| Dir : /usr/lib/fixperms/ |
| Server: Linux ngx353.inmotionhosting.com 4.18.0-553.22.1.lve.1.el8.x86_64 #1 SMP Tue Oct 8 15:52:54 UTC 2024 x86_64 IP: 209.182.202.254 |
| Dir : //usr/lib/fixperms/fixperms_cwp.py |
"""Fixperms class for CWP"""
import os
from stat import S_ISLNK, S_ISREG, S_ISDIR
import cwp
from fixperms_base import PermMap
from fixperms_ids import IDCache
from fixperms_cli import Args
class CwpPermMap(PermMap):
"""Fixperms class for CWP"""
def __init__(self, ids: IDCache, args: Args, user: str):
super().__init__(
ids=ids,
args=args,
user=user,
all_docroots=list(cwp.get_docroots(user).values()),
docroot_chmod=0o750,
docroot_chown=(user, 'nobody'),
)
# pylint: disable=duplicate-code
# Order these rules more specific to less specific regex.
uid, gid = self.uid, self.gid
# sensitive passwords: ~/.pgpass, ~/.my.cnf
self.add_rule(r"\/\.(?:pgpass|my\.cnf)$", (0o600, None), (uid, gid))
# ~/.imh directory and contents
self.add_rule(r"\/\.imh(?:$|\/)", (0o644, 0o755), (0, 0))
# ~/.ssh directory and contents
self.add_rule(r"\/\.ssh(?:$|\/)", (0o600, 0o700), (uid, gid))
# ~/.pki dir and subdirs
self.add_rule(r"\/\.pki(?:$|\/)", (None, 0o740), (uid, gid))
# .cgi and .pl files
self.add_rule(r"\/.*\.(?:pl|cgi)$", (0o755, None), (uid, gid))
# homedir folder itself
self.add_rule("$", (None, 0o711), (uid, gid))
# restrict access to sensitive CMS config files
self.add_rule(
r"\/.+\/(?:(?:wp-config|conf|[cC]onfig|[cC]onfiguration|"
r"LocalSettings|settings)(?:\.inc)?\.php|"
r"local\.xml|mt-config\.cgi)$",
(0o640, None),
(uid, gid),
)
# web log stats
self.add_rule(r"\/cwp_stats\/.+\.html", (0o644, None), (0, 0))
# cwp user dashboard session dir
self.add_rule(r"\/tmp\/session$", (None, 0o751), (uid, gid))
# cwp user dashboard session files
self.add_rule(r"\/tmp\/session\/sess_.+", (0o600, None), (uid, gid))
# cwp user config dir
self.add_rule(r"\/\.conf$", (None, 0o755), (uid, gid))
# cwp user config dir items
self.add_rule(r"/\.conf/\..+\.sqlite$", (0o644, None), (0, 0))
self.add_rule(
r"/.conf/(?:cache|reseller)(?:\/.+\.json)?$", (0o644, 0o755), (0, 0)
)
# softaculous files
self.add_rule(r"\/.softaculous(?:$|\/)", (0o600, 0o711), (uid, gid))
# contents of homedir which do not match a previous regex
self.add_rule(r"\/", (0o644, 0o755), (uid, gid))
def fixperms(self) -> None:
super().fixperms()
if not self.args.skip_mail:
self.mailperms()
def iter_vmail(self):
"""Iterate all paths in the user's mail dirs"""
for top_dir in cwp.vmail_paths(self.user, check_exists=True):
yield from self.walk(str(top_dir))
def mailperms(self):
"""Fix permissions of a CWP user's mail dirs"""
uid = self.uid
gid = self.ids.getgrnam('mail').gr_gid
for stat, path in self.iter_vmail():
if S_ISLNK(stat.st_mode):
self.log.warning("Skipping unexpected symlink at %s", path)
continue
if S_ISDIR(stat.st_mode): # directory
mode = 0o700
elif S_ISREG(stat.st_mode): # regular file
if os.path.basename(path).startswith('dovecot-uidvalidity.'):
mode = 0o444
else:
mode = 0o600
if self.uid != stat.st_uid and stat.st_nlink > 1:
self.hard_links.add(path, stat, (uid, gid), mode)
continue
else:
self.log.warning("Skipping unexpected path type at %s", path)
continue
self.lchown(path, stat, uid, gid)
self.lchmod(path, stat, mode)