Being in a cage doesn’t always have to be a bad thing. In fact, we’re about to put all of our users in one. Figuratively, of course. We’re working on rolling out CageFS, a technology developed and created by the good folks over at CloudLinux. CageFS is an addition to the OS CloudLinux develops, which we use exclusively across all of our shared, reseller, and semi-dedicated servers. The goal of installing CageFS is both your account and our servers will be more secure, but that is an oversimplification of what is really an important upgrade for everyone involved.
A Secure State of Mind
(If anyone is wondering, that is a picture from a 2008 blog post – we’ve been thinking and talking about security for years.)
Security is brought up so often in the hosting industry these days it’s almost starting to become a buzzword. That isn’t to say security isn’t important, because we all know it is. A properly secured environment, be it a server, hosting account, or even a WordPress blog, is paramount to ensuring you don’t get that dreaded 4AM phonecall saying you’ve been hacked. But security isn’t some set it and forget it solution with one general set of “rules” to follow. Much like the hosting industry and the web in general, security is constantly evolving and new ideas are introduced daily. It’s our job to stay on top of those changes and keep you, as our customer, as safe as we possibly can.
Enter CageFS. Even though this product has been around and publicly available since August of 2011, we believe the product has finally reached a point where it’s mature (and stable!) enough to install on our entire fleet. According to CloudLinux, CageFS “is a virtualized file system and a set of tools to contain each user in its own ‘cage’. Each customer will have its own fully functional CageFS, with all the system files, tools, etc”.
To expand on our comment about putting our users in a cage, that is essentially what CageFS does. Before CageFS, users were able to list other usernames on the server, view system configuration files, and also inspect another users running processes. With CageFS installed you’ll have no way of determining any of that information.
Major Changes and Improvements
As a customer you shouldn’t notice any changes or issues, this is a seamless introduction. In fact, if it weren’t for this blog post and us publishing this information you may never know we’re running CageFS. That’s assuming you weren’t previously snooping for other users information though, in which case we’re sorry to ruin your fun. We just think things are better this way, and we’ll trust you agree!
In list form, here are the primary differences between a CloudLinux server with CageFS as opposed to one without:
- Utilization of /tmp – Previously all users wrote to the systems /tmp directory, which on occasion would get full from a runaway script or poorly coded application. With CageFS each user writes to a /tmp directory inside their home directory, improving both security and reliability.
- User and system access – You’re literally in your own environment now. No looking at other users, their processes, or what’s happening on the server. You won’t be able to view what other users are logged in via SSH. You’ll even only get access to specific binaries.
- Commands – A user under CageFS has a very limited set of commands they’re able to run from the shell. Essentially you should have everything you need and nothing you don’t. For example, here is the output of the ‘top’ command on a non-CageFS server:
There are a number of other changes (Check out the documentation here) but those are the major changes we’re most excited about. CloudLinux also keeps their blog both active and up to date with releases and changes, so anyone looking for a more granular breakdown of CageFS can browse through there.
That was a bad pun on ‘case closed’, forgive me. CageFS was thoroughly tested before moving into our live environment, so we’re more than confident in its ability to perform (and operate) reliably. However, no software is bug free, especially a program as integrated with the OS as CageFS. We do anticipate some strange or even unexpected behavior so please don’t hesitate to report any oddities you may see. Having been a partner of CloudLinux for over 3 years now (we installed our first CloudLinux system in August 2010) we’re confident if we report an issue they’ll figure it out and fix it.
As a final note, as your host we do our absolute best to keep your account and websites as safe and secure as possible. However, we can’t protect against everything which is why it’s important to take your own security very seriously. We’ll be publishing a post about basic shared hosting security in the coming days, stay tuned