Cage File System :: An Overview

by Bella

Cage File System (CageFS) is a virtualized file system with a set of tools that contains each user in their own 'cage'. Each customer has their own fully functional CageFS, with all the system files, tools, etc. The cagefsctl command provides many options, such as initializing, enabling, mounting and unmounting CageFS and assigning it to users (enabling and disabling CageFS per user). More about the command options can be found under cagefs commands.

Installation

CageFS can be installed only on a CloudLinux server. Installation requires 8MB per user in the /var directory for the custom /etc directory and 5GB to 20GB in the /usr/share directory for storing the safe skeleton of the filesystem. CageFS can be installed and initialized using the yum install cagefs and cagefsctl --init commands respectively. Alternatively, the CageFS skeleton can be set to another location by creating a link from the desired location to the default location.

While installing, CageFS will automatically detect and configure all necessary files for the LiteSpeed webserver and for the DB tools like MySQL and PostgreSQL and almost all the control panels. By default, CageFS is disabled for all users. Once CageFS is initialized, it can be enabled for particular users.

CageFS can be uninstalled once all the directories are disabled and removed using the command cagefsctl --remove-all. The command disables CageFS for all users, unmounts CageFS for all users, and removes the /usr/share/cagefs-skeleton and /var/cagefs directories.
CageFS itself can then be removed with the yum remove cagefs command.

User Management

CageFS has two modes, namely Enabled and Disabled. The Enabled mode can be used for production operations, where all new users are automatically added to CageFS. The Disabled mode is convenient for testing, as it provides the option to enable or disable CageFS one by one for each user. The following commands manage the CageFS user modes.

cagefsctl --enable-all           # Enabled mode
cagefsctl --disable-all          # Disabled mode
cagefsctl --toggle-mode          # Switch the operation mode, preserving current users
cagefsctl --enable [username]    # Enable an individual user
cagefsctl --disable [username]   # Disable an individual user
cagefsctl --list-enabled         # List enabled users
cagefsctl --list-disabled        # List disabled users
cagefsctl --display-user-mode    # Display the current mode of operation

Commands can be executed as a user from inside CageFS. From the shell, specify the desired command after the prefix su - username -c "command". If there is no admin access, use the command cagefs_enter_user $USERNAME "command". Users can be excluded from CageFS by creating a file inside the /etc/cagefs/exclude folder and adding those users to the file.

File Management

When CageFS is installed, a filesystem template is created in the /usr/share/cagefs-skeleton directory after running the cagefsctl --init command. The behavior of the commands and the files copied into the /usr/share/cagefs-skeleton directory depend on the configuration files in /etc/cagefs/conf.d. Additional files, users, groups and devices can be added to the CageFS template by adding a .cfg file and running the command cagefsctl --update. Using the cagefsctl --addrpm and --delrpm commands, files from different RPMs can be added to or deleted from CageFS. Files and directories can be excluded from CageFS by adding their names, one per line, to the file /etc/cagefs/black.list.

Space Management

CageFS creates an individual namespace for each user, making it impossible for users to see each other's files and thereby creating a high level of isolation. The directories that are to be shared with every user are mounted in the CageFS skeleton directory, and the list of such directories is kept in the file /etc/cagefs/cagefs.mp. For each user, the /home and /etc directories are mounted separately as /var/cagefs/[prefix]/username and /var/cagefs/[prefix]/username respectively. The prefix denotes the last two digits of the user ID as in the /etc/passwd file.
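
An added example, not part of the original article or of CloudLinux's own tooling: a shell audit that derives each user's /var/cagefs/[prefix]/username path from a passwd file and reports regular accounts that are listed under the exclude folder and therefore run outside a cage. The sample passwd entries, the exclude file names (dbusers, custom), the minimum UID of 1000 and the zero-padding of prefixes for UIDs below 10 are assumptions made for the illustration.

```shell
#!/bin/sh
# Audit sketch: which accounts are excluded from CageFS, and where caged data lives.
# File locations are passed as arguments so the script runs on the sample data below.

# Last two digits of the UID (zero-padding for UIDs < 10 is an assumption).
cage_prefix() {
    printf '%02d' $(( $1 % 100 ))
}

# Per-user directory in the form the article gives: /var/cagefs/[prefix]/username
cage_dir() {   # $1 = username, $2 = passwd file
    uid=$(awk -F: -v u="$1" '$1 == u { print $3 }' "$2")
    [ -n "$uid" ] || return 1
    printf '/var/cagefs/%s/%s\n' "$(cage_prefix "$uid")" "$1"
}

# Usernames listed, one per line, in any file under the exclude directory.
excluded_users() {   # $1 = exclude dir
    cat "$1"/* 2>/dev/null | sed 's/[[:space:]]*$//' | grep -v '^$' | sort -u
}

# Regular accounts (UID >= $3) that appear in an exclude file, i.e. are not caged.
uncaged_accounts() {   # $1 = passwd file, $2 = exclude dir, $3 = minimum UID
    excluded_users "$2" | while read -r name; do
        awk -F: -v u="$name" -v min="$3" '$1 == u && $3 >= min { print $1 }' "$1"
    done
}

# Constructed sample data (not taken from a real server).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/exclude"
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin
alice:x:1005:1005::/home/alice:/bin/bash
bob:x:1123:1123::/home/bob:/bin/bash
EOF
printf 'mysql\n' > "$demo/exclude/dbusers"   # hypothetical file name
printf 'bob\n'   > "$demo/exclude/custom"    # hypothetical file name

cage_dir alice "$demo/passwd"
uncaged_accounts "$demo/passwd" "$demo/exclude" 1000
```

On a real server the same functions would be pointed at /etc/passwd and /etc/cagefs/exclude; any customer account the report prints is not isolated by CageFS and deserves a documented reason.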

Advantages of Using CageFS

  • Handling Hackers: CageFS prevents hackers from scanning the server for vulnerable files, and escalating privileges to gain root access.
  • Virtual Private Area: CageFS ensures that users cannot see any other user and have no way to detect the presence of other users on the server.
  • Isolation from Server Configuration files: CageFS also prevents users from viewing the server configuration files, such as Apache config files.
  • Compatibility with Various Control Panels: CageFS comes with a plugin for WHM that allows us to manage & update CageFS. Plesk, DirectAdmin, InterWorx and ISP Manager are also fully supported and can be integrated with CageFS.
  • Ease of Installation and Configuration: CageFS has the advantage that it can automatically detect cPanel, Plesk, DirectAdmin, ISP Manager and InterWorx configuration from the server. This leads to less time needed to install the software and configure it.

‘Caged’ FS : Limits

Due to the nature of CageFS, some things will not work as before or will require some changes:

  • Lastlog will not work (/var/log/lastlog).
  • PHP will load php.ini from /usr/selector/php.ini.
  • The command cagefsctl --update must be executed every time any changes are made inside CageFS.
