How to Enable New CloakFS Features


Upgrade BetterLinux to latest version 1.1.5-1 or newer:

Run this:

    yum --disableexcludes=all upgrade betterlinux\*

Then run this to regenerate the configuration files. (Warning: this will overwrite the existing BetterLinux configuration files. Move any changes you want to retain to a custom.conf file.)

    /etc/betterlinux/cpanel/bl-cphooks --init

Then reboot your system.


Enable new cloak_file and block_suid features:

After installing or upgrading to the 1.1.5-1 release, you can enable two new CloakFS features: "cloak_file" and "block_suid".

cPanel server steps:

    vim /etc/betterlinux/cpud.conf.d/cpanel.conf

Find the lines that start with:

    #cloak_file

Remove the "#" symbol:

    cloak_file

Then find the line that starts with:

    #block_suid

Remove the "#" symbol:

    block_suid

Save the file and restart cpud and cloakfs:

    service cpud restart
    service cloakfs restart

Reverse the process to disable the features.
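The uncomment-and-reverse steps above as a script, added here as an example and not part of BetterLinux. It assumes the feature lines begin exactly with #cloak_file or #block_suid as described; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not BetterLinux code): toggle the cloak_file and block_suid
# lines in a cpud .conf file by removing or restoring the leading "#".

# set_cloakfs_features enable|disable CONF
# Saves the previous file as CONF.bak and prints how many lines changed.
set_cloakfs_features() {
    mode=$1
    conf=$2
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    case $mode in
        enable)  from='#' to='' ;;
        disable) from='' to='#' ;;
        *) echo "usage: set_cloakfs_features enable|disable CONF" >&2; return 2 ;;
    esac
    # Count lines still in the old state, so a repeated run reports 0.
    changed=$(grep -c -e "^${from}cloak_file" -e "^${from}block_suid" "$conf" || true)
    cp -p "$conf" "$conf.bak" || return 1
    # Write back into the existing file so its owner and mode stay unchanged.
    sed -e "s/^${from}cloak_file/${to}cloak_file/" \
        -e "s/^${from}block_suid/${to}block_suid/" "$conf.bak" > "$conf" || return 1
    echo "$changed"
}

# active_cloakfs_features CONF: print the feature lines currently in effect.
active_cloakfs_features() {
    grep -E '^(cloak_file|block_suid)' "$1" || true
}

# Demo on a constructed sample; the real file named in this article is
# /etc/betterlinux/cpud.conf.d/cpanel.conf, whose exact contents are assumed.
demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# constructed sample, modelled on the lines shown in this article
#cloak_file file=/etc/passwd cloak_with_program=/etc/betterlinux/bin/etc_passwd_handler cloak_file_from_group=ExampleGroup_Level1
#cloak_file file=/var/log cloak_with_program=/etc/betterlinux/bin/var_log_handler cloak_file_from_group=ExampleGroup_Level1
#block_suid group=ExampleGroup_Level1
EOF
    echo "enabled:  $(set_cloakfs_features enable "$sample") line(s)"
    active_cloakfs_features "$sample"
    echo "disabled: $(set_cloakfs_features disable "$sample") line(s)"
    rm -f "$sample" "$sample.bak"
}
demo
# On the real file, follow a change with: service cpud restart; service cloakfs restart
```

Reviewing the output of active_cloakfs_features before restarting cpud and cloakfs confirms which lines will take effect, and CONF.bak holds the previous state if the change needs to be rolled back.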

The cloak_file lines will block users from seeing /etc/passwd, /etc/named.conf, and /var/log. The block_suid line will block root suid programs from running as users listed in the group= argument. The programs= argument contains a list of programs that are allowed to run. You can view this list in /etc/betterlinux/cpanel/block-suid-exceptions. Please add or remove any programs to customize it for your business needs and then restart cpud and cloakfs:

    service cpud restart
    service cloakfs restart

Stock Linux steps:

"cloak_file" is a parameter that lets you hide /etc/passwd, /etc/named.conf, and /var/log using pre-installed scripts. You can also write your own scripts to hide any other file or directory.


In your custom .conf file, add the following parameters with their included value settings, substituting ExampleGroup_Level1, etc., with your own BetterLinux group names. If you are just beginning, see the BetterLinux documentation for information on creating BetterLinux groups and where to find and how to use .conf files.



Add only the parameter and its values to your .conf file.

Hide /etc/passwd: (note: the password file cloaking is incompatible with nscd (name service cache daemon).)

    cloak_file file=/etc/passwd cloak_with_program=/etc/betterlinux/bin/etc_passwd_handler cloak_file_from_group=ExampleGroup_Level1,ExampleGroup_Level2

Hide /etc/named.conf:

    cloak_file file=/etc/named.conf cloak_with_program=/etc/betterlinux/bin/etc_named_conf_handler cloak_file_from_group=ExampleGroup_Level1,ExampleGroup_Level2

Hide /var/log:

    cloak_file file=/var/log cloak_with_program=/etc/betterlinux/bin/var_log_handler cloak_file_from_group=ExampleGroup_Level1,ExampleGroup_Level2

As stated above, using the same format, you can write your own scripts for hiding other files and directories.

"block_suid" is a parameter that uses groups defined in groups.conf to prevent users from running programs flagged as SUID root.

In your custom .conf file, add the following parameter with its included value settings, substituting ExampleGroup_Level1, etc., with your own BetterLinux group names: 

    block_suid group=ExampleGroup_Level1,ExampleGroup_Level2

Programs that users in the group are allowed to run can also be specified. Read the block_suid section under CloakFS & Security for more information.






Copyright © 2011 BetterLinux.com. All rights reserved.