CageFS simple test - What am I missing?

    Confused about some differences I'm seeing between what's in a user's skeleton directory and what they actually see

  • #2
    Hi,

    This is probably a dumb question, but I have searched and wasn't able to find an answer so hopefully someone can point me in the right direction.
    I am trying to test how we can use CloudLinux with CageFS to secure a shared hosting server.
    Of particular interest is preventing a case where one user becomes compromised and is then used as an attack vector to infect other users' CMS on that server.

    CageFS has been installed and enabled for all users.
    If I look at /var/cagefs/00/user1/etc/passwd, I see what I would expect, a stripped down passwd file with all the usual system entries, but no entries for other users.

    However, if I run /bin/su - user1 -c "cat /etc/passwd" , I see the real full /etc/passwd of the system, with all user accounts in it.
    Should I not be presented with /var/cagefs/00/user1/etc/passwd when I try to look at /etc/passwd?

    I have done a /usr/sbin/cagefsctl -u --force-update to make sure things in the skeleton have been updated properly.

    I must be missing a simple step, or not understanding something very basic. Any thoughts?

    Thanks



    • #3
      pam_lve is not enabled for su, you can enable it in /etc/pam.d/su but probably you shouldn't



      • #4
        Igor, the documentation says that we should use this command to test how a command works, as the user:

        /bin/su - USERNAME -c "/PATH/COMMAND"

        I don't understand your answer about enabling pam_lve for su.

        In any event, @SystemsTeam, when I run the same command on my server, I get a different (and more expected) result:

        # /bin/su - someuser -c "cat /etc/fstab"
        cat: /etc/fstab: No such file or directory

        So, it would seem to indicate that you do not have something set up correctly.

        - Scott



        • #5
          Actually, your question is confusing... you are talking about the visibility of /etc/passwd, but your command is using /etc/fstab?

          When I run:

          # /bin/su - someuser -c "cat /etc/passwd"

          I am showing the correct passwd file at /var/cagefs/00/user1/etc/passwd, which contains the user's own username, plus various system accounts (gopher, ftp, games, etc.) but no other users are listed.

          - Scott



          • #6
            My apologies, there was a typo in my original comment. I meant to say (and have edited in):

            if I run /bin/su - user1 -c "cat /etc/passwd" , I see the real full /etc/passwd of the system, with all user accounts in it.
            Should I not be presented with /var/cagefs/00/user1/etc/passwd when I try to look at /etc/passwd?

            > pam_lve is not enabled for su, you can enable it in /etc/pam.d/su but probably you shouldn't

            OK. I don't think I need to, I'm just trying to confirm the filesystem isolation is working.

            Only problem... If I actually SSH to the server as user1... and again as a test, cat /etc/passwd. I am presented with the full /etc/passwd of the system, as opposed to seeing the contents of /var/cagefs/00/user1/etc/passwd as I would expect.

            I know something is probably misconfigured, but I'm trying to figure out what that might be.

            Comment
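
The check discussed in this thread, as an added example that is not part of any post here nor CloudLinux tooling: save what the account sees for /etc/passwd (for instance the output of the su command quoted above) to a file, then test whether it lists any other regular account. The function names, the UID_MIN threshold of 1000 for regular accounts and the exclusion of UID 65534 (nobody) are assumptions; adjust them to the host.

```shell
#!/bin/sh
# Added example: decide whether a captured passwd listing looks like a
# caged (stripped-down) view or the host's full /etc/passwd.
# Assumption: regular hosting accounts have UID >= UID_MIN (default 1000).

# leaked_accounts VIEW_FILE OWNER
# Prints every login name in VIEW_FILE that is a regular account other
# than OWNER. System accounts (low UIDs) are expected in a caged view.
leaked_accounts() {
    awk -F: -v owner="$2" -v min="${UID_MIN:-1000}" '
        /^#/ || NF < 7 { next }          # skip comments, blank or malformed lines
        $3 == 65534    { next }          # assumed "nobody" account, not a tenant
        $3 + 0 >= min && $1 != owner { print $1 }
    ' "$1"
}

# view_is_caged VIEW_FILE OWNER
# Returns 0 when no other regular account is visible, 1 otherwise.
view_is_caged() {
    [ -z "$(leaked_accounts "$1" "$2")" ]
}

# Stand-alone use: sh check_view.sh /tmp/passwd_seen_by_user1 user1
if [ "$#" -eq 2 ]; then
    if view_is_caged "$1" "$2"; then
        echo "OK: only $2 and system accounts are visible"
    else
        echo "NOT CAGED: other accounts visible to $2:"
        leaked_accounts "$1" "$2"
    fi
fi
```

A "NOT CAGED" result for a listing captured over SSH matches the symptom described in the last post: the session is reading the host's file rather than the one under /var/cagefs.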