SimuzoFS

Filesystem isolation system for secure user environments.

Overview

SimuzoFS provides filesystem isolation, creating a secure jail environment for each user. Users can only see and access their own files, preventing them from viewing or interfering with other users' data.

How It Works

  1. Jail Creation: Each user gets a private filesystem view
  2. PAM Integration: Authentication sets up jail context
  3. Path Restriction: LD_PRELOAD library intercepts file operations
  4. Command Execution: Commands run within the jail context

Components

simuzofs-ld.so

LD_PRELOAD library that restricts filesystem access.

LD_PRELOAD=/usr/local/simuzo/bin/simuzofs-ld.so <command>

pam_simuzofs.so

PAM module that sets up jail environment on login.

Jail Filesystem Structure

/var/simuzo/fs/
├── user1/
│   ├── root/
│   │   └── simuzofs/       # Persistent Volume (Physical Source)
│   │       ├── etc/
│   │       │   ├── passwd  # User-specific filtered passwd
│   │       │   └── group   # User-specific filtered group
│   │       └── var/log/    # User-specific logs
│   ├── etc/                # Bind-mounted (rbind) from skeleton
│   ├── usr/                # Bind-mounted (rbind) from skeleton
│   ├── home/               # Bind-mounted from host
│   └── tmp/                # Bind-mounted from host
├── user2/
│   └── ...
└── simuzofs/               # Global Skeleton Template

Configuration

SimuzoFS is configured via /usr/local/simuzo/conf/main.conf:

JAIL_HOME /var/simuzo/fs
DEBUG_LEVEL 3

Setting      Description
JAIL_HOME    Root directory for jail filesystems
DEBUG_LEVEL  Debug verbosity (0-3)

Enabling SimuzoFS

1) Enable in Settings

Go to Settings → Toggle SimuzoFS ON

2) Monitor Installation

Background task installs SimuzoFS system-wide and builds the common skeleton.

3) Enable for Users

Select users and click Enable simuzofs. This creates their persistent volume and configuration.

Managing Users

Enable SimuzoFS for User

  1. Go to Users
  2. Select the user
  3. Click Enable simuzofs
  4. Virtual hosts are rebuilt automatically to use the jailed environment.

Disable SimuzoFS for User

  1. Go to Users
  2. Select the user
  3. Click Disable simuzofs

Bulk Enable/Disable

Select multiple users with checkboxes, then choose the action.

CLI Management

# Install SimuzoFS components
simuzofs install

# Uninstall SimuzoFS components
simuzofs uninstall

# Add user to jail (and generate persistent volume)
simuzofs --enable --user=<username>

# Remove user from jail (removes configuration and jail)
simuzofs --disable --user=<username>

# Reinitialize SimuzoFS (Full System Rebuild)
# Kicks out active users, rebuilds skeleton, and migrates all user configs
simuzofs reinit

Advanced Architecture

Recursive Bind Mounts (rbind)

SimuzoFS uses rbind for /usr, /etc, and /opt. This ensures that nested system mount points (like /usr/libexec) are correctly propagated into each user's private namespace.

Persistent Volumes

User-specific sensitive files (like /etc/passwd) are stored physically in /var/simuzo/fs/<user>/root/simuzofs/. This path is then bind-mounted over the skeleton's files inside the jail namespace, ensuring data persistence across rebuilds.

PAM Integration

Simuzo automatically configures the necessary PAM modules during installation to manage user jail isolation upon login. The module pam_simuzofs.so is used to set up the jail environment for SSH, FTP, and other supported services.

Troubleshooting

User Cannot Access Files

  1. Check jail exists: ls /var/simuzo/fs/<user>/
  2. Verify PAM config in /etc/pam.d/ for these files: su, sshd, login, crond
  3. Check simuzofs-ld.so is in place: ls -la /usr/local/simuzo/bin/simuzofs-ld.so
  4. Review logs: /var/simuzo/logs/simuzofs.log
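
The four checks above combined into one script, added here as an example and not part of SimuzoFS itself. The path-prefix argument, the PAM test (an active line naming pam_simuzofs.so) and the writable-library check are assumptions.

```sh
#!/bin/sh
# Added example, not part of SimuzoFS: runs the "User Cannot Access Files"
# checks for one user. The second argument is an assumed path prefix so the
# checks can be pointed at a constructed test tree; leave it empty on a host.
simuzofs_check() {
    user=$1 root=${2:-} rc=0

    # Step 1: the user's jail directory exists.
    if [ -d "$root/var/simuzo/fs/$user" ]; then
        echo "ok:   jail /var/simuzo/fs/$user"
    else
        echo "FAIL: no jail at /var/simuzo/fs/$user"; rc=1
    fi

    # Step 2: each PAM service file that is present has an active
    # (non-comment) line naming pam_simuzofs.so. Assumption: this is what
    # "verify PAM config" means; absent service files are only reported.
    for svc in su sshd login crond; do
        f="$root/etc/pam.d/$svc"
        if [ ! -f "$f" ]; then
            echo "skip: /etc/pam.d/$svc not present"
        elif grep -v '^[[:space:]]*#' "$f" | grep -q 'pam_simuzofs\.so'; then
            echo "ok:   /etc/pam.d/$svc loads pam_simuzofs.so"
        else
            echo "FAIL: /etc/pam.d/$svc has no active pam_simuzofs.so line"; rc=1
        fi
    done

    # Step 3: the preload library is in place. Extra hardening check (an
    # assumption, not from the page): it must not be group- or world-writable,
    # since every jailed process loads it.
    lib="$root/usr/local/simuzo/bin/simuzofs-ld.so"
    if [ ! -f "$lib" ]; then
        echo "FAIL: simuzofs-ld.so missing"; rc=1
    elif [ -n "$(find -L "$lib" \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL: simuzofs-ld.so is group- or world-writable"; rc=1
    else
        echo "ok:   simuzofs-ld.so present, not group/world-writable"
    fi

    # Step 4: show the tail of the log for manual review.
    log="$root/var/simuzo/logs/simuzofs.log"
    [ -r "$log" ] && tail -n 5 "$log"
    return "$rc"
}

# Run only when a username is supplied: sh check.sh <username> [prefix]
if [ "$#" -ge 1 ]; then simuzofs_check "$@"; fi
```

The function returns non-zero if any check fails, so it can gate a provisioning or monitoring job.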

Jail Initialization Fails

  1. Check disk space: df -h /var/simuzo/fs
  2. Verify permissions on jail directory
  3. Check user exists: id <username>

Performance

SimuzoFS adds minimal overhead to file operations. Most users won't notice any performance impact.
