MAINHACK

Viewing / Editing File: clsetuplib.py

File is not writable. Editing disabled.
# -*- coding: utf-8 -*-

# CLSETUP python lib

#
# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2019 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENSE.TXT

# Classes:
#
# Kernel
# check min kernel for securelinks

# Setup:
#
# setup apache gid for securelinks
# setup nagios

from __future__ import print_function
from __future__ import absolute_import
import sys, subprocess, os, grp, pwd
import cldetectlib
from cl_proc_hidepid import remount_proc
from clcommon.sysctl import SysCtlConf, SYSCTL_CL_CONF_FILE


# Kernel Version Class
class KernelVersion:
    _SECURELINKS_MIN_KERNEL = ['1','1','95']
    _system_kernel = ''
    _cl_kernel = True

    def __init__(self):
        p = subprocess.Popen(['uname', '-r'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        (out, err) = p.communicate()
        if (p.returncode != 0):
            print('error: subprocess call error. Cant\'t get current kernel version')
            sys.exit(1)
        if (out.find('lve') != -1):
            self._system_kernel = out.split('lve')[1].split('el')[0][:-1].strip().split('.')
            print(self._system_kernel)
        else:
            self._cl_kernel = False

    # Check if system kernel newer then securelinks min kernel
    def securelinks_kernel_requirement(self):
        if self._cl_kernel:
            if (self._system_kernel >= self._SECURELINKS_MIN_KERNEL) and os.path.isfile('/proc/sys/fs/symlinkown_gid'):
                return True
            else:
                return False
        else:
            print('error: Feature is not supported on non CL kernel.')
            sys.exit(1)


    # return _SECURELINKS_MIN_KERNEL
    def get_securelinks_min_kernel(self):
        return 'lve' + '.'.join(self._SECURELINKS_MIN_KERNEL)


sysctl = SysCtlConf(config_file=SYSCTL_CL_CONF_FILE)


def set_securelinks_gid(apache_gid):
    """
    Change /etc/sysctl.conf for apache gid
    :param apache_gid: id of apache's group
    :return: None
    """

    symlink_command = 'fs.symlinkown_gid'
    sysctl.set(symlink_command, apache_gid)


def _add_to_super_gid(user):
    """
    Add user to the group specified by fs.proc_super_gid.
    If fs.proc_super_gid is 0 (means undefined) or group doesn't really exists
    then create "clsupergid" group, configure it as fs.proc_super_gid and
    add user to this group
    """
    sgid_key = 'fs.proc_super_gid'
    try:
        # sysctl.get may return empty string in some cases like cldeploy
        # when CL kernel is not loaded yet and proc has no such param
        proc_super_gid = int(sysctl.get(sgid_key))
    except ValueError:
        proc_super_gid = 0

    try:
        # Check that group with this gid really exists, and if not, then reset
        # it to undefined so it will be replaced with clsupergid below
        grp.getgrgid(proc_super_gid).gr_name
    except KeyError:
        proc_super_gid = 0

    if proc_super_gid == 0:
        # Create and configure group if it was undefined
        sgid_name = 'clsupergid'
        subprocess.run('groupadd -f ' + sgid_name, shell=True, executable='/bin/bash')
        proc_super_gid = grp.getgrnam(sgid_name).gr_gid
        sysctl.set(sgid_key, proc_super_gid)
    # If user already in this group or it's primary group == proc_super_gid
    # this will do nothing
    subprocess.run('usermod -a -G {} {}'.format(proc_super_gid, user),
                   shell=True, executable='/bin/bash')


def setup_nagios(do_remount_proc=True):
    """
    Add nagios to configured fs.proc_super_gid group
    """
    if not cldetectlib.get_nagios():
        return  # Nothing to do

    _add_to_super_gid('nagios')

    # CAG-796: use hidepid=2 when mounting /proc
    if do_remount_proc:
        remount_proc()


def setup_mailman():
    """
    Detect "mailman" and add it to fs.proc_super_gid group
    """
    if not os.path.isdir('/usr/local/cpanel/3rdparty/mailman'):
        return

    try:
        pwd.getpwnam('mailman')
    except KeyError:
        return

    _add_to_super_gid('mailman')


def setup_supergids():
    """
    Configure "special" users to be in fs.proc_super_gid group, if it's
    necessary.
    If this GID was undefined(0) then create and setup special clsupergid group
    """
    setup_nagios(do_remount_proc=False)
    setup_mailman()

    # CAG-796: use hidepid=2 when mounting /proc
    remount_proc()
Cancel / Back
[ MAINHACK ]

Viewing / Editing File: clsetuplib.py

Server Info

System Features

User Info
