Some software has to run outside CageFS to be able to complete its job. This includes such programs as passwd, sendmail, etc.
CloudLInux uses proxyexec technology to accomplish this goal. You can define any program to run outside CageFS, by specifying it in /etc/cagefs/custom.proxy.commands file. Do not edit existing /etc/cagefs/proxy.commands as it will be overwritten with next CageFS update.
Once program is defined, run this command to populate the skeleton:
$ cagefsctl --update
All the cPanel scripts located in /usr/local/cpanel/cgi-sys/ that user might need to execute should be added to proxy.commandsv.
Users with duplicate UIDs
The syntax of /etc/cagefs/*.proxy.commands files is as follows:
Obligatory parameters are ALIAS and path_to_executable.
• ALIAS - any name which is unique within all /etc/cagefs/*.proxy.commands files;
• wrapper_name - the name of wrapper file, which is used as a replacement for executable file path_to_executable inside CageFS. Wrapper files are located in /usr/share/cagefs/safeprograms. If wrapper name is not specified, then default wrapper /usr/share/cagefs/safeprograms/cagefs.proxy.program is used. Also, a reserved word “noproceed” can be used, it will intend that wrapper is not in use (installed before) - applied for the commands with several ALIAS, as in the example below.
• username - the name of a user on whose behalf path_to_executable will run in the real system. If username is not specified, then path_to_executable will run on behalf the same user that is inside CageFS.
• path_to_executable - the path to executable file which will run via proxyexec.
Example of a simple command executed via proxyexec:
Example of crontab command execution with custom wrapper under root (privilege escalation). The command uses two ALIAS, that is why in the second line “noproceed” is specified instead of wrapper name.
Sometimes hosters may have users with non unique UIDs. Thus, proxyexec may traverse users directory to find a specific one. That behavior turns into inappropriate if users directory is not cached locally (for example LDAP is in use).
To turn this feature off:
Or to activate it back: