXS to use a directory that is outside of /home (for example /cxs/scan).

      Then, add this line to the /etc/cagefs/cagefs.mp file:
      @/cxs/scan,1777

      And then, in order to remount CageFS, execute:
      cagefsctl --remount-all

      After that, every user in CageFS will have his own /cxs/scan directory.
      These directories are created when a user enters CageFS for the first time (after the remount of CageFS).
      So, you can force creation of that directory for user "username" by executing:
      su -s /bin/bash -c "echo" username

      These directories are actually located here (in the real system):
      /home/user/.cagefs/cxs/scan

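The procedure from post #3 as a script, added here as an example that is not part of the thread or of any CloudLinux or CXS tooling. The paths and the two commands are the ones quoted in post #3; the function names and the MP_FILE, SCAN_DIR and HOME_BASE overrides are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Paths and commands are those in post #3;
# function names and the overridable variables below are hypothetical.
MP_FILE="${MP_FILE:-/etc/cagefs/cagefs.mp}"   # CageFS mount-point list
SCAN_DIR="${SCAN_DIR:-/cxs/scan}"             # quarantine path outside /home
HOME_BASE="${HOME_BASE:-/home}"               # base home directory

# Append "@<dir>,1777" to the mount-point file unless the exact line exists.
# Returns 0 when the line was added, 1 when it was already present.
ensure_mp_entry() {
    local entry="@${SCAN_DIR},1777"
    if grep -qxF -- "$entry" "$MP_FILE" 2>/dev/null; then return 1; fi
    printf '%s\n' "$entry" >> "$MP_FILE"
}

# Real (outside the cage) location of one user's private quarantine.
real_scan_path() {
    printf '%s/%s/.cagefs%s\n' "$HOME_BASE" "$1" "$SCAN_DIR"
}

# Report whether the per-user directory exists yet; it only appears after
# the user's first entry into CageFS following the remount.
check_user() {
    local user="$1" path
    path="$(real_scan_path "$user")"
    if [ -d "$path" ]; then echo "OK $user $path"; return 0; fi
    echo "MISSING $user $path"; return 1
}

# Whole procedure: add the entry once, remount, then force and verify
# creation of the directory for each user named on the command line.
apply_quarantine() {
    local user
    ensure_mp_entry || echo "entry already present in $MP_FILE"
    cagefsctl --remount-all
    for user in "$@"; do
        su -s /bin/bash -c "echo" "$user" >/dev/null
        check_user "$user"
    done
}

# Nothing is changed unless the script is called with --apply user1 user2 ...
if [ "${1:-}" = "--apply" ]; then shift; apply_quarantine "$@"; fi
```

Run as root with `--apply` followed by the usernames to check; a MISSING line means that user has not entered CageFS since the remount.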