This is an old revision of the document!

Setup and work with CloudLinux SecureLVE

Preamble

In this article, we show how to install SecureLVE (cloudlinux) and enable SecureLVE in LiteSpeed Web Server.

Detailed installation instructions are at http://www.cloudlinux.com/docs/securelve.php?sphrase_id=7323

CloudLinux SecureLVE

SecureLVE is a new security extension of CloudLinux. It virtualizes file system for end user, making sure that user can see only its own files. It works across shell, CGI and cronjobs. This should prevent user from seeing other users on the server, as well as seeing their files.

1. Installation

To install SecureLVE, run: 

# yum install securelve
# securelve_init

* securelve_init can take a long time to run, and will stress out filesystem. Run it at off-peak time

That will install securelve package, as well as create skeleton directory with all the files that will be visible to end user. This are the files like perl, php, etc…

To complete the installation, update httpd & cronjob servers: 

# yum update httpd cronjob

* This might vary from control panel to control panel

2. Maintaining latest files in SecureLVE skeleton

SecureLVE uses provides limited set of files available to end users. To update those files after you made some updates to the system, run: 

# securelve_update

If the changes were major or you added new software, re-run: 

# securelve_init

3. Working with SecureLVE

To add user to SecureLVE type: 

# securelve_user <username>

To remove user from SecureLVE type: 

# securelve_user -u <username>

securelve_user options 

 -s | --shell= shell   : set shell inside jail (/bin/sh default)
 -u | --unjail         : unjail user
 -w | --unmount        : unmount user
 -c | --change         : used with -s, updates shell for end user

Enable SecureLVE in LiteSpeed Web Server(LSWS)

Since version 4.0.20, LSWS supports SecureLVE. Once enabled, user's web host (vhost) will be chrooted/jailed in SecureLVE.

1. Enable SecureLVE in LSWS

To enable in LSWS, go to Admin Console → Configuration → Server → Enable LVE ⇒ SecureLVE.

2. Add mount point to /etc/container/securelve.mp

# echo "/usr/local/lsws" >> /etc/container/securelve.mp

3. Update securelve

# securelve_update

4. To add user (test1) to SecureLVE

# securelve_user test1

5. Verify SecureLVE setup

5.1 Jailed user only sees its own files in shell

[root@plesk10test ~]# su - test1
sh-3.2$ cat /etc/passwd
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
test1:x:10001:504::/var/www/vhosts/test1.com:/bin/sh

5.2 Jailed user also sees files under mount point

sh-3.2$ ls -l /usr/local/lsws/fcgi-bin/
total 20160
-r-xr-xr-x 1 root root     4691 Feb 15 18:10 RailsRunner.rb
-r-xr-xr-x 1 root root     1095 Feb 15 18:10 RailsRunner.rb.2.3
-r-xr-xr-x 1 root root     3317 Feb 15 16:42 lsperld.fpl
-r-xr-xr-x 1 root root  2268816 Feb 15 16:42 lsphp
-rwxr-xr-x 1 root root 18326580 Feb 15 20:24 lsphp-5.3.4
lrwxrwxrwx 1 root root        7 Feb 15 16:42 lsphp4 -> ./lsphp
lrwxrwxrwx 1 root root       11 Feb 15 20:24 lsphp5 -> lsphp-5.3.4

5.3 Once SecureLVE enabled in LSWS, virtual host is jailed

Create a test file under document root as follows: 

sh-3.2$ cat test.php
<?php
$passwd=`cat /etc/passwd`;
echo "<pre>$passwd</pre>", "\n";
?>

point brower to http://test1.example.com/test.php should see following (i.e. user's own /etc/passwd visible to the jailed vhost) 

smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
test1:x:10001:504::/var/www/vhosts/test1.com:/bin/sh

6. Build a new lsphp

compile new php version(e.g. 5.2.14) in LSWS web admin console as normal. After complete, the new changes are as follows: 

[root@plesk10test ~]# ls -l /usr/local/lsws/fcgi-bin
total 31836
-r-xr-xr-x 1 root root     4691 Feb 15 18:10 RailsRunner.rb
-r-xr-xr-x 1 root root     1095 Feb 15 18:10 RailsRunner.rb.2.3
-r-xr-xr-x 1 root root     3317 Feb 15 16:42 lsperld.fpl
-r-xr-xr-x 1 root root  2268816 Feb 15 16:42 lsphp
-rwxr-xr-x 1 root root 11938479 Feb 23 21:41 lsphp-5.2.14
-rwxr-xr-x 1 root root 18326580 Feb 15 20:24 lsphp-5.3.4
lrwxrwxrwx 1 root root        7 Feb 15 16:42 lsphp4 -> ./lsphp
lrwxrwxrwx 1 root root       12 Feb 23 21:41 lsphp5 -> lsphp-5.2.14
[root@plesk10test ~]#

7. check in securelve (*NO NEED* to umount/remount user. The new builds show up automatically)

7.1 changes under mount point are seen by jailed user without remount the user.

[root@plesk10test ~]# su - test1
sh-3.2$ ls -l /usr/local/lsws/fcgi-bin
total 31836
-r-xr-xr-x 1 root root     4691 Feb 15 18:10 RailsRunner.rb
-r-xr-xr-x 1 root root     1095 Feb 15 18:10 RailsRunner.rb.2.3
-r-xr-xr-x 1 root root     3317 Feb 15 16:42 lsperld.fpl
-r-xr-xr-x 1 root root  2268816 Feb 15 16:42 lsphp
-rwxr-xr-x 1 root root 11938479 Feb 23 21:41 lsphp-5.2.14
-rwxr-xr-x 1 root root 18326580 Feb 15 20:24 lsphp-5.3.4
lrwxrwxrwx 1 root root        7 Feb 15 16:42 lsphp4 -> ./lsphp
lrwxrwxrwx 1 root root       12 Feb 23 21:41 lsphp5 -> lsphp-5.2.14
sh-3.2$
  • Admin
  • Last modified: 2015/07/31 18:54
  • by Michael Alegre