Mini Shell
# coding=utf-8
# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2018 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENSE.TXT
from __future__ import absolute_import
from __future__ import division
from __future__ import print_function
import os
import pwd
import grp
import re
import subprocess
import tempfile
from stat import S_IRUSR, S_IRGRP
class NoSuchUser(Exception):
def __init__(self, user):
#message = 'No such user (%s)' % user
Exception.__init__(self, 'No such user (%s)' % (user,))
class NoSuchGroup(Exception):
def __init__(self, group):
message = 'No such group (%s)' % group
Exception.__init__(self, message)
class UnableToReadFile(Exception):
def __init__(self):
Exception.__init__(self, 'Cannot read sudoers file')
class UnableToWriteFile(Exception):
def __init__(self):
Exception.__init__(self, 'Cannot modify sudoers file')
SUDOERS_FILE = '/etc/sudoers'
ALIAS_LVECTL_CMDS = ["/bin/ps", "/bin/grep", "/sbin/service", "/usr/bin/getcontrolpaneluserspackages",
"/usr/sbin/lvectl", "/usr/local/directadmin/plugins/new_lvemanager/admin/GetDomains",
"/usr/share/l.v.e-manager/utils/cloudlinux-cli.py"]
ALIAS_LVECTL_USER_CMDS = ["/usr/share/l.v.e-manager/utils/cloudlinux-cli-user.py"]
ALIAS_SELECTOR_CMDS = ["/usr/bin/cl-selector", "/usr/bin/piniset", "/usr/sbin/lveps", "/usr/bin/selectorctl"]
DEFAULTS_REQUIRETTY = 'Defaults:%s !requiretty'
# Patterns for group
GROUP_LVECTL_SELECTOR = '%%%s ALL=NOPASSWD: LVECTL_CMDS, SELECTOR_CMDS'
GROUP_DEFAULTS_REQUIRETTY = 'Defaults:%%%s !requiretty'
class Clsudo:
"""
Adds CloudLinux users to sudoers file
"""
filepath = None
sudoers_list = []
has_action = False
has_group_action = False
has_alias = False
has_user_alias = False
has_rights = False
has_user_rights = False
has_selector_alias = False
has_selector_rights = False
has_cagefs_alias = False
has_cagefs_rights = False
@staticmethod
def add_user(user, sudoers_file=SUDOERS_FILE):
"""
Adds username to sudoers file (for lvemanager)
"""
# Update command lists for lvemanager
Clsudo.update_commands_list(sudoers_file)
Clsudo._check_user(user)
Clsudo._get_contents(user)
if not Clsudo.has_alias:
Clsudo.sudoers_list.append('Cmnd_Alias LVECTL_CMDS = ' + ", ".join(ALIAS_LVECTL_CMDS))
if not Clsudo.has_user_alias:
Clsudo.sudoers_list.append('Cmnd_Alias LVECTL_USER_CMDS = ' + ", ".join(ALIAS_LVECTL_USER_CMDS))
if not Clsudo.has_selector_alias:
Clsudo.sudoers_list.append('Cmnd_Alias SELECTOR_CMDS = ' + ", ".join(ALIAS_SELECTOR_CMDS))
if not Clsudo.has_rights:
Clsudo.sudoers_list.append('%s ALL=NOPASSWD: LVECTL_CMDS' % (user,))
if not Clsudo.has_user_rights:
Clsudo.sudoers_list.append('%s ALL=(ALL) NOPASSWD: LVECTL_USER_CMDS' % (user,))
if not Clsudo.has_selector_rights:
Clsudo.sudoers_list.append('%s ALL=NOPASSWD: SELECTOR_CMDS' % (user,))
if not Clsudo.has_action:
Clsudo.sudoers_list.append(DEFAULTS_REQUIRETTY % (user,))
Clsudo._write_contents()
@staticmethod
def add_cagefs_user(user, sudoers_file=SUDOERS_FILE):
"""
Adds username to sudoers file (for cagefs)
"""
Clsudo.filepath = sudoers_file
Clsudo._check_user(user)
Clsudo._get_contents(user)
if not Clsudo.has_cagefs_alias:
Clsudo.sudoers_list.append('Cmnd_Alias CAGEFS_CMDS = /usr/sbin/cagefsctl, '
'/bin/ps, /bin/grep, /sbin/service')
if not Clsudo.has_cagefs_rights:
Clsudo.sudoers_list.append('%s ALL=NOPASSWD: CAGEFS_CMDS' % (user,))
if not Clsudo.has_action:
Clsudo.sudoers_list.append(DEFAULTS_REQUIRETTY % (user,))
Clsudo._write_contents()
@staticmethod
def add_lvemanager_group(group_name, sudoers_file=SUDOERS_FILE):
"""
Adds group to sudoers file, grants access to LVE Manager
"""
# Update command lists for lvemanager
Clsudo.update_commands_list(sudoers_file)
Clsudo._check_group(group_name)
Clsudo._get_contents_group(group_name)
if not Clsudo.has_alias:
Clsudo.sudoers_list.append('Cmnd_Alias LVECTL_CMDS = ' + ", ".join(ALIAS_LVECTL_CMDS))
if not Clsudo.has_selector_alias:
Clsudo.sudoers_list.append('Cmnd_Alias SELECTOR_CMDS = ' + ", ".join(ALIAS_SELECTOR_CMDS))
if not Clsudo.has_action:
Clsudo.sudoers_list.append(GROUP_LVECTL_SELECTOR % (group_name,))
if not Clsudo.has_group_action:
Clsudo.sudoers_list.append(GROUP_DEFAULTS_REQUIRETTY % (group_name,))
# writes file
Clsudo._write_contents()
@staticmethod
def remove_user(user, sudoers_file=SUDOERS_FILE):
"""
Removes username from sudoers file
"""
Clsudo.filepath = sudoers_file
try:
f = open(Clsudo.filepath)
Clsudo.sudoers_list = f.read().splitlines()
f.close()
idx = 0
removed = False
while idx < len(Clsudo.sudoers_list):
line = Clsudo.sudoers_list[idx]
if (('%s ALL=NOPASSWD:' % (user,)) in line) or ((DEFAULTS_REQUIRETTY % (user,))in line):
Clsudo.sudoers_list.remove(line)
removed = True
continue
idx += 1
if removed:
Clsudo._write_contents()
except (IOError, OSError):
raise UnableToReadFile()
@staticmethod
def update_user(user, sudoers_file=SUDOERS_FILE):
"""
updates username in sudoers file
:param user: username for caching
:param sudoers_file: path to /etc/sudoers (only for tests)
:return: None
"""
# Update command lists
Clsudo.update_commands_list(sudoers_file)
# For backward compatibility
# Check user presence in system
Clsudo._check_user(user)
Clsudo._get_contents(user)
@staticmethod
def update_commands_list(sudoers_file=SUDOERS_FILE):
"""
Update command lists for lvemanager plugin
If any required command absent in file, add it
:param sudoers_file: path to /etc/sudoers
:return: None
"""
# Read /etc/sudoers
Clsudo.filepath = sudoers_file
Clsudo.temp_dir = os.path.dirname(Clsudo.filepath)
Clsudo._read_sudoers()
cmnd_dict = {"Cmnd_Alias LVECTL_CMDS": ALIAS_LVECTL_CMDS,
"Cmnd_Alias SELECTOR_CMDS": ALIAS_SELECTOR_CMDS}
is_sudoer_change = False
for idx in range(len(Clsudo.sudoers_list)):
command_string = Clsudo.sudoers_list[idx]
for aliase_key, aliase_list in cmnd_dict.items():
if aliase_key in command_string:
command_string = command_string.replace(aliase_key, "").strip()
cmnd_list = command_string.split(",")
for aliase_cmnd_item in aliase_list:
if aliase_cmnd_item not in cmnd_list:
is_sudoer_change = True
Clsudo.sudoers_list[idx] = "{0} = {1}".format(
aliase_key, ", ".join(aliase_list)
)
break
if is_sudoer_change:
Clsudo._write_contents()
@staticmethod
def _check_user(user):
"""
Checks passwd database for username presence
@param user: string
"""
try:
pwd.getpwnam(user)
except KeyError:
raise NoSuchUser(user)
@staticmethod
def _check_group(group_name):
"""
Checks grp database for group_name presence
@param group_name: string
"""
try:
grp.getgrnam(group_name)
except KeyError:
raise NoSuchGroup(group_name)
@staticmethod
def _read_sudoers():
i = open(Clsudo.filepath)
Clsudo.sudoers_list = i.read().splitlines()
i.close()
@staticmethod
def _get_contents(user):
"""
Reads file into list of strings
@param user: string
"""
# Clear all status flags
Clsudo.has_action = False
Clsudo.has_group_action = False
Clsudo.has_alias = False
Clsudo.has_user_alias = False
Clsudo.has_rights = False
Clsudo.has_user_rights = False
Clsudo.has_selector_alias = False
Clsudo.has_selector_rights = False
Clsudo.has_cagefs_alias = False
Clsudo.has_cagefs_rights = False
require_tty_pattern = re.compile(r'Defaults:\s*%s\s*!requiretty' % user)
try:
# Read sudoers file
Clsudo._read_sudoers()
for idx in range(len(Clsudo.sudoers_list)):
if "Cmnd_Alias LVECTL_CMDS" in Clsudo.sudoers_list[idx]:
Clsudo.has_alias = True
continue
if "Cmnd_Alias LVECTL_USER_CMDS" in Clsudo.sudoers_list[idx]:
Clsudo.has_user_alias = True
continue
if "Cmnd_Alias CAGEFS_CMDS" in Clsudo.sudoers_list[idx]:
Clsudo.has_cagefs_alias = True
continue
if "%s ALL=NOPASSWD: LVECTL_CMDS" % (user,) in Clsudo.sudoers_list[idx]:
Clsudo.has_rights = True
continue
if "%s ALL=(ALL) NOPASSWD: LVECTL_USER_CMDS" % (user,) in Clsudo.sudoers_list[idx]:
Clsudo.has_user_rights = True
continue
if "%s ALL=NOPASSWD: CAGEFS_CMDS" % (user,) in Clsudo.sudoers_list[idx]:
Clsudo.has_cagefs_rights = True
continue
if "requiretty" in Clsudo.sudoers_list[idx]:
pattern_match = require_tty_pattern.search(Clsudo.sudoers_list[idx])
if pattern_match:
Clsudo.has_action = True
continue
if "Cmnd_Alias SELECTOR_CMDS" in Clsudo.sudoers_list[idx]:
if 'piniset' not in Clsudo.sudoers_list[idx]:
Clsudo.sudoers_list[idx] = Clsudo.sudoers_list[idx].replace(
'/usr/bin/cl-selector', '/usr/bin/cl-selector, /usr/bin/piniset')
if 'lveps' not in Clsudo.sudoers_list[idx]:
Clsudo.sudoers_list[idx] = Clsudo.sudoers_list[idx].replace(
'/usr/bin/cl-selector, /usr/bin/piniset',
'/usr/bin/cl-selector, /usr/bin/piniset, /usr/sbin/lveps')
Clsudo.has_selector_alias = True
continue
if "%s ALL=NOPASSWD: SELECTOR_CMDS" % (user,) in Clsudo.sudoers_list[idx]:
Clsudo.has_selector_rights = True
continue
except (IOError, OSError):
raise UnableToReadFile()
@staticmethod
def _get_contents_group(group_name):
"""
Reads file into list of strings
@param group_name: string
"""
# Clear all status flags
Clsudo.has_action = False
Clsudo.has_group_action = False
Clsudo.has_alias = False
Clsudo.has_rights = False
Clsudo.has_selector_alias = False
Clsudo.has_selector_rights = False
Clsudo.has_cagefs_alias = False
Clsudo.has_cagefs_rights = False
group_prefix = "%%%s" % group_name
group_action = "Defaults:%%%s" % group_name
group_pattern = re.compile(r'%s\s*ALL=NOPASSWD:\s*LVECTL_CMDS,\s*SELECTOR_CMDS' % (group_name,))
try:
# Read sudoers file
Clsudo._read_sudoers()
for idx in range(len(Clsudo.sudoers_list)):
if "Cmnd_Alias SELECTOR_CMDS" in Clsudo.sudoers_list[idx]:
if 'piniset' not in Clsudo.sudoers_list[idx]:
Clsudo.sudoers_list[idx] = Clsudo.sudoers_list[idx].replace(
'/usr/bin/cl-selector', '/usr/bin/cl-selector, /usr/bin/piniset')
if 'lveps' not in Clsudo.sudoers_list[idx]:
Clsudo.sudoers_list[idx] = Clsudo.sudoers_list[idx].replace(
'/usr/bin/cl-selector, /usr/bin/piniset',
'/usr/bin/cl-selector, /usr/bin/piniset, /usr/sbin/lveps')
Clsudo.has_selector_alias = True
continue
if "Cmnd_Alias LVECTL_CMDS" in Clsudo.sudoers_list[idx]:
Clsudo.has_alias = True
continue
if "Cmnd_Alias CAGEFS_CMDS" in Clsudo.sudoers_list[idx]:
Clsudo.has_cagefs_alias = True
continue
if Clsudo.sudoers_list[idx].startswith(group_prefix):
pattern_match = group_pattern.search(Clsudo.sudoers_list[idx])
if pattern_match:
Clsudo.has_action = True
if Clsudo.sudoers_list[idx].startswith(group_action):
Clsudo.has_group_action = True
except (IOError, OSError):
raise UnableToReadFile()
@staticmethod
def _write_contents():
"""
Writes data to temporary file then checks it and rewrites sudoers file
"""
try:
temp_dir = os.path.dirname(Clsudo.filepath)
temp_prefix = 'lve_sudoers_'
fd, temp_path = tempfile.mkstemp(prefix=temp_prefix, dir=temp_dir)
fo = os.fdopen(fd, 'w')
fo.write('\n'.join(Clsudo.sudoers_list) + '\n')
fo.close()
mask = S_IRUSR | S_IRGRP
os.chmod(temp_path, mask)
if not Clsudo._is_file_valid(temp_path):
raise IOError
except (IOError, OSError):
try:
if os.path.exists(temp_path):
os.unlink(temp_path)
except:
pass
raise UnableToWriteFile()
try:
os.rename(temp_path, Clsudo.filepath)
except OSError:
raise UnableToWriteFile()
@staticmethod
def _is_file_valid(filename):
cmd = [
'/usr/sbin/visudo',
'-c',
'-f', filename
]
rv = subprocess.Popen(
cmd,
stdin=open('/dev/null'),
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
close_fds=True)
rv.communicate()
if rv.returncode != 0:
return False
return True
Zerion Mini Shell 1.0