# -*- coding: utf-8 -*- # CLSETUP python lib # # Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2019 All Rights Reserved # # Licensed under CLOUD LINUX LICENSE AGREEMENT # http://cloudlinux.com/docs/LICENSE.TXT # Classes: # # Kernel # check min kernel for securelinks # Setup: # # setup apache gid for securelinks # setup nagios import grp import os import pwd import subprocess import sys import cldetectlib from cl_proc_hidepid import remount_proc from clcommon.sysctl import SYSCTL_CL_CONF_FILE, SysCtlConf # Kernel Version Class class KernelVersion: _SECURELINKS_MIN_KERNEL = ['1','1','95'] _system_kernel = '' _cl_kernel = True def __init__(self): with subprocess.Popen( ['uname', '-r'], stdout=subprocess.PIPE, stderr=subprocess.PIPE, ) as proc: out, _ = proc.communicate() if proc.returncode != 0: print('error: subprocess call error. Cant\'t get current kernel version') sys.exit(1) if out.find('lve') != -1: self._system_kernel = out.split('lve')[1].split('el')[0][:-1].strip().split('.') print(self._system_kernel) else: self._cl_kernel = False # Check if system kernel newer then securelinks min kernel def securelinks_kernel_requirement(self): if self._cl_kernel: return ( self._system_kernel >= self._SECURELINKS_MIN_KERNEL and os.path.isfile('/proc/sys/fs/symlinkown_gid') ) print('error: Feature is not supported on non CL kernel.') sys.exit(1) # return _SECURELINKS_MIN_KERNEL def get_securelinks_min_kernel(self): return 'lve' + '.'.join(self._SECURELINKS_MIN_KERNEL) sysctl = SysCtlConf(config_file=SYSCTL_CL_CONF_FILE) def set_securelinks_gid(apache_gid): """ Change /etc/sysctl.conf for apache gid :param apache_gid: id of apache's group :return: None """ symlink_command = 'fs.symlinkown_gid' sysctl.set(symlink_command, apache_gid) def _add_to_super_gid(user): """ Add user to the group specified by fs.proc_super_gid. If fs.proc_super_gid is 0 (means undefined) or group doesn't really exists then create "clsupergid" group, configure it as fs.proc_super_gid and add user to this group """ sgid_key = 'fs.proc_super_gid' try: # sysctl.get may return empty string in some cases like cldeploy # when CL kernel is not loaded yet and proc has no such param proc_super_gid = int(sysctl.get(sgid_key)) except ValueError: proc_super_gid = 0 try: # Check that group with this gid really exists, and if not, then reset # it to undefined so it will be replaced with clsupergid below grp.getgrgid(proc_super_gid).gr_name except KeyError: proc_super_gid = 0 if proc_super_gid == 0: # Create and configure group if it was undefined sgid_name = 'clsupergid' subprocess.run(f'groupadd -f {sgid_name}', shell=True, executable='/bin/bash', check=False) proc_super_gid = grp.getgrnam(sgid_name).gr_gid sysctl.set(sgid_key, proc_super_gid) # If user already in this group or it's primary group == proc_super_gid # this will do nothing subprocess.run(f'usermod -a -G {proc_super_gid} {user}', shell=True, executable='/bin/bash', check=False) def setup_nagios(do_remount_proc=True): """ Add nagios to configured fs.proc_super_gid group """ if not cldetectlib.get_nagios(): return # Nothing to do _add_to_super_gid('nagios') # CAG-796: use hidepid=2 when mounting /proc if do_remount_proc: remount_proc() def setup_mailman(): """ Detect "mailman" and add it to fs.proc_super_gid group """ if not os.path.isdir('/usr/local/cpanel/3rdparty/mailman'): return try: pwd.getpwnam('mailman') except KeyError: return _add_to_super_gid('mailman') def setup_supergids(): """ Configure "special" users to be in fs.proc_super_gid group, if it's necessary. If this GID was undefined(0) then create and setup special clsupergid group """ setup_nagios(do_remount_proc=False) setup_mailman() # CAG-796: use hidepid=2 when mounting /proc remount_proc()