ZOOM Hosting announced today that it is rolling out CageFS in all its shared hosting servers. CageFS is a CloudLinux feature mainly responsible for tenant isolation.


One of the most serious issues facing web hosting companies and shared hosting account owners is security. We already know that protecting a server from attacks is a tough job for server administrators. What makes the job even tougher is that in a shared hosting environment, account owners are free to administer their own websites, set directory permissions and install scripts, and the only time they ever do a security audit, if they do one at all, is when they first set the site up.

While some may think that the shared accounts on a server are isolated from one another, the truth is that a lot of servers around the world are not protected. Once an attacker manages to compromise one of the accounts hosted on a shared server, he can use one exploit or a combination of them, such as symlink attacks, to jump from one account's directory to another. If the server is not protected from symlink attacks, securing your precious CMS installation is pointless, because there is a backdoor into it through other users' accounts.

CageFS, in a nutshell, is a secured virtualized file system with its own set of libraries that lets the system contain each user in its own "cage". In a CageFS environment, accounts are treated as isolated from one another: each account has its own system files and configuration. Before CageFS, users were able to list other usernames on the server, view other users' processes and access system files.


Some advantages of CageFS are:

  • A user has no means of detecting other users on the server, nor will they be able to access files and directories owned by other users
  • Critical binaries are hidden and only safe binaries are accessible to the user
  • Users cannot view other users' processes and have only limited access to the /proc file system

The beauty of CageFS is that all scripts are left untouched and remain fully functional. Users do not have to configure anything and are not restricted in any way, except that they can no longer access critical system binaries.


According to the CloudLinux documentation, CageFS will cage any script execution done via:

  • LiteSpeed Web Server
  • Apache Web Server
  • SSH
  • and other PAM-enabled services.

However, mod_php is not supported as of this writing, and MPM ITK requires a patch.


Below are the major differences between a server running CloudLinux with CageFS enabled and a traditional stand-alone server running CentOS.

  • Temporary Files – Without CageFS, temporary files are written to the system's /tmp directory. The problem is that all users share this one directory, so if a poorly coded script in another user's account dumps junk temp files there and the directory fills up, it can affect the performance of the whole server. With CageFS, each user has their own /tmp directory inside their home path, which improves both security and performance.
  • Tenant Isolation – CageFS isolates each user. On other Linux variants, and even on CloudLinux without CageFS, users logged in via SSH can view the processes run by other users and see what is happening on the server. Gone are those days. With CageFS you are one lonely cowboy: you cannot list other users' logins and cannot see the processes running on the server.
  • Command Access – CageFS limits the commands users can execute to the essential ones. You will not be able to access commands that you do not need and that could compromise the server and other users' privacy.

For those managing their own dedicated server, CageFS is very easy to install.

Here are the system requirements:

Kernel: You must be running CloudLinux 5.x with lve 0.8.54 or later, or CloudLinux 6.x with lve or later, and you must have at least 7GB of free space.

To install, log in as root and execute these commands:

$ yum install cagefs
$ /usr/sbin/cagefsctl --init

The command /usr/sbin/cagefsctl --init creates the skeleton directory needed by CageFS under /usr/share. If you do not have enough disk space there, or for some other reason want the skeleton in another directory, create the directory where you want the skeleton to live (if it does not exist yet) and then create a symbolic link to it from /usr/share/cagefs-skeleton:

$ mkdir /home/cagefs-skeleton
$ ln -s /home/cagefs-skeleton /usr/share/cagefs-skeleton
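The steps above (check free space, install, relocate the skeleton, initialise) put together as a small POSIX shell script. This is an added example, not CloudLinux's or ZOOM Hosting's code. It assumes yum and /usr/sbin/cagefsctl as on the page, takes the 7GB minimum from the requirements above, and creates the symlink before running --init so the skeleton is built in the relocated directory; it also refuses to replace an existing real /usr/share/cagefs-skeleton directory rather than silently hiding a skeleton that has already been initialised. The helper names and the CAGEFS_SETUP_APPLY switch are my own.

```shell
#!/bin/sh
# Added example (not CloudLinux's code): relocate the CageFS skeleton to a
# partition with enough free space, then run `cagefsctl --init`.
# Assumptions: cagefs installs via yum, cagefsctl is /usr/sbin/cagefsctl,
# and 7GB is the minimum free space stated in the requirements.

MIN_FREE_GB=7

# Print the available space (in KB) on the filesystem that holds $1.
# The directory may not exist yet, so walk up to the nearest existing parent.
free_kb() {
    p=$1
    while [ ! -d "$p" ]; do
        p=$(dirname "$p")
    done
    df -Pk "$p" | awk 'NR == 2 { print $4 }'
}

# Succeed only if the filesystem holding $1 has at least $2 GB available.
check_free_space() {
    need_kb=$(( $2 * 1024 * 1024 ))
    have_kb=$(free_kb "$1")
    [ "$have_kb" -ge "$need_kb" ]
}

# Create the real skeleton directory $1 and point $2 (normally
# /usr/share/cagefs-skeleton) at it. Refuse to clobber an existing
# non-symlink path at $2: that would hide an already initialised skeleton.
link_skeleton() {
    target=$1
    link=$2
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "refusing to replace existing directory $link" >&2
        return 1
    fi
    mkdir -p "$target" "$(dirname "$link")"
    # Not group/world writable: users must not be able to plant files that
    # every cage then picks up from the skeleton.
    chmod 755 "$target"
    ln -sfn "$target" "$link"
}

# Where the skeleton link currently points (used for verification).
link_points_to() {
    readlink "$1"
}

main() {
    skel_dir=${1:-/home/cagefs-skeleton}
    link_path=/usr/share/cagefs-skeleton

    check_free_space "$skel_dir" "$MIN_FREE_GB" || {
        echo "need at least ${MIN_FREE_GB}GB free on the filesystem holding $skel_dir" >&2
        exit 1
    }
    yum -y install cagefs
    link_skeleton "$skel_dir" "$link_path"
    /usr/sbin/cagefsctl --init
}

# Nothing runs by default; set CAGEFS_SETUP_APPLY=1 (as root) to apply.
if [ "${CAGEFS_SETUP_APPLY:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as `CAGEFS_SETUP_APPLY=1 sh cagefs-skeleton-setup.sh /home/cagefs-skeleton`; without the variable the functions are only defined, which makes it safe to source and test on a non-CloudLinux box.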

For cPanel servers, if you intend to create the skeleton inside the /home directory, you must configure the following:

WHM > Server Configuration > Basic cPanel/WHM Setup > Basic Config > Additional home directories

Change the value to blank (the default is "home").

Not changing this option will cause cPanel to create new accounts in incorrect directories.

CageFS has an automatic configuration and detection script for cPanel, DirectAdmin, Plesk, ISPManager, Interworx, PostgreSQL and LiteSpeed.

A web interface to manage CageFS is available for cPanel, Plesk 10+, DirectAdmin, ISPmanager & Interworx. For other control panels, the command line tool must be used.

For cPanel users, once the template is initialized you can start enabling users in WHM under WHM > Plugins > CageFS. By default CageFS is disabled for all users.

PHP Selector

Another advantage of CageFS is that it allows users to run different versions of PHP. Before this feature, the dilemma for shared hosting companies was that when they upgraded their servers to a new version of PHP, they would be bombarded with support tickets the next day from clients whose scripts had stopped working because the code they were using relied on features from the old version of PHP that had since been deprecated. This issue is addressed by PHP Selector.

Once enabled, an account owner may change the PHP version used for his account at any time through cPanel.

To install PHP Selector you need CageFS and LVE Manager; both are CloudLinux features with WHM plugins.

It is recommended that you update cagefs and lvemanager to versions with support for PHP Alternatives, to make sure you have the needed libraries:

$ yum update cagefs lvemanager

Next, enable "Select PHP version" in WHM > Feature Manager by editing the package where you want to enable PHP Selector. Once done, PHP Selector will appear in the accounts' cPanel.

WARNING: Be careful not to use settings like SuPHP_ConfigPath, PHPRC or PHP_INI_SCAN_DIR. Do not redefine the path to php.ini or the ini files for PHP modules.
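A small audit helper for the warning above, added here as an example rather than taken from CloudLinux or cPanel: it scans Apache-style configuration and .htaccess files for the three php.ini overrides named on the page (SuPHP_ConfigPath, PHPRC and PHP_INI_SCAN_DIR, as a bare directive or via SetEnv), ignoring commented-out lines, so an administrator can find settings that would fight PHP Selector before enabling it. The file name patterns and function names are assumptions of mine; the directive names come from the page.

```shell
#!/bin/sh
# Added example (not CloudLinux's or cPanel's code): find php.ini overrides
# that the PHP Selector documentation warns against.
# Assumption: overrides live in *.conf files or .htaccess files under the
# directories given as arguments (e.g. /etc/httpd, /home).

# Match an uncommented line that sets one of the three directives, either as
# an Apache/suPHP directive or through `SetEnv`. Case-insensitive via grep -i.
OVERRIDE_RE='^[[:space:]]*(SetEnv[[:space:]]+)?(suPHP_ConfigPath|PHPRC|PHP_INI_SCAN_DIR)([[:space:]]|$)'

# Print every offending line as file:lineno:text for the directories in $@.
# find with -exec ... + returns non-zero when grep finds nothing, which is not
# an error here, hence the trailing `|| true`.
find_php_ini_overrides() {
    find "$@" \( -name '*.conf' -o -name '.htaccess' \) -type f \
        -exec grep -HinE "$OVERRIDE_RE" {} + 2>/dev/null || true
}

# Number of offending lines; 0 means the tree is clean.
count_php_ini_overrides() {
    find_php_ini_overrides "$@" | wc -l | tr -d ' '
}

# Non-zero exit if anything was found, so the check can gate a deployment step.
check_php_ini_overrides() {
    n=$(count_php_ini_overrides "$@")
    if [ "$n" -gt 0 ]; then
        echo "found $n php.ini override(s); remove them before enabling PHP Selector" >&2
        return 1
    fi
    return 0
}

# Usage when run directly, e.g.:  sh audit-php-ini.sh /etc/httpd /home
if [ "$#" -gt 0 ]; then
    find_php_ini_overrides "$@"
    check_php_ini_overrides "$@"
fi
```

Commented lines are skipped because the pattern is anchored at the start of the line, so `# SetEnv PHPRC ...` does not count; a directive set on the same line after other text is deliberately not matched, which is the one false-negative shape to keep in mind.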

Saturday, January 18, 2014
