# -*- coding: utf-8 -*-
# CLSETUP python lib
#
# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2019 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENSE.TXT
# Classes:
#
# Kernel
# check min kernel for securelinks
# Setup:
#
# setup apache gid for securelinks
# setup nagios
from __future__ import print_function
from __future__ import absolute_import
import sys, subprocess, os, grp, pwd
import cldetectlib
from cl_proc_hidepid import remount_proc
from clcommon.sysctl import SysCtlConf, SYSCTL_CL_CONF_FILE
# Kernel Version Class
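class KernelVersion:
    """Detect the running kernel's "lve" version and gate securelinks on it.

    The constructor runs ``uname -r``. If the release string contains
    ``lve``, the text between ``lve`` and the following ``el`` (minus its
    last character) is split on dots and stored in ``_system_kernel``
    (constructed example: ``...lve1.4.59.el7...`` -> ``['1', '4', '59']``).
    Otherwise the kernel is flagged as non-CL.
    """

    # Minimum lve version for securelinks, kept as string components because
    # get_securelinks_min_kernel() joins them back into text.
    _SECURELINKS_MIN_KERNEL = ['1','1','95']
    _system_kernel = ''
    _cl_kernel = True

    def __init__(self):
        """Read the kernel release; exits the process with status 1 if uname fails."""
        p = subprocess.Popen(['uname', '-r'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        (out, err) = p.communicate()
        if p.returncode != 0:
            print('error: subprocess call error. Cant\'t get current kernel version')
            sys.exit(1)
        # communicate() returns bytes on Python 3; searching bytes for a str
        # marker raises TypeError, so normalise to text first.
        if not isinstance(out, str):
            out = out.decode('utf-8', 'replace')
        if 'lve' in out:
            self._system_kernel = out.split('lve')[1].split('el')[0][:-1].strip().split('.')
            print(self._system_kernel)
        else:
            self._cl_kernel = False

    @staticmethod
    def _numeric(components):
        """Return the components as a list of ints, or None if any is not a number."""
        try:
            return [int(part) for part in components]
        except (TypeError, ValueError):
            return None

    def _meets_min_kernel(self):
        """Compare the detected lve version with the minimum, component by component.

        The comparison is numeric. Comparing the string components directly
        would rank '100' below '95' and wrongly reject newer kernels.
        A version that cannot be parsed is treated as not meeting the minimum.
        """
        current = self._numeric(self._system_kernel)
        required = self._numeric(self._SECURELINKS_MIN_KERNEL)
        if current is None or required is None:
            return False
        return current >= required

    def securelinks_kernel_requirement(self):
        """Check whether the system kernel is new enough for securelinks.

        :return: True when the lve version is at least the minimum and
                 /proc/sys/fs/symlinkown_gid exists, False otherwise.
                 On a non-CL kernel an error is printed and the process
                 exits with status 1.
        """
        if not self._cl_kernel:
            print('error: Feature is not supported on non CL kernel.')
            sys.exit(1)
        # The sysctl file must be present as well: the version alone does
        # not prove the running kernel exposes the knob.
        return self._meets_min_kernel() and os.path.isfile('/proc/sys/fs/symlinkown_gid')

    def get_securelinks_min_kernel(self):
        """Return the minimum securelinks kernel as text, e.g. 'lve1.1.95'."""
        return 'lve' + '.'.join(self._SECURELINKS_MIN_KERNEL)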
# Module-level handle on the sysctl configuration stored in SYSCTL_CL_CONF_FILE;
# the functions below read and write fs.* keys through it.
sysctl = SysCtlConf(config_file=SYSCTL_CL_CONF_FILE)
def set_securelinks_gid(apache_gid):
    """
    Store apache's group id under the fs.symlinkown_gid sysctl key.

    The value goes through the module-level ``sysctl`` handle unchanged.
    Nothing is validated here, so callers must pass a real gid.
    :param apache_gid: id of apache's group
    :return: None
    """
    sysctl.set('fs.symlinkown_gid', apache_gid)
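def _run_tool(argv):
    """Run an external tool without a shell; return its exit status (1 if it cannot start)."""
    try:
        return subprocess.call(argv)
    except OSError as exc:
        # Missing or non-executable binary: report it and carry on, as the
        # previous os.system() calls did.
        print('error: failed to run {}: {}'.format(argv[0], exc))
        return 1


def _add_to_super_gid(user):
    """
    Add user to the group specified by fs.proc_super_gid.

    If fs.proc_super_gid is 0 (means undefined) or the group does not really
    exist, create the "clsupergid" group, configure it as fs.proc_super_gid
    and add the user to that group.

    The external tools get argument lists instead of a shell command line,
    so no shell ever interprets ``user``. The name still reaches usermod
    verbatim, so callers should pass only fixed, known account names.

    :param user: login name of the account to add
    :return: None
    """
    sgid_key = 'fs.proc_super_gid'
    try:
        # sysctl.get may return empty string in some cases like cldeploy
        # when CL kernel is not loaded yet and proc has no such param
        proc_super_gid = int(sysctl.get(sgid_key))
    except ValueError:
        proc_super_gid = 0
    try:
        # Check that group with this gid really exists, and if not, then reset
        # it to undefined so it will be replaced with clsupergid below
        grp.getgrgid(proc_super_gid)
    except KeyError:
        proc_super_gid = 0
    if proc_super_gid == 0:
        # Create and configure group if it was undefined
        sgid_name = 'clsupergid'
        _run_tool(['groupadd', '-f', sgid_name])
        # Raises KeyError if groupadd did not actually create the group
        proc_super_gid = grp.getgrnam(sgid_name).gr_gid
        sysctl.set(sgid_key, proc_super_gid)
    # If user already in this group or it's primary group == proc_super_gid
    # this will do nothing
    status = _run_tool(['usermod', '-a', '-G', str(proc_super_gid), user])
    if status != 0:
        # Surface the failure rather than leave the account silently
        # outside the group.
        print('warning: usermod exited with status {} while adding {} to gid {}'.format(
            status, user, proc_super_gid))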
def setup_nagios(do_remount_proc=True):
    """
    Put the nagios account into the configured fs.proc_super_gid group.

    Does nothing, including the remount, when cldetectlib reports no nagios.
    :param do_remount_proc: remount /proc afterwards when true
    """
    if cldetectlib.get_nagios():
        _add_to_super_gid('nagios')
        if do_remount_proc:
            # CAG-796: use hidepid=2 when mounting /proc
            remount_proc()
def setup_mailman():
    """
    Add the "mailman" account to the fs.proc_super_gid group when it is present.

    Both the cPanel mailman directory and a passwd entry for "mailman" must
    exist; otherwise nothing happens.
    """
    mailman_dir = '/usr/local/cpanel/3rdparty/mailman'
    if os.path.isdir(mailman_dir):
        try:
            pwd.getpwnam('mailman')
        except KeyError:
            # No such account on this system
            pass
        else:
            _add_to_super_gid('mailman')
def setup_supergids():
    """
    Make sure the "special" service users belong to the fs.proc_super_gid
    group where needed.

    If that GID was undefined (0), the special clsupergid group is created
    and configured along the way.
    """
    # The per-service remount is suppressed so /proc is remounted once, at the end.
    setup_nagios(False)
    setup_mailman()
    # CAG-796: use hidepid=2 when mounting /proc
    remount_proc()