LiveConfig Account Container (LAC)

Note

This feature requires a LiveConfig Business license.

In shared hosting, a crucial security aspect is the isolation of websites from each other. Under no circumstances should it be possible to access the content of other users on the same server without authorization. The server’s resources (CPU, memory, I/O) should also be distributed fairly so that, for example, a defective script cannot slow down the entire server.

LiveConfig already creates all files and directories in such a way that the operating system prohibits unauthorized access based on the file system permissions. Configuration files are also normally not readable by users, so that they cannot indirectly obtain information about the server from them. Nevertheless, access cannot be restricted for all files: the well-known /etc/passwd, for example, is required by the operating system and must always be readable by everyone.

LiveConfig v3 introduces a completely new, additional protection mechanism for shared hosting servers: the LiveConfig Account Container (LAC). Accounts are organized into individual “containers”, which offers the following advantages, among others:

  • complete filtering of the file system (e.g. no more /boot/, /sbin/ and /usr/sbin/ directories)

  • filtered system files (e.g. /etc/passwd only contains information about the current account)

  • separate /tmp/ directory per account

  • generally only own processes visible in the process list

  • own virtual network interface per account (no externally accessible services possible by default)

  • own loopback interface (127.0.0.1) per account (no resource conflicts, e.g. with NodeJS applications on 127.0.0.1:8080)

  • resource limitation of CPU, RAM and I/O via CGroups possible

  • no overhead at runtime (no separate service required per container)

LiveConfig uses only technologies that have been available in the standard Linux kernel for several years:

  • no kernel patches or proprietary drivers required

  • works with any distribution supported by LiveConfig (.rpm and .deb based, e.g. Rocky Linux, Ubuntu and Debian)

From a technical point of view, the LiveConfig Account Container can be thought of as a kind of Docker container - only much more lightweight and optimized for the intended purpose.

Requirements

  • LiveConfig Business license on the affected web server

  • Linux distribution supported by LiveConfig 3

  • systemd & PAM service with systemd module (pam-systemd)

Restrictions:

  • currently doesn’t work with PHP-FPM, only FastCGI supported

  • can initially only be activated per account, not in templates

  • the Apache suexec tool is replaced by a slightly modified version

Usage

Install the lac package (included in the LiveConfig repository).

LiveConfig automatically recognizes whether LAC is available on the respective server. If so, this is displayed under Server administration -> (Select server) -> Web:

(Screenshot: LiveConfig Account Containers available)

The network range from which LiveConfig randomly generates the IP addresses for the individual containers is also displayed. The IPv4 network used, 100.64.0.0/10, is the “Carrier Grade NAT” network (RFC 6264) and should therefore not collide with the IP addresses of the server itself.

You can then activate LAC when creating a new account or editing an existing account:

(Screenshot: Enable LAC for an account)

Note that PHP execution is automatically switched to FastCGI here (PHP-FPM is not yet technically supported).

After a few seconds, the affected account will then run within a LAC container. Deactivating LAC works in exactly the same way: clear the checkbox, save, done.
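Once an account has been switched to LAC, an administrator will usually want to confirm from inside the container that the isolation properties listed above (filtered /etc/passwd, hidden system directories, separate /tmp, process visibility, a container address from 100.64.0.0/10) are actually in effect. The following POSIX shell script is an added example for that purpose; it is not part of LiveConfig or the lac package. It only reads files the account can see anyway, and assumes nothing about lacctl or lac.conf; the directory list (/boot, /sbin, /usr/sbin) and the address range are taken from this page, the per-check helper functions are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example (not LiveConfig code): isolation checks to run from a shell
# inside a LAC account, e.g. via SSH as the account user.
# Helper functions return 0 when the property holds, so they can be scripted;
# "report" prints a PASS/FAIL/WARN line per property.

# 0 if the dotted-quad IPv4 address $1 lies in 100.64.0.0/10
# (the range LiveConfig draws container addresses from).
in_cgnat_range() {
    first=${1%%.*}
    rest=${1#*.}
    second=${rest%%.*}
    [ "$first" -eq 100 ] && [ "$second" -ge 64 ] && [ "$second" -le 127 ]
}

# 0 if the passwd file $1 contains exactly one entry and it belongs to user $2
passwd_filtered() {
    [ "$(grep -c '' "$1")" -eq 1 ] && grep -q "^$2:" "$1"
}

# 0 if none of the given paths exist (hidden by the container's mount namespace)
dirs_hidden() {
    for d in "$@"; do
        [ -e "$d" ] && return 1
    done
    return 0
}

# 0 if /tmp is its own mount point in this mount namespace (indicative only:
# some distributions mount a tmpfs on /tmp even without LAC)
tmp_is_own_mount() {
    awk '$2 == "/tmp" { found = 1 } END { exit !found }' /proc/self/mounts
}

# Prints the number of visible processes owned by a different uid.
# The page says "generally" only own processes are visible, so this is
# reported as INFO rather than judged.
foreign_process_count() {
    my_uid=$(id -u); n=0
    for p in /proc/[0-9]*; do
        uid=$(awk '/^Uid:/ { print $2; exit }' "$p/status" 2>/dev/null) || continue
        [ -n "$uid" ] && [ "$uid" -ne "$my_uid" ] && n=$((n + 1))
    done
    echo "$n"
}

report() {
    user=$(id -un)
    if passwd_filtered /etc/passwd "$user"; then echo "PASS: /etc/passwd only lists $user"
    else echo "FAIL: /etc/passwd lists other accounts"; fi
    if dirs_hidden /boot /sbin /usr/sbin; then echo "PASS: /boot, /sbin and /usr/sbin are hidden"
    else echo "FAIL: system directories are visible"; fi
    if tmp_is_own_mount; then echo "PASS: /tmp is a separate mount"
    else echo "WARN: /tmp is not a separate mount point"; fi
    echo "INFO: processes of other users visible: $(foreign_process_count)"
    # Every non-loopback IPv4 address should come from the container range.
    for ip in $(ip -4 -o addr show 2>/dev/null | awk '{ print $4 }' | cut -d/ -f1); do
        if [ "$ip" = "127.0.0.1" ]; then echo "INFO: loopback $ip"
        elif in_cgnat_range "$ip"; then echo "PASS: container address $ip is in 100.64.0.0/10"
        else echo "WARN: address $ip is outside 100.64.0.0/10 (host address visible?)"; fi
    done
}

case "${1:-}" in
    report) report ;;
esac
```

Run it as `sh lac-check.sh report` inside the account; a FAIL line for /etc/passwd or the system directories means the account is still running outside a container (for example because LAC was not saved, or the lac package is not installed on that server), and a WARN for a host address is worth a second look at the server's interface configuration.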

lacctl

The LiveConfig Account Containers are managed with the tool lacctl. You can configure the list of filtered, hidden or emptied directories in /etc/liveconfig/lac.conf.