What is CloudLinux / CageFS - Account Level Security?
In this guide, we explain the role CloudLinux plays in the performance and security of your shared hosting.
What is CloudLinux?
CloudLinux is a Linux-based operating system used mainly in shared hosting environments. It isolates each user in its own Lightweight Virtual Environment (LVE), which is allocated a predefined amount of resources that the user cannot exceed.
That is, each user runs in a caged environment.
The resource usage of one user won’t affect the stability of another user. Each user is allocated a specific amount of resources.
If a user’s website uses all of the resources allocated to it, other users are not affected. Only that particular user will face problems related to this.
What is CageFS?
CageFS is a virtualized file system and a set of tools to lock each user in its own 'cage'. Each customer will have its own fully functional filesystem, with all the system files, tools, etc.
Many people try to secure hosting using the php.ini file. This gives some results, yet php.ini restrictions are often easy to circumvent. Additionally, they will not work at all for CGI scripts. That’s why we decided to develop a more effective tool for increasing security at the server and created CageFS.
CageFS has many benefits, such as:
- only safe binaries are available to the user
- the user will not see any other users and would have no way to detect the presence of other users and their usernames on the server
- the user will not be able to see server configuration files, such as Apache config files
- the user will have a limited view of the /proc filesystem and will not be able to see other users’ processes
- at the same time, the user’s environment will be fully functional and the user will not feel restricted in any possible way; no adjustments to user scripts are needed.
Today it is trivial for attackers to use hacked web applications to deploy a PHP shell. If you run any simple PHP shell script as a user without CageFS, you may notice that it can see all users in /etc/passwd and can read the full Apache config file, so it can determine the domains hosted on the same server as well as home path locations. However, as soon as the user is added to CageFS, they will see only system users and themselves in /etc/passwd. In addition, they cannot read Apache configs, etc.
Even with this extensive security, a user's environment is fully functional, and users do not feel restricted in any way. CageFS is completely transparent to the end-user, yet impregnable to a hacker.
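The script below is an added example, not part of the original guide or CloudLinux's own tooling. Run from inside a hosting account, it reports the three things the guide says CageFS hides: other accounts in /etc/passwd, Apache config files and other users' processes. The UID threshold of 1000 and the Apache config paths are assumptions; adjust them for your server.

```sh
#!/bin/sh
# Added example: report what the current hosting account can see.

# Count passwd entries for other regular accounts. Assumption: customer
# accounts have UID >= 1000; 65534 ("nobody") is treated as a system user.
visible_other_users() {  # args: passwd_file my_uid [min_uid]
    awk -F: -v me="$2" -v min="${3:-1000}" \
        '$3 >= min && $3 != me && $3 != 65534 { n++ } END { print n + 0 }' "$1"
}

# Count how many of the given files this account can read.
readable_files() {  # args: path...
    n=0
    for f in "$@"; do
        if [ -r "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Count processes in a /proc-style tree whose real UID differs from ours.
foreign_processes() {  # args: proc_dir my_uid
    n=0
    for status in "$1"/[0-9]*/status; do
        [ -r "$status" ] || continue
        uid=$(awk '/^Uid:/ { print $2; exit }' "$status" 2>/dev/null) || continue
        if [ -n "$uid" ] && [ "$uid" != "$2" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

me=$(id -u)
# Assumed common Apache config locations; adjust for your server.
configs="/etc/apache2/conf/httpd.conf /usr/local/apache/conf/httpd.conf
/etc/httpd/conf/httpd.conf"
echo "other accounts in /etc/passwd: $(visible_other_users /etc/passwd "$me")"
echo "readable Apache config files:  $(readable_files $configs)"
echo "other users' processes:        $(foreign_processes /proc "$me")"
```

Run it as the hosting user rather than root. Going by the description above, an account inside CageFS should report 0 on all three lines.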