
Viewing File: /opt/cloudlinux/venv/lib/python3.11/site-packages/clsetuplib.py

# -*- coding: utf-8 -*-

# CLSETUP python lib

#
# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2019 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENSE.TXT

# Classes:
#
# Kernel
# check min kernel for securelinks

# Setup:
#
# setup apache gid for securelinks
# setup nagios

import grp
import os
import pwd
import subprocess
import sys

import cldetectlib
from cl_proc_hidepid import remount_proc
from clcommon.sysctl import SYSCTL_CL_CONF_FILE, SysCtlConf


# Kernel Version Class
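class KernelVersion:
    """
    Detect the lve version of the running kernel and check SecureLinks support.

    On construction the class runs ``uname -r``. If the release string contains
    ``lve``, the lve version is stored as a list of string components
    (e.g. ``['1', '5', '63']``); otherwise the kernel is flagged as non-CL.
    """
    # Minimum lve version that supports securelinks, as string components
    _SECURELINKS_MIN_KERNEL = ['1','1','95']
    _system_kernel = ''
    _cl_kernel = True

    def __init__(self):
        """
        Read the kernel release from ``uname -r`` and parse the lve version.

        Exits the process with status 1 when ``uname`` returns non-zero.
        """
        with subprocess.Popen(
            ['uname', '-r'],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            # Decode the pipes to str: without this the output is bytes and
            # the str-based search/split below raises TypeError on Python 3
            text=True,
        ) as proc:
            out, _ = proc.communicate()
            if proc.returncode != 0:
                print('error: subprocess call error. Cant\'t get current kernel version')
                sys.exit(1)
            if 'lve' in out:
                self._system_kernel = self._parse_lve_version(out)
                print(self._system_kernel)
            else:
                self._cl_kernel = False

    @staticmethod
    def _parse_lve_version(release):
        """
        Return the components between ``lve`` and ``el`` in a release string.

        :param release: kernel release text that contains ``lve``
        :return: list of string components, e.g. ``['1', '5', '63']``
        """
        return release.split('lve')[1].split('el')[0][:-1].strip().split('.')

    @staticmethod
    def _version_at_least(current, minimum):
        """
        Compare two versions given as lists of string components.

        Components are compared as integers, so that ``'100'`` ranks above
        ``'95'`` (a plain string comparison ranks it below). When a component
        is not a decimal number, fall back to the string-list comparison.

        :return: True when ``current`` is greater than or equal to ``minimum``
        """
        try:
            return [int(part) for part in current] >= [int(part) for part in minimum]
        except ValueError:
            return current >= minimum

    # Check if system kernel newer then securelinks min kernel
    def securelinks_kernel_requirement(self):
        """
        Tell whether the running kernel can enforce securelinks.

        :return: True when the lve version is at least the minimum and
                 /proc/sys/fs/symlinkown_gid exists, otherwise False.
                 On a non-CL kernel an error is printed and the process
                 exits with status 1.
        """
        if self._cl_kernel:
            return (
                self._version_at_least(self._system_kernel, self._SECURELINKS_MIN_KERNEL)
                and os.path.isfile('/proc/sys/fs/symlinkown_gid')
            )
        print('error: Feature is not supported on non CL kernel.')
        sys.exit(1)

    # return _SECURELINKS_MIN_KERNEL
    def get_securelinks_min_kernel(self):
        """Return the minimum version as a string such as ``lve1.1.95``."""
        return 'lve' + '.'.join(self._SECURELINKS_MIN_KERNEL)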


# Module-level handle on the sysctl config file named by SYSCTL_CL_CONF_FILE.
# It is created at import time; the setup helpers in this module read and
# write kernel parameters through it.
sysctl = SysCtlConf(config_file=SYSCTL_CL_CONF_FILE)


def set_securelinks_gid(apache_gid):
    """
    Store apache's group id as the fs.symlinkown_gid sysctl value.

    The value is written through the module-level ``sysctl`` object, which is
    built from SYSCTL_CL_CONF_FILE. No validation of the gid happens here, so
    callers are expected to pass the gid of the web server's group.

    :param apache_gid: id of apache's group
    :return: None
    """
    sysctl.set('fs.symlinkown_gid', apache_gid)


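def _add_to_super_gid(user):
    """
    Add user to the group specified by fs.proc_super_gid.

    If fs.proc_super_gid is 0 (means undefined) or the group doesn't really
    exist, create the "clsupergid" group, configure it as fs.proc_super_gid
    and add the user to that group. Because 0 is always treated as undefined,
    the user is never added to gid 0.

    The external commands are run as argument lists without a shell, so the
    user name and gid are passed as single arguments and are never parsed as
    shell syntax.

    NOTE(review): members of this group are presumably exempt from the /proc
    hiding applied elsewhere in this module; keep the set of callers small.

    :param user: name of the account to add
    :return: None
    """
    sgid_key = 'fs.proc_super_gid'
    try:
        # sysctl.get may return empty string in some cases like cldeploy
        # when CL kernel is not loaded yet and proc has no such param.
        # TypeError is caught as well in case no value is returned at all.
        proc_super_gid = int(sysctl.get(sgid_key))
    except (TypeError, ValueError):
        proc_super_gid = 0

    try:
        # Check that group with this gid really exists, and if not, then reset
        # it to undefined so it will be replaced with clsupergid below
        grp.getgrgid(proc_super_gid)
    except KeyError:
        proc_super_gid = 0

    if proc_super_gid == 0:
        # Create and configure group if it was undefined
        sgid_name = 'clsupergid'
        # check=False: a non-zero exit from groupadd is still ignored here;
        # if the group is missing afterwards, getgrnam below raises KeyError
        subprocess.run(['groupadd', '-f', sgid_name], check=False)
        proc_super_gid = grp.getgrnam(sgid_name).gr_gid
        sysctl.set(sgid_key, proc_super_gid)
    # If user already in this group or it's primary group == proc_super_gid
    # this will do nothing
    subprocess.run(['usermod', '-a', '-G', str(proc_super_gid), str(user)],
                   check=False)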


def setup_nagios(do_remount_proc=True):
    """
    Put the "nagios" user into the fs.proc_super_gid group when nagios is
    detected by cldetectlib.get_nagios(); otherwise do nothing.

    :param do_remount_proc: when true, call remount_proc() after the user
                            has been added
    :return: None
    """
    if cldetectlib.get_nagios():
        _add_to_super_gid('nagios')

        # CAG-796: use hidepid=2 when mounting /proc
        if do_remount_proc:
            remount_proc()


def setup_mailman():
    """
    Put the "mailman" user into the fs.proc_super_gid group.

    Nothing is done unless both the cPanel mailman directory and a "mailman"
    account exist.

    :return: None
    """
    mailman_dir = '/usr/local/cpanel/3rdparty/mailman'
    if os.path.isdir(mailman_dir):
        try:
            pwd.getpwnam('mailman')
        except KeyError:
            # No such account on this host, so there is nobody to add
            pass
        else:
            _add_to_super_gid('mailman')


def setup_supergids():
    """
    Configure "special" users (nagios, mailman) to be in the
    fs.proc_super_gid group, if it's necessary.
    If this GID was undefined(0) then the helpers create and set up the
    special clsupergid group.

    :return: None
    """
    # Skip the remount inside setup_nagios: /proc is remounted once below,
    # after all group changes have been made
    setup_nagios(do_remount_proc=False)
    setup_mailman()

    # CAG-796: use hidepid=2 when mounting /proc
    remount_proc()