Field Notes

Allow Access to Additional Commands for CageFS Users

  • Billy Ford

CageFS is a feature of CloudLinux that helps to isolate users in a shared environment. This is especially useful in shared hosting environments where hundreds of customers could be housed on a single server. To keep a single customer from affecting the security or performance of the other tenants, CageFS isolates users, allowing them to see only their own data and restricting them to specific executables.

We often need to allow users to access executables that CageFS does not allow by default. There are a couple of ways to accomplish this depending on how the executable was installed.


Add an RPM to CageFS

If the command was installed via a package manager (such as YUM), we can use cagefsctl to add the package to CageFS.

  1. Add the package to CageFS using the cagefsctl --addrpm command.

    sudo cagefsctl --addrpm rsync
  2. Force a CageFS update.

    sudo cagefsctl --force-update
    Copying /usr/local/bin/ffmpeg to /usr/share/cagefs-skeleton/usr/local/bin/ffmpeg
  3. (Optional) To confirm that the package was installed in CageFS, we can grep the output of cagefsctl --list-rpm.

    sudo cagefsctl --list-rpm | grep -i rsync

Add a Path to CageFS

If the command was not installed via a package manager, then we will need to add the command path to the binutils.cfg file.

  1. Find the full path of the command using the which command.

    sudo which ffmpeg
  2. Create a new file in the /etc/cagefs/conf.d/ directory that contains the command path we obtained in Step 1.

    • Create the file and set the permissions.

      sudo vi /etc/cagefs/conf.d/ffmpeg.cfg
      sudo chmod 600 /etc/cagefs/conf.d/ffmpeg.cfg
    • Edit the file and add the path to the command along with relevant details.

  3. Force a CageFS update.

    sudo cagefsctl --force-update
    Copying /usr/local/bin/ffmpeg to /usr/share/cagefs-skeleton/usr/local/bin/ffmpeg
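
The following shell function is an added example, not code from the original article or from CloudLinux. It covers Steps 1 and 2 of "Add a Path to CageFS" and refuses a binary that group or other users can modify, since the file is about to be exposed to every caged user. The function name write_cagefs_cfg is hypothetical, and the [section] / comment= / paths= file layout is an assumption, because the article does not show the file's contents.

```shell
#!/bin/sh
# Added example, not CloudLinux's code. Assumes a conf.d entry is an
# INI-style file with [section], comment= and paths= lines.
#
# write_cagefs_cfg NAME PATH [CONF_DIR]
# Writes CONF_DIR/NAME.cfg with mode 600, listing PATH for CageFS.
write_cagefs_cfg() {
    name=$1
    path=$2
    conf_dir=${3:-/etc/cagefs/conf.d}

    # NAME becomes a file name and a section header: restrict its characters.
    case $name in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid name: $name" >&2; return 2 ;;
    esac

    # Require an absolute path, as printed by `which`.
    case $path in
        /*) ;;
        *) echo "path must be absolute: $path" >&2; return 2 ;;
    esac

    # Follow symlinks so the checks apply to the file PATH finally points to.
    real=$(readlink -f -- "$path") || return 3
    if [ ! -f "$real" ] || [ ! -x "$real" ]; then
        echo "not an executable regular file: $path" >&2; return 3
    fi

    # A binary that group or other can rewrite would be handed to every
    # caged user, so refuse it until its permissions are fixed.
    if [ -n "$(find "$real" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "refusing group/world-writable binary: $real" >&2
        return 4
    fi

    # Create the file as 600 from the start instead of chmod-ing it later.
    (
        umask 077
        printf '[%s]\ncomment=%s\npaths=%s\n' "$name" "$name" "$path" \
            > "$conf_dir/$name.cfg"
    )
}

# Usage (as root), followed by Step 3 from the article:
#   write_cagefs_cfg ffmpeg /usr/local/bin/ffmpeg && cagefsctl --force-update
```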