a ‡e@sdZddlZddlZddlmZmZddlmZm Z ddl m Z m Z m Z ddlZddlmZddlmZddlmZGd d d eZdS) Fixperms class for cPanelN)quotejoin)CalledProcessError check_call)S_ISLNKS_ISREGS_ISDIR)PermMap)Args)IDCachecseZdZdZeeedfdd ZeedddZ dd Z d d fd d Z e j edfdd ZeedddZddZZS) CpanelPermMapr)idsargsuserc stj|||t|jd|dfdtjdk|_|jt j |j d|jt j |j dg|_ |j|j}}|dd||f|d d ||f|d d d |dd||f|dd||f|dd||f|dd||f|dd||f|dd ||ft j |j dt j |j dh|_d|jddg}td ||_|j t j d|jt j d |jt j d!|jd"d#d$d%d&h |_dS)'NiZnobody)rrrZ all_docrootsZ docroot_chmodZ docroot_chownZsharedmailetcz"\/\.(?:accesshash|pgpass|my\.cnf)$)Nz\/\.imh\/nginx(?:$|\/))iiz\/\.imh(?:$|\/))i)rrz\/\.ssh(?:$|\/))riz\/\.pki(?:$|\/))Niz\/.*\.(?:pl|cgi)$)rN$)Nizx\/.+\/(?:(?:wp-config|conf|[cC]onfig|[cC]onfiguration|LocalSettings|settings)(?:\.inc)?\.php|local\.xml|mt-config\.cgi)$)iNz\/z.cphorde/meta/latestZwwwz(?:z\/(?:etc|mail|logs)\/)z(?:.*\/\.ea-php-cli\.cache$)|z/usr/local/apache/domlogsz/etc/apache2/logs/domlogsz/var/log/apache2/domlogsz/home/shrusr/SharedHtDocsDirz/var/lib/mysql/mysql.sockz/var/run/postgres/.s.PGSQL.5432z/run/postgres/.s.PGSQL.5432z:/usr/local/cpanel/base/frontend/paper_lantern/styled/retro)super__init__radsZUserDataZ all_rootsZIMH_ROLE is_sharedskipaddospathrhomedir bad_linksuidgidZadd_rule safe_link_srcZhome_rerecompilesafe_link_src_rersafe_link_dest)selfrrrr!r"r& __class__%./usr/lib/fixperms/fixperms_cpanel.pyrsZ    zCpanelPermMap.__init__)rreturncCs|js dS||jvrdStj||jvr.dS|j|r>dSt|dtt |}|j ||j d|t|dS)z6Determine if a symlink is "unsafe" for a shared serverFz -> z*Potentially malicious symlink detected: %sT)rr#rrrealpathr'r&matchrreadlinkr appendlogwarningunlink)r(rZbad_linkr+r+r, link_unsafeTs    zCpanelPermMap.link_unsafec Cs|jjr dS|d|j|d|jdjddd|jg}|j dt ||jj r\dSz t |Wn*t tfy|jdt |Yn0dS) zRun /scripts/mailpermNrrz"/usr/local/cpanel/scripts/mailpermz--skiplocaldomainsz --skipmxcheckz Running: %szError running: %s)rZ skip_mail mailperm_fixr"rgetgrnamgr_gidrr2debugcmd_joinnooprrOSErrorerror)r(Zcmd_argsr+r+r, mailpermsds" zCpanelPermMap.mailpermsN)r-cst||dSN)rfixpermssend_strr>)r(r)r+r,r@ys zCpanelPermMap.fixperms)statrcs*t|jr||rdSt||dSr?)rst_moder5r check_path)r(rBrr)r+r,rD~szCpanelPermMap.check_path)subdirdir_gidc Cs(tj|j|}|jdj}|j|h}|j|ddD]\}}t |j r|j |j|fvr^d}n|j}|j |j kr|jdkr|j|||j |fdq6||||j |q6t|j r|j |vr||||j dn||||j |q6t|j r||rq6||||j |jq6|jd|q6q6dS)z6Fix permissions not caught by cPanel's mailperm scriptrT)Z ignore_skipsNz#Skipping unexpected path type at %s)rrrrrr7r8r"walkrrCst_gidr!st_uidst_nlinkZ hard_linksrlchownr rr5r2r3) r(rErFZtop_dirZmail_gidZdir_gidsrBrr"r+r+r,r6s,      zCpanelPermMap.mailperm_fixc Cs|js dSd|j}d}|jd|jjr2dSz(tjdd|j|d|dd WnDt y}z,|j t ||jd d |WYd}~n d}~00dS) zASend an email to str@imhadmin.net if malicious symlinks are foundN zFixperms detected and removed the following symlinks. While these symlinks have been removed from the account in question the account requires further investigationz/An STR will now be sent for review by T2S staffzstr@imhadmin.netzAUTO STR: bad symlinks on z T)Zto_addrZsubjectbodyZerrsz4Failed to send STR. An escalation must be sent to anz2available T2S. Include the following information ) r rr2inforr;rZ send_emailrr<r=str)r(r topexcr+r+r,rAs,     zCpanelPermMap.send_str)__name__ __module__ __qualname____doc__r r rQrboolr5r>r@r stat_resultrDintr6rA __classcell__r+r+r)r,r sDr )rWrr$Zshlexrrr: subprocessrrrBrrr rZ fixperms_baser Z fixperms_clir Z fixperms_idsr r r+r+r+r,s