If you host your website on a shared server, your site lives alongside dozens or even hundreds of other accounts on the same physical machine. That arrangement keeps costs low, but it introduces a serious risk: what happens when another account on the server gets compromised? Without proper isolation, a single breached account can expose every other site on the server to malware, data theft, and downtime.
CloudLinux CageFS solves this problem by creating a virtualized, isolated file system for every user on the server. It is one of the most important security technologies in modern shared hosting, and understanding how it works will help you make smarter decisions about where you host your website.
What Is CloudLinux?
CloudLinux is a commercial Linux distribution designed specifically for shared hosting environments. Built on top of CentOS and RHEL, it adds a suite of tools that improve security, stability, and resource management on multi-tenant servers. Hosting providers deploy CloudLinux to ensure that one account's problems never cascade to other accounts on the same machine.
The CloudLinux kernel includes several proprietary technologies, but the three most important are:
- CageFS — a virtualized file system that isolates each user
- LVE (Lightweight Virtual Environment) — per-account resource limits for CPU, memory, I/O, and processes
- HardenedPHP — patched versions of older PHP releases that fix known security vulnerabilities
Together, these technologies transform a standard shared server into a hardened multi-tenant environment. MassiveGRID's high-availability cPanel hosting runs on CloudLinux to provide this level of protection to every hosting account.
How CageFS Works: The Technical Details
CageFS creates a virtual file system for each user that looks and feels like a full Linux environment but is actually a carefully controlled subset of the real server. When a user logs in via SSH, runs a PHP script, or executes a cron job, they see only their own files, a limited set of system binaries, and a restricted view of the operating system.
The Isolation Mechanism
Under the hood, CageFS uses a combination of mount namespaces and hard links to build a per-user root file system. Each user gets their own /etc, /tmp, /proc, and /var directories. The actual server file system is invisible to them. This means:
- Users cannot see other users' home directories
- Users cannot view the server's /etc/passwd file (they see a modified version containing only their own entry)
- Users cannot access server-wide temporary files in /tmp (each user gets a private /tmp)
- Users cannot see other users' processes in /proc
- Users cannot access system binaries that are not explicitly whitelisted
What CageFS Hides
A standard Linux server exposes a great deal of information to all users. Without CageFS, any user with shell access can see the full list of users on the server, discover which software is installed, read world-readable configuration files, and potentially exploit misconfigurations. CageFS eliminates these attack vectors by hiding:
- Other users — the /etc/passwd file is filtered to show only the current user and system accounts
- Server software — only whitelisted binaries appear in the user's path
- System configuration — sensitive files in /etc are either hidden or replaced with safe versions
- Server processes — the /proc filesystem is filtered to show only the user's own processes
- Temporary files — each user has an isolated /tmp directory that other users cannot access
Why CageFS Matters for Website Security
The isolation provided by CageFS addresses several real-world attack scenarios that affect shared hosting environments every day.
Preventing Cross-Account Attacks
In a traditional shared hosting setup without CageFS, an attacker who compromises one account can often escalate to other accounts. Common techniques include reading other users' configuration files to steal database credentials, placing backdoors in shared /tmp directories, or exploiting symlink vulnerabilities to read files outside the attacker's home directory.
CageFS blocks all of these techniques. Even if an attacker gains shell access to one account, they are trapped inside their cage with no visibility into other accounts or the server infrastructure.
Mitigating Symlink Attacks
Symlink attacks are one of the most common threats in shared hosting. An attacker creates a symbolic link from their account pointing to a file in another user's account, such as wp-config.php, which contains database credentials. On an unprotected server, the web server follows the symlink and serves the target file's contents.
CageFS prevents symlink attacks by ensuring that users cannot see or reference files outside their cage. Combined with Apache's symlink protection features, this creates a robust defense against this entire class of attacks.
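On a server that lacks CageFS, an administrator can still detect the symlink pattern described above before it is exploited. The script below is an added example written for this article (it is not CloudLinux or cPanel code): it walks a home directory and reports every symbolic link whose resolved target lies outside that home, which is exactly what a link to another account's wp-config.php looks like. The path argument and the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example: flag symlinks under an account's home directory that resolve to
# a target outside that home (or to nothing at all). Run from root-owned cron
# over /home/* to catch cross-account links on hosts without CageFS.
set -u

# escaping_symlinks HOME_DIR
# Prints "<link> -> <resolved target>" for every symlink below HOME_DIR whose
# canonical target is not inside HOME_DIR. Dangling links are reported as well,
# since a target that cannot be resolved cannot be vouched for either.
escaping_symlinks() {
  local home target link
  home=$(readlink -f -- "$1") || return 1
  find "$home" -type l | while IFS= read -r link; do
    if target=$(readlink -e -- "$link" 2>/dev/null); then
      case "$target" in
        "$home"/*|"$home") ;;                      # stays inside the home tree
        *) printf '%s -> %s\n' "$link" "$target" ;;
      esac
    else
      printf '%s -> (dangling)\n' "$link"
    fi
  done
}

# count_escaping_symlinks HOME_DIR
# Number of flagged links; 0 means the home directory is clean.
count_escaping_symlinks() {
  escaping_symlinks "$1" | wc -l | tr -d ' '
}

# Stand-alone use: scan the home directory given on the command line.
if [ "${1-}" != "" ]; then
  escaping_symlinks "$1"
fi
```

Relative links are resolved before the comparison, so ../index.php inside the same account is not flagged while ../../bob/wp-config.php is.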
Protecting Against Privilege Escalation
On shared servers, attackers sometimes exploit local vulnerabilities to escalate their privileges from a regular user to root. CageFS significantly reduces the attack surface by limiting the binaries and system calls available to each user. Even if a vulnerability exists in a system binary, users cannot access it if it has not been whitelisted in CageFS.
CageFS vs. Other Isolation Technologies
| Technology | Isolation Level | Performance Impact | Best For | cPanel Compatible |
|---|---|---|---|---|
| CageFS | File system level | Minimal (~1-2%) | Shared hosting | Yes (native) |
| Docker containers | Process + filesystem | Low (~3-5%) | Application deployment | No |
| KVM/QEMU VMs | Full hardware virtualization | Moderate (~5-15%) | VPS hosting | Yes (separate instances) |
| chroot | Basic filesystem | Minimal | Simple isolation | Manual setup |
| No isolation | None | None | Single-tenant servers | Yes |
CageFS strikes the ideal balance for shared hosting: it provides strong isolation with almost no performance penalty. Docker containers and virtual machines offer stronger isolation but are not designed for the shared hosting model where hundreds of users share a single cPanel server.
How CageFS Works with cPanel
CageFS integrates seamlessly with cPanel/WHM, which is why it has become the standard for secure shared hosting. When a server administrator enables CageFS, every cPanel account is automatically placed inside its own cage. No action is required from individual account holders.
From the user's perspective, nothing changes. You can still use cPanel's File Manager, access phpMyAdmin, run PHP scripts, connect via SSH (if enabled), and manage your email. The cage is invisible during normal operations — it only becomes apparent when someone tries to do something they should not, like accessing another user's files.
Hosting providers that combine CloudLinux with cPanel deliver the best of both worlds: an easy-to-use control panel with enterprise-grade security isolation. This is exactly the approach used by MassiveGRID's high-availability cPanel hosting, where every account benefits from CageFS protection, Imunify360 security, and resource isolation via LVE.
LVE: The Resource Isolation Companion to CageFS
While CageFS handles file system isolation, LVE (Lightweight Virtual Environment) handles resource isolation. Each cPanel account runs inside its own LVE with defined limits for:
- CPU — maximum CPU cores and usage percentage
- Memory — physical and virtual memory limits
- I/O — disk read/write throughput limits
- IOPS — disk operations per second limits
- Entry processes — maximum concurrent PHP/CGI processes
- Number of processes — total process count limit
LVE prevents the noisy neighbor problem where one account consumes so many resources that other accounts on the server suffer degraded performance. If your neighbor's WordPress site gets hit with a traffic spike or runs a poorly optimized plugin, their resource consumption is capped by their LVE limits, and your site continues running normally.
HardenedPHP: Securing Legacy PHP Applications
Many shared hosting accounts run older PHP applications that require PHP versions that have reached end-of-life and no longer receive security patches from the PHP project. HardenedPHP, another CloudLinux component, backports security fixes to these older PHP versions, keeping them safe even though they are no longer officially supported.
This matters because shared hosting environments often need to support a wide range of PHP versions to accommodate different applications. HardenedPHP ensures that running PHP 7.4 or even PHP 7.2 does not expose the server to known vulnerabilities.
How to Verify CageFS Is Active on Your Hosting Account
If you have SSH access to your hosting account, you can quickly check whether CageFS is active:
```bash
# Check if you're inside a CageFS environment
ls /etc/cagefs
# If CageFS is active, this directory exists

# Try to view other users
cat /etc/passwd
# If CageFS is active, you'll only see your own user and system accounts

# Check your tmp directory
ls -la /tmp
# If CageFS is active, you'll see an isolated tmp directory
```
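The three manual checks above can be combined into a single report. This is an added example written for this article, not a CloudLinux tool: it reads the same indicators (the /etc/cagefs directory, the number of ordinary accounts visible in /etc/passwd, and the contents of /tmp) and gives a caged/uncaged verdict. The ROOT argument defaults to / and exists only so the logic can be exercised against a constructed directory tree; the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example: one-shot CageFS report built from the checks in this section.
# ROOT is "" (the real /) in normal use; a constructed tree can be passed instead.
set -u

# cagefs_indicators [ROOT]
# Prints one name=value line per indicator:
#   cagefs_dir   yes/no - ROOT/etc/cagefs exists (the first check above)
#   passwd_users N      - /etc/passwd entries with an ordinary UID (1000..65533);
#                         inside a cage this is normally just your own account
#   tmp_entries  N      - entries in ROOT/tmp; a private /tmp is usually near-empty
cagefs_indicators() {
  local root=${1-} passwd users tmp
  passwd="$root/etc/passwd"
  if [ -d "$root/etc/cagefs" ]; then echo cagefs_dir=yes; else echo cagefs_dir=no; fi
  if [ -r "$passwd" ]; then
    users=$(awk -F: '$3 >= 1000 && $3 < 65534 { n++ } END { print n+0 }' "$passwd")
  else
    users=0
  fi
  echo "passwd_users=$users"
  tmp=$(ls -A "$root/tmp" 2>/dev/null | wc -l | tr -d ' ')
  echo "tmp_entries=$tmp"
}

# cagefs_verdict [ROOT]
# "caged" when the cagefs directory is present and at most one ordinary user is
# visible in passwd; "uncaged" otherwise. A passwd file listing many UID>=1000
# accounts is the clearest sign that nothing is being filtered.
cagefs_verdict() {
  local report dir users
  report=$(cagefs_indicators "${1-}")
  dir=$(printf '%s\n' "$report" | sed -n 's/^cagefs_dir=//p')
  users=$(printf '%s\n' "$report" | sed -n 's/^passwd_users=//p')
  if [ "$dir" = yes ] && [ "$users" -le 1 ]; then echo caged; else echo uncaged; fi
}

# Stand-alone use: ./cagefs-report.sh --report (checks the real /)
if [ "${1-}" = "--report" ]; then
  cagefs_indicators ""
  cagefs_verdict ""
fi
```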
If your hosting provider does not use CageFS, consider migrating to one that does. The security benefits are substantial, especially if your website handles customer data, processes transactions, or stores sensitive information.
Choosing a Host with CloudLinux CageFS
When evaluating hosting providers, look for those that explicitly advertise CloudLinux with CageFS. Not all shared hosting providers use CloudLinux — some run standard CentOS or AlmaLinux without any user isolation. Here is what to look for:
- CloudLinux OS — the server operating system should be CloudLinux, not standard CentOS/AlmaLinux/Ubuntu
- CageFS enabled — CloudLinux alone is not enough; CageFS must be enabled for all accounts
- LVE limits published — reputable hosts publish the resource limits (CPU, RAM, I/O) for each plan
- Imunify360 — the best CloudLinux hosts also run Imunify360 for AI-powered malware protection
- High availability architecture — combined with CageFS, HA hosting eliminates single points of failure for maximum uptime
MassiveGRID's high-availability cPanel hosting checks all of these boxes and adds high-availability infrastructure powered by Tier III+ data centers.
Frequently Asked Questions
Does CageFS slow down my website?
No. CageFS has a negligible performance impact, typically less than 1-2%. The isolation is implemented at the kernel level using efficient mount namespace operations. Your PHP scripts, databases, and web server processes run at full speed. In fact, CageFS can improve performance indirectly by preventing other users' compromised accounts from consuming excess server resources.
Can I disable CageFS on my hosting account?
CageFS is controlled by the server administrator, not individual account holders. Most hosting providers enable CageFS for all accounts and do not allow individual users to disable it, since doing so would compromise the security of the entire server. If you have a specific compatibility issue, contact your host's support team.
Does CageFS protect against all types of attacks?
CageFS protects against cross-account attacks, symlink exploits, information disclosure, and local privilege escalation attempts. However, it does not protect against attacks that target your application directly, such as SQL injection, cross-site scripting (XSS), or brute-force login attempts. For application-level protection, you need a web application firewall (WAF) and proper security hardening.
Is CageFS the same as a VPS or container?
No. CageFS is lighter than both VPS and container isolation. A VPS provides a complete virtual machine with its own kernel, while containers (like Docker) provide process-level isolation with a shared kernel. CageFS provides file system-level isolation on a shared server — it restricts what files and processes a user can see without the overhead of running separate operating system instances. This makes it ideal for shared hosting where hundreds of users coexist on one server.
Do I need to configure CageFS myself?
No. CageFS is configured and managed entirely by the hosting provider at the server level. As a hosting customer, you do not need to install, configure, or maintain CageFS. Simply choose a hosting provider that uses CloudLinux with CageFS enabled, and you automatically benefit from the isolation it provides.