Skip to content

I suggest you ...

← General

Do not add non-existing users to CageFS excludes (CageFS bypass)

CloudLinux by default installs /etc/cagefs/exclude/systemuserlist with usernames that do not exist in system. If client buys account named like one of those usernames (e.g. varnish) or reseller creates user named like one of those usernames, then that user will be outside CageFS with access to full user list and files outside CageFS. Tested on CloudLinux+DirectAdmin system. Task CAG-940. I was sent here from #64992.

First 3 ways to bypass CageFS reported by us were fixed by You, now security@cloudlinux.com does not even answer (tried to report db_governor crash by unprivileged user from CageFS #64282) and You ask to publish 4th way to bypass CageFS here. What is going on?

9 votes
Vote

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Anonymous shared this idea  ·   ·  Report…  ·  Admin →
How important is this to you?

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Adam commented  ·   ·  Report

    And here i thought that CloudLinux is Quality Software.

  • M commented  ·   ·  Report

    Nice catch Zerg2k. Let us know how many $$$$ from bugbounty you gonna get for this.

General

Categories

Feedback and Knowledge Base

(thinking…)