
UNIX user namespacing

What is UNIX user namespacing, and why is it the default?

This article explains what namespacing is, the two effects it has, and the one case in which you may want to opt out.


What it is

By default, Cyberfusion runs each UNIX user — and each FPM pool — inside its own Linux namespace. A namespace is an isolated execution environment: processes inside it see a restricted view of the system.

Namespacing has two distinct effects, and both are relied on across Cyberfusion:

  1. Per-user PHP and Node.js versions — the user's selected default version is always what runs.
  2. Protection against Local Privilege Escalation — SUID binaries don't work, which blocks most LPE exploits.

Per-user PHP and Node.js versions

Inside a namespaced UNIX user, calls to php or node always run the version set as the default for that UNIX user.

To change the version used, update the default for the UNIX user:

How it works

On Linux, there is normally one system-wide default version of binaries such as php and node, which all users share. Cyberfusion uses the namespacing facilities to mount the UNIX user's selected default version over those default binaries.

As a result, the user's chosen default is always what gets invoked, regardless of how many other versions are installed on the cluster.

Protection against Local Privilege Escalation

Inside a namespace, SUID binaries (such as sudo) do not function. Attempting to use sudo simply fails.

This blocks Local Privilege Escalation (LPE) vulnerabilities, that is, bugs that let a regular user elevate to root. Most LPE exploits depend on a SUID binary to perform the escalation. With SUID binaries disabled, an exploit that depends on one cannot complete, even if the underlying bug is present.

Publicly known LPE exploits (Copy Fail, Dirty Frag, Fragnesia, and similar) do not work against namespaced UNIX users on Cyberfusion, regardless of patch state.
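
To confirm from inside a UNIX user's shell that SUID binaries are not honoured, the script below lists which kernel conditions for ignoring a setuid bit apply. It is an added example, not Cyberfusion's code. The page does not say which mechanism the platform uses, so the script checks three generic Linux conditions: no_new_privs is set, the mount is nosuid, or the file's owner has no mapping in the user namespace. The function names and the /usr/bin/sudo path are assumptions.

```shell
#!/bin/sh
# Added example: list the reasons the kernel would ignore a setuid bit.
# Every function reads a /proc-style file given as an argument, so the
# logic works on saved samples as well as on the live /proc/self files.

# Value of NoNewPrivs (0 or 1) from a /proc/<pid>/status-style file.
no_new_privs() {
    awk '$1 == "NoNewPrivs:" { print $2 }' "$1"
}

# Mount options of the mount holding path $2, from mountinfo-style file $1.
# The longest mount-point prefix wins; later entries shadow earlier ones.
mount_opts_for() {
    awk -v p="$2" '
        { mp = $5; pre = (mp == "/") ? "/" : mp "/" }
        (p == mp || index(p, pre) == 1) && length(mp) >= best {
            best = length(mp); opts = $6
        }
        END { print opts }' "$1"
}

# Succeeds if outer uid $2 has a mapping in uid_map-style file $1.
# Assumption: the namespace's parent is the initial user namespace.
uid_is_mapped() {
    awk -v u="$2" '$2 <= u && u < $2 + $3 { found = 1 }
                   END { exit !found }' "$1"
}

# Args: status mountinfo uid_map binary_path owner_uid.
# Prints the reasons setuid is ignored, or "honoured" if none applies.
suid_verdict() {
    reasons=""
    [ "$(no_new_privs "$1")" = "1" ] && reasons="$reasons no_new_privs"
    case ",$(mount_opts_for "$2" "$4")," in
        *,nosuid,*) reasons="$reasons nosuid" ;;
    esac
    uid_is_mapped "$3" "$5" || reasons="$reasons owner_unmapped"
    echo "${reasons:-honoured}" | sed 's/^ //'
}

# Live check. The sudo path is an assumption; sudo is root-owned (uid 0).
if [ -r /proc/self/mountinfo ]; then
    suid_verdict /proc/self/status /proc/self/mountinfo \
        /proc/self/uid_map /usr/bin/sudo 0
fi
```

A verdict of `honoured` for a user that should be namespaced means SUID binaries would run with elevated privileges there, which is the state the opt-out section describes.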

When to opt out

There is essentially one reason not to use namespacing: you need SUID binaries to work, typically because a legacy application depends on sudo or a similar SUID binary.

When namespacing is disabled, both effects above are lost:

  • Per-user versions — to approximate per-user defaults, Cyberfusion sets up shell aliases for php and node that point to the user's selected version. The aliases don't cover every case: they don't apply in non-interactive shells, in scripts that invoke the binary indirectly, or when the caller uses a full path. When the alias doesn't apply, the cluster's system-wide default version is used instead — which may not be the version you expected. To guarantee a specific version, call it by its full path. For example:

    /usr/bin/php7.4 /usr/bin/composer
    
  • LPE protection — SUID binaries function normally, so LPE exploits against unpatched bugs become possible.

Most projects do not need to opt out. Leave namespacing enabled unless a SUID-dependent legacy setup forces you to disable it.