Security

Zero-Trust Hosting: How 5-Layer Isolation Protects Your Customers (And What It Cannot Do Alone)

March 14, 2026

Security March 14, 2026

Shared hosting was built on a dangerous assumption: users can be trusted not to interfere with each other. A single Linux server, shared /tmp directory, shared PHP processes, shared everything. If one user's site is compromised, every other user on that server is exposed.

This model worked in 2005 when hosting customers were mostly hobbyists running personal blogs. It does not work in 2026 when servers host e-commerce platforms processing payments, SaaS applications handling sensitive data, and business-critical infrastructure that cannot tolerate cross-user contamination.

Zero-trust hosting means assuming every user's environment will eventually be compromised — and building isolation so thorough that a breach in one account cannot reach any other.

The Trust Problem in Traditional Hosting
Panelica's Five-Layer Isolation Model
Layer 1: Cgroups v2 — Resource Containment
Layer 2: Linux Namespaces — Process and Filesystem Isolation
Layer 3: SSH Chroot Jails — Restricted Shell Access
Layer 4: PHP-FPM Per-User Pools — Application Sandboxing
Layer 5: Unix Permissions — The Foundation
What Isolation Cannot Do (And What You Must)

1. The Trust Problem in Traditional Hosting

On a standard shared hosting server, here is what User B can do if User A's account is compromised:

┌─────────────────────────────────────────────────────────────────┐ │ TRADITIONAL SHARED HOSTING — THE TRUST PROBLEM │ │ │ │ User A (compromised) │ │ │ │ │ ├── Read /tmp/ ──── Find User B's session files │ │ │ (PHP session data, DB credentials) │ │ │ │ │ ├── Read /etc/passwd ── Enumerate all users on server │ │ │ │ │ ├── Read /proc/ ──── See all running processes │ │ │ (including User B's PHP workers) │ │ │ │ │ ├── Shared PHP ──── Same PHP binary, same extensions │ │ │ Symlink attacks possible │ │ │ │ │ ├── Fork bomb ──── No PID limits → crash entire server │ │ │ │ │ ├── RAM exhaust ── No memory limits → OOM kills │ │ │ random processes (maybe User B's DB) │ │ │ │ │ └── Disk fill ──── No quota enforcement in many setups │ │ → server runs out of disk space │ │ │ │ Result: ONE compromised user = ALL users at risk │ │ │ └─────────────────────────────────────────────────────────────────┘

Traditional panels solve this partially with add-ons. cPanel relies on CloudLinux CageFS (additional license required). Plesk has basic chroot. Most open-source panels have no isolation at all.

Panelica solves it with five independent layers that work together, enabled by default, at no additional cost.

2. Panelica's Five-Layer Isolation Model

┌─────────────────────────────────────────────────────────────────┐ │ THE FIVE-LAYER ISOLATION MODEL │ │ │ │ ┌─────────────────────────────────────────────────────┐ │ │ │ Layer 5: UNIX PERMISSIONS │ │ │ │ Home dirs 700 | UID/GID per user | sudo writes │ │ │ │ │ │ │ │ ┌─────────────────────────────────────────────┐ │ │ │ │ │ Layer 4: PHP-FPM SANDBOXING │ │ │ │ │ │ Per-user, per-version pools │ │ │ │ │ │ open_basedir | disable_functions │ │ │ │ │ │ │ │ │ │ │ │ ┌─────────────────────────────────────┐ │ │ │ │ │ │ │ Layer 3: SSH CHROOT JAIL │ │ │ │ │ │ │ │ Restricted filesystem view │ │ │ │ │ │ │ │ SFTP-only or bash+chroot │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ┌─────────────────────────────┐ │ │ │ │ │ │ │ │ │ Layer 2: NAMESPACES │ │ │ │ │ │ │ │ │ │ PID isolation │ │ │ │ │ │ │ │ │ │ Mount isolation │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ┌───────────────────┐ │ │ │ │ │ │ │ │ │ │ │ Layer 1: │ │ │ │ │ │ │ │ │ │ │ │ CGROUPS v2 │ │ │ │ │ │ │ │ │ │ │ │ CPU | RAM | I/O │ │ │ │ │ │ │ │ │ │ │ │ PIDs | Bandwidth │ │ │ │ │ │ │ │ │ │ │ └───────────────────┘ │ │ │ │ │ │ │ │ │ └─────────────────────────────┘ │ │ │ │ │ │ │ └─────────────────────────────────────┘ │ │ │ │ │ └─────────────────────────────────────────────┘ │ │ │ └─────────────────────────────────────────────────────┘ │ │ │ │ Each layer is independent. If one fails, four remain. │ │ │ └─────────────────────────────────────────────────────────────────┘

3. Layer 1: Cgroups v2 — Resource Containment

Cgroups v2 (control groups version 2) is a Linux kernel feature that limits, accounts for, and isolates resource usage. Panelica creates a dedicated cgroup slice for every user account.

/sys/fs/cgroup/panelica.slice/ └── panelica-user.slice/ ├── panelica-user-john.slice/ │ ├── cpu.max → "200000 100000" (2 CPU cores) │ ├── memory.max → "4294967296" (4 GB RAM) │ ├── io.max → "8:0 rbps=104857600 wbps=52428800" │ ├── pids.max → "512" (max processes) │ └── (all PHP-FPM, SSH, cron, Docker processes) │ ├── panelica-user-jane.slice/ │ ├── cpu.max → "100000 100000" (1 CPU core) │ ├── memory.max → "2147483648" (2 GB RAM) │ └── ... │ └── panelica-user-bob.slice/ └── ...

Scenario: The Cryptocurrency Miner

Without Cgroups: A compromised PHP script runs a cryptocurrency miner. It consumes 100% of all CPU cores. Every site on the server slows to a crawl. The admin gets 50 angry support tickets before identifying the rogue process. Other users' databases time out. Revenue is lost.

With Panelica Cgroups v2: The miner runs — but only within the compromised user's 2-core allocation. The other 6 cores remain available for other users. No other site is affected. The admin notices the user's CPU graph flatlined at 100% during routine monitoring and investigates. Other users never knew anything happened.

4. Layer 2: Linux Namespaces — Process and Filesystem Isolation

Namespaces are a Linux kernel feature that creates isolated views of system resources. Panelica uses PID namespaces and Mount namespaces for every user.

PID Namespace: User A cannot see User B's processes. ps aux shows only their own processes. No process enumeration. No killing other users' processes.
Mount Namespace: User A's filesystem view is limited to their own directories. Sensitive system paths are not visible. /proc is filtered to show only the user's own PIDs.

Scenario: Process Enumeration Attack

Without Namespaces: An attacker on the server runs ps aux | grep mysql and sees MySQL processes with command-line arguments — potentially including database names, socket paths, and configuration details. They run ls /home/ and see every username on the server. Social engineering or targeted attacks become trivial.

With Panelica Namespaces: ps aux returns only the attacker's own processes. ls /home/ shows only their own home directory. They cannot enumerate users, discover services, or gather intelligence for lateral movement. From their perspective, they are the only user on the server.

5. Layer 3: SSH Chroot Jails — Restricted Shell Access

When users need SSH or SFTP access, Panelica provides two jail modes:

SFTP-Only Jail

User can only transfer files via SFTP. No shell access. No command execution. The user sees only their own home directory. This is the safest option for clients who only need to upload files.

Full Bash + Chroot Jail

User gets a full bash shell, but chrooted to a restricted filesystem. They can run commands, but cannot access paths outside their jail. System binaries are provided via bind mounts — read-only.

┌─────────────────────────────────────────────────────────────────┐ │ CHROOT JAIL STRUCTURE │ │ │ │ What the user sees: What actually exists: │ │ │ │ / /opt/panelica/var/chroot/john/ │ │ ├── home/ ├── home/ │ │ │ └── john/ │ └── john/ (bind mount) │ │ │ ├── public_html/ │ └── → /home/john/ │ │ │ └── .ssh/ │ │ │ ├── bin/ (read-only) ├── bin/ (bind mount, ro) │ │ ├── lib/ (read-only) ├── lib/ (bind mount, ro) │ │ ├── usr/ (read-only) ├── usr/ (bind mount, ro) │ │ └── tmp/ (private) └── tmp/ (private tmpfs) │ │ │ │ The user sees a complete Linux filesystem — │ │ but it is a carefully constructed illusion. │ │ They cannot escape their jail. │ │ │ └─────────────────────────────────────────────────────────────────┘

6. Layer 4: PHP-FPM Per-User Pools — Application Sandboxing

Most PHP security breaches happen through web applications — WordPress plugins, custom PHP scripts, file upload vulnerabilities. Layer 4 ensures that even when PHP code is compromised, the damage is contained.

Panelica creates a dedicated PHP-FPM pool for every user, for every PHP version they use:

┌─────────────────────────────────────────────────────────────────┐ │ PHP-FPM ISOLATION (Per-User, Per-Version) │ │ │ │ User: john │ │ ├── PHP 8.4 Pool │ │ │ ├── Process owner: john:john (not www-data!) │ │ │ ├── open_basedir: /home/john/:/tmp/ │ │ │ ├── disable_functions: exec,system,passthru,shell_exec, │ │ │ │ proc_open,popen,curl_multi_exec │ │ │ ├── Socket: /opt/panelica/var/run/php-fpm-8.4-john.sock │ │ │ └── Cgroup: panelica-user-john.slice │ │ │ │ │ └── PHP 8.2 Pool (legacy app) │ │ ├── Process owner: john:john │ │ ├── open_basedir: /home/john/:/tmp/ │ │ └── Separate config, separate processes │ │ │ │ User: jane │ │ └── PHP 8.4 Pool │ │ ├── Process owner: jane:jane │ │ ├── open_basedir: /home/jane/:/tmp/ │ │ └── Socket: /opt/panelica/var/run/php-fpm-8.4-jane.sock │ │ │ │ John's PHP process CANNOT: │ │ ✗ Read jane's files (open_basedir) │ │ ✗ Execute system commands (disable_functions) │ │ ✗ Access john's DB via jane's credentials (process owner) │ │ ✗ Exceed CPU/RAM limits (cgroup inheritance) │ │ │ └─────────────────────────────────────────────────────────────────┘

Scenario: The File Upload Web Shell

Without per-user PHP-FPM: A web shell uploaded to User A's WordPress runs as www-data — the same user that runs all PHP on the server. The shell can read /home/userB/public_html/wp-config.php, accessing User B's database credentials. The attacker pivots from one compromised site to every site on the server.

With Panelica per-user PHP-FPM: The web shell runs as john:john, not www-data. open_basedir restricts file access to /home/john/. disable_functions prevents exec() and system(). Even if the attacker has code execution, they are sandboxed inside John's environment with no way to reach Jane's files, Bob's database, or the system's configuration.

7. Layer 5: Unix Permissions — The Foundation

The simplest layer is also the most important. Every user account in Panelica gets:

Unique UID/GID: Each user has a dedicated system user with a unique numeric ID. No shared groups.
Home directory 700: drwx------ — only the owner can read, write, or enter. Other users cannot even list the directory contents.
Secure file creation: The panel writes configuration files through WriteFileAsUserSudo() — the Go backend writes to a temp file as root, then chowns it to the user. No race conditions. No permission gaps.

Aspect Traditional Panel Panelica Home directory permissions Often 755 (world-readable) Always 700 (owner-only) PHP process owner www-data (shared) Per-user UID (isolated) /tmp directory Shared /tmp (session theft) Private /tmp per user (namespace) Config file writing Often as root, chown after Atomic write + chown (no race condition) Group membership Users share groups (e.g., www-data) Each user has unique primary group

8. What Isolation Cannot Do (And What You Must)

Five layers of isolation are comprehensive. They are not omnipotent. Here is what isolation does not cover:

Application Logic Flaws

If a WordPress plugin sends customer data to an attacker's server via an HTTP request, isolation does not prevent it. The request originates from within the user's legitimate sandbox. Your job: Vet plugins before installing. Monitor outbound traffic.

Credential Compromise

If a user's panel password is "password123", isolation does not help — the attacker logs in as the user with full permissions within that user's scope. Your job: Enforce strong passwords and 2FA.

Data Exfiltration Within Scope

A compromised account can exfiltrate all data within its own scope — its own databases, files, and emails. Isolation prevents cross-user damage, not within-user damage. Your job: Minimize data stored on the server. Encrypt sensitive fields.

Social Engineering

No amount of technical isolation prevents a user from being tricked into giving away their credentials or installing malicious software. Your job: Educate your users. Provide security awareness resources.

Isolation is the safety net, not the tightrope walker's skill. It catches you when you fall — but you still need to know how to walk. We build the strongest net we can. You bring the balance. — Panelica Engineering Team

┌─────────────────────────────────────────────────────────────────┐ │ │ │ ISOLATION + ADMINISTRATION = SECURITY │ │ │ │ ┌────────────────────────┐ ┌────────────────────────┐ │ │ │ PANELICA DOES │ │ ADMIN MUST DO │ │ │ │ (Automated) │ │ (Manual/Policy) │ │ │ ├────────────────────────┤ ├────────────────────────┤ │ │ │ ✓ Cgroups v2 per user │ │ ✓ Define resource plans│ │ │ │ ✓ PID/Mount namespaces │ │ ✓ Monitor usage graphs │ │ │ │ ✓ SSH chroot jails │ │ ✓ Review SSH key access│ │ │ │ ✓ PHP-FPM isolation │ │ ✓ Audit PHP functions │ │ │ │ ✓ Unix 700 permissions │ │ ✓ Enforce password pol.│ │ │ │ ✓ WAF + fail2ban │ │ ✓ Review firewall rules│ │ │ │ ✓ Audit logging │ │ ✓ Read the logs │ │ │ │ ✓ Backup automation │ │ ✓ Test the backups │ │ │ │ ✓ AI security scanning │ │ ✓ Act on the findings │ │ │ └────────────────────────┘ └────────────────────────┘ │ │ │ │ Neither column alone is sufficient. │ │ Together, they create defense in depth. │ │ │ └─────────────────────────────────────────────────────────────────┘

Zero-trust hosting is not about distrusting your users. It is about acknowledging reality: breaches happen, plugins have vulnerabilities, passwords get leaked, and humans make mistakes. The question is not "will something go wrong?" but "when it does, how much damage will it cause?"

With five independent isolation layers, the answer is: damage contained to a single user. With an attentive administrator, even that damage is caught and remediated quickly.

Five Layers of Isolation. Zero Extra Cost.

Every Panelica installation includes full 5-layer isolation by default. No add-ons. No premium tiers. No third-party dependencies.

Explore Panelica Isolation

Panelica — because "trust but verify" should be "isolate and verify."

The Complete Guide to Cloudflare Management in Panelica: DNS, Firewall, Cache, Email, Analytics — Everything in One Panel

Mar 14, 2026