Question

CloudLinux / CageFS - Account Level Security - Does DO provide anything similar?

Posted July 2, 2020 292 views
Apache, DigitalOcean

I am looking to make the transition from cPanel hosting to DO. I have several client websites that are all placed in ‘cages’. I have a few questions: I understand CloudLinux is not supported here on DO; however, I was wondering if there is anything similar I could use?

If not - does it mean users or hackers are able to upload malicious scripts on an account and spy on other user accounts?

For those who don’t know what CageFS is:

CageFS is a virtualized, per-user file system that uniquely encapsulates each customer, preventing users from seeing each other and viewing sensitive information. CageFS prevents a large number of attacks, including most privilege escalation and information disclosure attacks.

With CageFS:

  • Users only have access to safe files.
  • Users cannot see other users and have no way to detect the presence of other users or user names on the server.
  • Users cannot see server configuration files, like Apache config files.
  • Users have a limited view of their own processing file system, and cannot see other users’ processes.
  • Remove each user’s access to ALL SUID scripts.
  • Limit each customer’s access to the /proc filesystem.
  • Prevent symbolic link attacks.

Even with this extensive security, a user’s environment is fully functional, and users do not feel restricted in any way. CageFS is completely transparent to the end-user, yet impregnable to a hacker.
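As an added example (not part of the original post, and not CloudLinux or DigitalOcean code), the following Python script checks two of the properties listed above on a stock Linux server: whether `/proc` is mounted with `hidepid` so accounts cannot see each other's processes, and whether home directories can be listed or traversed by other accounts. The sample mount lines, paths and modes are constructed, and the function names are hypothetical.

```python
import os
import stat

# Constructed samples in /proc/mounts format (not from a real server).
SAMPLE_MOUNTS = "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
SAMPLE_MOUNTS_HARDENED = "proc /proc proc rw,nosuid,nodev,noexec,hidepid=2 0 0\n"
# Constructed home directories and their permission bits.
SAMPLE_HOMES = {"/home/client1": 0o755, "/home/client2": 0o711,
                "/home/client3": 0o750}

# hidepid values that restrict access to other users' /proc/<pid> entries.
HIDING = {"1", "2", "4", "noaccess", "invisible", "ptraceable"}

def proc_restricts_other_pids(mounts_text):
    """True if the (last) /proc mount carries a restricting hidepid option."""
    restricted = False
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == "/proc" and f[2] == "proc":
            opts = dict(o.partition("=")[::2] for o in f[3].split(","))
            restricted = opts.get("hidepid", "0") in HIDING
    return restricted

def exposed_homes(home_modes):
    """Home paths whose 'other' bits allow listing (r) or traversal (x)."""
    return sorted(p for p, m in home_modes.items()
                  if m & (stat.S_IROTH | stat.S_IXOTH))

def audit(mounts_text, home_modes):
    """Return a list of human-readable findings; empty means both checks pass."""
    findings = []
    if not proc_restricts_other_pids(mounts_text):
        findings.append("/proc: other users' processes are visible (no hidepid)")
    for path in exposed_homes(home_modes):
        findings.append(f"{path}: listable or traversable by other accounts")
    return findings

def live_home_modes(base="/home"):
    """Collect permission bits of the real directories under base."""
    return {e.path: stat.S_IMODE(e.stat(follow_symlinks=False).st_mode)
            for e in os.scandir(base) if e.is_dir(follow_symlinks=False)}

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        for finding in audit(fh.read(), live_home_modes()):
            print(finding)
```

A traversable home directory (mode `0711`) is often set deliberately so the web server can reach site files; the finding then indicates that isolation depends on file-level permissions inside it.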

1 answer

If it’s any use, there do seem to be some instructions for running CloudLinux on DO and their workaround using kexec to switch to the CloudLinux kernel.

https://docs.cloudlinux.com/cloudlinux_installation/#digitalocean
