cagefs vs php-fpm chroot
-
Hi, sorry to be this way, you are showing me bash commands for CageFS ssh; just to confirm, are these two features also enabled for CageFS php?
- Mounting a separate instance of the file system for each user.
- Providing a limited view of the /proc file system, so users cannot see other users' processes.
-
It's not just mounts, but CageFS uses a combination of Linux namespaces and file system virtualization.
Each user is completely isolated from others. They cannot see or access each other's files, processes, or even the existence of other users. This is achieved by:
- Mounting a separate instance of the file system for each user.
- Providing a limited view of the /proc file system, so users cannot see other users' processes.
Caged user will see only own pids in /proc/. Here is the live test from lab server.
Under root user:
Code:
# cat /etc/passwd | wc -l
64
# ls -la /proc/ | wc -l
285
[root@CL9cPanel ~]# ls -la /proc/ | head
total 4
dr-xr-xr-x 282 root root 0 Jan 10 14:15 .
dr-xr-xr-x. 22 root root 4096 Jan 15 16:50 ..
dr-xr-xr-x 9 root root 0 Jan 10 14:15 1
dr-xr-xr-x 9 root root 0 Jan 15 02:54 10
dr-xr-xr-x 9 root root 0 Jan 15 02:54 11
dr-xr-xr-x 9 root root 0 Jan 15 02:54 12
dr-xr-xr-x 9 polkitd polkitd 0 Jan 14 02:54 1233
dr-xr-xr-x 9 root root 0 Jan 14 02:54 1255
dr-xr-xr-x 9 root root 0 Jan 15 02:54 13
And under regular cagefs user named 'az':
Code:
$ cat /etc/passwd | wc -l
25
$ ls -la /proc/ | wc -l
66
$ ls -la /proc/ | head
total 4
dr-xr-xr-x 282 root root 0 Jan 10 14:15 .
drwxr-xr-x 14 root root 4096 Aug 6 14:41 ..
dr-xr-xr-x 9 az az 0 Jan 15 16:58 983249
dr-xr-xr-x 9 az az 0 Jan 15 17:04 984042
dr-xr-xr-x 9 az az 0 Jan 15 17:04 984043
dr-xr-xr-x 3 root root 0 Jan 15 15:38 acpi
-r--r--r-- 1 root root 0 Jan 15 15:38 bootconfig
-r--r--r-- 1 root root 0 Jan 15 15:38 buddyinfo
dr-xr-xr-x 4 root root 0 Jan 15 15:38 bus
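An added check that is not from the thread or from CloudLinux's own tooling: it turns the live test above into a script. It parses `ls -la /proc` output in the shape quoted above (the sample listings are constructed from the thread's output) and, when run inside a user's session, scans the real /proc to report pids owned by other users, which a properly caged user should never see.

```python
import os
import pwd

# Constructed sample: the two `ls -la /proc | head` listings from the thread,
# trimmed to a few rows (root's view and the caged user 'az' view).
ROOT_VIEW = """\
dr-xr-xr-x 9 root root 0 Jan 10 14:15 1
dr-xr-xr-x 9 root root 0 Jan 15 02:54 10
dr-xr-xr-x 9 polkitd polkitd 0 Jan 14 02:54 1233
dr-xr-xr-x 9 root root 0 Jan 14 02:54 1255
dr-xr-xr-x 3 root root 0 Jan 15 15:38 acpi
"""
CAGED_VIEW = """\
dr-xr-xr-x 9 az az 0 Jan 15 16:58 983249
dr-xr-xr-x 9 az az 0 Jan 15 17:04 984042
-r--r--r-- 1 root root 0 Jan 15 15:38 bootconfig
"""

def parse_proc_listing(listing):
    """Map each pid directory in an `ls -la /proc` listing to its owner name."""
    owners = {}
    for line in listing.splitlines():
        parts = line.split()
        # `ls -l` rows have 9 fields; only purely numeric names are pid entries
        if len(parts) >= 9 and parts[-1].isdigit():
            owners[parts[-1]] = parts[2]
    return owners

def foreign_pids(owners, user):
    """Pids visible in /proc that belong to someone other than `user`."""
    return sorted((p for p, o in owners.items() if o != user), key=int)

def scan_live_proc(proc="/proc"):
    """Build the same pid->owner map from the real /proc of the calling session."""
    owners = {}
    if not os.path.isdir(proc):
        return owners  # not a Linux procfs host; nothing to inspect
    for entry in os.scandir(proc):
        if not entry.name.isdigit():
            continue
        try:
            uid = entry.stat(follow_symlinks=False).st_uid
        except (FileNotFoundError, PermissionError):
            continue  # process exited between listing and stat
        try:
            owners[entry.name] = pwd.getpwuid(uid).pw_name
        except KeyError:
            owners[entry.name] = str(uid)  # uid not resolvable inside the cage
    return owners

if __name__ == "__main__":
    me = pwd.getpwuid(os.getuid()).pw_name
    print(me, "sees foreign pids:", foreign_pids(scan_live_proc(), me))
```

Run it once as root and once as a caged user: root's view lists other owners (polkitd in the thread's output), while the caged user's list should be empty.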
-
Thank you for your quick input. When I say CageFS php I refer to the CageFS program tied to the php process; when this happens, CageFS enables the linux namespace mnt (mount points, filesystems), is this correct? If that is true, my question is again:
Users will have a limited view of /proc file system, and will not be able to see other users' processes,
is the linux namespace pid (processes) enabled in CageFS php?
-
Not sure if I got your questions, but CageFS does not rely on PHP or other processes at all. It is a full filesystem replacement (cage) for the user and processes launched under it.
The network is not tied to CageFS in any way. It does not extend its functionality to include the management of these other namespaces. Each of these namespaces serves different purposes in Linux, such as isolating network resources or user IDs, but they are not inherently part of CageFS's functionality.
User in CageFS will see own uid and hostname. But for him it will look like he is a single user on a server.
-
Thanks, according to https://cloudlinux.zendesk.com/hc/en...What-is-CageFS
Users will have a limited view of /proc file system, and will not be able to see other users' processes,
1. Does php have this feature?
2. Does php CageFS enable other linux namespaces like:
- net (network stack)
- ipc (System V IPC)
- uts (hostname)
- user (UIDs)
-
Hi,
From what I know PHP-FPM can really isolate PHP processes from the rest of the system to access files within a specified directory tree (process isolation, but not user isolation). However, the big pain could be in setting it up and maintaining the dependent shared objects to keep them up to date after each system update. Another big case could be that any file paths in PHP scripts must be relative to this directory (it's chroot, meaning / becomes redefined). Unfortunately we cannot provide more technical details on it as we are not familiar with such setups.
With CageFS you are getting the 'safe filesystem' out of the box where users have fully functional environment with all the needed files and libraries.
-
Hi, what is the difference between php-fpm chroot vs cagefs (just web php)? I am not looking at ssh, cron, etc.
Can you give me technical details about the difference?