cagefs vs php-fpm chroot

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • bogdan.sh
    replied
    Yes, exactly.

      Leave a comment:

    • zyrotnet
      replied
      Hi, sorry to be this way, you are showing me commands bash for CageFS ssh, just to confirm, this two features are also enabled CageFS php ?
      • Mounting a separate instance of the file system for each user.
      • Providing a limited view of the /proc file system, so users cannot see other users' processes.
      So no matter what service process is (php, ssh, cron, etc) CageFS will always have this two features, is that correct ?​

        Leave a comment:

      • bogdan.sh
        replied
        It's not just mounts, but CageFS uses a combination of Linux namespaces and file system virtualization.

        Each user is completely isolated from others. They cannot see or access each other's files, processes, or even the existence of other users. This is achieved by:
        • Mounting a separate instance of the file system for each user.
        • Providing a limited view of the /proc file system, so users cannot see other users' processes.

        ​Caged user will see only oen pids in /proc/ . Here is the live test from lab server.

        Under root user:
        Code:
        # cat /etc/passwd | wc -l
64
​
# ls -la /proc/ | wc -l
285
​
[root@CL9cPanel ~]# ls -la /proc/ | head
total 4
dr-xr-xr-x 282 root root 0 Jan 10 14:15 .
dr-xr-xr-x. 22 root root 4096 Jan 15 16:50 ..
dr-xr-xr-x 9 root root 0 Jan 10 14:15 1
dr-xr-xr-x 9 root root 0 Jan 15 02:54 10
dr-xr-xr-x 9 root root 0 Jan 15 02:54 11
dr-xr-xr-x 9 root root 0 Jan 15 02:54 12
dr-xr-xr-x 9 polkitd polkitd 0 Jan 14 02:54 1233
dr-xr-xr-x 9 root root 0 Jan 14 02:54 1255
dr-xr-xr-x 9 root root 0 Jan 15 02:54 13​

        And under regular cagefs user named 'az':
        Code:
        $ cat /etc/passwd | wc -l
25
​
$ ls -la /proc/ | wc -l
66
​
$ ls -la /proc/ | head
total 4
dr-xr-xr-x 282 root root 0 Jan 10 14:15 .
drwxr-xr-x 14 root root 4096 Aug 6 14:41 ..
dr-xr-xr-x 9 az az 0 Jan 15 16:58 983249
dr-xr-xr-x 9 az az 0 Jan 15 17:04 984042
dr-xr-xr-x 9 az az 0 Jan 15 17:04 984043
dr-xr-xr-x 3 root root 0 Jan 15 15:38 acpi
-r--r--r-- 1 root root 0 Jan 15 15:38 bootconfig
-r--r--r-- 1 root root 0 Jan 15 15:38 buddyinfo
dr-xr-xr-x 4 root root 0 Jan 15 15:38 bus


          Leave a comment:

        • zyrotnet
          replied
          Thank you for your quick input, When I say CageFS php I refer to CageFS program tied to php process, when this happened CageFS enabled linux namespace mnt (mount points, filesystems) is this correct ?, if that is true so my question is again:

          Users will have a limited view of /proc file system, and will not be able to see other users' processes,
          does have this linux namespace pid (processes) enabled in CageFS php ?

            Leave a comment:

          • bogdan.sh
            replied
            Not sure if I got your questions, but CageFS does not rely on PHP or other processes at all. It's is a full filesystem replacement (cage) for the user and processes launched under it.

            The network is not tied to CageFS in any way. It does not extend its functionality to include the management of these other namespaces. Each of these namespaces serves different purposes in Linux, such as isolating network resources or user IDs, but they are not inherently part of CageFS's functionality.

            User in CageFS will see own uid and hostname. But for him it will look like he is a single user on a server.

              Leave a comment:

            • zyrotnet
              replied
              Thanks, according to https://cloudlinux.zendesk.com/hc/en...What-is-CageFS
              Users will have a limited view of /proc file system, and will not be able to see other users' processes,
              1 does have this feature on php ?
              2 does php CageFS enabled anothers linux namespaces like:

              ? net (network stack)
              ? ipc (System V IPC)
              ? uts (hostname)
              ? user (UIDs)​

                Leave a comment:

              • bogdan.sh
                replied
                Hi,

                From what I know PHP-FPM can really isolate PHP processes from the res of the system to access files within a specified directory tree (Process isolation, but not user isolation). However, the big pain could be in setting it and maintaining for the dependent shared objects to keep them up to date after each system update. Another big case could be that any file paths in PHP scripts must be relative to this directory (it's chroot, meaning / become redefined). Unfortunately cannot provide more technical details on it as we are not familiar with such setups.


                With CageFS you are getting the 'safe filesystem' out of the box where users have fully functional environment with all the needed files and libraries.

                  Leave a comment:

                • zyrotnet
                  started a topic cagefs vs php-fpm chroot

                  cagefs vs php-fpm chroot

                  Hi, what is the difference between php-fpm chroot VS cagefs (just web php), I not looking ssh, cron, etc
                  can you give me technical details about the difference ?
                  Tags: None
                  Previous template Next
                  Working...

                  We process personal data about users of our site, through the use of cookies and other technologies, to deliver our services, personalize advertising, and to analyze site activity. We may share certain information about our users with our advertising and analytics partners. For additional details, refer to our Privacy Policy.

                  By clicking "I AGREE" below, you agree to our Privacy Policy and our personal data processing and cookie practices as described therein. You also acknowledge that this forum may be hosted outside your country and you consent to the collection, storage, and processing of your data in the country where this forum is hosted.

                  I Agree