Being in a cage doesn’t always have to be a bad thing. In fact, we’re about to put all of our users in one. Figuratively, of course. We’re working on rolling out CageFS, a technology developed and created by the good folks over at CloudLinux. CageFS is an addition to the OS CloudLinux develops, which we use exclusively across all of our shared, reseller, and semi-dedicated servers. The goal of installing CageFS is both your account and our servers will be more secure, but that is an oversimplification of what is really an important upgrade for everyone involved.
A Secure State of Mind
(If anyone is wondering, that is a picture from a 2008 blog post — we’ve been thinking and talking about security for years.)
Security is brought up so often in the hosting industry these days it’s almost starting to become a buzzword. That isn’t to say security isn’t important, because we all know it is. A properly secured environment, be it a server, hosting account, or even a WordPress blog, is paramount to ensuring you don’t get that dreaded 4AM phonecall saying you’ve been hacked. But security isn’t some set it and forget it solution with one general set of “rules” to follow. Much like the hosting industry and the web in general, security is constantly evolving and new ideas are introduced daily. It’s our job to stay on top of those changes and keep you, as our customer, as safe as we possibly can.
Enter CageFS. Even though this product has been around and publicly available since August of 2011, we believe the product has finally reached a point where it’s mature (and stable!) enough to install on our entire fleet. According to CloudLinux, CageFS “is a virtualized file system and a set of tools to contain each user in its own ‘cage’. Each customer will have its own fully functional CageFS, with all the system files, tools, etc”.
To expand on our comment about putting our users in a cage, that is essentially what CageFS does. Before CageFS, users were able to list other usernames on the server, view system configuration files, and also inspect another users running processes. With CageFS installed you’ll have no way of determining any of that information.
Major Changes and Improvements
As a customer you shouldn’t notice any changes or issues, this is a seamless introduction. In fact, if it weren’t for this blog post and us publishing this information you may never know we’re running CageFS. That’s assuming you weren’t previously snooping for other users information though, in which case we’re sorry to ruin your fun. We just think things are better this way, and we’ll trust you agree!
In list form, here are the primary differences between a CloudLinux server with CageFS as opposed to one without:
- Utilization of /tmp – Previously all users wrote to the systems /tmp directory, which on occasion would get full from a runaway script or poorly coded application. With CageFS each user writes to a /tmp directory inside their home directory, improving both security and reliability.
- User and system access – You’re literally in your own environment now. No looking at other users, their processes, or what’s happening on the server. You won’t be able to view what other users are logged in via SSH. You’ll even only get access to specific binaries.
- Commands – A user under CageFS has a very limited set of commands they’re able to run from the shell. Essentially you should have everything you need and nothing you don’t. For example, here is the output of the ‘top’ command on a non-CageFS server:
And here is what top looks like on a server with CageFS installed:
As you can clearly see the user running ‘top’ with CageFS can only see their running processes and nothing else (other users, system processes, etc).
There are a number of other changes (Check out the documentation here) but those are the major changes we’re most excited about. CloudLinux also keeps their blog both active and up to date with releases and changes, so anyone looking for a more granular breakdown of CageFS can browse through there.
That was a bad pun on ‘case closed’, forgive me. CageFS was thoroughly tested before moving into our live environment, so we’re more than confident in its ability to perform (and operate) reliably. However, no software is bug free, especially a program as integrated with the OS as CageFS. We do anticipate some strange or even unexpected behavior so please don’t hesitate to report any oddities you may see. Having been a partner of CloudLinux for over 3 years now (we installed our first CloudLinux system in August 2010) we’re confident if we report an issue they’ll figure it out and fix it.
As a final note, as your host we do our absolute best to keep your account and websites as safe and secure as possible. However, we can’t protect against everything which is why it’s important to take your own security very seriously. We’ll be publishing a post about basic shared hosting security in the coming days, stay tuned 🙂
Pingback: How to Have a Safe and Secure Hosting Experience | Hawk Host Blog
Its great to see HawkHost implementing CloudLinux on the servers, one of the best ways to save my sites from other sites during their traffic spikes. Keep up the good work.
Hi Bryan 🙂
Is this like an advanced version of the old Chroot Jail’s? (I used to use Jailkit on my VPS until last year).
I’m just curious. 🙂 I was reading your blog because I am looking at a new provider.
I remember using Jailkit many years ago – it’s great! The idea is similar however instead of using chroot() it’s a modified OpenVZ kernel (software virtualization) which is “more secure” and “more difficult” to break out of. I suspect you’re familiar with the numerous ways (current and in the past) that one was able to break out of their chrooted environment. Due to the way CloudLinux implemented this (again, forked from OpenVZ) this is a thing of the past.
If you have any questions regarding how we run our servers or anything else please don’t hesitate to contact our sales department (https://support.hawkhost.com)!
Is this thing an open source project?
Jailkit is – a simple Google search should give you plenty of results. CageFS is not – it’s based around CloudLinux which is a commercial product.
Pingback: Your Hosting Accounts Security at Hawk Host | Hawk Host Blog