CageFS simple test - What am I missing?
Uri Nimat
Wednesday, 21 October 2015
Confused about some differences I'm seeing between what's in a user's skeleton directory and what they actually see
#1  21.10.2015 20:10:47  Uri Nimat (Posts: 2, Joined: 21.10.2015)  0 Votes
Hi,

This is probably a dumb question, but I have searched and wasn't able to find an answer so hopefully someone can point me in the right direction.
I am trying to test how we can use cloudlinux with Cagefs to secure a shared hosting server.
Of particular interest is preventing a case where one user becomes compromised and is then used as an attack vector to infect other users' CMS on that server.

CageFS has been installed and enabled for all users.
If I look at /var/cagefs/00/user1/etc/passwd, I see what I would expect, a stripped down passwd file with all the usual system entries, but no entries for other users.

However, if I run '/bin/su - user1 -c "cat /etc/passwd"', I see the real full /etc/passwd of the system, with all user accounts in it.
Should I not be presented with /var/cagefs/00/user1/etc/passwd when I try to look at /etc/passwd?

I have done a '/usr/sbin/cagefsctl -u --force-update' to make sure things in the skeleton have been updated properly.

I must be missing a simple step, or not understanding something very basic.  Any thoughts?

Thanks
#2  22.10.2015 14:10:36  Uri Nimat (Posts: 2, Joined: 21.10.2015)  0 Votes
My apologies, there was a typo in my original comment.  I meant to say (and have edited in):

  if I run '/bin/su - user1 -c "cat /etc/passwd"', I see the real full /etc/passwd of the system, with all user accounts in it.
  Should I not be presented with /var/cagefs/00/user1/etc/passwd when I try to look at /etc/passwd?

  pam_lve is not enabled for su, you can enable it in /etc/pam.d/su but probably you shouldn't

OK.  I don't think I need to, I'm just trying to confirm the filesystem isolation is working.

Only problem... If I actually SSH to the server as user1... and again as a test, cat /etc/passwd.  I am presented with the full /etc/passwd of the system, as opposed to seeing the contents of /var/cagefs/00/user1/etc/passwd as I would expect.

I know something is probably misconfigured, but I'm trying to figure out what that might be.
#3  22.10.2015 10:10:03  Igor Seletskiy (Posts: 1200, Joined: 09.02.2010)  0 Votes
pam_lve is not enabled for su, you can enable it in /etc/pam.d/su but probably you shouldn't
#4  22.10.2015 10:10:16  Scott Neader (Posts: 89, Joined: 12.06.2014)  0 Votes
Igor, the documentation says that we should use this command to test how a command works, as the user:

/bin/su - USERNAME -c "/PATH/COMMAND"

I don't understand your answer about enabling pam_lve for su.

In any event, @SystemsTeam, when I run the same command on my server, I get a different (and more expected) result:

# /bin/su - someuser -c "cat /etc/fstab"
cat: /etc/fstab: No such file or directory

So, it would seem to indicate that you do not have something setup correctly.

- Scott
#5  22.10.2015 10:10:33  Scott Neader (Posts: 89, Joined: 12.06.2014)  0 Votes
Actually, your question is confusing... you are talking about the visibility of /etc/passwd, but your command is using /etc/fstab?

When I run:

# /bin/su - someuser -c "cat /etc/passwd" 

I am showing the correct passwd file at /var/cagefs/00/user1/etc/passwd, which contains the user's own username, plus various system accounts (gopher, ftp, games, etc.) but no other users are listed.

- Scott
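The manual check the thread settles on (run the documented test command as the user and compare what it returns with the user's skeleton passwd) written as a repeatable script. This is an added example, not code from the thread or from CloudLinux; it assumes the skeleton layout /var/cagefs/<prefix>/<user>/etc/passwd seen in the thread and that cagefsctl --list-enabled is available on the host.

```shell
#!/bin/sh
# Added example, not from the thread or from CloudLinux: turns the manual test the
# thread describes into a repeatable check. Assumes a CloudLinux host with CageFS and
# a skeleton at /var/cagefs/<prefix>/<user>/etc/passwd ("00" is the prefix in the thread).

# passwd_leaks CAGED OBSERVED
# Prints account names present in OBSERVED but absent from CAGED, one per line.
# Returns 0 when the two agree, 1 when the user can see accounts outside the cage.
passwd_leaks() {
    caged_names=$(mktemp); seen_names=$(mktemp)
    cut -d: -f1 "$1" | sort -u > "$caged_names"
    cut -d: -f1 "$2" | sort -u > "$seen_names"
    leaks=$(comm -13 "$caged_names" "$seen_names")
    rm -f "$caged_names" "$seen_names"
    [ -z "$leaks" ] && return 0
    printf '%s\n' "$leaks"
    return 1
}

# check_cage USER: run as root on the server. Compares the skeleton's passwd with
# what 'su - USER -c "cat /etc/passwd"' (the test command from the docs) returns.
check_cage() {
    user="$1"
    skel=$(ls -d /var/cagefs/*/"$user"/etc/passwd 2>/dev/null | head -n 1)
    [ -n "$skel" ] || { echo "no CageFS skeleton found for $user" >&2; return 2; }
    observed=$(mktemp)
    /bin/su - "$user" -c "cat /etc/passwd" > "$observed"
    if leaked=$(passwd_leaks "$skel" "$observed"); then
        echo "$user: sees the caged /etc/passwd (matches $skel)"; rc=0
    else
        echo "$user: sees accounts outside the cage:" $leaked >&2
        echo "check 'cagefsctl --list-enabled' for $user and pam_lve in /etc/pam.d/su" >&2
        rc=1
    fi
    rm -f "$observed"; return $rc
}

# demo: constructed sample files standing in for the skeleton and the observed output.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nuser1:x:1001:1001::/home/user1:/bin/bash\n' > "$d/skel"
    printf 'root:x:0:0:root:/root:/bin/bash\nuser1:x:1001:1001::/home/user1:/bin/bash\n' > "$d/seen"
    printf 'user2:x:1002:1002::/home/user2:/bin/bash\n' >> "$d/seen"
    if passwd_leaks "$d/skel" "$d/seen"; then rc=0; else rc=1; fi   # prints "user2", rc=1
    rm -rf "$d"; return $rc
}
```

Run `demo` for the offline sample, or `check_cage user1` as root on the server to test the real cage.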