|
Configure SUID protection:
SUID protection will run by default in future CloakFS versions.
For cPanel users (and for other panels as they are added), BetterLinux groups will be automatically created for you based on your various packages. These groups will then be automatically used in conjunction with the block_suid parameter as follows: (NOTE: the block_suid parameter is found in this file: /etc/betterlinux/cpud.conf.d/cpanel.conf)
block_suid group=[your_group_name,and_another]
White list:
You can also add a white list of programs you don't want to block by creating a program group. Here's an example:
block_suid restricts named users from being able to run programs flagged as SUID root. It uses groups defined here:
groups.conf (for stock install)
cpanel-groups.conf (for cPanel install)
In these same .conf files, you can set which programs users can run. For example, users may need to run the passwd program. In groups.conf (stock) or cpanel-groups.conf (cPanel), specify as follows:
prog prog_group1 /usr/bin/passwd
Then add the prog_group1 group name to cpanel-allusers.conf (both of which are found in /etc/betterlinux/cpud.conf.d) using the example syntax below:
block_suid group=user_group1,user_group2 program=prog_group1 # [Default = NONE]
Then restart cpud.
In the example above, users in user_group1 and user_group2 are restricted from all programs flagged SUID root except the programs (passwd, defined in the prog_group1 programs.
|
