[Unionfs] unionfs for shared hosting - implementation ideas

konrad rzentarzewski konrad.rzentarzewski at artegence.com
Mon Feb 25 15:30:54 EST 2008 

hi unionfs,

we're using unionfs for - probably not common - shared hosting
environment. mainly for isolation and coherency. each virtual user's
chroot is built on union of common "skel" directory (where libraries
and binaries lie and which we update centrally) and his home directory
(where he can upload and run his php/cgi scripts).

this works pretty well and saves us maintenance nightmare (creating new
jail is just 1 line that goes to fstab), but we're moving into 2.0
version of our enviroment and so i want also to employ unionfs 2.2.

i'd like to add 2 specific features before moving it info production,
based on our observation of working system (2 years) and tightening
security. both are branch-based options.

first an illustration of how we work now with unionfs (fstab line):
	unionfs /home/vhosts/kondi.net unionfs \
	dirs=/home/vhosts/kondi.net=rw:/home/vhosts-skel=ro 0 0

first, it would be nice idea to be able to hide everything that jail is
composed of, so that user is only aware of existence of his home
directories and everything system-specific (etcs, libs, vars) is hidden,
that is: getdents() to lower branch returns -ENOENT. this may be tought
security by obscurity solution but i think that it's quite effective.

second, it should be possible to mark a branch as "noexec". basically i
allow user writes only in directories that exists on upper branch, and
store some system-specific binaries (ie. i give users ssh access with
ability to run some core system utils). given this, i'd like to let user
execute any binary that i've prepared for him, but keep him away from
ideas like uploading statically linked binaries to the box. this should
work equally good both with shell and his php/cgi scripts.

so, "updated" fstab line that mounts my user's jail should look somewhat
like:
	unionfs /home/vhosts/kondi.net unionfs \
	dirs=/home/vhosts/kondi.net=rw,noexec:/home/vhosts-skel=ro,hideout 0 0

please let me know if there will be some implementation issues before
i've started digging into code.

bonus question is: i've been already trying to apply 2.2.4 patch on
RHEL5 2.6.18 kernel. it has failed and i've failed to find a patch
suitable for this kernel on google. is there a ready patch for RHEL5
somewhere or i need to adjust it myself?

-- 
 konrad rzentarzewski -- sysadmin, Artegence sp. z o.o.

More information about the unionfs mailing list