"""Fixperms class for CWP"""
import os
from stat import S_ISLNK, S_ISREG, S_ISDIR
import cwp
from fixperms_base import PermMap
from fixperms_ids import IDCache
from fixperms_cli import Args
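class CwpPermMap(PermMap):
    """Fixperms rule set for a CWP (CentOS Web Panel) account.

    Builds the per-path mode/ownership rules for the user's home directory
    on top of :class:`PermMap`, and additionally repairs the user's
    virtual-mail directories (see :meth:`mailperms`).
    """

    def __init__(self, ids: IDCache, args: Args, user: str):
        """Register the CWP home-directory rules for ``user``.

        Args:
            ids: uid/gid lookup cache handed to the base class.
            args: parsed command-line options; ``args.skip_mail`` is
                consulted by :meth:`fixperms`.
            user: account name whose files are being fixed.
        """
        super().__init__(
            ids=ids,
            args=args,
            user=user,
            all_docroots=list(cwp.get_docroots(user).values()),
            docroot_chmod=0o750,
            docroot_chown=(user, 'nobody'),
        )
        # pylint: disable=duplicate-code
        # Each rule is (regex, (file_mode, dir_mode), (uid, gid)); a None
        # mode leaves that kind of path's mode untouched. The base class
        # appears to apply the *first* matching rule (hence the ordering
        # note in the original), so keep these ordered from most specific
        # to least specific.
        uid, gid = self.uid, self.gid
        # sensitive passwords: ~/.pgpass, ~/.my.cnf
        self.add_rule(r"\/\.(?:pgpass|my\.cnf)$", (0o600, None), (uid, gid))
        # ~/.imh directory and contents (root-owned)
        self.add_rule(r"\/\.imh(?:$|\/)", (0o644, 0o755), (0, 0))
        # ~/.ssh directory and contents
        self.add_rule(r"\/\.ssh(?:$|\/)", (0o600, 0o700), (uid, gid))
        # ~/.pki dir and subdirs
        self.add_rule(r"\/\.pki(?:$|\/)", (None, 0o740), (uid, gid))
        # restrict access to sensitive CMS config files. This rule must come
        # BEFORE the .cgi/.pl rule below: mt-config.cgi is Movable Type's
        # configuration file, and with first-match ordering the executable
        # rule would otherwise claim it at 0o755 and this 0o640 would never
        # apply.
        self.add_rule(
            r"\/.+\/(?:(?:wp-config|conf|[cC]onfig|[cC]onfiguration|"
            r"LocalSettings|settings)(?:\.inc)?\.php|"
            r"local\.xml|mt-config\.cgi)$",
            (0o640, None),
            (uid, gid),
        )
        # .cgi and .pl files
        self.add_rule(r"\/.*\.(?:pl|cgi)$", (0o755, None), (uid, gid))
        # homedir folder itself (empty relative path)
        self.add_rule("$", (None, 0o711), (uid, gid))
        # web log stats (root-owned)
        self.add_rule(r"\/cwp_stats\/.+\.html", (0o644, None), (0, 0))
        # cwp user dashboard session dir
        self.add_rule(r"\/tmp\/session$", (None, 0o751), (uid, gid))
        # cwp user dashboard session files
        self.add_rule(r"\/tmp\/session\/sess_.+", (0o600, None), (uid, gid))
        # cwp user config dir
        self.add_rule(r"\/\.conf$", (None, 0o755), (uid, gid))
        # cwp user config dir items (root-owned). The dot in ".conf" is
        # escaped so that only the literal ".conf" directory matches, not
        # any user-created "<x>conf" directory.
        self.add_rule(r"/\.conf/\..+\.sqlite$", (0o644, None), (0, 0))
        self.add_rule(
            r"\/\.conf\/(?:cache|reseller)(?:\/.+\.json)?$",
            (0o644, 0o755),
            (0, 0),
        )
        # softaculous files (dot escaped for the same reason as above)
        self.add_rule(r"\/\.softaculous(?:$|\/)", (0o600, 0o711), (uid, gid))
        # contents of homedir which do not match a previous regex
        self.add_rule(r"\/", (0o644, 0o755), (uid, gid))

    def fixperms(self) -> None:
        """Run the base home-directory pass, then the mail-dir pass.

        The mail-dir pass is skipped when ``self.args.skip_mail`` is set.
        """
        super().fixperms()
        if not self.args.skip_mail:
            self.mailperms()

    def iter_vmail(self):
        """Yield ``(stat, path)`` pairs for every entry under the user's
        existing vmail directories (``cwp.vmail_paths`` with
        ``check_exists=True``), walked via the base class's ``walk``."""
        for top_dir in cwp.vmail_paths(self.user, check_exists=True):
            yield from self.walk(str(top_dir))

    def mailperms(self) -> None:
        """Fix ownership and modes of the user's mail dirs.

        Directories become 0o700 and regular files 0o600 (the
        ``dovecot-uidvalidity.*`` marker files 0o444), all owned by
        ``self.uid`` and the ``mail`` group. Symlinks and non-regular
        files are skipped with a warning. Regular files that have more
        than one link and are not already owned by the user are handed
        to ``self.hard_links`` instead of being chowned here, so that a
        foreign file hard-linked into the maildir is not silently given
        to the user.
        """
        uid = self.uid
        gid = self.ids.getgrnam('mail').gr_gid
        vmail_uid = self.ids.getpwnam('vmail').pw_uid
        # fix the top-level vmail dir if needed
        try:
            stat = os.lstat('/var/vmail')
        except FileNotFoundError:
            self.log.warning("/var/vmail was missing; creating it.")
            # NOTE(review): the mode used here (0o770, further reduced by
            # the umask) differs from the 0o775 enforced on an existing
            # directory below; confirm which one is intended.
            os.mkdir('/var/vmail', mode=0o770)
            os.lchown('/var/vmail', vmail_uid, gid)
        else:
            if S_ISDIR(stat.st_mode):
                self.lchown('/var/vmail', stat, vmail_uid, gid)
                self.lchmod('/var/vmail', stat, 0o775)
            else:
                # Do not blindly re-own/chmod something that is not a real
                # directory (e.g. a symlink or a stray file in its place);
                # leave it for an operator to inspect.
                self.log.warning(
                    "/var/vmail is not a directory; not fixing it."
                )
        # iterate each entry under the user's vmail dirs
        for stat, path in self.iter_vmail():
            if S_ISLNK(stat.st_mode):
                self.log.warning("Skipping unexpected symlink at %s", path)
                continue
            if S_ISDIR(stat.st_mode):
                mode = 0o700
            elif S_ISREG(stat.st_mode):
                if os.path.basename(path).startswith('dovecot-uidvalidity.'):
                    mode = 0o444
                else:
                    mode = 0o600
                # A multiply-linked file that the user does not own is
                # most likely a hard link to a file elsewhere; chowning it
                # here would change the owner of the original, so defer to
                # the hard-link handler.
                if self.uid != stat.st_uid and stat.st_nlink > 1:
                    self.hard_links.add(path, stat, (uid, gid), mode)
                    continue
            else:
                self.log.warning("Skipping unexpected path type at %s", path)
                continue
            self.lchown(path, stat, uid, gid)
            self.lchmod(path, stat, mode)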