Category Archives: Cloudlinux

20Sep/16

Enable additional commands to CageFS users in CloudLinux

Introduction

In CloudLinux, CageFS is a virtualized, per-user file system that encapsulates each customer, preventing users from seeing each other's files or viewing sensitive information.

It prevents a large number of attacks, including most privilege escalation and information disclosure attacks.

It is completely transparent to your customers; they do not need to change their scripts.

After enabling CageFS:

  • Users only have access to safe files.
  • They cannot see other users and have no way to detect the presence of other users or user names on the server.
  • They cannot see server configuration files, like Apache config files.
  • They have a limited view of their own /proc file system and cannot see other users’ processes.

To enable additional commands for CageFS users in CloudLinux

  • Log in to the server as root using SSH.
  • Open the file /etc/cagefs/conf.d/binutils.cfg in the vi editor:
# vi /etc/cagefs/conf.d/binutils.cfg
  • Add the paths of the commands to the line that starts with “paths=”.

like this

paths=/bin/arch, /bin/awk, /bin/basename, /bin/cat

Note that binutils.cfg ships with the cagefs package, so edits made to it can be lost on a package update. The safer place for your own additions is a separate file in /etc/cagefs/conf.d/ (for example custom.cfg) with the same layout: a [section] header, a comment= line and a paths= line.

You can get the path of a command using which:

Syntax: which {command-name}

Eg: # which ls

/bin/ls
  • Add the command paths to the file. Multiple paths are separated by commas.
  • Save the file and update CageFS with the following command:
# cagefsctl --force-update
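As an added example (not code from the original post or from CloudLinux), the following shell functions automate the steps above: they resolve each command name to its absolute path with command -v (the portable equivalent of which), refuse names that are shell builtins or are not executable regular files, and write the result as a conf.d fragment. The file name custom.cfg and the section name are this example's own choices; the INI layout with a [section] header, comment= and paths= lines follows the shipped binutils.cfg. Running cagefsctl --force-update afterwards is still a manual step and is only shown in a comment.

```shell
#!/bin/sh
# Added example (not from the original post or from CloudLinux): build a
# CageFS conf.d fragment for extra commands. Assumes the INI layout used by
# the shipped /etc/cagefs/conf.d/*.cfg files ([section], comment=, paths=);
# the file name custom.cfg and section name are our own choices.

# resolve_cmd NAME -> prints the absolute path of NAME; fails when NAME is a
# shell builtin/alias (no leading slash) or not an executable regular file.
resolve_cmd() {
    p=$(command -v "$1" 2>/dev/null) || return 1
    case "$p" in /*) ;; *) return 1 ;; esac
    [ -f "$p" ] && [ -x "$p" ] || return 1
    printf '%s\n' "$p"
}

# build_paths_line NAME... -> prints "paths=/a, /b, /c" for the names that
# resolve; returns 1 if any name failed, so a typo does not silently vanish.
build_paths_line() {
    line=""; rc=0
    for name in "$@"; do
        if p=$(resolve_cmd "$name"); then
            line="${line:+$line, }$p"
        else
            echo "cannot resolve: $name" >&2
            rc=1
        fi
    done
    printf 'paths=%s\n' "$line"
    return $rc
}

# write_cagefs_cfg FILE SECTION NAME... -> writes the conf.d fragment to FILE,
# or writes nothing and returns 1 when a command could not be resolved.
write_cagefs_cfg() {
    file=$1; section=$2; shift 2
    paths=$(build_paths_line "$@") || return 1
    {
        printf '[%s]\n' "$section"
        printf 'comment=Extra commands exposed to CageFS users\n'
        printf '%s\n' "$paths"
    } > "$file"
}

# On a real server (as root), then apply the change:
#   write_cagefs_cfg /etc/cagefs/conf.d/custom.cfg custom ls cat awk
#   cagefsctl --force-update
```

Because build_paths_line fails on the first unresolvable name, a misspelled command produces no config file rather than a silently shorter paths= line.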
Another advantage of CloudLinux is PHP Selector.

PHP Selector is a CloudLinux component that sits on top of CageFS. It allows each user to select the PHP version and modules their site needs. PHP Selector requires the account to have CageFS enabled in order to work.

To install PHP Selector:

The installation steps for PHP Selector are straightforward.

# yum groupinstall alt-php

Next, update CageFS and LVE Manager with support for all the PHP alternatives:

# yum update cagefs lvemanager

On a cPanel/WHM server, make sure ‘Select PHP version’ is enabled in Feature Manager.

Once this is enabled, the default locations for alt-php are as follows (shown for PHP 5.3):

The configuration directory for that PHP version is /opt/alt/php53/etc
Loaded configuration file – /opt/alt/php53/etc/php.ini

Once PHP Selector is in use, placing a custom php.ini in an account’s public_html folder will break the website. To customize PHP settings, use the “Edit PHP settings” section in cPanel instead.

14Jun/16

Move cagefs-skeleton directory from /usr/share to another partition

CageFS is a virtualized file system and a set of tools that lock each system user in its own ‘cage’. Each customer has its own fully functional CageFS, with all the system files, tools, etc. The main benefits are that a CageFS-enabled user can only use safe binaries and cannot see any other users on the server.

CageFS creates an individual namespace for each user, making it impossible for users to see each other’s files and providing a high level of isolation. The safe files each user’s cage is built from live by default in /usr/share/cagefs-skeleton.

Sometimes you need to move this cagefs-skeleton directory from /usr/share to another partition such as /home because the /usr partition is running low on free disk space. Below are the steps we used to do this.

# cagefsctl --disable-cagefs

This command disables CageFS on the server.

# cagefsctl --unmount-all

This command unmounts all the mount points created by CageFS.

To verify that all CageFS mount points have been unmounted, run:

# grep cagefs /proc/mounts

If any cagefs entries remain, run “cagefsctl --unmount-all” again; if entries are still present after that, run the following script:

# /usr/share/cagefs-plugins/hooks/jail_shell_disable.sh

Do not move the directory until no entries remain: the move across partitions is a copy and delete, and it can fail part-way or leave cages inconsistent while mounts are still active.

# mv /usr/share/cagefs-skeleton /home/cagefs-skeleton

This command moves the directory from /usr to /home, which has more free disk space.

# ln -s /home/cagefs-skeleton /usr/share/cagefs-skeleton

This command creates a symlink at /usr/share/cagefs-skeleton pointing to /home/cagefs-skeleton, where the actual files now live.

# cagefsctl --enable-cagefs

This command re-enables CageFS on the server.

If you do this on a cPanel server, then in WHM go to “Server Configuration” » “Basic cPanel/WHM Setup” and change the “Additional home directories” default from “home” to blank. If this option is not changed, cPanel will create new accounts in the wrong place.
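As an added example (not code from the original post), the shell functions below wrap the move with the “no cagefs mounts left” check that the steps above perform by hand with grep on /proc/mounts. The mounts file and both directory paths are parameters so the functions can be exercised on a scratch directory; the sample mounts table they write is constructed for the example, not captured from a server. On a real server you would pass /proc/mounts and the real paths, as root, between cagefsctl --disable-cagefs / --unmount-all and cagefsctl --enable-cagefs.

```shell
#!/bin/sh
# Added example, not from the original post: guard the skeleton relocation
# with a "no cagefs mounts left" check before moving and symlinking.

# cagefs_mounts MOUNTS_FILE -> prints how many entries still reference cagefs
# in the device or mount-point field (what `grep cagefs /proc/mounts` shows).
cagefs_mounts() {
    awk '$1 ~ /cagefs/ || $2 ~ /cagefs/ { n++ } END { print n + 0 }' "$1"
}

# relocate_skeleton MOUNTS_FILE SRC DST -> refuses while cagefs mounts remain
# (a cross-partition mv is a copy and delete that can fail part-way with
# active mounts), otherwise moves SRC to DST and leaves a symlink at SRC so
# the packaged path keeps working.
relocate_skeleton() {
    mounts=$1; src=$2; dst=$3
    if [ "$(cagefs_mounts "$mounts")" -ne 0 ]; then
        echo "cagefs mounts still present; run cagefsctl --unmount-all again" >&2
        return 1
    fi
    if [ ! -d "$src" ] || [ -L "$src" ]; then
        echo "$src is not a real directory (already relocated?)" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        echo "$dst already exists" >&2
        return 1
    fi
    mv "$src" "$dst" && ln -s "$dst" "$src"
}

# write_sample_mounts FILE busy|clear -> writes a constructed mounts table
# (not captured from a real server) for trying the functions out offline.
write_sample_mounts() {
    case "$2" in
        busy)
            cat > "$1" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /var/cagefs/00/alice/usr/share/cagefs-skeleton ext4 rw,relatime 0 0
proc /var/cagefs/00/alice/proc proc rw,nosuid 0 0
EOF
            ;;
        clear)
            cat > "$1" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid 0 0
EOF
            ;;
    esac
}

# Real-server usage (as root, after cagefsctl --disable-cagefs and --unmount-all):
#   relocate_skeleton /proc/mounts /usr/share/cagefs-skeleton /home/cagefs-skeleton \
#       && cagefsctl --enable-cagefs
```

The symlink target is written as an absolute path, matching the ln -s command in the steps above, so the link resolves regardless of the current directory.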

Please leave a comment below if you run into any issues while following this article.

09Jul/14

Install Redis Daemon and Redis PHP extension on CentOS/RHEL/cPanel

Redis is an open-source, networked, in-memory, key-value data store with optional durability. It is written in ANSI C. It is a “NoSQL” key-value data store; more precisely, it is a data structure server.

To install Redis as a daemon on a CentOS/RHEL/cPanel server, follow these steps:

cd /usr/local/
wget http://download.redis.io/releases/redis-2.8.12.tar.gz
tar -xvzf redis-2.8.12.tar.gz
cd redis-2.8.12
make
cp src/redis-server /usr/local/bin
cp src/redis-cli /usr/local/bin
mkdir -p /etc/redis
mkdir -p /var/redis
cp redis.conf /etc/redis/redis.conf

Open /etc/redis/redis.conf in the vi editor and set the following values. The bind line matters: Redis has no authentication enabled out of the box, and without a bind line this version listens on every interface, so keep it on the loopback address unless remote clients genuinely need it.

daemonize yes
port 6379
bind 127.0.0.1
dir  /var/redis/
logfile  /var/log/redis.log
pidfile  /var/run/redis.pid
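As an added example (not code from the original post or from Redis), the shell functions below check a redis.conf against the settings just listed before the daemon is started: daemonize must be yes, every address on the bind line must be loopback, and dir, logfile and pidfile must be set. Paths are parameters so it runs against a sample; the sample files it writes are constructed for the example, with the “weak” variant differing only in binding to every interface. On a server you would point it at /etc/redis/redis.conf.

```shell
#!/bin/sh
# Added example, not from the original post or from Redis: check a redis.conf
# against the settings the post prescribes. Redis ships with no authentication
# enabled, so the `bind 127.0.0.1` line is what keeps the instance off the
# network; check_redis_conf fails when bind is missing or non-loopback.

# conf_values FILE KEY -> prints the value(s) of the last uncommented KEY line
# ("" if unset). Comment lines start with '#' and so never match as KEY.
conf_values() {
    awk -v k="$2" '$1 == k { $1 = ""; v = substr($0, 2) } END { print v }' "$1"
}

# check_redis_conf FILE -> 0 when daemonize is yes, every bind address is
# loopback and dir/logfile/pidfile are set; otherwise reports each problem
# on stderr and returns 1.
check_redis_conf() {
    f=$1; rc=0
    [ "$(conf_values "$f" daemonize)" = "yes" ] || { echo "daemonize is not yes" >&2; rc=1; }
    addrs=$(conf_values "$f" bind)
    if [ -z "$addrs" ]; then
        echo "no bind line: redis would listen on every interface" >&2; rc=1
    fi
    for a in $addrs; do
        case "$a" in
            127.0.0.1|::1|localhost) ;;
            *) echo "bind address $a is not loopback" >&2; rc=1 ;;
        esac
    done
    for k in dir logfile pidfile; do
        [ -n "$(conf_values "$f" "$k")" ] || { echo "$k is not set" >&2; rc=1; }
    done
    return $rc
}

# write_sample_conf FILE hardened|weak -> writes a constructed redis.conf:
# "hardened" is the post's configuration, "weak" differs only in binding to
# every interface (which is also what Redis 2.8 does with no bind line).
write_sample_conf() {
    case "$2" in hardened) b="bind 127.0.0.1" ;; weak) b="bind 0.0.0.0" ;; esac
    cat > "$1" <<EOF
# constructed sample, not a real server's file
daemonize yes
port 6379
$b
dir  /var/redis/
logfile  /var/log/redis.log
pidfile  /var/run/redis.pid
EOF
}

# Real-server usage, before /etc/init.d/redis start:
#   check_redis_conf /etc/redis/redis.conf || echo "fix redis.conf first"
```

conf_values takes the last matching line, which is what Redis itself does when a key appears more than once, so an accidental second bind line further down the file is what gets checked.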

Now create the startup script: create a new file /etc/init.d/redis with the following contents (reference: https://gist.github.com/paulrosania/257849) and make it executable (chmod 755 /etc/init.d/redis).

#!/bin/sh
#
# redis - this script starts and stops the redis-server daemon
#
# chkconfig:   - 85 15
# description:  Redis is a persistent key-value database
# processname: redis-server
# config:      /etc/redis/redis.conf
# config:      /etc/sysconfig/redis
# pidfile:     /var/run/redis.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

redis="/usr/local/bin/redis-server"
prog=$(basename $redis)

REDIS_CONF_FILE="/etc/redis/redis.conf"

# Optional overrides (for example a different REDIS_CONF_FILE).
[ -f /etc/sysconfig/redis ] && . /etc/sysconfig/redis

lockfile=/var/lock/subsys/redis

start() {
    [ -x $redis ] || exit 5
    [ -f $REDIS_CONF_FILE ] || exit 6
    echo -n $"Starting $prog: "
    daemon $redis $REDIS_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    # SIGTERM is the signal redis-server traps for a clean shutdown (it saves
    # the dataset first when persistence is configured); SIGQUIT is not
    # handled and would kill the process without saving.
    killproc $prog -TERM
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    stop
    start
}

reload() {
    # redis-server does not re-read redis.conf on SIGHUP, so sending it HUP
    # is not a reload; a reload is a full restart.
    restart
}

force_reload() {
    restart
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        # Restart only if the daemon is already running.
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
        exit 2
esac

Now make sure the daemon will start after server reboot.

chkconfig --add redis
chkconfig redis on

Now we can start Redis using the command /etc/init.d/redis start

To make sure Redis is working, run the command “redis-cli ping” from the command line. If you get the result “PONG”, Redis is working.

Now install the Redis PHP extension using the following command.

pecl install redis

Now open the php.ini file (/usr/local/lib/php.ini on cPanel servers) and add the following line to it

extension=redis.so

Now restart Apache to apply the changes to php.ini file.

11Jun/14

Service Interruption while EasyApache

I have seen many people warn customers about a few minutes of downtime while running EasyApache on their servers, and so they always suggest running it during off-peak hours. Although it is not recommended to recompile such mission-critical components during peak traffic hours (the build adds some server load as well), it will not normally cause minutes of downtime. cPanel has built the EasyApache package so that, even if the build fails, it switches Apache/PHP back to the previously working versions. It also performs only a single service restart at the end, and that restart is the only planned service interruption during an EasyApache run.

There are other possibilities, however, if Apache is restarted during the EasyApache build. For example, if Apache is restarted while the mod_security module is being built, it will fail with a syntax error if you have mod_security directives defined for any of your websites. That is because Apache unloads the mod_security module for the recompile, and the error remains until the .so file is rebuilt by EasyApache. That window lasts only a few seconds, but if we try to restart Apache during that time it will fail, so in such a case we have to start Apache manually after the specific .so file has been built.

01May/14

no certificate found for domain.com in the installed ssl data store – cPanel

Today we had this strange error in WHM while attempting to install an SSL certificate for a domain. The Auto-fill option worked just fine and filled each field with the correct data, but clicking the “Install” button kept showing the above error message. To overcome it, I went to WHM » Home » SSL/TLS » Manage SSL Hosts and deleted the SSL virtual host for the domain for which I was attempting to install the new certificate. Then I tried to install the certificate again and it worked just fine. I believe the error occurred due to conflicting or missing SSL certificate details configured in the old SSL virtual host.

08Oct/13

Premature end of script headers: wredirect.cgi

If you are getting an Internal Server Error when opening /webmail, /whm or /cpanel, check the Apache error log.

For us it looked like the errors below:

[Tue Oct 08 08:14:44 2013][error][client x.x.x.x] Premature end of script headers: wredirect.cgi
[Tue Oct 08 08:14:44 2013][error][client x.x.x.x] File does not exist: /home/user/public_html/500.shtml

A temporary fix is to disable suEXEC in WHM, from the drop-down at Home » Service Configuration » Configure PHP and suEXEC, and save. This weakens security, however: suEXEC is what makes CGI scripts run under the account’s own user rather than the web server’s user.

This is a known bug, and if you are using CageFS the following commands fix it permanently:

cagefsctl --remount-all
service proxyexecd restart


02Oct/13

kernel: LVE: Can’t enter to lve from slave context

This kind of error can be seen in /var/log/messages on a cPanel server running CloudLinux, and it fills /var/log/messages quickly.

It can be caused by the following:

1. You are running PHP as CGI. In that case the error can be ignored, and it is fixed by simply upgrading to the latest LVE kernel.

2. A conflict between mod_hostinglimits and mod_fcgid. In that case, try disabling mod_hostinglimits and see whether that resolves the issue. If it does, then

edit “/usr/local/apache/conf/modhostinglimits.conf” and remove the handlers that are handled by mod_fcgid from the AllowedHandlers line.

(I simply commented out the AllowedHandlers line completely, which stopped those errors.)
