/usr/share/cagefs/scriptlets
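#!/usr/bin/bash
# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2021 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENSE.TXT

# CageFS package scriptlet (RPM post/posttrans). Note: Also called from Debian.
#
# Runs as part of package installation/upgrade: stops running cagefsctl
# update/mount jobs, migrates old layouts, tightens permissions on the CageFS
# configuration, maintains /etc/cagefs/cagefs.mp, then reconfigures and
# (re)mounts CageFS. The script is best-effort: there is no `set -e`, most
# helper output is discarded, and it always ends with `exit 0`.
#
# Arguments:
#   RPM
#     $1 == 1 - install package
#     $1 == 2 - upgrade package
#   DEB
#     $1 == configure - RPM post/posttrans
#   $2 - numeric OS release; systemd is reloaded when it is greater than 6
#   $3 - directory prefix whose bin/cl_sysctl is executed below

rhel=$2
cl_venv_path=$3

if [[ $rhel -gt 6 ]]; then
  systemctl daemon-reload
fi

# kill "cagefsctl --update"
# NOTE(review): the two greps match every process whose command line contains
# both "cagefsctl" and "update" (other --*update* subcommands, an editor opened
# on such a path, ...), not only "cagefsctl --update". Behaviour is kept as-is;
# confirm the intended scope before narrowing the match.
ps --no-headers -A -o 'pid,command' \
  | grep cagefsctl \
  | grep update \
  | awk '{print $1}' \
  | xargs --no-run-if-empty kill

# CAG-764
# NOTE(review): "grep mount" also matches unmount/remount invocations, and the
# processes receive SIGKILL with no prior SIGTERM. Kept unchanged.
if ps --no-headers -A -o 'pid,command' | grep cagefsctl | grep unmount-cur-ns &> /dev/null; then
  ps --no-headers -A -o 'pid,command' \
    | grep cagefsctl \
    | grep mount \
    | awk '{print $1}' \
    | xargs --no-run-if-empty kill -9
  ps --no-headers -A -o 'pid,command' \
    | grep cagefsctl \
    | grep unmount-cur-ns \
    | awk '{print $1}' \
    | xargs --no-run-if-empty kill -9
fi

# check for update for LIBLVE-20
UPDATES='/etc/sysconfig/lve_updates'
# Start from a known value so a LIBLVE20 inherited from the caller's
# environment cannot suppress the forced remount when the file does not set it.
LIBLVE20='0'
if [ -f "$UPDATES" ]; then
  # Sourced as root: every line of this file is executed as shell code, so it
  # has to stay root-owned and not writable by anyone else.
  . "$UPDATES"
fi

if [ "$LIBLVE20" != '1' ]; then
  # we should force remount of CageFS
  touch /usr/share/cagefs/need.remount
  sed -i -e '/LIBLVE20/d' "$UPDATES" > /dev/null 2>&1
  echo 'LIBLVE20="1"' >> "$UPDATES"
fi

# create directories needed when link protection is enabled
/usr/sbin/cagefsctl --create-dirs-for-symlink-protection

# remove old skeleton
rm -rf /usr/share/securelve-skeleton

# Migrate to new prefixes
/usr/sbin/cagefsctl --migrate-prefixes

# SecureLVE: change shell of all jailed users, enable all jailed users in CageFS
/usr/share/cagefs/migrate.sh

# Set fs.proc_can_see_other_uid to 0 if it is absent in /etc/sysctl.conf and move it to /etc/sysctl.d/90-cloudlinux.conf
# NOTE(review): $3 is not validated; when it is empty this resolves to /bin/cl_sysctl.
"$cl_venv_path"/bin/cl_sysctl migrate --parameter fs.proc_can_see_other_uid --default-value 0

# CAG-976: /proc should be remounted with hidepid=2 after installation of cagefs package
/usr/share/cloudlinux/remount_proc.py

# cagefs 3.0 is NOT installed yet (old version of cagefs is installed) ?
if [ ! -e /etc/cagefs/etc.safe ]; then
  # etc directory in skeleton is copied (NOT mounted) ?
  # The recursive delete runs only when /proc/mounts has no entry containing
  # this path.
  if ! grep -m 1 /usr/share/cagefs-skeleton/etc /proc/mounts > /dev/null; then
    rm -rf /usr/share/cagefs-skeleton/etc
  fi

  # var/log directory in skeleton is copied (NOT mounted) ?
  if ! grep -m 1 /usr/share/cagefs-skeleton/var/log /proc/mounts > /dev/null; then
    rm -rf /usr/share/cagefs-skeleton/var/log
  fi

  # search for users with invalid home dirs and repair them
  if [ -d "/scripts" ]; then
    /usr/share/cagefs/repair_homes.py --do-not-ask
  fi

  /usr/share/cagefs/repair_homes.py --rename-var-cagefs
  /usr/share/cagefs/repair_homes.py --uninstall_cagefs_etc
  touch /usr/share/cagefs/need.remount
fi

#install plugin for control panel
/usr/share/cagefs-plugins/install-cagefs-plugin.py --install

# Fix rights on update
chmod 0750 /usr/share/cagefs/exclude.d

# Create exclude users lists
/usr/share/cagefs/exclude_users_cleaner.py

# Create lists of safe users and groups
# The lists are written under umask 077 so they are never readable by other
# users, not even for the moment before the explicit chmod. cut reads the file
# directly, which also keeps backslashes and an unterminated last line intact.
if [ -e "/etc/cagefs/etc.safe/passwd" ]; then
  if [ ! -e "/etc/cagefs/etc.safe/safe.users" ]; then
    (
      umask 077
      cut -f1 -d: /etc/cagefs/etc.safe/passwd > /etc/cagefs/etc.safe/safe.users
    )
    chmod 0600 /etc/cagefs/etc.safe/safe.users
  fi
fi

if [ -e "/etc/cagefs/etc.safe/group" ]; then
  if [ ! -e "/etc/cagefs/etc.safe/safe.groups" ]; then
    (
      umask 077
      cut -f1 -d: /etc/cagefs/etc.safe/group > /etc/cagefs/etc.safe/safe.groups
    )
    chmod 0600 /etc/cagefs/etc.safe/safe.groups
  fi
fi

# Copy proxyexec to skeleton
if [ -e "/usr/share/cagefs-skeleton" ]; then
  if [ -e "/usr/sbin/proxyexec" ]; then
    mkdir -p /usr/share/cagefs-skeleton/usr/sbin/
    cp -f /usr/sbin/proxyexec /usr/share/cagefs-skeleton/usr/sbin/proxyexec
  fi

  if [ -e "/usr/lib64/libbsock.so" ]; then
    mkdir -p /usr/share/cagefs-skeleton/usr/lib64/
    cp -f /usr/lib64/libbsock.so /usr/share/cagefs-skeleton/usr/lib64/libbsock.so 2> /dev/null
  fi

  if [ -e "/usr/lib64/libbsock_preload.so" ]; then
    mkdir -p /usr/share/cagefs-skeleton/usr/lib64/
    cp -f /usr/lib64/libbsock_preload.so /usr/share/cagefs-skeleton/usr/lib64/libbsock_preload.so 2> /dev/null
  fi

  if [ -e "/usr/lib/libbsock.so" ]; then
    mkdir -p /usr/share/cagefs-skeleton/usr/lib/
    cp -f /usr/lib/libbsock.so /usr/share/cagefs-skeleton/usr/lib/libbsock.so 2> /dev/null
  fi

  if [ -e "/usr/lib/libbsock_preload.so" ]; then
    mkdir -p /usr/share/cagefs-skeleton/usr/lib/
    cp -f /usr/lib/libbsock_preload.so /usr/share/cagefs-skeleton/usr/lib/libbsock_preload.so 2> /dev/null
  fi

  if [ ! -e "/usr/share/cagefs-skeleton/usr/lib/bsock" ]; then
    if [ -e "/usr/lib/bsock" ]; then
      mkdir -p /usr/share/cagefs-skeleton/usr/lib/
      ln -s libbsock.so /usr/share/cagefs-skeleton/usr/lib/bsock
    fi
  fi

  if [ ! -e "/usr/share/cagefs-skeleton/usr/lib64/bsock" ]; then
    if [ -e "/usr/lib64/bsock" ]; then
      mkdir -p /usr/share/cagefs-skeleton/usr/lib64/
      ln -s libbsock.so /usr/share/cagefs-skeleton/usr/lib64/bsock
    fi
  fi

  if [ -e /usr/bin/crontab.cagefs ]; then
    mkdir -p /usr/share/cagefs-skeleton/usr/bin/
    cp -f /usr/bin/crontab.cagefs /usr/share/cagefs-skeleton/usr/bin/crontab.cagefs
  fi
fi

if [ -e /usr/share/cagefs-skeleton ]; then
  if [ ! -e /usr/share/cagefs-skeleton/var/spool/cron ]; then
    mkdir -p -m 0755 /usr/share/cagefs-skeleton/var/spool/cron
  fi

  if [ ! -e /usr/share/cagefs-skeleton/var/run/screen ]; then
    mkdir -p -m 0755 /usr/share/cagefs-skeleton/var/run/screen
  fi

  if [ ! -e /usr/share/cagefs-skeleton/var/cache/php-eaccelerator ]; then
    mkdir -p -m 0755 /usr/share/cagefs-skeleton/var/cache/php-eaccelerator
  fi

  if [ ! -e /usr/share/cagefs-skeleton/opt/suphp/sbin ]; then
    mkdir -p -m 0755 /usr/share/cagefs-skeleton/opt/suphp/sbin
  fi
fi

# Add packages to CageFS
/usr/sbin/cagefsctl --add-default-rpm-packages > /dev/null 2>&1

# Restrict the per-user state directories. find hands the paths straight to
# chmod, so a directory name containing whitespace cannot be split into
# separate (relative) chmod arguments the way a find | xargs pipe would.
for users_dir in \
  /etc/cagefs/users.enabled \
  /etc/cagefs/users.enabled.save \
  /etc/cagefs/users.disabled \
  /etc/cagefs/users.disabled.save; do
  find "$users_dir" -type d -exec chmod 0751 {} + 2> /dev/null
done

# Directories stay traversable (0751), their contents are root-only (0600).
chmod 0751 /etc/cagefs/filters > /dev/null 2>&1
chmod 0600 /etc/cagefs/filters/* > /dev/null 2>&1
chmod 0751 /etc/cagefs/conf.d > /dev/null 2>&1
chmod 0600 /etc/cagefs/conf.d/* > /dev/null 2>&1
chmod 0751 /etc/cagefs/etc.safe > /dev/null 2>&1
chmod 0600 /etc/cagefs/etc.safe/* > /dev/null 2>&1
chmod 0751 /etc/cagefs/exclude > /dev/null 2>&1
chmod 0600 /etc/cagefs/exclude/* > /dev/null 2>&1
chmod 0600 /etc/cagefs/cagefs.ini > /dev/null 2>&1
chmod 0600 /etc/cagefs/black.list > /dev/null 2>&1
chmod 0644 /etc/cagefs/cagefs.min.uid > /dev/null 2>&1
chmod 0600 /etc/cagefs/cagefs.mp > /dev/null 2>&1
chmod 0600 /etc/cagefs/cagefs.base.home.dirs > /dev/null 2>&1
chmod 0600 /etc/cagefs/*proxy.commands > /dev/null 2>&1
chmod 0700 /usr/share/cagefs/conf.d > /dev/null 2>&1
chmod 0600 /usr/share/cagefs/conf.d/* > /dev/null 2>&1
chmod 0600 /usr/share/cagefs/skeleton.files.list > /dev/null 2>&1
chmod 0600 /usr/share/cagefs/skeleton.libs.list > /dev/null 2>&1

chmod 0751 /etc/cagefs
chown root:root /etc/cagefs

mkdir -p /var/cagefs
chmod 0751 /var/cagefs
chown root:root /var/cagefs

mkdir -p /usr/share/cagefs/.cagefs.empty
chmod 0755 /usr/share/cagefs/.cagefs.empty
chown root:root /usr/share/cagefs/.cagefs.empty

# exclude /home/user/.cagefs directory from backup
for CPBACKUP_CONF in /usr/local/cpanel/etc/cpbackup-exclude.conf /etc/cpbackup-exclude.conf; do
  if [ -e "$CPBACKUP_CONF" ]; then
    if ! grep "\.cagefs" "$CPBACKUP_CONF" > /dev/null 2>&1; then
      echo '.cagefs*' >> "$CPBACKUP_CONF"
    fi
  fi
done

if [ -e /etc/cagefs/cagefs.mp ]; then
  # Add new line if needed
  /usr/sbin/cagefsctl --check-mp

  # Add /opt mount if needed
  if [ -d /opt ]; then
    if ! grep -m 1 -P '^/opt$' /etc/cagefs/cagefs.mp > /dev/null 2>&1; then
      echo "/opt" >> /etc/cagefs/cagefs.mp
      touch /usr/share/cagefs/need.remount
    fi
  fi

  # Add /var/spool/at if needed
  if [ -d /var/spool/at ]; then
    if ! grep -m 1 -P "^/var/spool/at$" /etc/cagefs/cagefs.mp > /dev/null 2>&1; then
      echo "/var/spool/at" >> /etc/cagefs/cagefs.mp
      touch /usr/share/cagefs/need.remount
    fi
  fi

  # Add /var/run/dbus if needed
  if [ -d /var/run/dbus ]; then
    if ! grep -m 1 -P "^/var/run/dbus$" /etc/cagefs/cagefs.mp > /dev/null 2>&1; then
      echo "/var/run/dbus" >> /etc/cagefs/cagefs.mp
      touch /usr/share/cagefs/need.remount
    fi
  fi

  # Remove /var/cpanel from cagefs.mp
  if grep -m 1 -e '^/var/cpanel$' /etc/cagefs/cagefs.mp > /dev/null 2>&1; then
    sed -i -e '/^\/var\/cpanel$/d' /etc/cagefs/cagefs.mp
    touch /usr/share/cagefs/need.remount
  fi

  # Add /var/cpanel/userdata to cagefs.mp
  if [ -d /var/cpanel/userdata ]; then
    if ! grep -m 1 -e '^%/var/cpanel/userdata$' /etc/cagefs/cagefs.mp > /dev/null 2>&1; then
      echo '%/var/cpanel/userdata' >> /etc/cagefs/cagefs.mp
      touch /usr/share/cagefs/need.remount
    fi
  fi

  # Remove /var/run/proxyexec/cagefs.sock from cagefs.mp
  # NOTE(review): the grep is anchored to the whole line, the sed expression is
  # not, so every line containing the path is deleted once an exact line exists.
  if grep -m 1 -P '^/var/run/proxyexec/cagefs.sock$' /etc/cagefs/cagefs.mp > /dev/null 2>&1; then
    sed -i -e '/\/var\/run\/proxyexec\/cagefs.sock/d' /etc/cagefs/cagefs.mp
    touch /usr/share/cagefs/need.remount
  fi

  # Remove /var/www/cgi-bin from cagefs.mp on Plesk
  if cldetect --detect-cp | grep Plesk > /dev/null 2>&1; then
    if grep -m 1 -P "^/var/www/cgi-bin$" /etc/cagefs/cagefs.mp > /dev/null 2>&1; then
      sed -i -e '/\/var\/www\/cgi-bin/d' /etc/cagefs/cagefs.mp
      touch /usr/share/cagefs/need.remount
    fi
  fi

  # Add /tmp/clamd to cagefs.mp
  if [ -d /tmp/clamd ]; then
    if ! grep -m 1 -e '^/tmp/clamd$' /etc/cagefs/cagefs.mp > /dev/null 2>&1; then
      echo '/tmp/clamd' >> /etc/cagefs/cagefs.mp
      touch /usr/share/cagefs/need.remount
    fi
  fi

  # Add default mount points (user's personal)
  if ! grep -m 1 -P '^@/var/spool/cron,' /etc/cagefs/cagefs.mp > /dev/null 2>&1; then
    echo '# You can add personal (individual) mounts for users, like below.' >> /etc/cagefs/cagefs.mp
    echo '# Please, start line with "@" symbol, and then specify path and permissions (comma separated).' >> /etc/cagefs/cagefs.mp
    echo '# These directories will be virtualized for each user.' >> /etc/cagefs/cagefs.mp
    echo '@/var/spool/cron,700' >> /etc/cagefs/cagefs.mp
    echo '@/var/run/screen,777' >> /etc/cagefs/cagefs.mp
    touch /usr/share/cagefs/need.remount
  fi

  if ! grep -m 1 -P '^@/var/cache/php-eaccelerator,' /etc/cagefs/cagefs.mp > /dev/null 2>&1; then
    echo '@/var/cache/php-eaccelerator,777' >> /etc/cagefs/cagefs.mp
    touch /usr/share/cagefs/need.remount
  fi

  # Remove /var/lib/dav, /var/www/html, /var/www/cgi-bin from cagefs.mp if they are not present
  for dir in /var/lib/dav /var/www/html /var/www/cgi-bin; do
    if [ ! -d "$dir" ]; then
      if grep -m 1 -P "^$dir$" /etc/cagefs/cagefs.mp > /dev/null 2>&1; then
        # ${dir////\\\/} escapes every "/" so the path can sit inside /.../d
        sed -i -e "/^${dir////\\\/}$/d" /etc/cagefs/cagefs.mp
        touch /usr/share/cagefs/need.remount
      fi
    fi
  done

  # Add /var/lve/php.dat.d to cagefs.mp
  if [ -d /var/lve/php.dat.d ]; then
    if ! grep -m 1 -e '^!/var/lve/php.dat.d$' /etc/cagefs/cagefs.mp > /dev/null 2>&1; then
      echo '!/var/lve/php.dat.d' >> /etc/cagefs/cagefs.mp
      touch /usr/share/cagefs/need.remount
    fi
  fi
fi

# configure CageFS
/usr/sbin/cagefsctl --reconfigure-cagefs

# CAG-1087: remove duplicate lines from /etc/cagefs/cagefs.base.home.dirs file
# https://stackoverflow.com/questions/1444406/how-to-delete-duplicate-lines-in-a-file-without-sorting-it-in-unix
# The de-duplicated copy is built in a mktemp file next to the original:
# mktemp creates it with mode 0600, so moving it into place keeps the file
# root-only instead of resetting it to the umask default, and the original is
# replaced only when awk finished successfully and the content really differs.
home_dirs=/etc/cagefs/cagefs.base.home.dirs
if [[ -f $home_dirs ]]; then
  if home_dirs_tmp=$(mktemp "${home_dirs}.XXXXXX"); then
    if awk '!seen[$0]++' "$home_dirs" > "$home_dirs_tmp" \
      && ! diff "$home_dirs" "$home_dirs_tmp" &> /dev/null; then
      mv -f "$home_dirs_tmp" "$home_dirs"
    else
      rm -f "$home_dirs_tmp"
    fi
  fi
fi

/usr/sbin/cagefsctl --update-users-status-fix-owner

if [ -e /usr/share/cagefs-skeleton/bin ]; then
  if [ ! -e /usr/share/cagefs/etc.update.done ]; then
    /usr/sbin/cagefsctl --force-update-etc
  fi
  /usr/sbin/cagefsctl --setup-cl-selector
  /usr/sbin/cagefsctl --update-wrappers
  /usr/sbin/cagefsctl --remove-blacklisted
  /usr/sbin/cagefsctl --create-homeN-dirs-in-skeleton
fi

# CAG-526, CAG-634
/usr/sbin/cagefsctl --check-for-unsafe-mounts &> /dev/null

if [ -e /usr/share/cagefs-skeleton/bin ]; then
  if [ -e /usr/share/cagefs/need.remount ]; then
    /usr/sbin/cagefsctl --remount-all --without-lock
  else
    # No remount was requested: remount anyway when the skeleton is not listed
    # in /proc/mounts, otherwise only restart proxyexecd.
    if ! grep -P "cagefs-skeleton\s" /proc/mounts > /dev/null 2>&1; then
      /usr/sbin/cagefsctl --remount-all --without-lock
    else
      /sbin/service proxyexecd restart > /dev/null 2>&1
    fi
  fi
  /usr/share/cagefs-plugins/install-cagefs-plugin.py --install-plesk-wrapper
else
  /sbin/service proxyexecd restart > /dev/null 2>&1
fi

# Clear the one-shot marker files consumed above.
rm -f /usr/share/cagefs/need.remount
rm -f /usr/share/cagefs/etc.update.done
rm -f /usr/share/cagefs/skip.cagefs.restart

# Remove /var/cpanel mountpoint from skeleton
if [ -e /usr/share/cagefs-skeleton/var/cpanel ]; then
  rmdir /usr/share/cagefs-skeleton/var/cpanel > /dev/null 2>&1
fi

# CAG-416
if [ -f /var/lib/mysql/.cl.selector/defaults.cfg ]; then
  rm -f /var/lib/mysql/.cl.selector/defaults.cfg > /dev/null 2>&1
  rmdir /var/lib/mysql/.cl.selector > /dev/null 2>&1
fi

# install hooks
# CAG-377 - Reinstall hooks on Plesk
if cldetect --detect-cp | grep Plesk > /dev/null 2>&1; then
  /usr/sbin/cagefsctl --hook-remove
fi
/usr/sbin/cagefsctl --hook-install

/usr/sbin/cagefsctl --create-virt-mp-all

# CAG-913: remove "fix" of support. /var/.cagefs should not exist in real file system
rmdir /var/.cagefs &> /dev/null
rm -f /var/.cagefs

# Revert "LVEMAN-1425: PHP breaks after updating"
rm -f /var/log/cagefs-cl-setup-selector.log

# configure CageFS for OpenLiteSpeed
# Detached with nohup and backgrounded so the scriptlet does not wait for it.
nohup /usr/sbin/cagefsctl --configure-openlitespeed &> /dev/null &

/usr/share/cagefs-plugins/install-cagefs-plugin.py --fix-services-without-lve

# synchronize CageFS features
/usr/share/cagefs/feature_manager.py sync

exit 0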