# -*- coding: utf-8 -*-
# CLSETUP python lib
#
# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2019 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENSE.TXT
# Classes:
#
# Kernel
# check min kernel for securelinks
# Setup:
#
# setup apache gid for securelinks
# setup nagios
import grp
import os
import pwd
import subprocess
import sys
import cldetectlib
from cl_proc_hidepid import remount_proc
from clcommon.sysctl import SYSCTL_CL_CONF_FILE, SysCtlConf
# Kernel Version Class
class KernelVersion:
_SECURELINKS_MIN_KERNEL = ['1','1','95']
_system_kernel = ''
_cl_kernel = True
def __init__(self):
with subprocess.Popen(
['uname', '-r'],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
) as proc:
out, _ = proc.communicate()
if proc.returncode != 0:
print('error: subprocess call error. Cant\'t get current kernel version')
sys.exit(1)
if out.find('lve') != -1:
self._system_kernel = out.split('lve')[1].split('el')[0][:-1].strip().split('.')
print(self._system_kernel)
else:
self._cl_kernel = False
# Check if system kernel newer then securelinks min kernel
def securelinks_kernel_requirement(self):
if self._cl_kernel:
return (
self._system_kernel >= self._SECURELINKS_MIN_KERNEL
and os.path.isfile('/proc/sys/fs/symlinkown_gid')
)
print('error: Feature is not supported on non CL kernel.')
sys.exit(1)
# return _SECURELINKS_MIN_KERNEL
def get_securelinks_min_kernel(self):
return 'lve' + '.'.join(self._SECURELINKS_MIN_KERNEL)
sysctl = SysCtlConf(config_file=SYSCTL_CL_CONF_FILE)
def set_securelinks_gid(apache_gid):
"""
Change /etc/sysctl.conf for apache gid
:param apache_gid: id of apache's group
:return: None
"""
symlink_command = 'fs.symlinkown_gid'
sysctl.set(symlink_command, apache_gid)
def _add_to_super_gid(user):
"""
Add user to the group specified by fs.proc_super_gid.
If fs.proc_super_gid is 0 (means undefined) or group doesn't really exists
then create "clsupergid" group, configure it as fs.proc_super_gid and
add user to this group
"""
sgid_key = 'fs.proc_super_gid'
try:
# sysctl.get may return empty string in some cases like cldeploy
# when CL kernel is not loaded yet and proc has no such param
proc_super_gid = int(sysctl.get(sgid_key))
except ValueError:
proc_super_gid = 0
try:
# Check that group with this gid really exists, and if not, then reset
# it to undefined so it will be replaced with clsupergid below
grp.getgrgid(proc_super_gid).gr_name
except KeyError:
proc_super_gid = 0
if proc_super_gid == 0:
# Create and configure group if it was undefined
sgid_name = 'clsupergid'
subprocess.run(f'groupadd -f {sgid_name}',
shell=True, executable='/bin/bash', check=False)
proc_super_gid = grp.getgrnam(sgid_name).gr_gid
sysctl.set(sgid_key, proc_super_gid)
# If user already in this group or it's primary group == proc_super_gid
# this will do nothing
subprocess.run(f'usermod -a -G {proc_super_gid} {user}',
shell=True, executable='/bin/bash', check=False)
def setup_nagios(do_remount_proc=True):
"""
Add nagios to configured fs.proc_super_gid group
"""
if not cldetectlib.get_nagios():
return # Nothing to do
_add_to_super_gid('nagios')
# CAG-796: use hidepid=2 when mounting /proc
if do_remount_proc:
remount_proc()
def setup_mailman():
"""
Detect "mailman" and add it to fs.proc_super_gid group
"""
if not os.path.isdir('/usr/local/cpanel/3rdparty/mailman'):
return
try:
pwd.getpwnam('mailman')
except KeyError:
return
_add_to_super_gid('mailman')
def setup_supergids():
"""
Configure "special" users to be in fs.proc_super_gid group, if it's
necessary.
If this GID was undefined(0) then create and setup special clsupergid group
"""
setup_nagios(do_remount_proc=False)
setup_mailman()
# CAG-796: use hidepid=2 when mounting /proc
remount_proc()