SecureLVE
- SecureLVE is available in production for RPM based control panels
- For Plesk 9.5 you have to use our suexec script (and not the one from Plesk). We are working with Parallels to resolve it.
- We are actively working on SecureLVE beta for cPanel, and plan to start beta testing on Apr 15st
SecureLVE works across shell, CGI and cronjobs. That makes sure that any end user executable code is properly virtualized.
This should prevent user from seeing other users on the server, as well as seeing their files.
Installation
To install SecureLVE, run:
# yum install securelve # securelve_init
* securelve_init can take a long time to run, and will stress out filesystem. Run it at off-peak time
That will install securelve package, as well as create skeleton directory with all the files that will be visible to end user. This are the files like perl, php, etc...
To complete the installation, update httpd & cronjob servers:
# yum update httpd cronjob
* This might vary from control panel to control panel
Working with SecureLVE
To add user to SecureLVE type:
# securelve_user <username>
To remove user from SecureLVE type:
# securelve_user -u <username>
securelve_user options
-s | --shell= shell : set shell inside jail (/bin/sh default)
-u | --unjail : unjail user
-w | --unmount : unmount user
-c | --change : used with -s, updates shell for end user
Maintaining latest files in SecureLVE skeleton
SecureLVE uses provides limited set of files available to end users. To update those files after you made some updates to the system, run:
# securelve_update
If the changes were major or you added new software, re-run:
# securelve_init
You can create your own config file and specify additional software you want installed there. Use --configfile parameter to use that file for initialization:
# securelve_init --configfile=/etc/container/securelve.my.cfg
How it works
When you run securelve_init, SecureLVE creates
/usr/share/securelve-skeleton with a copy of system files, based on /etc/container/securelve.cfg
That skeleton would have skeleton of /etc directory, /dev directory, as well as common binary and library files.
When you do securelve_user <username>, the shell for that user in /etc/passwd is changed to /usr/sbin/securelve_sh
Also, directory /var/securelve/<username> is created with
/etc directory based on skeleton directory, but with customized passwd & group files
Stubs for all other directories in skeleton, for proc directory and for user's home directory.
The exact folders of what user will see inside securelve is defined in /etc/container/securelve.mp
* !!!Important: Be very careful before you try to remove /var/securelve/<username> directory. This directory can contain mount points to other parts of the system, and running something like rm -rf /var/securelve/<username> can remove system files from the main system. Before trying to remove that directory, make sure you run: securelve_user -u <username>. Then wait for some time until all the mount points are unmounted. Double check that there is no files in var, bin, lib folders of /var/securelve/<username>
Once user logs in, or if CronJob or CGI/PHP for that user is executed, SecureLVE detects that the user should be secured, and mounts (if they weren't mounted yet) all necessary directories (based on /etc/container/securelve.mp) into /var/securelve/<username>
After that user is chrooted into /var/securelve/<username>
User will see virtualized /proc filesystem, as well as all other directories, and the list of software available to user will be somewhat limited (no /sbin binaries, no suexec files). The list of devices will be limited, and there will be no other users in that virtualized filesystem.