Allow Access to Additional Commands for CageFS Users
CageFS is a feature of CloudLinux that helps to isolate users in a shared environment. This is especially useful in shared hosting environments where hundreds of customers could be housed on a single server. To prevent a single customer from affecting the security or performance of the other tenants, CageFS isolates users, only allowing them to see their own data and restricting them to specific executables.
We often need to allow users to access executables that CageFS does not allow by default. There are a couple of ways to accomplish this depending on how the executable was installed.
Instructions
Add an RPM to CageFS
If the command was installed via a package manager (such as YUM), we can use cagefsctl to add the package to CageFS.
1. Add the package to CageFS using the cagefsctl --addrpm command.
   sudo cagefsctl --addrpm rsync
2. Force a CageFS update.
   sudo cagefsctl --force-update
   Copying /usr/local/bin/ffmpeg to /usr/share/cagefs-skeleton/usr/local/bin/ffmpeg
3. (Optional) To confirm that the package was installed in CageFS, we can grep the output of cagefsctl --list-rpm.
   sudo cagefsctl --list-rpm | grep -i rsync
   rsync
Add a Path to CageFS
If the command was not installed via a package manager, then we will need to add the command path to the binutils.cfg file.
1. Find the full path of the command using the which command.
   sudo which ffmpeg
   /usr/local/bin/ffmpeg
2. Create a new file in the /etc/cagefs/conf.d/ directory that contains the command path we obtained in Step 1.
   - Create the file and set the permissions.
     sudo vi /etc/cagefs/conf.d/ffmpeg.cfg
     sudo chmod 600 /etc/cagefs/conf.d/ffmpeg.cfg
   - Edit the file and add the path to the command along with relevant details.
     [ffmpeg]
     comment=ffmpeg
     paths=/usr/local/bin/ffmpeg
3. Force a CageFS update.
   sudo cagefsctl --force-update
   Copying /usr/local/bin/ffmpeg to /usr/share/cagefs-skeleton/usr/local/bin/ffmpeg
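The "Add a Path to CageFS" steps as one shell function that checks the binary before writing its conf.d entry. This is an added example, not CloudLinux's own tooling; the function name cagefs_add_path, its optional CONF_DIR argument and the refusal of setuid/setgid or world-writable binaries are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: write /etc/cagefs/conf.d/NAME.cfg for one executable.
# Usage: cagefs_add_path NAME /full/path/to/binary [CONF_DIR]
# CONF_DIR is a parameter of this example (for dry runs in a scratch dir).
cagefs_add_path() {
    local name="$1" bin="$2" conf_dir="${3:-/etc/cagefs/conf.d}"
    local cfg="$conf_dir/$name.cfg"

    # NAME becomes a section header and a file name: keep it conservative.
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid name: $name" >&2; return 2 ;;
    esac
    # Require the full path (the output of `which`), not a bare command name.
    case "$bin" in
        /*) ;;
        *) echo "not an absolute path: $bin" >&2; return 2 ;;
    esac
    if [ ! -f "$bin" ] || [ ! -x "$bin" ]; then
        echo "not an executable file: $bin" >&2; return 3
    fi
    # Policy assumed by this example (not a CageFS rule): do not expose
    # setuid/setgid or world-writable binaries to caged users.
    if [ -u "$bin" ] || [ -g "$bin" ]; then
        echo "refusing setuid/setgid binary: $bin" >&2; return 4
    fi
    if [ -n "$(find -L "$bin" -perm -0002)" ]; then
        echo "refusing world-writable binary: $bin" >&2; return 4
    fi
    # Never overwrite an existing entry silently.
    if [ -e "$cfg" ]; then
        echo "already exists: $cfg" >&2; return 5
    fi
    # Create the file as 600 from the start, then write the three-line section.
    ( umask 077
      printf '[%s]\ncomment=%s\npaths=%s\n' "$name" "$name" "$bin" > "$cfg"
    ) || return 1
    chmod 600 "$cfg"
    echo "$cfg"
}
```

After the file is written, run sudo cagefsctl --force-update as in the final step so the binary is copied into the skeleton.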