Differences

This shows you the differences between two versions of the page.

--- litespeed_wiki:securelve_how_to [2011/02/24 22:48]
127.0.0.1 external edit
+++ — (current)
@@ Line 1: / Line 1: @@
-====== Setup and work with CloudLinux SecureLVE ======
-===== Preamble =====
-In this article, we show how to install SecureLVE (cloudlinux) and enable SecureLVE in LiteSpeed Web Server.
-Detailed installation instructions are at http://www.cloudlinux.com/docs/securelve.php?sphrase_id=7323
-===== CloudLinux SecureLVE =====
-SecureLVE is a new security extension of CloudLinux. It virtualizes file system for end user, making sure that user can see only its own files.  It works across shell, CGI and cronjobs. This should prevent user from seeing other users on the server, as well as seeing their files.
-==== 1. Installation ====
-To install SecureLVE, run:
-<code># yum install securelve
-# securelve_init</code>
-* securelve_init can take a long time to run, and will stress out filesystem. Run it at off-peak time
-That will install securelve package, as well as create skeleton directory with all the files that will be visible to end user. This are the files like perl, php, etc...
-To complete the installation, update httpd & cronjob servers:
-<code># yum update httpd cronjob</code>
-* This might vary from control panel to control panel
-==== 2. Maintaining latest files in SecureLVE skeleton ====
-SecureLVE uses provides limited set of files available to end users. To update those files after you made some updates to the system, run:
-<code># securelve_update</code>
-If the changes were major or you added new software, re-run:
-<code># securelve_init</code>
-==== 3. Working with SecureLVE ====
-To add user to SecureLVE type:
-<code># securelve_user <username></code>
-To remove user from SecureLVE type:
-<code># securelve_user -u <username></code>
-securelve_user options
-<code>
- -s | --shell= shell   : set shell inside jail (/bin/sh default)
- -u | --unjail         : unjail user
- -w | --unmount        : unmount user
- -c | --change         : used with -s, updates shell for end user
-</code>
-====== Enable SecureLVE in LiteSpeed Web Server(LSWS) ======
-Since version 4.0.20, LSWS supports SecureLVE.  Once enabled, user's web host (vhost) will be chrooted/jailed in SecureLVE.
-==== 1. Enable SecureLVE in LSWS ====
-To enable in LSWS, go to Admin Console -> Configuration -> Server -> Enable LVE => SecureLVE.
-==== 2. Add mount point to /etc/container/securelve.mp ====
-<code># echo "/usr/local/lsws" >> /etc/container/securelve.mp</code>
-==== 3. Update securelve ====
-<code># securelve_update</code>
-==== 4. To add user (test1) to SecureLVE ====
-<code># securelve_user test1</code>
-==== 5. Verify SecureLVE setup ====
-=== 5.1 Jailed user only sees its own files in shell ===
-<code>
-[root@plesk10test ~]# su - test1
-sh-3.2$ cat /etc/passwd
-smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
-root:x:0:0:root:/root:/bin/bash
-test1:x:10001:504::/var/www/vhosts/test1.com:/bin/sh
-</code>
-=== 5.2 Jailed user also sees files under mount point ===
-<code>
-sh-3.2$ ls -l /usr/local/lsws/fcgi-bin/
-total 20160
--r-xr-xr-x 1 root root     4691 Feb 15 18:10 RailsRunner.rb
--r-xr-xr-x 1 root root     1095 Feb 15 18:10 RailsRunner.rb.2.3
--r-xr-xr-x 1 root root     3317 Feb 15 16:42 lsperld.fpl
--r-xr-xr-x 1 root root  2268816 Feb 15 16:42 lsphp
--rwxr-xr-x 1 root root 18326580 Feb 15 20:24 lsphp-5.3.4
-lrwxrwxrwx 1 root root        7 Feb 15 16:42 lsphp4 -> ./lsphp
-lrwxrwxrwx 1 root root       11 Feb 15 20:24 lsphp5 -> lsphp-5.3.4
-</code>
-=== 5.3 Once SecureLVE enabled in LSWS, virtual host is jailed ===
-Create a test file under document root as follows:
-<code>
-sh-3.2$ cat test.php
-<?php
-$passwd=`cat /etc/passwd`;
-echo "<pre>$passwd</pre>", "\n";
-?>
-</code>
-point brower to http://test1.example.com/test.php should see following (i.e. user's own /etc/passwd visible to the jailed vhost)
-<code>
-smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
-root:x:0:0:root:/root:/bin/bash
-test1:x:10001:504::/var/www/vhosts/test1.com:/bin/sh
-</code>
-==== 6. Build a new lsphp ====
-compile new php version(e.g. 5.2.14) in LSWS web admin console as normal. After complete, the new changes are as follows:
-<code>
-[root@plesk10test ~]# ls -l /usr/local/lsws/fcgi-bin
-total 31836
--r-xr-xr-x 1 root root     4691 Feb 15 18:10 RailsRunner.rb
--r-xr-xr-x 1 root root     1095 Feb 15 18:10 RailsRunner.rb.2.3
--r-xr-xr-x 1 root root     3317 Feb 15 16:42 lsperld.fpl
--r-xr-xr-x 1 root root  2268816 Feb 15 16:42 lsphp
--rwxr-xr-x 1 root root 11938479 Feb 23 21:41 lsphp-5.2.14
--rwxr-xr-x 1 root root 18326580 Feb 15 20:24 lsphp-5.3.4
-lrwxrwxrwx 1 root root        7 Feb 15 16:42 lsphp4 -> ./lsphp
-lrwxrwxrwx 1 root root       12 Feb 23 21:41 lsphp5 -> lsphp-5.2.14
-[root@plesk10test ~]#
-</code>
-==== 7. check in securelve (*NO NEED* to umount/remount user. The new builds show up automatically) ====
-=== 7.1 changes under mount point are seen by jailed user without remount the user. ===
-<code>
-[root@plesk10test ~]# su - test1
-sh-3.2$ ls -l /usr/local/lsws/fcgi-bin
-total 31836
--r-xr-xr-x 1 root root     4691 Feb 15 18:10 RailsRunner.rb
--r-xr-xr-x 1 root root     1095 Feb 15 18:10 RailsRunner.rb.2.3
--r-xr-xr-x 1 root root     3317 Feb 15 16:42 lsperld.fpl
--r-xr-xr-x 1 root root  2268816 Feb 15 16:42 lsphp
--rwxr-xr-x 1 root root 11938479 Feb 23 21:41 lsphp-5.2.14
--rwxr-xr-x 1 root root 18326580 Feb 15 20:24 lsphp-5.3.4
-lrwxrwxrwx 1 root root        7 Feb 15 16:42 lsphp4 -> ./lsphp
-lrwxrwxrwx 1 root root       12 Feb 23 21:41 lsphp5 -> lsphp-5.2.14
-sh-3.2$
-</code>