B u&`bM*@sddlmZddlmZddlmZddlmZddlmZeddlTddl m Z ddl Z ddl Z ddl Z ddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZdd l m!Z!m"Z"dd l#m$Z$m%Z%m&Z&m'Z'dd l(m)Z)m*Z*m+Z+m,Z,dd l-m.Z.m/Z/dd l0m1Z1m2Z2m3Z3m4Z4ddl5Z5ddl6Z6ddl7Z7dZ8dZ9dZ:dZ;dZdZ?dZ@dZAdZBe@dZCeAdZDdZEdZFdZGdZHdZId ZJd!ZKd"ZLd#ZMd$ZNd%aOd&ZPd'ZQd(ZRd)ZSd*ZTd+ZUd,ZVd-ZWd.ZXd/ZYd0ZZd1Z[d2Z\d3Z]d4Z^d5Z_e@d6Z`e@d7Zad8Zbd9Zcd:dZed;Zfejghe?ddl0Z0ddliZiddd?gZmdddZt=fddZddZddZddZdZddZd?ddZddZddZddZddZddZddZd@ddZddZdAddZiaeMfddZddZdd„ZdBddĄZddƄZdCddʄZdd̄Zdd΄ZdDddЄZdd҄ZddԄZdEddքZdd؄ZddڄZdd܄Zdejejfdd߄ZddZddZddZdZdaddZddZdFddZddZddZddZddZddZddZddZddZddZddZddZdGddZddZdHddZd d Zd d Zd dZddZdIddZÐddZĐddZŐddZƐdJddZeEfddZȐddZeEddfd d!ZʐdKd"d#Zːd$d%Z̐d&d'ZiaeCdddddddfd(d)Zϐd*d+ZАd,d-Zѐd.d/ZҐd0d1ZӐd2d3d4e0jԐd5d6d7gZՐd8d9Z֐dLd:d;Zedd<d=d>ZِdMd?d@ZڐdAdBZGdCdDdDe܃ZݐdEdFZސdGdHZߐdNdIdJZde0jfdKdLZdOdMdNZdPdOdPZdQdRZdSdTZdUdVZdWdXZdYdZZd[d\Zd]d^Zgaiad_d`ZdQdadbZdcddZdRdedfZdgdhZdidjZdkdlZdmdnZdSdodpZdqdrZdTdsdtZdUdudvZdwdxZdydzZd{d|ZdVd}d~ZddZddZdWddZddZddZddZdXddZddZddZdaddZddZ ddZ ddZ ddZ dYddZ dZddZd[ddZd\ddZddZddZddZddZddZddZddZddZddZddZddZdad]ddZddZiadde0j dde0j!dde0j dga"ddZ#d^dd„Z$dÐdĄZ%d_dŐdƄZ&d`dǐdȄZ'dadɐdʄZ(dːd̄Z)dbd͐d΄Z*dϐdЄZ+dcdѐd҄Z,dddӐdԄZ-da.dՐdքZ/dאd؄Z0dedِdڄZ1dېZ2da3dܐd݄Z4dސdߐdddZ5ddZ6dfddZ7dgddZ8ddZ9ddZ:dhddZ;diddZ<djddZ=dkddZ>ddZ?ddZ@ddZAddZBddZCddZDddZEddZFdlddZGdmddZHdnd d ZId d ZJd dZKiaLddZMddZNddZOddZPddZQddZRdoddZSddZTdd ZUd!d"ZVd#d$ZWd%d&ZXd'd(ZYd)d*ZZd+d,Z[d-d.Z\d/d0Z]d1d2Z^d3d4Z_d5d6Z`d7d8Zaead9d:Zbecd;krܐe`dS(p)print_function)absolute_import)division)unicode_literals)standard_library)*) native_strN)is_plesk is_cpanel)ExternalProgramFailedcreate_symlinkis_socket_file mod_makedirs)ClPwdreload_processes clconfpars clcaptain) unicodeifybyteify) stripslashCageFSExceptionSYSTEMD_JOURNAL_SOCKETis_new_syslog_socket_usedz/usr/sbin/lvectlz /bin/umountz /bin/mountz/bin/lve_umountz /var/cagefsz/usr/share/cagefs-skeletonz/cagefs-skeleton/z/usr/share/cagefsz /etc/cagefs/z/usr/share/cagefs/z/etc/cagefs/conf.d/z cagefs.mpzcagefs.mp.prevz/usr/share/cagefs/.lockz/etc/cagefs/etc.safe/etc.systemz/etc/cagefs/etc.safe/etc.safez/etc/cagefs/etc.safez%/usr/share/cagefs/skeleton.files.listz$/usr/share/cagefs/skeleton.libs.listz/usr/share/cagefs/passwd.cachez/usr/share/cagefs/conf.dz/etc/cagefs/excludez/usr/share/cagefs/excludeiz/etc/cagefs/cagefs.min.uidz/var/lock/subsys/cagefsz"/etc/cagefs/etc.safe/disable.etcfsz /usr/bin/diffz/var/run/proxyexec/cagefs.sockz/var/lib/proxyexec/cagefs.sockz/etc/cagefs/black.listz2/usr/share/cagefs-plugins/install-cagefs-plugin.pyz/usr/share/cagefs/.cagefs.emptyz"/usr/share/cagefs/exclude.packagesz/etc/cagefs/proxy.commandsz/usr/share/cagefs/need.remountz/var/log/cagefs.logz/var/lve/lveinfo.verz/usr/share/l.v.e-manager/cl.{}z/etc/cagefs/dev.shm.optionszusers.disabledz users.enabledZ InitializedzNot initializedaImageMagick ImageMagick-c++ ImageMagick-c++-devel ImageMagick-devel ImageMagick-perl cloudlinux-ImageMagick cloudlinux-ImageMagick-c++ cloudlinux-ImageMagick-c++-devel cloudlinux-ImageMagick-devel expat expat-devel libtool-ltdl nss nss-softokn tcl compat-glibc-headers glibc-headers kernel-headers cpp compat-libgcc-296 gcc-gfortran compat-gcc-34-c++ compat-gcc-34-g77 libgcc gcc-c++ compat-gcc-34 gcc redhat-rpm-config automake autoconf m4 mc ghostscript fontconfig fontpackages-filesystem perl-Text-PDF pdf-tools perl-PDF-Reuse libedit aspell aspell-en hunspell hunspell-en cpanel-git git git-core pango mktemp coreutils scl-utils python3-virtualenv python36 libc-client-2007e unixODBC-libs mhash libxml2 tcp_wrappers compat-libstdc++ libmcrypt recode libxslt libtidy crypto-policies libicu libicu-devel tmpwatch net-snmp libgpg-error postgresql-libs libpng gmp pam bzip2-libs cracklib ncurses libidn libc-client-2004g db4 ncurses-libs openldap libXpm libgcrypt cyrus-sasl-lib unixODBC zlib openssl net-snmp-libs alt-libicu enchant libmm freetype freetype-devel curl curl-devel libssh2 GeoIP cyrus-sasl ffmpeg-libs termcap bind-utils libgs libgs-develz7.3.1-1.el7.cloudlinux) sigterm_check)is_ea4_enabledz/usr/local/cpanel/3rdparty/binz/var/lib/spamassassinc Cs|dkrt}yJtd}ttd}tjt||dd| t|t tdWn2t k r}zt dtd|Wdd}~XYnXdS)N?wb)ZprotocoliZsaving-) secureio get_pwd_dictosumaskopen PASSWD_CACHEpickledumprclosechmod Exception print_error)pw umask_savedpferrr//usr/share/cagefs/cagefsctl.pysave_passwd_caches   r1c Csti}tjtrpy,ttd}ttj|t d}| Wn2t k rn}zt dtd|Wdd}~XYnX|S)Nrb)encodingZloadingr)r!pathisfiler$r#rr%loadlocaleZgetpreferredencodingr'r)rr*)r+r-r.r/r/r0load_passwd_caches   "r8c Cs||dkrt}|dkrt}g}xL|D]D}y||||krH||Wq(tk rj||w(Yq(Xq(Wt||S)N)r8rr appendKeyErrorr1)Zpw_oldZpw_newusersuserr/r/r0get_modified_userss   r=c CsttjtsXyttdWqttfk rTt dtt dt dYqXnFyt tdWn4ttfk rt dtt dt dYnXdS)NizError: failed to create z$Error: failed to set permissions to )rr!r4lexists EMPTY_DIRrIOErrorOSErrorrloggingSILENTsysexitr(r/r/r/r0create_empty_dirs rGcCspt|}tj|rlxVtddddt|gtdddt|gfD]0}t|}|dkr8t dtd|t d q8WdS) Nz-nz-onosuidz--bindzremount,ro,nosuid,bindrzfailed to mountz->r>) SKELETONr!r4isdirMOUNTr@ subprocesscallrr*rErF)r4destcmdretr/r/r0mount_empty_dirs ( rQcCs tjtS)N)r!r4exists DISABLE_ETCFSr/r/r/r0etcfs_is_disabledsrTc Cs~|tj}tj|rvyt|d}|}|Wntt fk rLdSX| }yt |St k rrdSXndSdS)Nrr) cagefslib ETC_VERSIONr!r4r5r#readliner'rArBrstripint ValueError)r4fpathfverr/r/r0get_etc_versions    r_c Cs||tj}td}y$t|d}|d||Wn4ttfk rlt d|t dt dYnXt|dS)Nrwz%d zError: failed to write r>)rVrWr!r"r#writer'rArBrrCrDrErF)r4r^r\r,r]r/r/r0set_etc_versions    rbc CsF|tj}|tj}yt||Wntttjfk r@YnXdS)N)rVrWshutilZcopy2rBrAError)srcdstZsrcpathZdstpathr/r/r0copy_etc_versions   rgz/var/log/cagefs-update.logcCs>tjtr$ttdtdntjtr:t tdS)Nzis a directoryr>) r!r4rJLOGFILErr*rErFr5remover/r/r/r0remove_log_file s     rjz/var/lib/mysqlz /var/lib/davz/var/www/cgi-binz/optz/var/www/php-binz/dev/shmz /var/www/htmlz/var/run/pgsqlz/var/passengerz/dev/ptsz/usr/local/apache/domlogsz/procz /var/spool/atz /var/run/dbusz/usr/local/cpanel/varz /var/run/nscdnodejspythonz/var/lib/mysql/mysql.sockz/usr/local/lswsz/libz/usr/libz/lib64z /usr/lib64z /usr/includez/usr/share/localez/usr/share/terminfoz/usr/share/zoneinfoz/usr/share/vimz/usr/local/lib/perl5z/usr/local/lib/phpz/usr/local/cpanel/etcz/usr/local/cpanel/Cpanelz/usr/local/cpanel/3rdparty/perlz/usr/local/cpanel/3rdparty/libz /usr/local/cpanel/3rdparty/lib64z /usr/local/cpanel/3rdparty/sharez/usr/local/cpanel/3rdparty/phpz/usr/local/cpanel/installz/usr/local/cpanel/libz/usr/local/cpanel/htdocsz/usr/local/cpanel/sharedz/usr/local/cpanel/whostmgrz/usr/local/cpanel/sharez/usr/local/cpanel/phpz/usr/local/cpanel/libexecz/usr/local/cpanel/langz/usr/local/cpanel/cgi-privz/usr/local/cpanel/cpaddonsz/usr/local/cpanel/Whostmgrz/usr/local/cpanel/img-sysz!/usr/local/cpanel/modules-installz/usr/local/cpanel/localez/usr/local/cpanel/scriptsz/usr/local/cpanel/sbinz/usr/local/cpanel/basez/usr/local/cpanel/hooksz /usr/javaz /usr/saasez/usr/local/easyz/var/cpanel/ea4z/usr/share/manz/var/cpanel/userdatacCs tjtS)zT Return True when /dev/shm isolation is enabled see CAG-954 for details )r!r4r5DEV_SHM_OPTIONSr/r/r/r0is_dev_shm_isolatedJsrncCs:t|}x*tD]"}|ddkr||drdSqWdS)Nr/FT)rVaddslashMPDIRS startswith)r4tmpdirr/r/r0is_outside_mp_pathRs   rtc Cs>ytttttdWntdtdtYnXdS)Nicopyingto)rcZcopyfile ETC_MPFILE PREV_MPFILEr!r(rr*r/r/r/r0save_cagefs_mp_backupZs  ryFc Cs|stjtrttddStd}ttd}|dxXtD]P}t rV|dkrVqB|dkrft rfqB|ddkrBtj |rB|||d qBWdd l m }m}m}tj |rtj |r|d |ntj |r|d |n:tj |r |d |ntj |r(|d |tjttkrtjt}tj|} | d krtd td|tdtdtdtdt|r|tttdn6| dkrtj | rt| r|| |d tj tr|t|d |d|d|d|d|d|dtjd|d|d|dxzB# You can add personal (individual) mounts for users, like below. z_# Please, start line with "@" symbol, and then specify path and permissions (comma separated). z7# These directories will be virtualized for each user. z@/var/spool/cron,700 z@/var/run/screen,777 @z,700 z!@/var/cache/php-eaccelerator,777 z@/var/php/apm/db,777 zl# Please add exclamation sign at the beginning of the line if you want to mount path read-only, like below. !zi# Please add "%" sign at the beginning of the line if you want to "split" mount by username, like below. %)BOX_TRAPPER_DIRi)add_php_session_dir_plesk)&r!r4r5rwprintr"r#rarqr rnrJcagefsreconfigurer|r}r~realpath MYSQL_SOCKdirnamer'unlinkrErFrt LITESPEEDrVVAR_RUN_CAGEFSREAD_ONLY_MOUNTSSPLITTED_MOUNTSr rSPAMASSASSIN_DIRS_FOR_CAGEFSr(add_mounts_for_php_selectoradd_mounts_for_ea_php_sessionsrrxry) force exit_on_errorr,r]rsr|r}r~ZrpathZrdirrlinerr/r/r0 create_mpbs               "                      rc CsNxH|D]@}||kr|}yt||Wqttfk rDYqXqWdS)N)rYr! removedirsrBrA)mounts old_mounts base_pathmountr/r/r0remove_mount_pointss rc Cstjtrg}g}ttdd||d}|rg}g}t||d}t||t||t||tj}xL|D]D}||}t |j } | d} t |j |jt||| tqlWtdS)NT)mpfile skip_errorsskip_cpanel_checkpersonal_mountssplitted_mounts)rrz/.cagefs)r!r4r5rx read_mpfilerrclpwd get_user_dictrVrpw_dir set_user_permpw_uidpw_gid set_root_permry) Zold_personal_mountsZold_splitted_mountsrrrrr+r<rhomepathZ cagefspathr/r/r0remove_unused_mount_pointss*           rcCs(|ddkr|d}||dt|kS)Nro)len)Ztestdirjailr/r/r0 dirinjails rcCs|tjkS)N)rrr)r<r/r/r0 user_existssrz.savecCs:tjtr"tjtrdSdSntjtr2dSdSdS)Nrdz Enable Allz Disable AllzNot Initialized)r!r4rJ disabled_dir enabled_dirr/r/r/r0 get_user_modes   rcCs|dkrt}|dkr^|rttdtdtddtjdddtd d tjdd d ttd nn|dkr|rntt j t drtddtjdddtdtjdd d t ntdtjddtd dS)Nrdzboth directoriesandzexist. z+Please, run one of the following commands: rz --enable-all z(to enable all users, except specified inr{zor z--disable-all z)to disable all users, except specified inr>zNot Initializedz/binz mode has not been selected yet. z or z CageFS is not initialized. Use "z --init" to initialize CageFS) rrrr*rrrEargvrFr!r4rJrI)moderaise_exceptionr/r/r0check_mode_errors4      rcCstjtptjtS)N)r!r4rJrrr/r/r/r0cagefs_is_enabled0srcCs tjttptjttS)N)r!r4rJr save_postfixrr/r/r/r0save_dir_exists4src Csvtj|rrtj|tr0td|tnByt||tWn,ttfk rpt d|d|tYnXdS)Nz#Error : directory %s already existszfailed to renamerv) r!r4rJrrrCrenamerBrAr*)_dirr/r/r0save_dir8s rc Csrtj|trntj|r,td|nByt|t|Wn,ttfk rlt d|td|YnXdS)Nz#Error : directory %s already existszfailed to renamerv) r!r4rJrrrCrrBrAr*)rr/r/r0 restore_dirDs rcCs:tstddStttttts6tddS)NzCageFS is disabledzCageFS has been disabled)rrrrrrr/r/r/r0disable_cagefsPsrcCs:trtddSttttttr6tddS)NzCageFS is enabledzCageFS has been enabled)rrrrrrr/r/r/r0 enable_cagefs[srcCs^trZtr8|rttddtdttdn"|r@tt dt dtddS)Nz4CageFS is enabled, but "saved" lists of users exist zPlease, remove rr>zCageFS is disabled.z9Please, run "cagefsctl --enable-cagefs" to enable CageFS.) rrrrr* INIPREFIXrrErFr)rr/r/r0check_save_dirfs rcCstt}td|dS)NzMode:)rrr)rr/r/r0print_user_modexsrTc CstyttdWntttjfk r2YnXyttdWntttjfk r`YnX|ryttdWqtk rYqXn$yttdWntk rYnXt t dS)NFi) rrcrmtreerrBrArdrr check_excluder)Z enable_allr/r/r0 set_user_mode~s(rc Cs|tkrt|Sg}tj|rxt|D]}tj||}tj|r,|dkr,yDt|d}x,|D] }| }|dkr~qh| |qhW| Wq,t k rt d|Yq,Xq,W|t|<|S)Nz .htaccessrUZreading)exclude_user_list_cacher!r4rJlistdirjoinr5r# readlinesrYr9r'rArr*)Z exclude_path user_listZexclude_file_pathr4r]rr/r/r0get_exclude_user_lists&   rcCstt|ttS)N)listsetr)rr/r/r0 filter_userssrcCsXd}ytj|}Wn.tjk rBtd|tdYnX||}d|}|S)Ndzuser %s not foundr>z%02d)rrget_uidrNoSuchUserExceptionr*rErF)usernamebaseuidbprefixr/r/r0get_user_prefixsrc Cs|dkrt|}d|d|}|ryt||Wnttfk rNYnXt|d|yt|d|Wnttfk rYnXnryt|d|dWnttfk rYnXy&t||d t ||dWnttfk rYnXdS)Nroir`i) rr!rirArBremove_htaccessrmdirrr#r'r()rrenablerZfnamer/r/r0 toggle_files,rcCstt}t|ytj|}Wn$tjk rHtd|ddSX|j t krhtd|dt dStj |j }|dkrx>|D]}t t ||qWn$|dkrx|D]}t t|| qWdS)Nr<zdoes not existzshould have UID >=z Enable Allz Disable All)rrrrrget_pw_by_namerrr*rMIN_UID get_namesrrr)rrrr+Z username_listZ tmp_usernamer/r/r0 toggle_users$   rr;cCst|}|dkr||t||d}x6t||D]&}td||||d|q4Wtd||d|ddS)Nrr r>)rsortrranger)r;Zusers_per_linemessage users_countnamer/r/r0 print_userss &rcCsxg}tj}xdt|D]V}tjtj||rx:ttj||D]"}||krJ|t|krJ| |qJWqW|S)N) rrrr!rr4rJrrr9)rr;r+subdir_filer/r/r0!get_list_of_users_from_config_dirs rcCs&ttj}tt|}t||S)N)rrrrrr)rr;Z exc_usersr/r/r0get_list_of_users_from_passwds rcCsVt|t}t|||dkr6|r,ttSttSn|dkrR|rJttSttSdS)Nz Enable Allz Disable All)rrrrrrr)enabledrrr/r/r0get_list_of_userss  rcCstrtdSgS)NT)rrr/r/r/r0get_enabled_users.srcCs~tt}t||dkrH|r2tttddqzttttddn2|dkrz|rftttddnttttdddS)Nz Enable Allr>zenabled user(s)zdisabled user(s)z Disable All) rrrrrrrrr)rrr/r/r0 list_users6src CsLtr4tr0tddtdttdndSt}|dkrHt }tj }x>|D]6}||krX|dkrzt t |dqX|dkrXt t|dqXWt t}xF|D]>}||kr||kr|dkrt t |dq|dkrt t|dqWtjtrHtjts$yttd Wntk r"YnXd}zyxrttD]d}tjt|}tjt|}tj|r:tj|s:yt|Wntk rYnXq:Wtjtd }xNttD]@}tj||} ttjt|| t| tjt|qWWn.tttj fk r.td td tYnXWd|rFt!|dXdS) Nz4CageFS is enabled, but "saved" lists of users exist zPlease, remove rr>z Enable AllFz Disable AllTi)dirrurv)"rrrr*rrrErFrrrrrrrEXCLUDE_SAVE_PATHr!r4rJ EXCLUDE_PATHrrBrrr5rtempfileZmkdtemprccopyrrArdr) ex_listrr+rZ old_ex_listZtmp_dirr]r4 orig_pathtmp_pathr/r/r0rFs`       rc Csd}tj}tj|rxjt|D]Z}tjtj||r*xttj||D]}tj|||}tj|s| dstj |ryt |Wnt t fk rYnXq^tj |r |dtd }||ks|t|krNyt |Wnt t fk rYnXq^tj|r^||ksB|t|kr^t|dq^Wyttj||Wq*t t fk rYq*Xq*WdS)Nz /var/cagefsz.lockT)rrrr!r4rJrrislinkendswithr5rirBrArrrcrr)bdirpw_dbrrr4r/r/r0clean_var_cagefss4 " rcCst}tj}xpt|D]b}tjtj||rxFttj||D].}||krL||ksl|t |krLt ||d|qLWqWdS)NT) rrrrr!rr4rJrrr)rrrrrr/r/r0clean_config_dirs rcCs,tjtrtttjtr(ttdS)N)r!r4rJrrrr/r/r/r0clean_config_dirss  rcsdfddt|DS)Nrc3s|]}tVqdS)N)randomZchoice).0_)charsr/r0 szid_generator..)rr)sizerr/)rr0 id_generatorsrc Cs|dt}yt||Wn2ttfk rPtd|d|tdYnXyt |dWn.ttfk rtd|tdYnXtj }xZt |D]L}tj tj ||rx0t tj ||D]}||krt||dqWqWt|ddS) N.zfailed to renamervr>izfailed to createFT)rr!rrBrArr*rErFrrrrr4rJrrrcr)rZtemp_dirrrrr/r/r0migrate_config_dirs$  r cCstj}xttttttgD]p}tj|r x^t |D]P}tjtj ||rzsshd:[a-z_][a-z0-9_-]*[$]?@ptsr{r zCan`t get user name for UID )rLPopenPIPE communicaterBrr*rErFrcompile IGNORECASEsplitrrmatchrZextendrrr[r9rrrrr) ZplpatternZlstircommandrZsshd_setZ mounted_setZ result_setr/r/r0get_logged_in_usersCs0"    r,cCsPtdd}|dg}x.|D]&}t|d}|dkr"||q"W|S)Nz/proc/lve/listrUr)r#rpoprZr&r9)linesZlve_listrZlveidr/r/r0 get_lve_listds  r/c Cs||d}x|D]}t|dkr|ddkr|}y4tjtd|gtjtjd}||j dkrpd}Wqt k rt dtd|d}YqXqW|S)NFrroz-l)rstderrTz failed to run) rreverserrYrLr!UMOUNTr"r# returncoderBrr*)_listerrorrpr/r/r0 umount_listps    r7c Csby4ttdt|g}|dkr2tdt|dSWn(tk r\tdtdt|dSXdS)Nz-lrzfailed to unmountTz failed to runF)rLrMr2rIrr*rB)r4rPr/r/r0 umount_dirsr8c Csd}xvt|D]j}d}y:tjtdddgtjtjd}||jdkrLd}nPWqtk rvt d td d}YqXqW|rt td |S) zD Run lvectl apply all Returns True if error has occured FZapplyallz--force)rr0rTz failed to runz apply allzapply all failed) rrLr!LVECTLr"r#r3rBrr*)ATTEMPTSrr5r6r/r/r0 apply_alls   r=c Csd}xvt|D]j}d}y:tjtdddgtjtjd}||jdkrLd}nPWqtk rvt d td d}YqXqW|rt td |S) z@ Destroy all LVEs Returns True if error has occured r9FZdestroyr:z--force)rr0rTz failed to runz destroy allzdestroy all failed) rrLr!r;r"r#r3rBrr*)r<rr5r6r/r/r0 destroy_alls   r>cCs~d}d}x|D]}|t|d}qWy,tjtdgtjtjtjdd}||Wn&tk rxtdtdd}YnX|S)z Run lvectl destroy for specified uids :param uids: list of integers (UIDs) :type uids: iterable Returns True if error has occured Frr{z destroy-manyT)stdinrr0rz failed to run) rrLr!r;r"r#rBrr*)uidsr5srr6r/r/r0 destroy_lves   rBcCs~d}d}x|D]}|t|d}qWy,tjtdgtjtjtjdd}||Wn&tk rxtdtdd}YnX|S)z Run lvectl apply for specified uids :param uids: list of integers (UIDs) :type uids: iterable Returns True if error has occured Frr{z apply-manyT)r?rr0rz failed to run) rrLr!r;r"r#rBrr*)r@r5rArr6r/r/r0 apply_lves   rCc CsLtj}g}x8|D]0}y|||jWqtk rBwYqXqW|S)N)rrrr9rr:)r;rr@r<r/r/r0get_uidss   rDcCs(g}x|D]}||kr ||q W|S)N)r9)r4rr*r/r/r0remove_duplicatess  rEcCs:d}t|}t|}t|r d}tdt|r6d}|S)z Remount list of users. Skeleton should be mounted/unmounted before call of this function Returns True if error has occured :param users: list of usernames :type users: iterable FTr>)rDrErBtimesleeprC)r;r5r@r/r/r0remounts rHcCsBd}|r td}t|rd}|Str*d}tdtr>d}|S)NFTr>)rrHr>rFrGr=)enabled_users_onlyr5 enabled_usersr/r/r0 remount_all6s rKcCs&x |D]}tjt|sdSqWdS)NFT)r!r4rRrI)r4rr/r/r0 files_existMs rLcCsX|dkr t}tdd}x4|}|dkr*P||ddkr|dSqW|dS)Nz /proc/mountsrUrrorTF)rIr#rXfindr')Zskeletonrrr/r/r0skeleton_is_mountedUs rNcCs trtdgStddgSdS)Nz/var/log/messagesz /etc/passwd)rTrLr/r/r/r0cagefs_fuse_is_mountedds rOc Csd}xt|D]}d}y4tjdd|gtjtjd}||jdkrHd}Wn*tk rttd|d d}YnX|d krt rd}Pqd }d}q|d krt rd}Pqd}q|d krt sd}Pqd}qPqW|rtd d|d |S)Nr9Fz /sbin/servicez cagefs-fuse)rr0rTz#failed to run "service cagefs-fuse "startrestartstop executingz"service cagefs-fuse) rrLr!r"r#r3rBrr*rO)r+r<rr5r6r/r/r0 cagefs_fusems@   rUcCstjtjtdS)NZsocket)r!r4r?rPROXYEXEC_SOCKET_DIRr/r/r/r0proxyexecd_is_socketsrWcCsd}yttjdd|gtjtjd}||jdkr6d}|dksF|dkrvtjddd gtjtjd}||jdkrvd}Wn*tk rtd |d d}YnX|rtd d |d |S)NFz /sbin/serviceZ proxyexecd)rr0rTrQrRstatusz"failed to run "service proxyexecd rPrTz"service proxyexecd) rLr!r"ZSTDOUTr#r3rBrr*)r+r5r6r/r/r0cagefs_proxyexecds&     rYc Cstd}x|D]|}tjt|rPytt|Wnttfk rNYnXtjt|syt t||Wqttfk rYqXqWt|dS)Nr) r!r"r4rrIrrArBrJr)r4rr,r4r/r/r0create_mount_pointss   r[cCsVtjts4ts*tdtddtjddt dt t}t |rRt t|dS)Nfilez not found z Please, run rz --create-mpr>)r!r4r5rwrDrr*rErrFrVr add_new_line write_file)Zmp_filer/r/r0 check_mp_files   r_c Cs,yttWnttfk r&YnXdS)N)r!riSERVICE_CAGEFS_LOCKrArBr/r/r/r0remove_service_lockfilesrac Cs0yttdWnttfk r*YnXdS)Nr`)r#r`r'rArBr/r/r/r0create_service_lockfilesrbcsfdd}|st|}|r&ttjdr|rP|rtd|pL|}nD|rttdx.t d D]}|rrtd|dd qrW|S) Ncs@d}x,tdD] }t}|s&d}Pt|qWttg|S)NTr F)rrVget_mounted_dirsr7rI)r5rr)all_cagefs_mountsr/r0unmounts   z umount_skeleton..unmountz/usr/bin/systemctlz/bin/umount -l /usr &>/dev/nullr>z/bin/ps --no-headers -xao pidz/usr/bin/nsenter -m -t z8 /bin/bash -c 'if /bin/grep -q cagefs /proc/mounts; thenz6 /usr/sbin/cagefsctl --unmount-cur-ns; fi' &>/dev/null) ra lvectl_startr!r4r5systemr>rFrGExecuter&) save_mountsrdcurrent_namespace_onlyall_namespacesrer5pidr/)rdr0umount_skeletons(       rmc Csyt|tjWn$ttfk r6td|YnXy |Wnttfk r\YnXyt |Wnttfk rYnXdS)Nzfailed to unlock) fcntllockfZLOCK_UNrArBrr*r'r!r)lockfilelocknamer/r/r0unlocks rrcCst|}|S)N)r!popenread)r+Zhandler/r/r0rhs rhc CsyLt|d}|rtd|s0t|tjtjBt|tj|rJtd|Sttfk r|s|stt d ddkrt dn t d|t dYnXdS) Nr`z!Acquiring lock... Please wait... z Lock acquiredzps aux | grep cagefsctlr{r>z5cagefsctl is already running. please try again later.zfailed to acquire lock file)r#rrnroZLOCK_EXZLOCK_NBrArBrrhr&rr*rErF)rqwaitquietrpr/r/r0 acquire_locks    rwc Cs t|dkr|ddkr|}tj|sRttd|d|rHdSt dt |gt t dddd |t|g}|r|dkrt t ddd |t|g}nF|dkr|d krt t ddd |t|g}nt t ddd |t|g}|dkrtd|t ddS)Nrrozfile contains incorrect path -z$is NOT a directory or does NOT existr>z-nz-orHz--rbindzremount,ro,nosuid,bindz/dev/shmz remount,nosuid,noexec,nodev,bindzremount,nosuid,bindzfailed to mount)rrYr!r4rJrr*rwrErFr[rLrMrKrI)r read_only ignore_errorsrPr/r/r0 mount_dir-s&     rzcCs.tdtdtdtdtdtddS)NzaPlease ensure that the following option in cPanel/WHM is set to blank value (not default "home"):r>zdWHM -> Server Configuration -> Basic cPanel/WHM Setup -> Basic Config -> Additional home directorieszZWhen this option is set to "home", cPanel can create home directories in incorrect places.)rrCrDr/r/r/r0print_cpanel_home_warningFsr{cCs8|dr|dkr4|rdStd|d|tddS)NroTzInvalid mount pointzin filer>F)rrrr*rErF)r4rrrr/r/r0check_mpfile_lineMs  r|c Cs^|dkr g}|dkrg}|dkr$g}|s|tkr|t|d|t|d|t|d|r~t|d|||fSt|dSg}ynt|d} xT| D]J} | drq| } | dks| dd ks| d r|rqtd | d |t d| d r^| d} | d kr,| d| } n | dd} | } t | | ||rRq| | q| dr| dd} t | | ||rq| | q| dr| dd} t | | ||rq| | | | dq| dr| | dqW| WnLttfk rJ|r0|r,ggggfSgStd|t dYnX|strxT|D]L} | } | dd kr`tr`td|d| dtdtPq`Wtd|kr|tdtd|kr| tdgt|<t| |ddt| |ddt| |ddt| |dd|rZ||||fS|S)Nr>rr9rrU#roz/../rz/..zInvalid mount pointzin filer,rrr{zfailed to readhomezWarning: file z contains line "rP) mpfile_cacher(r#rrrYrMrrr*rErFrfindr|r9r'rArBr invalid_homes_existrCrDr{PROXYEXEC_SOCKET_DIR_OLDrirV) rrrrread_only_mountsr ignore_cacheZreturn_all_mountsrZ mp_file_objrposr4r/r/r0rYs                        rcCsttddS)Nz start > /dev/null 2>&1)rhr;r/r/r/r0rfsrfcCsB|drdSt|}x$|D]}t|}||rdSqWdS)z Return True when path is included in one of the read-only paths :param path: mount path to check :type path: string :param read_only_mounts: list of read-only mounts from cagefs.mp file :type read_only_mounts: list z/opt/cpanel/ea-phpTF)rrrVrp)r4rrr/r/r0mount_should_be_readonlys     rcCsjtjdd}ttdd|}|r&dSg}t|dtjdd}x$|D]}t|}t||rFdSqFWdS)z Search CageFS for mounts that do not have 'nosuid' option Also search for read-write mounts that should be read-only Return True when found, False otherwise For details see CAG-526, CAG-634 T)without_nosuidcSsd|kS)Nz/proc/sys/fs/binfmt_miscr/)xr/r/r0z%unsafe_mounts_exist..)r)rw_mounts_onlyF)rVrcrfilterr strip_pathr)Z no_suid_dirsr rw_mountsrr4r/r/r0unsafe_mounts_exists      rcCsd dd}|ttttjdd}x*|D]"}t|}|||t||dq*Wttjdd|}x.|D]&}t|}t||rj|||ddqjWdS) z Remount all CageFS "unsafe" mounts, so that they become "safe". Make all mounts "nosuid", and make some mounts "read-only" (when needed) For details see CAG-526, CAG-634 FcSsR|r ttdddd||g}nttdddd||g}|dkrNtd|dS)Nz-nz-ozremount,ro,nosuid,bindz(/usr/share/cagefs/not-existing-directoryzremount,nosuid,bindrzfailed to mount)rLrMrKrr*)oldnewrxrPr/r/r0 remount_dirs z*remount_unsafe_mounts..remount_dirT)r)rx)rN)F)rIrrVrcrr)rrZ wo_nosuidZpath_newZpath_oldrr/r/r0remount_unsafe_mountss       rz/etcz/var/logz/var/run/screenz/var/spool/cronz/var/cache/php-eacceleratorz /var/.cagefscCs$y t|Stk rYnXdS)zs Return value of symlink or None when error occurs :param path: path to symlink :type path: string N)r!readlinkrB)r4r/r/r0 read_symlink s  rc Cstj|st|sdStj|}t|}tj|}|d}tj||}tj |dddtj |rxtj ||st |yt ||Wnftk r}zHtj|rtj ||std|d|dt|td dSWdd}~XYnXtj t|dddd t|}||krt |yt||Wn`tk r}z@t|}||krtd |d|dt|td dSWdd}~XYnX|rt||dS) a7 Mount one separate file to CageFS using hardlink & mount :param path: path to file :type path: string :param do_mount: when True mount directory with hardlink to CageFS :type do_mount: bool :param read_only: when True mount read-only, read-write otherwise :type read_only: bool Nz.cagefsiF) allow_symlinkz!Error: failed to create hardlink z to z : r>)r update_permz Error: failed to create symlink )r!r4r5r rrIbasenamerrVmake_dirr?samefilerlinkrBrrCrrDrsymlinkrz) r4do_mountrxZ skel_pathfilenamedir_pathZ hardlink_pathrspathr/r/r0 mount_files:    &   &r)rreturncCsZts dStt|dtjtd}tj|sBtj |ddddt ttj|ddS)z| Mount socket of systemd-journal into CageFS :param do_mount: when True mount directory with hardlink to CageFS N)rZdeviF)r4Zpermrrlog) rrrr!r4rrIrRrVrr )rZskeleton_dev_dirr/r/r0_mount_systemd_journal_socketBs"  rc Csttdtt|s ts2tdr2tdtdgtddt t ddd d t t g}|d krrt d t g}g}t||d t_t|td }xFttjD]8}|}|dkr|dkr|dst|||kddqWyhd}x^t|D]P}tj||}tj|rt|d"} x| D]} t| q$WWdQRXqWWn0tk rz} zt d| Wdd} ~ XYnXtddt t!dddt"ddtdt#|ttt|t|t$|rt%t&ddt't(t)dS)z Function remounts skeleton and all users !!WARNING!!: part of this logic is duplicated in jail.c from kmoc-lve project :param remount_users: when True, destroy&create LVE&namespaces for all users :type remount_users: bool z,/bin/mount --make-rprivate / >/dev/null 2>&1rRr>z/tmpF)riz-nz-orHz--rbindrzfailed to mount)rrz/procz/tmp/T)rxryz/etc/cagefs/empty.dirsrUNzError while reading file.)r)rrx)rI)*r_rhr[ MOUNT_POINTSrWrYrErFrmrLrMrKrIrr*rrVrr!r"sortedrYrrrzrr4rr5r#rQrAsetup_cpanel_multiphprLICENSE_TIMESTAMP_FILErrrfrrKrremove_remount_flagrb) remount_usersrPrrr,rZemptied_dirs_pathrZemptied_configZemptied_dirs_fileZ emptied_dirrr/r/r0mount_skeletonfsZ         $    rcCslxf|D]^}tj|}|d}|tdrtd|dt|}||krZtd|dt dqWdS)Nror4z is incorrectz (it refers to)r>) r!r4rrrrIrr*rVrrErF)pathsr4path2r/r/r0 verify_pathss   rc@s>eZdZddZdddZddZdd Zd d Zd d ZdS) cagefs_initcCs"g|_g|_g|_g|_g|_dS)N)didfiles didsections diddevicesdidusers didgroups)selfr/r/r0__init__s zcagefs_init.__init__rc CsB|r>t|tj|||d|dd|dd||j|dd |_dS)Nrverboser>hardlinkupdate)Z check_libsZ try_hardlinkZ retain_ownerZtry_glob_matchingZ handledfilesr)rrVZcopy_binaries_and_libsr)rconfigchrootrtry_globr/r/r0 update_pathsszcagefs_init.update_pathscCst}||||dS)N)rVZget_alt_php_libsr)rrrrr/r/r0update_alt_php_libsszcagefs_init.update_alt_php_libsc Cs|ddkr|dd}tj|sFtd|t|dt|dt||d}x8|D]0}t||j krZ| |||||j |qZWt||d}|dkry| dWnt k rYnX|t||d }|t||d }|t||d }|t||d }|j|||d dt||d}|j|||d dt||d} x(| D] } tj|| |dd dd dqVWg} g} t||d} x$| D]}||jkr| |qWt||d} x$| D]}||jkr| |qWtt| | |dtt| | |dttjd| | |dttjd| |d|j| |_|j| |_t||d}xZ|D]R}||jkrptj|tj||dd dd dt|||d|j |qpWdS)NrrozCreating jail iincludesectionsrZ directadminz/usr/local/awstats/ libraries executables regularfiles directoriesr>)r paths_w_owner emptydirsrr)copy_permissionsZ allow_suidcopy_ownershipr;groupsz/etcdevices)r!r4rRrrr(rVconfig_get_option_as_listrrhandle_cfg_sectionr9rir[rcreate_parent_pathrinit_passwd_and_groupFUSE_DIRZinit_safe_users_and_groupsETC_TEMPLATE_NEW_DIR init_shadowrrrZ copy_device)rrrcfgsectionsectionstmprrrZedirr;rtmplistrr/r/r0rsd                  "zcagefs_init.handle_cfg_sectioncCs|rt|t|dS)N)rrVZ copy_to_etc)rrr/r/r0update_etc_paths'szcagefs_init.update_etc_pathsc Csrt||d}x0|D](}||jkr|||||j|qWt||d}|t||d}|t||d}|t||d}|t||d}||t||d}||g}g} t||d} x | D]}||jkr||qWt||d } x$| D]}||jkr| |qWttjd || |d t tjd ||d |j||_|j| |_ dS) Nrrrrrrrr;rz/etcr) rVrrupdate_etc_from_sectionr9rrrrrr) rrrrrrrrr;rrr/r/r0r,s6         z#cagefs_init.update_etc_from_sectionN)r) __name__ __module__ __qualname__rrrrrrr/r/r/r0rs  @rc Csx|D]}tjt|rtjt|sytt|dWntttj fk rZdSXy&t d}t t|t |Wqttfk rYqXqWdS)NFTr) r!r4rJrIrrcrrArBrdr"r)r4r4r,r/r/r0mount_points_busyRs    rcCs"tdgrtdtddS)Nz/tmpz6failed to unmount CageFS - skeleton directory is busy.r>)rrr*rErFr/r/r/r0check_skeleton_not_busycs  rcCsbt|ddtdtr0tdtd|r^trDtdt td|r^t dS)NT)rdrkr>z!failed to unmount cagefs-skeleton) rmrFrGrNrr*rErFrKrr)r check_busyrdr/r/r0 unmount_allks      rcCsdtt_t||rdS|dkr(t}ttj|}x$|D]}t|}|||r@dSq@WdS)NTF) rrVrmounts_are_foundrcrpr!r4r)r4 proc_mounts comparatorrrr/r/r0r~s    rcCst||tjdS)N)rr)rrVZ$path_includes_mount_point_comparator)r4rr/r/r0path_includes_mount_pointsrcCst||tjdS)N)rr)rrVZpath_is_mounted_comparator)r4rr/r/r0path_is_mountedsrc CsLyttdWn4tk rF}ztdtt|Wdd}~XYnXdS)Nr`zfailed to create)r# REMOUNT_FLAGr'rArr*r)rr/r/r0create_remount_flagsrcCs(yttWntk r"YnXdS)N)r!rrrBr/r/r/r0rsrcCs tjdS)Nz$/etc/cagefs/disable.home.dirs.search)r!r4r5r/r/r/r0home_dirs_search_is_disabledsrc Cstr dSt}|sdSt}t}d}x|D]}t|}y|rRtj|rBtj |r|dkr|st dddd}t |t |dnNzfailed to creater)rrVget_homeN_dirsrcrrIr!r4r?rrrrrrrJrremove_file_or_dirrrrcrrBrr*rr) homesrZ!always_home_mounting_mode_enabled unmountedrr4 skel_link_tolink_tor.r/r/r0create_homeN_dirs_in_skeletons                      *rc Cstjtr ts ts ts$dStjdd}x|D]}t|}y`tj|rtj|rtj |}|dd}t t |}||krt |t ||Wq6tk r}ztd|dt|Wdd}~XYq6Xq6WdS)zu Update symlinks /usr/share/cagefs-skeleton/home*, so they point to the same location as in real file system NT)Zuse_globr>zfailed to process symlinkr)r!r4rJrIrrrVrrrrrrrrBrr*r)rrr4rrr.r/r/r0!update_homeN_symlinks_in_skeleton s      rcCsd}t|ts$d}t|ts$t|}t}xz|D]r}tj|}|dr0tj|}xJ|dkr||kr||kr|||rd||<n ||tj|}qXWq0W| t |dS)zP Add parent directories to list_of_files if they do not present in set_of_files TFror>N) isinstancedictrr!r4normpathrrrrr(r) list_of_filesZ set_of_filesZis_dictparentsrparentr/r/r0 add_parents s$          rcCsti}ttj}x6tt|D]&}||ddd||<d|||<q"Wt|||t d}t t d}x|D]}| d|qxW|t |t t ddS)Nz/etcrr>rzr`z%s i)rrrV white_listrrreplacerrr!r"r#FUSE_WHITE_LISTrar'r()rZwhite_list_copyZindr,rrr/r/r0save_etc_white_list6 s      rcCsttjatjatttdS)N)rrV files_list list_copyrr/r/r/r0add_parents_to_listsQ s rc Cst|dkrt}|td}y2ttd}x|D]}|d|q6W|Wn<t k r}zt dtdt |Wdd}~XYnXt|yt tdWn<tk r}zt dtdt |Wdd}~XYnXdS)Nrr`z%s zFailed to write z : iz Failed to change permissions of )rrrr!r"r# FILES_LISTrar'rArr*rr(rB)rr,r]rrr/r/r0save_list_of_files_in_skeletonY s"    , rcCsyt|d}Wntk r"dSXxX|}|dkr8P|ddkr&|}|dkrl|ddkrl||q&td|dq&W|dS)NrUrrr{ror4z is relative)r#rArXrYr9rr*r')rr4rrr/r/r0 load_listn s  rcCsg}t|}d}x||kr||}||kr|s:tj|}|sF||kr|||d7}x4||kr|||dr||||d7}qZWq|d7}qW|S)Nrr>ro)rr!r4rr9rr)rrZignore_realpathZdiffZold_lenitemrr4r/r/r0 compare_lists s"      rc Cs~t|ddks|ddkr"dSg}tt|t|t}t}x4|D]*}tt|t|}t |}| dsJt ||sJ|ddkrt d|t|dqJtj|rtj|sy"t|dt d |tdWn0tttjfk rt d |tdYnXqJtj|rJy t|t d |tdWqJttfk rtt d |tdYqJXqJWdS) Nreinitr>initz/dev/z dont-cleanz Skipping rFzRemoved directory zError while removing directory z Removed file zError while removing file )rrrrrrVrcZdel_libs_from_listrprIrrrrrCrDr!r4rJrrcrrBrArdr?r)rZold_listfiles_to_deleterrfile2r4r/r/r0delete_files_from_skeleton s8        rcCs,x&tdD]}tt|tjqWdS)Nz/sbin/pidof cagefs-fuse)rhr&r!killrZsignalSIGUSR1)rlr/r/r0reload_fuse_conf sr cCstj|rtj|sdSy6tjtd||gtjtjd}||jdkrPdSWn6t k rt dtd|d|t d YnXdS) NFz-r)rr0rTzfailed to run z -r  r>) r!r4rJrLr!DIFFr"r#r3rBrrCrD)Zdir1Zdir2r6r/r/r0are_dirs_equal s (rc Csxtjtjd|}t|}yt||WnDtk rr}z&t d|d|t |t dWdd}~XYnXdS)z Create symlink to NodeJS/Python/etc selector config directory inside template for user etc directory For details see CAG-797, CAG-828 :param selector_name: name of selector: nodejs, python, etc z etc/cl.{}zError while creating symlink z to r>N) r!r4rrVrformatSELECTOR_CONF_DIR_TEMPLATEr rBrrCrrD)Z selector_nameZ temp_pathrrr/r/r0&create_symlink_for_selector_config_dir s  rc Cs"ttjddtdtdttjtj drt tj d}t tj dtjd|stj tjdtj dddrdSt tjd|d nt tjdd ttj ddyttjdtj dWnFttfk rtd tjd tj dtd td YnXdS) Nz /etc/mailTrkrlz /etc/passwdz/etcF)Zshallowr>z Error moving z/etc to )rcrrVrrremove_blacklisted_filesr!r4r5ETC_TEMPLATE_DIRr_rgrrbrrBrArrCrDrErF)force_update_etcZold_etc_versionr/r/r0compare_etc_templates s" "rc Cstd}tj||ryDtj||rNtj||sNt||dnt||WnLt t tj fk r}z&t d||dt|tdWdd}~XYnXtj||rt d||dtdtd|d}tj|rzy8tj|r"tj|s"t|dn t|WnJt t tj fk rx}z"t d|dt|tdWdd}~XYnXtj|rt d|dtddS) Nz/usr/share/cagefs-skeletonFzError: failed to remove z : r>zError: z exists. Please remove manually.z /var/cagefs)rr!r4r?rJrrcrrrBrArdrrCrrDrErF)rIrrr/r/r0remove_nested_skeleton s, 4 0rc Cs~tt}t}tttd}t tj ddtj tj dsyt tj ddWn0tk rtdtj dtdYnXx$|D]}||||tqW|ttj|r*xTtjD]F\}}tj |} | drtj| ddst|rtd |dSqWtt|t t!t"|d d |dkrnt#|dd n t#||d dS)Nrz/etcTicreatingr>z/etc/)etcz CloudLinux Selector setup, path:zforce-update-etc)r) all_users)r;F)$rjr read_configrVread_native_confload_black_listr!r"rcrrr4rJrrBrr*rErFrrrrr orig_binariesvaluesitemsrrrmove_to_alternatives is_mandatory!remove_unwanted_users_from_groups#create_files_for_symlink_protection"create_dirs_for_symlink_protectionr update_etc) rr;print_selector_errorscirr,raliasr orig_path2r/r/r0update_etc_only% sB        r+cCst\}}tj|tj||rtt_t}xttjD]j}tj |r>t |}t ||s>tj |rxt |q>tj |s>tjt tj |dddt |q>WdS)Nr>)rr)build_wrappers_dictsrVwrappersrwrappers_namesrrrcr!r4r5rIrZinstall_wrapperrRrr)update_wrappersr-r.rrr4r/r/r0 load_wrappersc s         r0cCs6||kr dS||}t|dkr&dS|d|dfS)N)NNrrr>)r&r)Z separatorrZ line_partsr/r/r0check_separatorx s   r1cCs8|dk r,t|}||}|dkr(dSdS|r4dSdS)NFT)rr$r')Zregexpart can_be_noneZ regexp_compZp1r/r/r0validate_with_regex s  r4cCs|ds|rdStd|\}}|dks4|dkr8dSd|krPtd|\}}n|}d}d|krptd|\}}n|}d}|dks|dkrdStj|sdS|ddkrdStd |dd sdStd |dd sdStd |dd sdSdS) z+ Return False if line is corrupted r}T=NFrrroz^[a-z][-a-z0-9]*$)r3z^[a-zA-Z][-a-zA-Z0-9_]*$z^[a-zA-Z.][-a-zA-Z0-9_.]*$)rrisspacer1r!r4isabsstripr4)rZ alias_wrapperZ user_commandr)wrapperr<r+r/r/r0check_proxy_line s4 r:c Cs4d}t}i}i}x|D] }t|sX|rBtdt|dqtdt|dq|drdq|dd}t|dkr|dd d}t|dkr|dd krq|d}t|dkr|d} n|} |d d d kr|d} n |dd d} | d} ||| <| || <qW||fS) Nzcagefs.proxy.programzWarning: Found corrupted line:z . Skip line.r}r5r>rrrZ noproceedr) load_wrappers_commandsr:r)rrrrr8r&rrM) rZDEFAULT_PROXY_NAMEcommandsr-r.rZwordsZ words_leftr)Z wrapper_namer+Z words_rightr/r/r0r, s8      r,cCshtjt}tjt}g}xFt|D]8}tj||}||r(tj|r(| t |q(W|S)N) r!r4rPROXY_COMMANDSrrrrr5r(rVr)Zproxy_commands_dirZproxy_commands_namer<rr4r/r/r0r; s  r;c CsZt}xJtjD]>}t|dkr(q|d}|rBtj|}nt|}tj |r|st ||r|t d|dt dqt||rt d|dt dqyFtj|rtj|st|dn t|t d|t tWnJtttjfk r.}z"t d |d t|t dWdd}~XYnXtj |rt d|d t dqWdS) Nz/usr/local/cpanel/bin/jailshellz/etc/zWarning: blacklisted path z is mountedr>z includes mount pointFzRemoved zError: failed to remove z : z exists. Please remove manually.)rVrc black_listrrrrrIr!r4r?rrrCrDrrJrrcrrVERBOSErBrArdr)rZblack_list_fileZ is_in_etcr4rr/r/r0r s4      0 rcCstjt}tjt}gt_xt|D]}tj||}| |r*tj |r*t |}x|D]z}t | }|drb|dks|ddks| drtd|d|qb|dstj|}|tjkrbtj|qbWq*Wtt_|rtdS)Nroz/../rz/..z Invalid pathzin filez/etc/)r!r4rBLACK_LIST_FILErrVr>rrrr5rrrYrrrMrr*rr9rrr)riZblack_list_dirZblack_list_namerr4r>rr/r/r0r s(         rc Csddg}d}x|D]}ttj|}t|}tj|rtj|stj|r`tj|ddyt ||Wqt t fk rt d|d|tdYqXqWdS) Nz/usr/local/cpanel/bin/jailshellz/usr/local/psa/bin/chrootshz /bin/bashT)Z check_mountszcreating symlinkrvr>)rIr!r4rrJrr?rVrrrBrArr*rErF)Zbin_listrNZbin_nameZ parent_dir link_namer/r/r0replace_jailshell. s  rBc Cs.x(||D]}||||||q WdS)N)optionsrget)rerrf new_sectionZoptionr/r/r0 copy_options@ srFcCs||r||s:|dkr:||t||||nXd}x,tdD] }|t|}||sHd}PqHW|rz|t}||t||||dS)NdefaultTrF)Z has_sectionlowerZ add_sectionrFrrr)rerfrr5numrEr/r/r0 copy_sectionE s      rJcCstjdd}i}xttD]}|drt|}tjdd}|||rxR|D]F}||krt d|d||d|t dt dqV|||<qVWx|D]}t |||qWqWtjtrxttD]}|drtjt|}tjdd}|||rlxV|D]J}||kr^t d|d||d|t dt dn|||<qWx|D]}t |||qvWqW|S) NF)strictz.cfgzError: duplicated section [z ] in files z and r>z.work) configparserZRawConfigParserr!r CONFIG_DIRrrtrrrCrDrErFrJr4rJWORK_CONFIG_DIRr)Zfail_if_sections_are_duplicatedrrrr4rrr/r/r0rW s<    &      & rc CsZttd}tj|sVytd|Wn*ttfk rTt d|t dYnXdS)Nz/var/tmpz/tmpzError while creating symlink r>) rrIr!r4r?rrBrArrCrD)r4r/r/r0create_var_tmp_symlink s rOc Csn|ddkr8|ddkr8ts8ts4tdtddStttt}|ddkrhtdd d t t_ t }t t t|d dkr|ddkrtttjrRtjrRtjtd rRtd dd dttd d}t|}|td|rRtdttjtdt|tddd dyNxH|D]@}x8||D],}|tj|krNtdtd|PqNWq@WWn8tk r}ztdtd|Wdd}~XYnXyPxJtjD]@}x8tj|D]*}|||krtdtd|PqWqWWn8tk rH}ztdtd|Wdd}~XYnXtdt d t!t"d}t#t$%tj&dd tj'tj&dsyt(tj&ddWn2t)k rtdtj&dt*+dYnXx.|,D]"} t#|-|t.|| t/qW|0|t.t1tj23|4|t.t5t6t7t"|tj8t.dddd dt9t.dddt:ddgt;t<|t=t>t?@t.tAtBttjrDttd d!} x2tCtjD]$}| Dd"|dEtj|fqW| td#dd dttd d!} | DtFtj| tdtGtHtIrxtJsjtK|n tK|d d$n|ddkrtL|d dkrd%|krtMtNtOtPtQdd&tRtSdd&tTtUdd&tV} tW|d dks|ddkr8tJs8tXd d} tjd'r8tYd(| rFtXd tZrbt[d)tdt\t]dS)*Nrr>z force-updaterzWcagefs-skeleton has been updated recently, if you want to force the update, please run:z"cagefsctl --force-update"rFT)rrz /libs.datzLoading libs.datr )endflushrUZDonez Pickle lenzEval lenZ Comparingrz : NOT EQUALz : Key Errorz/etcirz/rootih)rrz/passwdz/groupz /libs.txtr`z%s : %s zSaving libs.dat)rcagefs_was_enabled)rz/usr/bin/systemctlz/usr/bin/systemctl start cagefszUpdating statuses of users ...)^rVZ#update_of_cagefs_skeleton_is_neededrDrupdate_rpm_packages"add_default_rpm_packages_to_cagefsrjrrrrrrr$r%Z load_libs LIBS_LIST debug_optionZ libs_listr!r4r5LIBDIRr#evalrtr'rrr*linenor:r0rr"rrcrrrJrrBrErFrrrIrrrrrrr#r[rr set_ownerZsave_etc_safe_listrrrBrO cagefs_da_lib create_symlink_to_php_ini_for_DArZ save_libsrrarreprrrrTrr&r rrGZcreate_utmp_in_skeletoncreate_utmp_for_all_usersrrrZadd_syslog_socketrrrrrhrrCupdate_users_statusZsave_last_update_time) rr(rZrtfZtdkeyrrr,rZtf2Ztfrr/r/r0 update_cagefs s   "  & &      $    $racCs`t|dddtrtddSxzPlease, reply with yes or no)rdo_not_ask_optionrEr?rXrF)rrr/r/r0confirmV s  rccCstdtddddttddttddtddtd td dddtddd rvtd t d t d td tddddt rtdt d t d td ttrtdt d trtdn&tdtdddttdtdtdtdddttdtdtd}tj|rt|std|dddt|dtddS)NzWARNING: If you continue, CageFS will be disabled, and all related files and directories will be removed. Do you want to continue (yes/no)? zDisabling CageFS r T)rPrQzusers.disabledz users.enabled) disable_allz[DONE]zUnmounting skeleton )rdrkzunmounting skeletonr>zUnmounting users zunmounting usersz!failed to unmount cagefs-skeletonzPUsers with invalid pathes to home directories exist! DO NOT REMOVE /var/cagefs !z Removing z [DONE]z.old)rcrrcrrr_rmrr*rErFrFrGrKrrN repair_homesrrrIr!r4rJ)Zold_skelr/r/r0 remove_allg sF              rfcCstdtdttjddtdtdtdtdtd td td td td tdtdtdtdtdtdtdtdtdtdtdtdtdtdtdtdtdtdtdtd ttjdd!tdtd"td#td$td%td&td'td(td)td*td+td,ttd-ttd.td/td0td1td2td3td4tdtd5td6td7td8td9td:td;td<td=td>td?td@tdtdAtdBtdCtdDtdEtdFtdGtdHtdItdJtdKtjdLtdMtdNtdOtdPtdQtddS)RNrz&Use following syntax to manage CageFS:rz [OPTIONS]zOptions:zU -i | --init : initialize CageFS (create CageFS if it does not exist)zT -r | --reinit : reinitialize CageFS (make backup and recreate CageFS)z\ -u | --update : update files in CageFS (add new and modified files to CageFS,z5 remove unneeded files)z] -f | --force : recreate CageFS (do not make backup, overwrite existing files)z_ -d | --dont-clean : do not delete any files from skeleton (use with --update option)z8 -k | --hardlink : use hardlinks if possibleze --create-mp : Recreates /etc/cagefs/cagefs.mp file with default set of mount points.zr WARNING: Any previous changes made to file by admin or by any software will be lostz> --mount-skel : mount CageFS skeleton directoryz@ --unmount-skel : unmount CageFS skeleton directoryzY --remove-all : disable CageFS, remove templates and /var/cagefs directoryzx --sanity-check : perform basic self-diagnistics of common cagefs-related issues(mostly useful for support)zp --addrpm : add rpm-packages into CageFS (run "cagefsctl --update" in order to apply changes)zj : only package name should be specified (without package version and release)zF : example: cagefsctl --addrpm ImageMagickzs --delrpm : remove rpm-packages from CageFS (run "cagefsctl --update" in order to apply changes)zM --list-rpm : list rpm-packages that are installed in CageFSz? -e | --enter : enter into user's CageFS as rootzV --update-list : update specified files only (paths are read from stdin)zM --update-etc : update etc directory of all or specified usersz[ --set-update-period : set min period of update of CageFS in days (default = 1 day)zO --force-update : force update of CageFS (ignore period of update)zS --force-update-etc : force update of /etc directories for users in CageFSz` --reconfigure-cagefs : configure CageFS integration with other software (control panels,z5 database servers, etc)z%Use following syntax to manage users:z$ [OPTIONS] username [more usernames]z5 -m | --remount : remount specified user(s)zK -M | --remount-all : remount CageFS skeleton directory and all userszP (use this each time you have changed cagefs.mp file)z5 -w | --unmount : unmount specified user(s)z? | --unmount-dir : unmount specified dir for all userszK -W | --unmount-all : unmount CageFS skeleton directory and all usersz= -l | --list : list users that entered in CageFSzE --list-logged-in : list users that entered in CageFS via SSHz6 --enable : enable CageFS for the userz7 --disable : disable CageFS for the userzA --enable-all : enable all users, except specified inzB --disable-all : disable all users, except specified inzP --display-user-mode : display current mode ("Enable All" or "Disable All")zE --toggle-mode : toggle mode saving current lists of userszR (lists of enabled and disabled users remain unchanged)z. --list-enabled : list enabled usersz/ --list-disabled : list disabled userszP --user-status : print status of specified user (enabled or disabled)z3 --getprefix : display prefix for userzPHP Selector related options:zW --setup-cl-selector : setup PHP Selector or register new alt-php versionszp --remove-cl-selector : unregister alt-php versions, switch users to default php version when neededzq --rebuild-alt-php-ini : rebuild alt_php.ini file for specified users (or all users if none specified)zi --validate-alt-php-ini : same as --rebuild-alt-php-ini but also validates alt_php.ini options zt --cl-selector-reset-versions: reset php version for specifed users to default (or all users if none specified)z --cl-selector-reset-modules : reset php modules (extensions) for specific users to defaults (or all users if none specified)zL --create-virt-mp : create virtual mount points for the userzM --create-virt-mp-all : create virtual mount points for all userszP --remount-virtmp : create virtual mount points and remount userzh --apply-global-php-ini : use with 0, 1 or 2 arguments from the list: error_log, date.timezonezh without arguments applies all global php options including two abovezCommon options:z4 --enable-cagefs : enable CageFSz5 --disable-cagefs : disable CageFSzP --cagefs-status : print CageFS status (enabled or disabled)ze --check-cagefs-initialized : properly checks whether CageFS is initialized and print resultz2 --set-min-uid : Set min UIDzF --get-min-uid : Display current MIN_UID settingzW --print-suids : Print list of SUID and SGID programs in skeletonzj --do-not-ask : assume "yes" in all queries (should be the first option in command)zf --clean-var-cagefs : clean /var/cagefs directory (remove data of non-existent users)zT --set-tmpwatch : set tmpwatch command and parameters (save to z file)zz --tmpwatch : execute tmpwatch (remove outdated files in tmp directories in CageFS for all users)zC --toggle-plugin : disable/enable CageFS pluginz5 -v | --verbose : verbose outputz --wait-lock : wait for end of execution of other cagefsctl processes (when needed) before execution of the commandz3 -h | --help : this message)rrErrrrVZ CAGEFS_INIr/r/r/r0usage s  rgcCsFts6tdtdtdtjddtdttddS)N directoryzdoes NOT exist or is empty.zUse "rz --init" to create CageFSr>i) check_cagefs_skeletonrr*rIrErrFr!r(r/r/r/r0check_skeleton s  rjcCsPg}xF|D]>}t|}d}x|D]}||r"d}Pq"W|s ||q W|S)NFT)rVrprrr9)rresultr4rrrr/r/r0remove_parent_dirs s    rlc Cst}ddlm}||}|dkr4|s0td|dStj|syt|dWqtt fk r|t d|t dYqXn$tj|st d|dt dtd }tj||d }t|d }|d |d |dd}t|}t|}x|D]z} | ds| ds| ds| ds| ds| ds|dkrf|d| n || |d}qW|d|t|dS)Nr)get_package_fileszPackage %s not installedizfailed to creater>r4zshould be directoryrz.workr`[z] zpaths=z/usr/share/man/z/usr/share/locale/z/usr/share/doc/z/usr/share/info/z/usr/lib/.build-id/z/usr/share/licenses/z, r{)rNZ simple_rpmrmrr!r4r?rrBrArr*rErFrJr"rr#rarErlrrr') pkg_namesilentWORK_DIRrmZ package_filesr, WORK_FILEZaFiler*rr/r/r0addrpm sF             rsc Cst}tj||d}tj|s4|s2td|ntj|sLtj|sZt |dnyt |Wn$t t fk rt d|YnX|t kryFg}tjtrtt}|d|kr||dtt|dWn$t t fk rt dYnXdS)Nz.workz!Rpm %s is not installed in CageFSzshould be regular filezfailed to remover{Fzfailed to write package list)rNr!r4rr?rrr5rr*rirBrA STD_PACKAGESrRSTD_PACKAGES_FILErVrr9r^)rorprqrrpackagesToExcluder/r/r0delrpm6 s*     rwcCsjt}g}tj|rDx.t|D] }|d|d}||q W||sfx|D] }t|qVW|S)Nr) rNr!r4rJrrr9rr)rprqrpmsZwork file_namepackager/r/r0list_rpmS s   r{cCsBx<|D]4}t|s.tjtjt|dst|ddqWdS)Nz.workT)rp)rr!r4r5rrNrs)args overwriterpmr/r/r0add_rpm_packages_to_cagefsa s rcCsx|D]}t|ddqWdS)NT)rp)rw)r|r~r/r/r0remove_rpm_packages_from_cagefsh s rcCsNg}tjtrtt}g}x"tD]}|d|kr$||q$Wt|dS)Nr{) r!r4rRrurVrrtr9r)rvZ packagesToAddZpackNamer/r/r0rTm s    rTcCs ttdd}t|dddS)NT)rp)r})rr{r)rxr/r/r0rS{ s rScCs|t|}|dkr$tdtd|ay,ttd}t dt}| || Wn"tdttdYnXdS)NrzMIN UID should be >= 100r>rr*zwritting MIN UID to file) rZrr*rErFrr#MIN_UID_FILENAMEstructpackrar')valueZbuf_valbinfiledatar/r/r0 set_min_uid s       rc CsXy t}Wn<tk rF}ztt|ttdWdd}~XYnX|dk rT|adS)Nr>) read_min_uidr[rr*rrrErFr)rrr/r/r0 get_min_uid s rcCstjtsdSy*ttd}td}||}|Wnt dYnXt ||krdt dt d|}t |dkr|ddkr|dSdS)zg Gets minuid from file and returns unpacked value if no errors happened otherwise None Nr2r*z failed to read MIN UID from filezreading MIN UID from filerr) r!r4r5rr#rcalcsizertr'r[runpack)rZintsizerrIr/r/r0r s       rcCs~tt}t||dkrFtd}tdxL|D]}t|dq2Wn4|dkrzttd}tdx|D]}t|dqhWdS)Nz Enable AllTFz Disable All)rrrrrrr)rrJr<disabled_usersr/r/r0 toggle_mode s   rcCst|}yt|}Wn$tdt|dtddSt|j |ds|d}td|dd|t|dyd|dd t|d d }t |tkrt |dkr||}|d }t |d }| ||Wn4tk rtd|dd|tddSXdS)Nz(Warning: getgrgid() failed for group id z skipping...r>rz /etc/groupz adding group z to rz:x:rrr{azERROR: failed to write group )rVrgrpZgetgrgidrrCrrDZtest_group_existZgr_nametyperr#rar'rA)rgroup_idr<rgrrrfdr/r/r0addgrouptojail s* "   rcCst||||}|dkrdSyJ|d}t|d}|}x(t|dkrb|d}t|dkrXt|d|krX|dddd } || kr|d Std |d |dt |d | } | } | | t|t| d kr| ddkr|g} n | ||dd|dd} d | } | | d| 7} || |d S|}qz Adding user z to group rrz:x:r{zERROR: failed to add user z in )rr#rXrr&rZr'rrCrDtellrtseekr9rrarAr)rrr<rrPrrrZsplittedr;rZbufrZtmp2r/r/r0addusertogroupinjail s@   "   &rc Cs\|d}y6t|d}|d|d|t|dWnttfk rVYnXdS)Nz /.htaccessr`z#CageFS autogenerated file zdeny from all i)r#rar'r!r(rArB)r4ryrr/r/r0create_htaccesss   rc Cs4|d}yt|Wnttfk r.YnXdS)Nz /.htaccess)r!rirArB)r4ryr/r/r0r#s rc Cstj|}t|}tjd}td|d|d} | d} |rxXdD]P} tj|| | | dddkrHtd|| d | | t d|sHt d qHWn|dkrt || }|d dks|d dks|rxyHt | d tj|| d |ddkrtdt|gdrtd|WnZtk rt} z:td|d | dt| t d|sdt d Wdd} ~ XYnXnRtj|| d d |ddkst|gdrtd|d | t d|st d tdkrtjdotjdatdtryF| d} | d}tj|sBtj| s6t| dtd|WnRtk r} z2td|dt| t d|st d Wdd} ~ XYnXtj|j}t }x2|D](}ynt!| dd}|"|j#dt|d d t|d!d |d"d |d#d |d$d%|$Wn4td&|j#d't d|sZt d YnXt%| |d!d|s|st d xD|D]<}|j#|j&krt'| |j(|j#|}|s|st d qWt)| |j#|d(qWdS))Nz/etcror)z/passwdz/shadowF)create_parent_dirr>zError copying z to rrrT)skip_dst_fileszcopytree() failed)r;z%Failed to setup cl-selector for user zError while copying z: )rrz/usr/local/apache/domlogsz/etc/apache2/logs/domlogsz /apache2/z /apache2/logsz/apache2/logs/domlogsizError while creating z : z/passwdrz:x:rr9rrrr{zError while adding user z to passwd filer)*rrrrrVrr copy_filerCrDrErFget_custom_etc_files_for_userrcrcopytreer)create_etc_alternativesr domlogs_foundr!r4rJ SPECIAL_PATHSr9r?rrrB get_pw_by_uidrrZgetgrallr#rapw_namer'rZgr_memrgr_gidZadd_user_to_shadow)r<rryrecreate passwd_onlycustom_etc_filesZpw_linerZetcskelrZetcuserZcfrZ logs_dir_pathZ domlogs_pathrrr+rrrPr/r/r0copyetc-s   "  &    T   rc Csyt|}Wnttfk r&dSXt|jry"t|dt d|t dWqtttj fk rt d|t dYqXnLy t |t d|t dWn*ttfk rt d|t dYnXdS)NFzRemoved directory r>zError while removing directory z Removed file zError while removing file )r!lstatrBrAstatS_ISDIRst_modercrrrCrDrdr)r4Zsbufr/r/r0remove_file_or_directorys   rz/mail/rocCs xtD]}||rdSqWdS)NFT)rrr)r4Z spec_pathr/r/r0check_special_pathss  rc Csts|tkrPi}tj|d||ddt|}|t||}|t|<nt|}|dkrpt||d}x^|D]V} t| } |d| } | |krvt | rv|ddkrt d| t |dqvt | qvWdS)Nz/etc)cut_pathz dont-cleanr>z Skipping r)rVZcustom_etc_presentfiles_to_delete_cacheadd_tree_to_listrrrrrprrrCrDr) r<userdiretc_skelretc_user_versionrZetc_userZ etc_user_listrrrr4r/r/r0 clean_etcs$      rcCsttjS)N)rrrrr/r/r/r0get_all_users_from_passwdsrc Cstdtdt||}t}ttjd}tjt dddd}xR|D]H}t |}t d|} d|d|} t | } | d} t| drqHt| drqHt || } t | | }t| }|ds||krxtd |d tdt j| d r|d dks|d dkr&t|||| dnNt|||| d|dkr`i}tjtjd|tjddt|| |||| dnd}||krtd |d tdd}t|||ddt||}|rz|std |d td|dkri}tjtjd|tjddd}xV|D]N}||krZ| |}|ddkrPtd|t|dqt|nd}qW|rzt|||| dt|| t||qHWdS)NzUpdating users ...r>z/etciT)rrozforce-update-etczUpdating user z ...z /etc/passwdrr)r)rF)rz dont-cleanz Skipping r)rrCrDget_cagefs_usersr=r_rVrrrrrrr!r4r5rrrZget_custom_etc_files_to_deleter update_custom_etc_files_for_usersave_custom_etc_log)rr;ryrZmodified_usersZetc_skel_versionrr<rZ prefixdirrr user_etc_pathrcustom_etc_files2rZmessage_printedZcustom_files_to_deleteZcopyetc_neededr4Zfullpathr/r/r0r&sj      .         r&cCs0|dkrttd}x|D]}t|dqWdS)NT)rrr)rJr<r/r/r0+enable_cagefs_for_users_with_duplicate_uidss  rcCs|rt}t|dnj|dk rB|dk rB|r4t|}t||n@ttd}tj|d|d|rjt|td}tj|d|d|dk rt|dS)NFT) fix_owner)rrVZ update_statusrrr(reload_php_for_users_with_changed_status)rdr;rXrold_enabled_usersrJrr/r/r0r_s r_cCs$t}tt||}t|dS)z Filter users and reload php process only if status was REALLY changed :param old_enabled_users: enabled users before any status change :return: N)rrrsymmetric_differencereload_php_for_users)rZnew_enabled_usersZusers_to_kill_processr/r/r0r.srcCs*|dkr|rt}n td|}t|}|S)NT)rrr)r;rrr/r/r0r=s  rcCs&x tddD]}tj|ddq WdS)zz Create user's personal /home/user/.cagefs/var/run/cagefs/utmp file for all users For details see CAG-706 T)rF)rN)rrVcreate_utmp_for_user)r<r/r/r0r^Hsr^cCs&t||}x|D]}td|qWdS)Nphp)rr)r;rr<r/r/r0rRs  rc Cs|stj|syt|Wnttfk r6YnXyt||Wnvtttfk r}zR|rt d||t | ddft dn$td||t | ddftjddSd}~XYnXdS) Nz.Error : failed to create symlink %s to %s : %sErrnozErr coder>z-Error : failed to create symlink %s to %s: %s)r\TF)r!r4rrrBrArrr rrCrrrDrrEr0) dest_pathrA write_logrrr/r/r0switch_symlinkXs&$rcCsLtdkrHtjddd}y |d}Wntk r:dadSX|dkatS)z Return True if modules selected via PHP Selector (alt_php.ini) must be used always (never use modules selected in cPanel MultiPHP Manager) See CAG-511 for details Nz/etc/cl.selector/symlinks.rulesT)ryzphp.d.locationFZselector) use_selectorrZ load_oncer:rH)Z syml_rulesvalr/r/r0selector_modules_must_be_usedks  rcCs8tr4t}|r4y|ddStk r2YnXdS)z Return True when default system php version selected via MultiPHP Manager in cPanel WHM is ea-php (not alt-php) For details see CAG-774 rGzea-phpT)rread_cpanel_ea4_php_confrrr:)confr/r/r0!multiphp_system_default_is_ea_php|srcs<fdd}d}t}x|D]}||r$d}q$W|S)a~ Switch symlink so it will point to directory with modules for alt-php For details see CAG-447 Returns True if error has occured Should be called as user (not root)! :param php_vers: alt-php version selected for an user (for example 'native' or '5.6') :type php_vers: string :param force: recreate symlinks even when they exist :type force: bool c stjd|d}tj|}tj|sXytj|dddWnttfk rVYnXd dd}t s||ks|t sd |}ntjt j d |}t||S) Nz.cagefs/opt/altz link/confiT) recursiverrrz/opt/alt/%s/etc/php.dzalt-)r!r4rrr?rrrBr rrrrVETC_CL_PHP_PATHr)php_dir link_pathrZselected_php_dirr)rhomedirphp_versrr/r0switch_symlink_for_dirs   z>switch_symlink_for_alt_php_ini..switch_symlink_for_dirFT)rV get_alt_dirs)rrrrrr5 alt_php_dirsrr/)rrrrr0switch_symlink_for_alt_php_inis  rz/etc/cpanel/ea4/php.confc Csftdkrby ttd}t|a|Wn8tjtfk r`iay |Wn YnXdSXtS)z Read /etc/cpanel/ea4/php.conf, return something like {'default': 'ea-php54', 'ea-php56': 'suphp', 'ea-php54': 'cgi', 'ea-php55': 'suphp'} Return None if error has occured NrU)EA4_PHP_CONF_CACHEr# EA4_PHP_CONFyamlr6r'Z YAMLErrorrA)r]r/r/r0rs    r)rz*/opt/cpanel/%s/root/usr/bin/php-cgi.cagefs)zphp-cliz&/opt/cpanel/%s/root/usr/bin/php.cagefs)zphp.iniz&/opt/cpanel/%s/root/etc/php.ini.cagefs)lsphpz(/opt/cpanel/%s/root/usr/bin/lsphp.cagefs)z%s/etc/cl.selector/ea-phpz%s/etc/cl.selector/ea-php-cliz%s/etc/cl.selector/ea-php.iniz%s/etc/cl.selector/ea-lsphpc Csts dSytdj}Wntk r.dSXt}|s>dSd}td}x|D]}|drRxt D]z}y:|d|}t |d}| d| t|d|Wqjtk r}ztd |d t|d }Wd d }~XYqjXqjWqRWt||S) z Configure symlink protection for symlinks created for integration with cPanel MultiPHP Return True if error has occured Flinksaferzzea-phpr>r`z'CageFS integration for cPanel MultiPHP rzfailed to create filerTN)rrgetgrnamrr:rr!r"rrSYMLINKSrr#rar'chownrBrr*r) linksafe_gidrr5Z umask_oldr)r4Z file_pathr]rr/r/r0r$s2       r$c sfdd}tsdSt}|s$dSy |d}Wntk rDdSX|dsTdS|j}tdt|d||s|}|dk rd }||krd}d} xVtD]J\} } | } |d krt | d || ||p| } qt | d | ||p| } qW| S) a Switch symlinks that are used for integration with cPanel MultiPHP: when selected_php_vers == alt-php version, then create symlinks like /etc/cl.selector/ea-php -> php; when selected_php_vers == native version, then create symlinks like /etc/cl.selector/ea-php -> /opt/cpanel/ea-phpXX/root/usr/bin/php.cagefs; For details please see CAG-445 Return True if error has occured :param pw: password file entry for an user :type pw: as defined in standard pwd module :param selected_php_vers: alt-php version selected for an user (for example 'native' or '5.6') :type selected_php_vers: string :param write_log: write error messages to log or not :type write_log: bool :param force: recreate symlinks even when they exist :type force: bool csDytd}Wntk r&dSX|dr@|ddSdS)z Return string like ea-phpXX when symlinks have been created already and native version is selected Return None otherwise z%s/etc/cl.selector/ea-php.iniNz/opt/cpanel/ea-phpror9)r!rrBrrr&)r)user_cagefs_pathr/r0#get_default_native_version_selecteds zPswitch_symlink_for_cpanel_multi_php..get_default_native_version_selectedFrGTzea-phproNnativer>r) rrr:rrrrrrr r) r+Zselected_php_versrrrr default_phprZold_eaphp_defaultr5Zsympathrrr/)rr0#switch_symlink_for_cpanel_multi_phps6   rc Cstj|j}tj|jd}|r>t|d|j|j|rdSnRtj |syt |dWn4t t fk r}ztdt|dSd}~XYnX|rt|j|jt||j||} |rt||||p| } |rt| S)a  Create .cagefs directory in home directory of an user (if that dir does not exist), and create symlinks to modules for alt-php For details see CAG-447 Also switch symlinks that are used for integration with cPanel MultiPHP For details please see CAG-445 drop_perm should be True when called as root, otherwise drop_perm should be False Returns True if error has occured :param pw: password file entry for an user :type pw: as defined in standard pwd module :param php_vers: alt-php version selected for an user (for example 'native' or '5.6') :type php_vers: string :param write_log: write error messages to log or not :type write_log: bool :param force: recreate symlinks even when they exist :type force: bool z.cagefsiTzError :N)r!r4rrrrVZ make_userdirrrr?rrrBr rrrrrrr) r+rrZ drop_permrZconfigure_multiphpZ real_homepathr4rr5r/r/r0configure_alt_php0s& rcCs|dkr dS|tkS)NrF)rVget_alt_versions)rr/r/r0php_version_is_removedZsrcCs|dko||ko|| S)Nr/)rcl_alt_def_php_stater/r/r0php_version_is_disabled`src&Cst||}d}td}x|D]~}tj|}t|} d| d|} t| } tj | r t j } | | } t | drzq t | |j|j| t j}t |drq t ||j|jt \}}}}t |j|j|j\}}}}|}|dks|dkrDt|st||rD|dks:|dkr@t|s:t||r@d}n|}d}xt jD]}|}|dkrrt |}n&t ||}|dkr|}n t |}t j d|}| |}tj|szError: failed to read symlink z /opt/alt/php)r)*rr!r"rrrrrr4rJrVETC_CL_ALT_PATHrrZrrrread_cl_alt_defaultsread_cl_alt_backup_as_userrrrrget_usr_selector_path get_alt_confrrrrBrArCrrrDrrrr&rZselect_default_php_modulesr[Zcreate_php_ini_for_DAr)&r;rrepair_symlinksreset_modules_to_defaultrebuild_alt_php_inir5r,r<r+rrrLINK_DIRlink_dirZ user_php_dircl_alt_def_verscl_alt_def_modulesrcl_alt_def_otherdef_vers php_modulesphp_state_ignored other_ignoredZ def_vers_oldchangedr)rZLINK_TOZalt_pathZ LINK_NAMErArrZlink_to_dirnameZlink_to_filenameZ_dirnameZ _filenameZrepairedr/r/r0res               "    " rcCs$|sd}t|dddt|ddS)NT)r;rr)r;)rr)r;r/r/r0rsrcCs$|sd}t|dddt|ddS)NT)r;rr)r;)rr)r;r/r/r0rsrcCs*|sd}dt_t|dddt|ddS)NT)r;rr)r;)rVZvalidate_alt_php_inirr)r;r/r/r0check_php_ini_optionss rcCs8|r4|ddkr4|dddkr4|dd7<dSdS)Nrrrr{TFr/)r.r/r/r0r]s r]cCsB|r>tt}t|||tt|ttdtdS)Ni) rVrrwr]r(r^r!r(r) new_linesr.r/r/r0write_cagefs_mps    rcCsztjdrvtjtrvg}tdd|ddg}td}x2|D]*}||kr@tj|r@d|}||q@Wt|dS)zf Add mount points like "@/var/cpanel/php/sessions/ea-php56,700" to /etc/cagefs/cagefs.mp file z/var/cpanel/php/sessionsT)rrrrz/var/cpanel/php/sessions/ea*z@%s,700 N) r!r4rJr5rwrglobr9r)rrZphp_dirsr mount_strr/r/r0r s  rcCsg}tdd|ddt_g}dtjkrDdtjkrDtjd|dt}xP|D]H}d|}d|}||krx||d|}d|}||krR||qRWt|d S) zU Add mount points for php selector and alt-php to /etc/cagefs/cagefs.mp file T)rrrrz /opt/alt z/opt z/opt/alt/%s/linkz@/opt/alt/%s/link,700 z/opt/alt/%s/var/lib/php/sessionz%@/opt/alt/%s/var/lib/php/session,700 N)rrVrr9rr)rrrrZ mount_pathrr/r/r0rs"    rcCstddtD}|ddtDtt}g}td}d}xR|D]J}||}|r| d|ks~| d|kr| |qd}qP| |qPW|rt t|t td td S) z^ Remove mount points for uninstalled alt-php versions from /etc/cagefs/cagefs.mp file cSsg|] }d|qS)z/opt/alt/%s/linkr/)rrr/r/r0 :sz2remove_mounts_for_php_selector..cSsg|] }d|qS)z/opt/alt/%s/var/lib/php/sessionr/)rrr/r/r0r;szB@(/opt/alt/php\d\d/link),|@(/opt/alt/php\d\d/var/lib/php/session),Fr>rTiN)rrVrrrrwrr$r'rr9r^r!r(r)Z needed_mountsr.rr)rrrr/r/r0remove_mounts_for_php_selector6s"       rcCsxtjtsdSd}g}tdd|d}||krt||krttt}t||d|t t|t tdt dS)zJ Adds mount point for default location of PHP APM DB :return: Nz/var/php/apm/dbT)rrrz@%s,777 i) r!r4r5rwrrVrr]r9r^r(r)Z path_to_addrrr.r/r/r0add_mount_for_php_apmOs    rc Csytdj}Wntk r$dSXt}d}x|D]}d|}d|}yDtj|sdt |dt |d|t |d t |d|Wq8t k r}ztdd t|d }Wd d }~XYq8Xq8W|S) z Cretate /etc/cl.php.d/alt-phpNN directories for all alt-php versions (in real filesystem) with group owner 'linksafe' for details see CAG-532, CAG-454 Return True if error has occured rFz/etc/cl.php.d/alt-%sz /etc/cl.php.d/alt-%s/alt_php.iniirr`zfailed to configure linksaferTN)rrrr:rVrr!r4rRrrr#r'rBrr*r)rrr5rZ etc_php_dirZ alt_php_inirr/r/r0r%fs&   r%cCsxxrt|D]d}|drq tj||}tj||}tj|sNt|q tj|r tj|s t ||q WdS)z Delete from cagefs_dir files/dirs that do not exist in orig_dir :param cagefs_dir: path to dir in CageFS (dir to delete files from) :type cagefs_dir: string :param orig_dir: path to original dir :type orig_dir: string z.cagefsN) r!rrr4rr?rrJrclean_dir_recursive) cagefs_dirZorig_dirryrZ cagefs_pathr/r/r0rs   rc Csts dSddddd}d}d}t}|s.dSy |d }Wntk rNdSXx|D] }|d rXx|D]}||} d t| f} d || f} tj| rptj| stt | d rt t d |r0ttdddd| | g} | dkrttddd| | g} | dkrbtd| t d qpx.t| D]} | drTq>tj| | }tj| | }tj|rt j||ddr>td|d|td t d q>||kr| |krt|| |rt | t|| |rt d |d7}t j||dddr>t | t j||ddr>td|d|td t d q>WqpWqXW|s~t|dd|dk r|st jt}tj|rt j t|ddrt!|dS)z Setup CageFS for integration with cPanel MultiPHP For details please see CAG-445 :param do_mount: when True, do mounting; when False, do copying files to CageFS :type do_mount: bool Nz/etc/cl.selector/ea-phpz/etc/cl.selector/ea-php-cliz/etc/cl.selector/ea-php.iniz/etc/cl.selector/ea-lsphp)zphp-cgirzphp.inirz"/usr/share/cagefs/.cpanel.multiphp)z/opt/cpanel/%s/root/usr/binz/opt/cpanel/%s/root/etcrGzea-phpz%s%sir>z-nz-orHz--rbindrzremount,ro,nosuid,bindzfailed to mountz.cagefsT)rzError copying z to F)rr)rz /opt/cpanel)Z use_cache)"rrr:rrrIr!r4rJrrVrrrErFrLrMrKrr*rrrrrCrDrZkill_phprrrrr5Zis_update_neededr+)rrZ SYMLINK_NAMESZCAGEFS_PHP_BASEDIRZ DIRS_TO_MOUNTrrr)r4ZoptdirZ cagefs_optdirrrPryrZ dest_fileZphp_confr/r/r0rsz                   rc Cs|tt}tp|}ttttj dsXtj drXtj d}t |dt }|rddlm}m}|||tjdsytddtWn,ttfk rtdtdYnXttt td d d t r t|d d p |}x"t j !D]\}}tj |} |"d sptj#|rpt $|spt |t|dkrpd }t%r|d kr| "d stj&| rt $| st | t| dkrd }t '|rd }q| "d st $| rt| dd }n,t j(| ddst )|rtd|d }qW|rN|sNddl*} | +t,d|d|dsjt-|sxt.ddS)Nz/usr/local/bin/lsphpz/usr/local/lsws/fcgi-bin/lsphp5r)litespeed_configure_selectorreplace_alt_settingsz/opt/altiz#failed to create directory /opt/altr>T)rr)r'z/etc/)rzphp-clirzphp.iniz@is mounted to CageFS. CloudLinux Selector will not be available.F)rz)CloudLinux Selector setup error for path:)rrzskip-php-reloadz%CloudLinux Selector setup: successful)/rjr$r%r[r\rIZ"configure_selector_for_directadminr!r4r5rrVrrrrrr?rrrBrArr*rErFrrrrZis_etc_in_native_confr+rr rrrrrrRZcreate_php_stubr!r"cagefs_ispmanager_libZ!configure_selector_for_ispmanagerrrr) rrCr5Z lsphp_pathZaltrrr)rr*r r/r/r0 setup_cl_altsl             ""         r c Cst||}t\}}}}t}t|}|dkr:d} nF|dkrHd} n8||ks`||kr|||s|d} td| |dd||n|} d} |dkrd|kr|dsd} d} xX|D]N} tj| } t | }d|d| }t |}tj }||}t j |rd}xt| D]~}t|}| dkr*|}nt| |}|dkrDq |d|}t j |s|dkrld}t|yt ||Wn0ttfk rtd|tdd} YnXnyt |}Wn4ttfk rtd |tdd} w YnX||kr>| dkr>| s|r>|dkr,d}t||rd} nJ|||fkr |sj||ksjt j |s |dkrxd}t||r d} q Wt| | |d rd} |rtd | t| j| j | j!\}}}}|dks|| kr|rt| j| || j | j!qW| S) NrrFTrozphp.inizError while creating symlink r>zError: failed to read symlink )rr)"rrVrrZ get_alt_pathsZwrite_cl_alt_to_backuprrrrrrr!r4rJZget_alt_aliasesrrrrrrBrArCrDrrr?rrrrrr)r;rrrrrrZ alt_versionsZ alt_pathsZ dest_versZnative_php_is_disabledr5r<r+rrrrrrrZ native_pathrrArrrrrr/r/r0remove_etc_alternatives9s                ,    r cCs<y"tdd}|}|t|Stk r6dSXdS)Nz/proc/lve/listrUF)r#rXr'boolrA)r]rr/r/r0kernel_is_supporteds r cCs$ts ttdtddS)Nz.Error: current running kernel is NOT supportedr>)r rjrrCrErFr/r/r/r0 check_kernels rcCs ttdS)N)ra config_copyr/r/r/r0 do_profilingsrcCsltjtsdSy0ttdg}|dkr>tdttddSWn&t k rftdttddSXdS)NFz--toggle-pluginrzError: r>TzError: failed to run ) r!r4r5 PLUGIN_STATErLrMrrCrDrB)rPr/r/r0run_toggle_plugin_utilitys rcCs tdS)N)rr/r/r/r0 toggle_pluginsrcCs:tr$|tdkr$tdtdtdtddS)NTEnabledrDisabledr>)rrrrErF)r<r/r/r0print_user_statuss   rcCs.trtdtdtdtddS)Nrrrr>)rrrErFr/r/r/r0print_cagefs_statuss  rcCsBtjddd}y||Wntjk r2gSXt||dS)z, Read paths separated by commas from a file NF)Z interpolationrKr)rLZ ConfigParserrtrdrVr)rrr/r/r0read_paths_from_files rc Cst|}t|}td}yt|d}|d||rF|d||dx>tt|D].}|dkr~|d||q^|||q^W|d|Wn<t k r}zt d |d t |Wd d }~XYnXt|d S) z! Write paths from list to a file rr`z[%s] z comment=%s zpaths=rz, r{zFailed to write z : N) rErlr!r"r#rarrr'rArr*r)rrcommentr,r]indexrr/r/r0write_paths_to_files$     ,rc Cs4ttjtjds,tdt dt t_ tj }d}x|D]}|drHd}PqHW|rttjddtjtjdsyttjddWn0tk rtdtjdt dYnXttjdtjdddkrtd t dd}g}x|D]}|}|d rtj|sFtj|r|drtj|tj|dd st|d}||n4t|stj|t|dd st|||qW|rttstrt |t!d }t"|}|#|t$||d g}t%t&|t'|||#|t(|dS)zH Read paths from stdin and updates appropriate files in cagefs-skeleton z/etcz&skeleton of etc directory is not foundr>Fz/etc/Tirz.Error while creating skeleton of etc directoryro)rzcagefsctl-update-list.cfgz0Files added by "cagefsctl --update-list" commandN))rjr!r4rJrVrrr*rErFrrr?rrrrcrrrrBrr8r5rrrr9rrIrrrTr&rMrr(rrrrr) rfilesZ etc_foundrZ etc_modifiedZ copied_filesZUPDATE_LIST_CFG_FILErrr/r/r0 update_listsb         (        rcsfdd}|S)NcsttdS)N)r!setgidsetuidr/)gidrr/r0funcFs zdemote..funcr/)rr r!r/)r rr0demoteEsr"c Cstj}t}tt}|dtj dr>|dt snt snt }x|D]}|d|qXWtdd}x|D]}|}||}tj |jd} tj | r~|| x6|D].} tj |jd| } tj | r|| qWtj|||t|j|j|jdq~WdS) Nz/var/cache/php-eacceleratorz/var/lib/php/sessionz/opt/alt/%s/var/lib/php/sessionz /dev/nullr`z .cagefs/tmpz.cagefs)r0rZ preexec_fncwd)rrrrVZget_tmpwatch_paramsrZget_tmpwatch_dirsrr!r4rJr r rr#r&rrr9rLrMr"rr) r+Ztmpwatch_commandZ tmpwatch_dirsrrZdev_nullr<rOrrZdir_namerr/r/r0tmpwatchLs,             r$cCs2t}x$|D]}||jddkrdSqWdS)Nzcagefs-skeletonrTF)rr rrM)r+r<r/r/r0rks  rcCsBg}x8|D]0}t|r"||q td|dtdq W|S)Nr<zdoes not existr>)rr9rr*rErF)r|r;rr/r/r0get_users_from_argsvs  r%cCsytj|}Wntjk r&dSXt|}t|tkrtj t rntj t dt |d|rndStj t rtj t dt |d|sdSdS)z, Check that cagefs enabled for user FroT)rrrrrrrrr!r4rRrrr)rrZ user_prefixr/r/r0is_user_enableds,,r&cCsbtdt|d|d}t||}t||}t||dd|dt||t||dS)Nroz/etcF)ryrr)rrrVrrrrr)rrrrrr/r/r0cpetc_for_users    r'c CsytjtsdSttd}|}|dd|D}x2tD]*}d|}||kr@tj|r@| |q@Wdd|D}ttd}| ||Wn6t k r}zt dt |tjdWdd}~XYnXdS) NrUcSsg|] }|qSr/)r8)rlr/r/r0rsz0add_spamassassin_dirs_cpanel..rcSsg|] }|dqS)r{r/)rr(r/r/r0rsr`zError:)r\)r!r4r5rwr#rr'rrJr9 writelinesrBrrrEr0)r]Zcagefs_mp_linesrZline_to_check_and_writerr/r/r0add_spamassassin_dirs_cpanels"      r*cCsVxP|D]H}tjtt||gtjtjdd}|\}}|jrt| t t qWdS)z Unmount path for users. Enter to LVE and unmount director without destroy LVE. :param: path `str` path for unmount :param: users_list `list` list of mounted users uid for process unmount :return: None T)rr0rN) rLr! LVE_UMOUNTrr"r#r3rrCr8rDr?)r4 users_listZuser_uidr6rZstrerrr/r/r0 unmount_dirs  r-cCsytj|}Wn$tjk r4td|ddSXt|}tj t ||d}tj |}t |dt|ddd}t|grtd|dSdd t|jd d g}ytj|d d Wntk rtj|dSXd S)z Unmount CageFS for user. Return True if error has occured :param user_name: name of user :type user_name: str ZUserzdoes not existsTz.locki)rurvz$Failed to destroy/apply LVE for userz/bin/lve_suwrapperz-mekz/usr/sbin/cagefsctlz--unmount-cur-nsF)shell)rrrrrr*rr!r4rrrrVrrwrHrrrLrMrB)Z user_namer+rZ lock_pathrrrOr/r/r0 unmount_users(     r/cCstjtjtdS)z= Checks that cagefs skeleton exists and is not empty bin)r!r4rJrrIr/r/r/r0risricCs$tstttdttdS)Nr>)rirSKELETON_NOT_INITIALIZEDrErFSKELETON_INITIALIZEDr/r/r/r0print_cagefs_skeleton_statuss r3c Csddl}|tdy tWnntk rT}zttt|Wdd}~XYn<t k r}zt j |j ddtdWdd}~XYnXdS)NrZ cagefsctlT)levelZincludetracebackr>) syslogZopenlogr main_func SystemExitrErFrZrr)rVprint_exceptionZLOG_ERR)r5rr/r/r0mains "r9cCsttt_ttdt_dS)N)Zmin_uid)rrrrrr/r/r/r0 init_min_uid sr:c$bCsyttjdddddddddd d d d d dddddddddddddddddddd d!d"d#d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d4d5d6d7d8d9d:d;dd?d@dAdBdCdDdEdFdGdHdIdJdKdLdMdNdOdPdQdRdSdTdUdVdWdXdYdZd[d\d]d^d_g^\}}WnDtjk r }z"ttd`t|tdWdd}~XYnXdadl}dadl }dadbl m }|t }| i}da|d<x|D]\}} |dckrttdanl|ddkrtttdanN|dekrttdan2|dfkrd|d<dadt_n|dgkr`dadt_q`Wtdakrtdhtdiytjtatt_Wn*tjdjtdktdYnXda|dl<da|dm<da|d<da|d<da|d<da|d <da|d<da|d<da|d<da|d <da|d <da|d!<da|d)<da|dV<dn|d4<dn|dF<dn} dn} do} dn} x|D ]\}} |dpkr tt| tdaq|dqkr:d|d<do} q|drkrt|dakrftdstdtx|D]}y?nt@dodn|dkdtdaq|dkrt|dakrtdtdttAtB}x|D]}tC||qWtdaq|dkrtDtdaq|dkrtE| t4tdaq|dkrttFtdaq|dkr:tG| tdaq|dkrbd|dV<d|d<do} tHq|dkrtItdaq|dkrtJdodtdaq|dkrtKdodtdaq|dkrtLtdaq|dkrtMt_NtOttdaq|dkr,tPtdaq|dkrJtQtdaq|dkrpt4tR| tdaq|dkrtStdaq|dkrtTtdaq|dkrtU}tVtWdo|dtXtdaq|dk r2|dk rtBdodtY r$tU}t4tW|dk|dtdaq|dk r| rtZ}|dk rtU}x|D]}t[|do q^WtW|do|dn8|dk rtU}x|D]}t[|dn qWtW|dn|dtdaq|dk rt\tdaq|dk rtHtMt_Nt]t^tdaq|dk r*dn} q|dk rzihvVfurdkwW?lmMe:rz dont-cleanrhelpversionrrrrz remove-allz set-tmpwatch=r$rrez unmount-dirz unmount-allzunmount-really-allrZdisablez enable-allz disable-allzdisplay-user-modez list-enabledz wait-lockz list-disabledz create-mpzcheck-mpz mount-skelz unmount-skelz remount-allrHrsrwzenter=z enable-cagefszdisable-cagefsz do-not-askdebugZ profilingzmigrate-prefixesz getprefix=zlist-rpmzapply-global-php-iniz set-min-uid=z get-min-uidz toggle-moderpZcpetcz update-etczforce-update-etczcheck-kernel-versionzupdate-wrapperszremove-blacklistedzdetect-postgresz toggle-pluginz print-suidsz hook-installz hook-removezreconfigure-cagefszconfigure-litespeedzclean-var-cagefsz user-status=z cagefs-statusz update-listzrebuild-alt-php-inizvalidate-alt-php-inizsetup-cl-selectorzskip-php-reloadzcheck-for-unsafe-mountszremove-cl-selectorzcl-selector-reset-versionsz setup-cl-altz remove-cl-altzcl-selector-reset-moduleszupdate-users-statuszupdate-users-status-fix-ownerzset-default-user-statuszremove-unused-mount-pointszcreate-homeN-dirs-in-skeletonzunmount-cur-nsz enable-cagefs-without-etc-updatez without-lockzset-update-period=z force-updatezadd-default-rpm-packageszcreate-virt-mpzcreate-virt-mp-allzremount-virtmpzlist-logged-inzclean-config-dirsz"create-dirs-for-symlink-protectionz sanity-checkzcheck-cagefs-initializedz Error:r) ClAuditLog)z-hz-?z--help)z-Vz --version)z--check-kernel-version)z-vz --verbose)z--silentz root privileges required. Abort.rz8Error while determining real path to skeleton directory r{zdry-run interactiveFT)z --getprefix)z-dz --dont-clean)z--cpetczno username or UID specifiedrz user or UIDzdoes not exist)z--clean-config-dirs)z--skip-php-reload)z$--create-dirs-for-symlink-protection)z--sanity-check)z--hook-install)z --hook-remove)z--reconfigure-cagefs)z--configure-litespeed)z--list-enabledz--list-disabledz--list-enabled)z--cl-selector-reset-modules)z--rebuild-alt-php-ini)z--validate-alt-php-ini)z--cl-selector-reset-versionsz--remove-cl-selectorz--remove-cl-altz--cl-selector-reset-versions)r;r)rr)z-Wz --unmount-allz--unmount-really-allz/etc/cagefs/etc.safez--unmount-really-all)rrrd)z --unmount-dirz!no directory to unmount specified)z--migrate-prefixes)z --set-min-uid)z --get-min-uid)z--set-update-period)z--force-update)z--clean-var-cagefs)z--update-wrappers)r/)z--remove-blacklisted)ri)z--detect-postgres)z --print-suids)z--toggle-plugin)z--display-user-mode)z --user-status)z--cagefs-status)z--check-cagefs-initialized)z--disable-cagefs)rdr)z--update-users-statusz--update-users-status-fix-ownerz--update-users-status-fix-owner)r)rr)z--set-default-user-statusz Enable All)r;rXrz Disable All)z--remove-unused-mount-points)z--create-homeN-dirs-in-skeleton) z-wz --unmountz-mz --remountz--enablez --disablez --mount-skelz--unmount-skelz--without-lock)z --wait-lock)z"--enable-cagefs-without-etc-update)r)z--add-default-rpm-packages)z --tmpwatch)z--set-tmpwatch)z--create-virt-mpr9zNo username provided)z--create-virt-mp-all)z--remount-virtmp)z--enterz-ez#You are entering to CageFS for userzas superuser (root).zNNOTE: You can use "su -s /bin/bash - {}" instead to enter to CageFS as user {}z/sbin/cagefs_enter_userz--rootz /bin/bash)r.z!executing /sbin/cagefs_enter_user)z --check-mp)z--check-for-unsafe-mounts)z-lz--listz#CageFS currently mounted for users:)z--list-logged-inz)Users currently logged in CageFS via ssh:)z--unmount-cur-ns)rirdrj)rurrz /var/cpanel)z --mount-skel)z--unmount-skel)z--debug)z --profiling)z --do-not-ask)z-wz --unmount)z--enable-cagefs)z--enable)z --disable)z --remove-all)z-Mz --remount-all)z-mz --remount)z --enable-all)z --disable-all)z --toggle-mode)z-fz--force)z-uz--update)z-iz--initz/binzYError : directory %s already exists. Use "%s --reinit" if you want to reinitialize CageFSrdzNot Initialized)z-rz--reinit)z-kz --hardlink)z --create-mp)z--addrpm)z--delrpm)z --list-rpm)z --update-list)z --update-etcz--force-update-etcz--force-update-etc)r;)z--setup-cl-selectorz--setup-cl-alt)z--apply-global-php-ini)rCz& Error: incompatible options specifiedzaborted, no username specifiedzuser z does not existz is excludedz&No options specified. Nothing to do...z aborted.. z;cannot specify --dont-clean with --init or --reinit optionszLyou should specify one of the --init, --reinit, --update or --force options z WARNING: zCageFS currently mounted.zBIf you proceed, CageFS will be temporarily disabled and unmounted.z"Do you want to continue (yes/no)? rR)rd)rrz.oldizcagefsctl.do_profiling()z/profiling.logz&--------------------------------------zCumulative time:Z cumulativez Total time:rF)getoptrErZ GetoptErrorrgrrrFr virtmp_mountclcommonr> INFO_LOG_FILEZinfo_log_writecagefs_versionrr?rVZ VERBOSE_FLAGrDrZ SILENT_FLAGr!geteuidr*r4rrIr0rarrrrrZr'rrr[rrrrr%r$ sanity_checkZcheck cagefshooksZ HooksInstallZ HooksRemoveZreconfigure_cagefsZlitespeed_configurerrr%rrrr rrRr=reZ umount_allrrDrr-r rrZset_update_periodrjrr0rZdetect_postgresrrZ print_suidsrrrrr3rrr_rKrrrrrrrrrrrTr$Zset_tmpwatch_paramsZ create_virtmprrrLrMr)r_rrrr,rmrwrrMrJrr{rVrbrTr&rfrrrCrrrsrwr{rr+r rrunshareZ CLONE_NEWNSr/r9rHKeyboardInterruptrcrrrST_MODErcrrrBrArdrrrprofilerunrWpstatsZStatsZ sort_statsZ print_statsra)$Zoptsr|rrrBr>rrorZmanage_user_flagZbuild_jail_flagZlock_is_requiredZ wait_lockrrr+rGr;r,rhrrrprZ user_moder~r5Z usernamesrZcount_of_modesrZjbufrLrNr6r/r/r0r6sv                                                                                                                                                                                                         r6__main__)N)NN)F)NF)F)T)N)rr;)F)N)F)F)N)rZ)TFFF)FF)FF)F)FFF)N)N)N)F)F)NF)F)F)F)F)F)F)F)F)FFFN)N)NTF)N)FNNFN)NFF)NF)TT)TT)TT)TTTT)NFFFF)N)N)N)FN)N)NFF)N(dZ __future__rrrrZfuturerZinstall_aliasesbuiltinsZ future.utilsrr!r7rrErLrAstringrcrLrrrFrnrrr r%r[rrrZ cldetectlibr r Zclcommon.utilsr r r rrCrrrrZclcommon.clfuncrrrVrrrrrHrrIr;r2rKr+rrIZ SKELETON_NAMErWrZ MP_PREFIXrMrwrxZLOCKNAMErZFUSE_SAFE_LISTrrrUr$rNrrrrr`rSrrrVr@rr@rur=rrDrrrmrrr2r1r&rtrEr4r9reZsignals_handlersrrrr1r8r=rGrQrTr_rbrgrhrDr?rjrrqZMYSQL_SOCK_DIRrrrrrnrtryrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrZascii_uppercaseZdigitsrr r r r r rrrr,r/r7r8r=r>rBrCrDrErHrKrLrNrOrUrWrYr[r_rarbrmrrrhrwrzr{r|rrrfrrrrrrrr rrrobjectrrrrZmounts_are_found_comparatorrrrrrrrrrrrrrrrrrr rrrrr+r0r1r4r:r,r;rrrBrFrJrrOrarbrcrfrgrjrlrsrwr{rrrTrSrrrrrrrrrrrrZ CL_ALT_NAMEZCL_PHP_DIR_NAMErrrrr&rr_rrr^rrrrrrrrrrr$rrrrrrrrr]rrrrrr%rrr r r rrrrrrrrrrr"r$rr%r&r'r*r-r/rir3r9r:r6rr/r/r/r0 s                  d '            E     6!      +    $   _     )$_       [        % > *+  #0 C6W, & T(O  (!>*| NVj   E   %