SecureLVE is a new security extension of CloudLinux. It virtualizes the file system for the end user, making sure that a user can see only its own files. It works across shell, CGI and cron jobs. This prevents a user from seeing other users on the server, as well as their files.
To install SecureLVE, run:
# yum install securelve
# securelve_init
* securelve_init can take a long time to run and will put heavy load on the file system. Run it at an off-peak time.
That installs the securelve package and creates a skeleton directory with all the files that will be visible to the end user. These are files such as perl, php, etc.
To complete the installation, update httpd & cronjob servers:
# yum update httpd cronjob
* This might vary from control panel to control panel
SecureLVE provides a limited set of files to end users. To update those files after you have made changes to the system, run:
# securelve_update
If the changes were major or you added new software, re-run:
# securelve_init
To add a user to SecureLVE, type:
# securelve_user <username>
To remove a user from SecureLVE, type:
# securelve_user -u <username>
securelve_user options:
-s | --shell=shell : set shell inside jail (default /bin/sh)
-u | --unjail : unjail user
-w | --unmount : unmount user
-c | --change : used with -s, updates shell for end user
Since version 4.0.20, LSWS supports SecureLVE. Once enabled, user’s web host (vhost) will be chrooted/jailed in SecureLVE.
To enable it in LSWS, go to Admin Console → Configuration → Server → Enable LVE ⇒ SecureLVE, then run:
# echo "/usr/local/lsws" >> /etc/container/securelve.mp
[root@plesk10test ~]# su - test1
sh-3.2$ cat /etc/passwd
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
test1:x:10001:504::/var/www/vhosts/test1.com:/bin/sh
sh-3.2$ ls -l /usr/local/lsws/fcgi-bin/
total 20160
-r-xr-xr-x 1 root root 4691 Feb 15 18:10 RailsRunner.rb
-r-xr-xr-x 1 root root 1095 Feb 15 18:10 RailsRunner.rb.2.3
-r-xr-xr-x 1 root root 3317 Feb 15 16:42 lsperld.fpl
-r-xr-xr-x 1 root root 2268816 Feb 15 16:42 lsphp
-rwxr-xr-x 1 root root 18326580 Feb 15 20:24 lsphp-5.3.4
lrwxrwxrwx 1 root root 7 Feb 15 16:42 lsphp4 -> ./lsphp
lrwxrwxrwx 1 root root 11 Feb 15 20:24 lsphp5 -> lsphp-5.3.4
Create a test file under document root as follows:
sh-3.2$ cat test.php
<?php
$passwd=`cat /etc/passwd`;
echo "<pre>$passwd</pre>", "\n";
?>
Point a browser to http://test1.example.com/test.php; it should show the following (i.e. the jailed vhost sees the user's own /etc/passwd):
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
test1:x:10001:504::/var/www/vhosts/test1.com:/bin/sh
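To check the jail from a script rather than by eye, here is an added example (not part of the SecureLVE or LSWS documentation) that audits the /etc/passwd a jailed user sees and reports any other hosting account that is visible. It assumes UIDs of 500 and above mark regular hosting accounts, and the passwd lines it uses are constructed.

```shell
#!/bin/sh
# Added example: audit the /etc/passwd visible to a SecureLVE-jailed user.
# Assumption: UID >= 500 marks regular (hosting) accounts, as on RHEL/CloudLinux 5.

# list_leaked_users <jailed_user> <passwd_file>
# Prints one username per line for every account with UID >= 500 that is not
# the jailed user itself. Inside a working SecureLVE jail this prints nothing.
list_leaked_users() {
    jailed="$1"; passwd_file="$2"
    awk -F: -v me="$jailed" -v uid_min=500 \
        '$3 >= uid_min && $1 != me && $1 != "nfsnobody" { print $1 }' "$passwd_file"
}

# check_jail <jailed_user> <passwd_file>
# Returns 0 when the user sees no other hosting accounts, 1 otherwise.
check_jail() {
    leaks=$(list_leaked_users "$1" "$2")
    if [ -n "$leaks" ]; then
        echo "user $1 can see other accounts: $(echo "$leaks" | tr '\n' ' ')"
        return 1
    fi
    echo "user $1 sees only its own account"
    return 0
}

# Constructed samples: what test1 sees inside the jail (as in the session above)
# versus an unjailed view that also exposes a second hosting account (test2).
JAILED_VIEW=$(mktemp); UNJAILED_VIEW=$(mktemp)
cat > "$JAILED_VIEW" <<'EOF'
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
test1:x:10001:504::/var/www/vhosts/test1.com:/bin/sh
EOF
cat > "$UNJAILED_VIEW" <<'EOF'
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
test1:x:10001:504::/var/www/vhosts/test1.com:/bin/sh
test2:x:10002:505::/var/www/vhosts/test2.com:/bin/sh
EOF

# On a live server feed it the real view instead, e.g. the output of:
#   su - test1 -c 'cat /etc/passwd' > /tmp/test1_passwd
check_jail test1 "$JAILED_VIEW"              # exit 0: only test1 visible
check_jail test1 "$UNJAILED_VIEW" || true    # exit 1: reports test2
rm -f "$JAILED_VIEW" "$UNJAILED_VIEW"
```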
Compile a new PHP version (e.g. 5.2.14) in the LSWS web admin console as normal. After it completes, the changes are as follows:
[root@plesk10test ~]# ls -l /usr/local/lsws/fcgi-bin
total 31836
-r-xr-xr-x 1 root root 4691 Feb 15 18:10 RailsRunner.rb
-r-xr-xr-x 1 root root 1095 Feb 15 18:10 RailsRunner.rb.2.3
-r-xr-xr-x 1 root root 3317 Feb 15 16:42 lsperld.fpl
-r-xr-xr-x 1 root root 2268816 Feb 15 16:42 lsphp
-rwxr-xr-x 1 root root 11938479 Feb 23 21:41 lsphp-5.2.14
-rwxr-xr-x 1 root root 18326580 Feb 15 20:24 lsphp-5.3.4
lrwxrwxrwx 1 root root 7 Feb 15 16:42 lsphp4 -> ./lsphp
lrwxrwxrwx 1 root root 12 Feb 23 21:41 lsphp5 -> lsphp-5.2.14
[root@plesk10test ~]#
[root@plesk10test ~]# su - test1
sh-3.2$ ls -l /usr/local/lsws/fcgi-bin
total 31836
-r-xr-xr-x 1 root root 4691 Feb 15 18:10 RailsRunner.rb
-r-xr-xr-x 1 root root 1095 Feb 15 18:10 RailsRunner.rb.2.3
-r-xr-xr-x 1 root root 3317 Feb 15 16:42 lsperld.fpl
-r-xr-xr-x 1 root root 2268816 Feb 15 16:42 lsphp
-rwxr-xr-x 1 root root 11938479 Feb 23 21:41 lsphp-5.2.14
-rwxr-xr-x 1 root root 18326580 Feb 15 20:24 lsphp-5.3.4
lrwxrwxrwx 1 root root 7 Feb 15 16:42 lsphp4 -> ./lsphp
lrwxrwxrwx 1 root root 12 Feb 23 21:41 lsphp5 -> lsphp-5.2.14
sh-3.2$