From bef9cc3af791c9f24a1627c41ce9a0e28b481fa3 Mon Sep 17 00:00:00 2001 From: Andrei Zheregelia Date: Wed, 11 Feb 2026 13:35:46 -0500 Subject: [PATCH] CLOS-3846: Document cagefsctl --enable/disable-cagefs-no-dev-log commands Add the two new cagefsctl commands to the CLI reference table and update the CageFS Syslog section with usage instructions for the cagefs-no-dev-log feature flag. --- .../cloudlinux_os_components/README.md | 26 ++++++++++++++++--- .../cloudlinuxos/command-line_tools/README.md | 2 ++ 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/docs/cloudlinuxos/cloudlinux_os_components/README.md b/docs/cloudlinuxos/cloudlinux_os_components/README.md index a1a537e1b..b05ba2b5b 100644 --- a/docs/cloudlinuxos/cloudlinux_os_components/README.md +++ b/docs/cloudlinuxos/cloudlinux_os_components/README.md @@ -2919,17 +2919,35 @@ add `clean_user_php_sessions=false` line to _/etc/sys #### Syslog -By default, _/dev/log_ should be available inside end user's CageFS . This is needed so that user's cronjobs and other things that user _dev/log_ would get recorded in the system log files. +By default, _/dev/log_ should be available inside end user's CageFS . This is needed so that user's cronjobs and other things that use _/dev/log_ would get recorded in the system log files. + +##### Disabling /dev/log in CageFS + +When _/dev/log_ is available inside CageFS, jailed users can write arbitrary messages to the system log (e.g. via the `logger` binary or by writing to the socket directly), which may be used to insert or spoof log entries. To prevent this, disable _/dev/log_ inside CageFS using the `cagefs-no-dev-log` feature flag: -This is controlled using file _/etc/rsyslog.d/schroot.conf_ with the following content:
``` -$AddUnixListenSocket /usr/share/cagefs-skeleton/dev/log +cagefsctl --enable-cagefs-no-dev-log ```
-To remove presence of _dev/log_ inside CageFS, remove that file, and restart rsyslog service. +This command removes _/dev/log_ from the CageFS skeleton, updates the syslog configuration, and remounts all CageFS users. User processes inside CageFS will no longer be able to write to the system log via _/dev/log_ . + +To restore _/dev/log_ in CageFS: + +
+ +``` +cagefsctl --disable-cagefs-no-dev-log +``` +
+ +These commands automatically update the syslog configuration depending on the system setup: + +* **Legacy syslog** (systems with _/etc/sysconfig/syslog_ ): the `-a /usr/share/cagefs-skeleton/dev/log` option is removed from or added back to `SYSLOGD_OPTIONS` , and the syslog service is restarted. +* **rsyslog** (systems with _/etc/rsyslog.conf_ ): the drop-in config file _/etc/rsyslog.d/cagefs-syslog-socket.conf_ (containing `$AddUnixListenSocket /usr/share/cagefs-skeleton/dev/log` ) is deleted or recreated, and the rsyslog service is restarted. +* **systemd-journal** (systems where _/dev/log_ is a symlink to _/run/systemd/journal/dev-log_ ): the socket is mounted directly into the CageFS skeleton as a hardlink; no syslog or rsyslog configuration changes are needed. #### Excluding mount points diff --git a/docs/cloudlinuxos/command-line_tools/README.md b/docs/cloudlinuxos/command-line_tools/README.md index 1b18823a0..08c00dad6 100644 --- a/docs/cloudlinuxos/command-line_tools/README.md +++ b/docs/cloudlinuxos/command-line_tools/README.md @@ -50,6 +50,8 @@ Options: | | --force-update |force update of CageFS (ignore period of update)| | | --force-update-etc |force update of _/etc_ directories for users in CageFS| | | --reconfigure-cagefs |configure CageFS integration with other software (control panels, database servers, etc)| +| | --enable-cagefs-no-dev-log |stop creating _/dev/log_ inside CageFS skeleton and remount all users (see [Syslog](/cloudlinuxos/cloudlinux_os_components/#syslog))| +| | --disable-cagefs-no-dev-log |restore _/dev/log_ inside CageFS skeleton and remount all users (see [Syslog](/cloudlinuxos/cloudlinux_os_components/#syslog))| Use the following syntax to manage users: `/usr/sbin/cagefsctl [OPTIONS] username [more usernames]`
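Review bot: in the first hunk (the Syslog section of cloudlinux_os_components/README.md) the removed paragraph tells admins that `/dev/log` is controlled by `/etc/rsyslog.d/schroot.conf`, while the new rsyslog bullet says `--enable-cagefs-no-dev-log` deletes `/etc/rsyslog.d/cagefs-syslog-socket.conf`. Servers set up under the old instructions will still carry `schroot.conf` with `$AddUnixListenSocket /usr/share/cagefs-skeleton/dev/log`, so unless the command also removes that file the listener stays active and the jailed users the new subsection warns about can keep writing to the system log. Either state that the command handles the legacy file as well, or add a sentence telling admins to delete `schroot.conf` and restart rsyslog before relying on the flag, and close the subsection with a verification step (check that `/usr/share/cagefs-skeleton/dev/log` is gone and that `logger` from a jailed user's shell no longer lands in the system log), since the security value of the flag depends on that outcome rather than on the command exiting cleanly. A smaller wording point: the systemd-journal bullet says the socket is "mounted directly into the CageFS skeleton as a hardlink", which mixes two different mechanisms; name the one cagefsctl actually uses.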
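Review bot: the two new rows in the `@@ -50,6 +50,8 @@` hunk of command-line_tools/README.md link to `#syslog`, the parent section, while the first hunk introduces a dedicated `##### Disabling /dev/log in CageFS` subsection; point the links at that subsection's anchor so the reader lands on the enable/disable instructions rather than at the top of the Syslog section. The row descriptions also omit the side effect the Syslog text documents for legacy syslog and rsyslog setups, namely that the syslog or rsyslog service is restarted; a restart of the log daemon on a production host is worth a few words in the table, e.g. "(restarts syslog/rsyslog where applicable)", so an admin scanning the CLI reference is not surprised by it.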