Executing By Proxy

Navigation:  CageFS > Configuration >

Executing By Proxy

Previous pageReturn to chapter overviewNext page

Some software has to run outside CageFS to be able to complete its job. This includes such programs as passwd, sendmail, etc.

 

CloudLInux uses proxyexec technology to accomplish this goal. You can define any program to run outside CageFS, by specifying it in /etc/cagefs/custom.proxy.commands file. Do not edit existing /etc/cagefs/proxy.commands as it will be overwritten with next CageFS update.

 

Once program is defined, run this command to populate the skeleton:

 

$ cagefsctl --update

 

All the cPanel scripts located in /usr/local/cpanel/cgi-sys/ that user might need to execute should be added to proxy.commands.

 

Users with duplicate UIDs

 

The syntax of /etc/cagefs/*.proxy.commands files is as follows:

 

ALIAS:wrapper_name=username:path_to_executable

 

Obligatory parameters are ALIAS and path_to_executable.

 

ALIAS - any name which is unique within all /etc/cagefs/*.proxy.commands files;

 

wrapper_name - the name of wrapper file, which is used as a replacement for executable file path_to_executable inside CageFS. Wrapper files are located in /usr/share/cagefs/safeprograms. If wrapper name is not specified, then default wrapper /usr/share/cagefs/safeprograms/cagefs.proxy.program is used. Also, a reserved word “noproceed” can be used, it will intend that wrapper is not in use (installed before) - applied for the commands with several ALIAS, as in the example below.

 

username - the name of a user on whose behalf path_to_executable will run in the real system. If username is not specified, then path_to_executable will run on behalf the same user that is inside CageFS.

 

path_to_executable - the path to executable file executed via proxyexec.

 

Example of a simple command executed via proxyexec:

 

SENDMAIL=/usr/sbin/sendmail

 

Example of crontab command execution with custom wrapper under root (privilege escalation). The command uses two ALIAS, that is why in the second line “noproceed” is specified instead of wrapper name.

 

CRONTAB_LIST:cagefs.proxy.crontab=root:/usr/bin/crontab

CRONTAB_SAVE:noproceed=root:/usr/bin/crontab

 

Sometimes hosters may have users with non unique UIDs. Thus proxyexec may traverse users directory to find a specific one. That behavior turns into inappropriate if users directory is not cached locally (for example LDAP is in use).

 

To turn this feature off:

 

touch /etc/cagefs/proxy.disable.duid

 

Or to activate it back:

 

rm /etc/cagefs/proxy.disable.duid