
# -*- coding: utf-8 -*-

# CLSETUP python lib

#
# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2019 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENSE.TXT

# Classes:
#
# Kernel
# check min kernel for securelinks

# Setup:
#
# setup apache gid for securelinks
# setup nagios

import grp
import os
import pwd
import subprocess
import sys

import cldetectlib
from cl_proc_hidepid import remount_proc
from clcommon.sysctl import SYSCTL_CL_CONF_FILE, SysCtlConf


# Kernel Version Class
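class KernelVersion:
    """Detect the running kernel's lve version and gate the securelinks feature.

    The release string is read from ``uname -r`` once, at construction time.
    On a kernel whose release contains ``lve`` the dotted lve version is kept
    in ``_system_kernel`` as a list of strings; on any other kernel
    ``_cl_kernel`` is set to False.
    """

    # Minimum lve version (as dotted components) required for securelinks.
    _SECURELINKS_MIN_KERNEL = ['1','1','95']
    # lve version components of the running kernel; stays '' until parsed.
    _system_kernel = ''
    # False when the running kernel release does not contain 'lve'.
    _cl_kernel = True

    def __init__(self):
        # NOTE(review): 'uname' is resolved through PATH; if this module runs
        # with elevated privileges, confirm the caller's PATH is trusted.
        with subprocess.Popen(
            ['uname', '-r'],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            # Decode to str: without this the output is bytes and the
            # substring checks against 'lve' raise TypeError on Python 3.
            text=True,
        ) as proc:
            out, _ = proc.communicate()
            if proc.returncode != 0:
                print('error: subprocess call error. Cant\'t get current kernel version')
                sys.exit(1)

        parsed = self._parse_lve_version(out)
        if parsed is None:
            self._cl_kernel = False
        else:
            self._system_kernel = parsed
            print(self._system_kernel)

    @staticmethod
    def _parse_lve_version(release):
        """Return the lve version components of *release*, or None if absent.

        The components are whatever sits between the first 'lve' marker and
        the following 'el' marker, minus the trailing separator, split on '.'.
        """
        if 'lve' not in release:
            return None
        return release.split('lve')[1].split('el')[0][:-1].strip().split('.')

    @staticmethod
    def _version_key(parts):
        """Convert version components to a tuple of ints for ordering.

        Comparing the raw strings orders '100' before '95'; comparing ints
        does not. Only the leading decimal digits of each component are used,
        and a component with no leading digits counts as 0.
        """
        key = []
        for part in parts:
            digits = ''
            for ch in part:
                if ch not in '0123456789':
                    break
                digits += ch
            key.append(int(digits) if digits else 0)
        return tuple(key)

    # Check if the system kernel is at least the securelinks minimum kernel
    def securelinks_kernel_requirement(self):
        """Return True when the kernel can enforce securelinks.

        Both conditions must hold: the lve version is at least
        ``_SECURELINKS_MIN_KERNEL`` and ``/proc/sys/fs/symlinkown_gid``
        exists. On a non-CL kernel an error is printed and the process exits
        with status 1.
        """
        if not self._cl_kernel:
            print('error: Feature is not supported on non CL kernel.')
            sys.exit(1)
        return (
            self._version_key(self._system_kernel)
            >= self._version_key(self._SECURELINKS_MIN_KERNEL)
            and os.path.isfile('/proc/sys/fs/symlinkown_gid')
        )

    # return _SECURELINKS_MIN_KERNEL
    def get_securelinks_min_kernel(self):
        """Return the minimum securelinks kernel as a string such as 'lve1.1.95'."""
        return 'lve' + '.'.join(self._SECURELINKS_MIN_KERNEL)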


# Shared handle on the sysctl config file named by SYSCTL_CL_CONF_FILE.
# It is constructed once, at import time; set_securelinks_gid() and
# _add_to_super_gid() read and write kernel parameters through it.
sysctl = SysCtlConf(config_file=SYSCTL_CL_CONF_FILE)


def set_securelinks_gid(apache_gid):
    """
    Store apache's group id as the fs.symlinkown_gid sysctl parameter.

    The value is written through the module-level ``sysctl`` handle and is
    passed on as given; no validation happens here.
    :param apache_gid: id of apache's group
    :return: None
    """
    sysctl.set('fs.symlinkown_gid', apache_gid)


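def _run_best_effort(argv):
    """Run *argv* without a shell, ignoring a non-zero exit status.

    A command that cannot be started at all is reported and otherwise
    ignored, so a missing binary still does not abort the caller.
    """
    try:
        subprocess.run(argv, check=False)
    except OSError as err:
        print(f'error: unable to run {argv[0]}: {err}')


def _add_to_super_gid(user):
    """
    Add user to the group specified by fs.proc_super_gid.
    If fs.proc_super_gid is 0 (means undefined) or the group doesn't really
    exist, then create the "clsupergid" group, configure it as
    fs.proc_super_gid and add user to this group.

    Commands are run as argument lists rather than through a shell, so the
    user name is never interpreted as shell syntax.

    :param user: name of the account to add to the group
    :return: None
    :raises KeyError: if "clsupergid" still cannot be looked up after groupadd
    """
    sgid_key = 'fs.proc_super_gid'
    try:
        # sysctl.get may return empty string in some cases like cldeploy
        # when CL kernel is not loaded yet and proc has no such param
        proc_super_gid = int(sysctl.get(sgid_key))
    except (TypeError, ValueError):
        # TypeError covers a non-string, non-numeric result such as None.
        proc_super_gid = 0

    try:
        # Check that group with this gid really exists, and if not, then reset
        # it to undefined so it will be replaced with clsupergid below
        grp.getgrgid(proc_super_gid)
    except KeyError:
        proc_super_gid = 0

    if proc_super_gid == 0:
        # Create and configure group if it was undefined
        sgid_name = 'clsupergid'
        _run_best_effort(['groupadd', '-f', sgid_name])
        proc_super_gid = grp.getgrnam(sgid_name).gr_gid
        sysctl.set(sgid_key, proc_super_gid)
    # If user already in this group or it's primary group == proc_super_gid
    # this will do nothing.
    # '--' ends option parsing so the user name cannot be read as a flag.
    _run_best_effort(['usermod', '-a', '-G', str(proc_super_gid), '--', user])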


def setup_nagios(do_remount_proc=True):
    """
    Put the nagios user into the configured fs.proc_super_gid group.

    Does nothing when cldetectlib reports no nagios. When
    ``do_remount_proc`` is true, /proc is remounted afterwards.
    """
    if cldetectlib.get_nagios():
        _add_to_super_gid('nagios')

        # CAG-796: use hidepid=2 when mounting /proc
        if do_remount_proc:
            remount_proc()


def setup_mailman():
    """
    Add "mailman" to the fs.proc_super_gid group when it is installed.

    Both the cPanel mailman directory and a "mailman" passwd entry must
    exist; otherwise nothing is changed.
    """
    mailman_dir = '/usr/local/cpanel/3rdparty/mailman'
    if os.path.isdir(mailman_dir):
        try:
            pwd.getpwnam('mailman')
        except KeyError:
            # No such account: nothing to add.
            pass
        else:
            _add_to_super_gid('mailman')


def setup_supergids():
    """
    Put the "special" users (nagios, mailman) into the fs.proc_super_gid
    group where needed.
    If that GID was undefined (0), the clsupergid group is created and
    configured by the helpers called here.
    """
    # Skip the per-user remount: /proc is remounted once at the end.
    setup_nagios(do_remount_proc=False)
    setup_mailman()

    # CAG-796: use hidepid=2 when mounting /proc
    remount_proc()
