At least now I know what it takes to be noticed by LWN :)
My name is Igor Seletskiy and I am CEO of CloudLinux.
First of all let me start by apologizing to kernel & Linux communities. What happened was internal company miscommunication. Source RPMs for the modules are available from our source repositories. http://repo.cloudlinux.com/cloudlinux/
Just in case -- I am not trying to say that it I told my guys to deploy it to source repository all along. I was just sure that we are not using GPL symbols in the module - as the issue of licensing and using GPL symbols was discussed a few times internally.
Now, if you don't mind -- let me respond to few questions raised by the article:
1. Everyone who uses our module also uses our kernel. Our kernel is slightly modified version of OpenVZ kernel. The mainstream kernel just doesn't have everything that we need.
2. We don't compete with OpenVZ/V-Server -- our client base is shared hosting providers - not VPS/cloud/etc.... Think of a server with 500 to 5,000 clients on it, each having a few websites. We did implement new "flavor" of linux containers specific for this case. No rocket science here -- just serving a need of specific market niche
3. Our revenue is not based on support, while we do provide 24/7 support, our clients are very technical -- and usually don't need it. Our revenue is from the software licensing / features that we provide.
4. Our marketing might look like total BS if you think about generic use of server. If you think of shared hosting, where you have hundreds of users that you only know by credit card number they provided, running code that was never vetted on your server -- and making sure that one will not bring down the whole server for everyone else -- you will see how it might help. It actually quite effective, and we have 8000+ servers licensed for that reason. I know it is a tiny number, but the market is small, and this is all paying customers.
5. Yes, we heard about FollowSymLinks. The problem is that user1, who might turn out a hacker would just do this:
ln -s ~user2/public_html/config.php read1.html
ln -s ~user2/pbulic_html/configure.php read2.html
And then read them -- often hitting config files for wordpress and other apps.
FollowSymLinksIfOwnerMatch is no help as well, as it can be overwritten via .htaccess
There are patches for apache to prevent that - but there is a race condition that circumvents that protection anyway -- so it doesn't really help.
Anyway, we did solve that part, but what we didn't solve was part of reading directory info via something like:
ln -s /etc/valiases 1.html
And that would give user all the domains on the server.
We decided it would be easier for us at that moment to add .htaccess to some places, and protect /proc & other directories via kernel module.
Please, note that many things went into decision, including:
a) A believe that we needed solution soon
b) The complexity of pushing changes to apache (as it is controlled by control panel vendors -- and it really takes time until they include our patch)
Was it a best solution - defiantly not. We knew that, but we didn't go for the best - we were going for something that we could do in short term, and that would provide protection against that particular type of attacks.
6. I don't know why we chose to do it via module instead of creating another filesystem. Maybe it would be better solution.
7. SELinux -- FUNNY :)
Once again -- my apologies to anyone who felt offended.