ok
Direktori : /opt/imunify360/venv/bin/ |
Current File : //opt/imunify360/venv/bin/imunify360_pam.py |
#!/opt/imunify360/venv/bin/python3 # # imunify360-pam Python script to manage imunify360 pam module # enabled/diabled state. # import argparse import os import re import shutil import signal import subprocess import sys import traceback from collections import OrderedDict from configparser import ConfigParser from contextlib import closing, suppress from distutils.version import LooseVersion from enum import Enum from functools import lru_cache, wraps from pathlib import Path from string import Template from typing import Iterable, Tuple import yaml from pam_i360.internals import getLogger, logger_init, pam_imunify_config CONFIG_DOVECOT = "/etc/dovecot/dovecot.conf" CONFIG_DOVECOT_DATASTORE = "/var/cpanel/conf/dovecot/main" CONFIG_DOVECOT_BASEDIR = "/var/cpanel/templates/dovecot" CONFIG_DOVECOT_DEFAULT_SUFFIX = "2.3" CONFIG_DOVECOT_TMPL = "main.default" CONFIG_DOVECOT_LOCAL = "main.local" CONFIG_PAM_DOVECOT = "/etc/pam.d/dovecot_imunify" CONFIG_PAM_DOVECOT_DOMAINOWNER = "/etc/pam.d/dovecot_imunify_domainowner" CONFIG_PROFTPD = "/etc/proftpd.conf" CONFIG_PAM_PROFTPD = "/etc/pam.d/proftpd_imunify" CONFIG_PUREFTPD = "/etc/pure-ftpd.conf" CONFIG_TEMPLATE_PUREFTPD = "/var/cpanel/conf/pureftpd/local" CONFIG_PAM_PUREFTPD = "/etc/pam.d/pure-ftpd" CONFIG_IMUNIFY360 = "/etc/sysconfig/imunify360/imunify360-merged.config" LEVELDB = "/opt/i360_pam_imunify/db/leveldb" PAM_UNIX_REGEX = re.compile(r"auth\s+.+?\s+pam_unix\.so") # logger late init in order to let sigterm_handler() to break # logger_init() if needed logger = None class DovecotState(Enum): DISABLED = 0 PAM = 1 NATIVE = 2 DOVECOT_STATES = { "disabled": DovecotState.DISABLED, "pam": DovecotState.PAM, "native": DovecotState.NATIVE, } class Output: def status_changed(self, services): enabled = [] already_enabled = [] disabled = [] already_disabled = [] services = OrderedDict(sorted(services.items(), key=lambda x: x[0])) for key, value in services.items(): enabled_prev, enabled_now = value if enabled_now: if enabled_prev: already_enabled.append(key) else: enabled.append(key) else: if not enabled_prev: already_disabled.append(key) else: disabled.append(key) message = None if len(enabled) > 0: message = "imunify360-pam (%s) is now enabled." % ", ".join(enabled) if len(already_enabled) > 0: message = "imunify360-pam (%s) is already enabled." % ", ".join( already_enabled ) if len(disabled) > 0: message = "imunify360-pam (%s) is now disabled." % ", ".join(disabled) if len(already_disabled) > 0: message = "imunify360-pam (%s) is already disabled." % ", ".join( already_disabled ) if message: self._print(message) def status(self, services): services = OrderedDict(sorted(services.items(), key=lambda x: x[1])) enabled = [key for key, value in services.items() if value] if len(enabled) > 0: self._print("status: enabled (%s)" % ", ".join(enabled)) else: self._print("status: disabled") def warning(self, *args, **kwargs): self._print("[WARNING]", *args, **kwargs) def error(self, *args, **kwargs): self._print("[ERROR]", *args, **kwargs) def run_and_log(self, *args, **kwargs): subprocess.run(*args, **kwargs) def flush(self): pass def _print(self, *args, **kwargs): print(*args, **kwargs) # duplicate to pam.log if args[0] == "[WARNING]": logfun = logger.warning args = args[1:] elif args[0] == "[ERROR]": logfun = logger.error args = args[1:] else: logfun = logger.info logfun(" ".join(args)) class YamlOutput(Output): def __init__(self): self._buffer = {} def flush(self): print(yaml.safe_dump(self._buffer, default_flow_style=False)) # duplicate to pam.log for k in ["status_changed", "status"]: if k in self._buffer: logger.info("%s=%r", k, self._buffer[k]) def status_changed(self, services): for service, value in services.items(): enabled_prev, enabled_now = value self._buffer.setdefault("status_changed", {})[service] = { "from": "enabled" if enabled_prev else "disabled", "to": "enabled" if enabled_now else "disabled", } def status(self, services): for service, enabled in services.items(): self._buffer.setdefault("status", {})[service] = ( "enabled" if enabled else "disabled" ) def warning(self, *args, **kwargs): self._buffer.setdefault("warnings", []).append(" ".join(args)) logger.warning(" ".join(args)) def error(self, *args, **kwargs): self._buffer.setdefault("errors", []).append(" ".join(args)) # catch message and backtrace for sentry logger.error(" ".join(args)) def run_and_log(self, cmd, *args, **kwargs): proc = subprocess.run( cmd, *args, **kwargs, stdin=subprocess.DEVNULL, # capture and combine both streams into one stdout=subprocess.PIPE, stderr=subprocess.STDOUT ) if proc.returncode != 0: self.warning("%s exit code %d" % (" ".join(cmd), proc.returncode)) if ( proc.returncode != 0 or options.verbose or pam_imunify_config().getboolean("verbose") ): self._buffer.setdefault("subprocess_call", []).append( { "cmd": " ".join(cmd), "returncode": proc.returncode, # .decode('ascii', errors='ignore') is to suppress # cPanel tools output colors "output": proc.stdout.decode("ascii", errors="ignore"), } ) # This function get CP name only @lru_cache(1) def get_cp_name(): panel = "generic" # cPanel check if os.path.isfile("/usr/local/cpanel/cpanel"): panel = "cpanel" # Plesk check elif os.path.isfile("/usr/local/psa/version"): panel = "plesk" # DirectAdmin check elif os.path.isfile("/usr/local/directadmin/directadmin"): panel = "directadmin" return panel def readlink_f(filename): """ Pythonic way of doing /bin/readlink --canonicalize filename and is needed for cPanel /etc/pam.d symlinks. """ try: result = os.readlink(filename) except OSError: # not a symlink return filename if os.path.isabs(result): return result else: return os.path.join(os.path.dirname(filename), result) def detect_conffiles(output=None): if not output: output = Output() if os.path.exists("/etc/pam.d/common-auth"): # debian, ubuntu conffiles = ("/etc/pam.d/common-auth",) else: conffiles = "/etc/pam.d/password-auth", "/etc/pam.d/system-auth" if not all(os.path.exists(conf) for conf in conffiles): output.error("PAM configuration file(s) not found: %s" % " ".join(conffiles)) sys.exit(1) return [readlink_f(fn) for fn in conffiles] def atomic_rewrite(filename, content): """ Atomically rewrites filename with given content to avoid possible "No space left on device" or unintenrional PAM module break. Backup original file content to {filename}.i360bak """ if os.path.exists(filename): shutil.copy(filename, filename + ".i360bak") tmp = filename + ".i360edit" with open(tmp, "wb" if isinstance(content, bytes) else "w") as tf: tf.write(content) try: st = os.stat(filename) except FileNotFoundError: pass else: os.fchmod(tf.fileno(), st.st_mode) os.fchown(tf.fileno(), st.st_uid, st.st_gid) ext = 3 while ext > 0: try: os.rename(tmp, filename) except OSError: ext = ext - 1 if ext == 0: output.error("Trouble in renaming of %s to %s" % (tmp, filename)) sys.exit(1) else: ext = 0 class i360RPatch: def __init__(self, conf_filename, output=None): self._conf_filename = conf_filename self.output = Output() if not output else output def filename(self): return os.path.join( os.path.dirname(self._conf_filename), ".%s.i360patch" % os.path.basename(self._conf_filename), ) def create_upon(self, content): cmd = ["/usr/bin/diff", "--unified=1", self._conf_filename, "-"] proc = subprocess.Popen( cmd, stdin=subprocess.PIPE, stdout=open(self.filename(), "w") ) proc.communicate(content.encode()) if proc.returncode != 1: # not a big deal: will use .i360bak as the last resort self.output.warning("'diff -u' error", file=sys.stderr) os.unlink(self.filename()) def apply(self): """ :raise CalledProcessError: """ cmd = ["/usr/bin/patch", "--reverse", self._conf_filename] subprocess.check_call( cmd, stdin=open(self.filename()), stdout=open("/dev/null", "w") ) os.unlink(self.filename()) def pam_unix_patch_around(pamconfig_lines, pam_unix_ln): match_offset = re.search( r"success=(\d)\s+default=ignore", pamconfig_lines[pam_unix_ln] ) patch_simple(pamconfig_lines, pam_unix_ln) pam_unix_ln += 1 if match_offset: fix_offset(pamconfig_lines, pam_unix_ln, int(match_offset.group(1))) def dovecot_manyconfigs_basedir() -> Tuple[Iterable[str], str]: """ As per DEF-18259 it comes out that dovecot config main.default and main.local files may reside in a directory /var/cpanel/conf/dovecot/main refers it via '_use_target_version: ...' :return: dovecot multiple configs basedir list and warning message if any """ result = set() warning_msg = None def check_and_use(path_): # unwind '/var/cpanel/templates/dovecot -> /var/cpanel/templates/dovecot2.3' path_ = readlink_f(path_) if os.path.exists(os.path.join(path_, CONFIG_DOVECOT_TMPL)): result.add(path_) return True return False check_and_use(CONFIG_DOVECOT_BASEDIR) check_and_use(CONFIG_DOVECOT_BASEDIR + CONFIG_DOVECOT_DEFAULT_SUFFIX) try: with open(CONFIG_DOVECOT_DATASTORE) as f: target_version = yaml.safe_load(f)["_use_target_version"] except (FileNotFoundError, UnicodeError, yaml.YAMLError) as e: warning_msg = "%s: %s" % (CONFIG_DOVECOT_DATASTORE, e) except KeyError: pass else: path_ = CONFIG_DOVECOT_BASEDIR + target_version if not check_and_use(path_): warning_msg = ( "%s '_use_target_version: %s' refers a non existent " "configuration file %r" % (CONFIG_DOVECOT_DATASTORE, target_version, path_) ) return result, warning_msg def insert_imunify_passdb(data, output=None): imunify_passdb_template = Template( "passdb {\n" " driver = imunify360\n" " args = key=/opt/i360_pam_imunify/key \\\n" " secret=/opt/i360_pam_imunify/secret \\\n" " socket=/opt/i360_pam_imunify/pam_imunify360.sock" "$check_only" "$result_action\n" "}" ) if not output: output = Output() if not re.search( r"passdb\s*\{\s*driver\s*=\s*imunify360.*?}", data, re.DOTALL ): # passdb is already in config match = re.search( r"passdb\s*\{\s*driver\s*=\s*dict.*?}", data, re.DOTALL ) # find default passdb if match: data = ( data[: match.end()] + "\n" + imunify_passdb_template.substitute( check_only="\n", result_action=" result_success = continue" ) + "\n" + data[match.end() :] ) # insert imunify passdb after default passdb return ( data[: match.start()] + "\n" + imunify_passdb_template.substitute( check_only=" \\\n check_only=1\n", result_action=" result_failure = return-fail\n", ) + "\n" + data[match.start() :] # insert imunify passdb before default passdb ) else: # default passdb missing output.error("PAM configuration file parse error: passdb missing") sys.exit(1) def patch_dovecot_config_template(dovecot_state: str, config_basedir: str): config_template = os.path.join(config_basedir, CONFIG_DOVECOT_TMPL) config_local = os.path.join(config_basedir, CONFIG_DOVECOT_LOCAL) passdb_regex = re.compile(r"^\s*passdb\s*\{.*?\}\s*$", re.DOTALL | re.MULTILINE) if dovecot_state == DovecotState.PAM or dovecot_state == DovecotState.NATIVE: def passdb_replace(match): repl = None if dovecot_state == DovecotState.PAM: repl = re.sub(r"driver\s*=.*", "driver = pam", match.group(0)) repl = re.sub( r"args\s*=.*", r"args = " r"[% IF allow_domainowner_mail_pass %]" r"dovecot_imunify_domainowner" r"[% ELSE %]dovecot_imunify[% END %]", repl, ) if dovecot_state == DovecotState.NATIVE: repl = re.sub( r"result_internalfail\s*=.*", "result_success = continue-ok", match.group(0), ) repl = re.sub( r"result_failure\s*=.*", "result_failure = continue-fail", repl ) return repl data = Path(config_template).read_text() data = re.sub(passdb_regex, passdb_replace, data) if dovecot_state == DovecotState.NATIVE: data = insert_imunify_passdb(data) if not options.dry: with open(config_local, "w") as f: f.write(data) else: return elif dovecot_state == DovecotState.DISABLED: with suppress(FileNotFoundError): os.unlink(config_local) def change_dovecot_state(dovecot_state, output=None): """ Enable or disable pam_imunify support for Dovecot """ if not output: output = Output() manyconfigs, warn = dovecot_manyconfigs_basedir() if warn: output.warning(warn) if len(manyconfigs) == 0: output.error("Dovecot config template file not found. Aborting.") sys.exit(1) for config_basedir in manyconfigs: patch_dovecot_config_template(dovecot_state, config_basedir) if not options.norestart: if os.path.isfile("/scripts/builddovecotconf"): output.run_and_log(["/scripts/builddovecotconf"]) if os.path.isfile("/scripts/restartsrv_dovecot"): output.run_and_log(["/scripts/restartsrv_dovecot"]) def service_incompatibility_panic(msg): """ So far we decided to report service incompatibility error as warning, with the only exception for --dry-run option. Otherwise we break agent PAM subsystem loop with the error when a client copied imunify360-merged.config from one server to another server in a case when the first server is compatible with that PAM integration feature but the second server is not capable with. """ if options.dry: output.error(msg) sys.exit(1) else: output.warning(msg) sys.exit(0) def cpanel_only_feature(service): def decorator(fun): @wraps(fun) def wrapper(*args, **kwargs): if get_cp_name() != "cpanel": service_incompatibility_panic( "%s is not supported for %s." % (service, get_cp_name().capitalize()) ) else: return fun(*args, **kwargs) return wrapper return decorator def toggle_proftpd_support(enable=True, output=None): """ Enable or disable pam_imunify support for ProFTPd """ conf = CONFIG_PROFTPD if not os.path.isfile(conf): output.error("ProFTPD config file not found. Aborting.") sys.exit(1) if enable: version_output = subprocess.check_output( [ "in.proftpd" if get_cp_name() == "plesk" else "proftpd", "--version-status", ], stderr=subprocess.DEVNULL, ).decode(sys.stdout.encoding) if "mod_auth_pam" not in version_output: service_incompatibility_panic( "ProFTPD built without PAM support. " "pam_imunify for FTP is NOT enabled." ) version_regex = re.compile(r"ProFTPD Version:\s([0-9a-z\.]+)") version_found = version_regex.search(version_output) if version_found: version = LooseVersion(version_found.group(1)) if version < LooseVersion("1.3.6c") or version.vstring.startswith( "1.3.6rc" ): if get_cp_name() == "cpanel": service_incompatibility_panic( "ProFTPD needs to be upgraded to " "cPanel version 88 or higher. " "pam_imunify for FTP is NOT enabled." ) else: service_incompatibility_panic( "ProFTPD needs to be upgraded. " "pam_imunify for FTP is NOT enabled." ) if not output: output = Output() authpam_imunify = ( "AuthOrder mod_auth_pam.c* mod_auth_file.c\n" "AuthPAM on\n" "AuthPAMConfig proftpd_imunify\n" ) authpam_regex = re.compile(r"(^AuthPAM.*\n?)+", re.MULTILINE) data = open(conf).read() authpam_found = authpam_regex.search(data) if enable: if authpam_found: authpam_span = authpam_found.span() data = data[: authpam_span[0]] + authpam_imunify + data[authpam_span[1] :] else: data = authpam_imunify + "\n" + data if not options.dry: atomic_rewrite(conf, data) else: return else: conf_bak = conf + ".i360bak" if os.path.isfile(conf_bak): os.rename(conf_bak, conf) else: output.error( "Failed to disable proftpd integration: %s not found" % conf_bak ) sys.exit(1) if os.path.isfile("/scripts/restartsrv_ftpd"): output.run_and_log(["/scripts/restartsrv_ftpd"]) def file_patchline(config: str, pattern, repl: bytes, reverse: bool): """ Patch config file line inplace and backup config to '%s.i360bak' % config :param config: file path :param pattern: re.compile(b'...') result type :param reverse: revert back the previos operation on the same config file """ if reverse: # lookup replacement in config_i360bak try: with open("%s.i360bak" % config, "rb") as f: repl = next(ln for ln in f if re.match(pattern, ln)) except (FileNotFoundError, StopIteration): # there were no such entry before us repl = b"" if os.path.exists(config): with open(config, "rb") as f: conf_before = f.read() conf_after = re.sub(pattern, repl, conf_before, count=1) if conf_after == conf_before and not repl in conf_after: conf_after = ( conf_before + (b"" if conf_before.endswith(b"\n") else b"\n") + repl ) if conf_after != conf_before: atomic_rewrite(config, conf_after) else: atomic_rewrite(config, repl) def is_pureftpd_supported(): # Pure-FTPd writes output to stdin, so we have to use # pipes to read from stdin afterwards... pipe_r, pipe_w = map(os.fdopen, os.pipe()) def finalize(): pipe_w.close() pipe_r.close() try: subprocess.check_output( ["pure-ftpd", "-l", "pam"], stdin=pipe_w, stderr=subprocess.STDOUT, timeout=1, ) except subprocess.CalledProcessError: # after pipe_w.close() we can do pipe_r.read() pipe_w.close() with closing(pipe_r): # 421 Unknown authentication method: pam if pipe_r.read().startswith("421 "): return False except subprocess.TimeoutExpired: # This could happen if pam is supported # and pure-ftpd has started finalize() else: finalize() return True def is_pureftpd_enabled(): """ Check if pure-ftpd.conf contains /var/run/ftpd.imunify360.sock """ if not os.path.isfile(CONFIG_PUREFTPD): return False imunify360_regex = re.compile( rb"^(?!#).*\/var\/run\/ftpd.imunify360.sock", re.MULTILINE ) return imunify360_regex.search( open(CONFIG_PUREFTPD, "rb").read()) is not None def toggle_pureftpd_conf_support(enable, output): extauth_regex = re.compile(rb"^\s*ExtAuth\s.*$", re.MULTILINE) extauth_imunify = b"ExtAuth /var/run/ftpd.imunify360.sock" file_patchline(CONFIG_PUREFTPD, extauth_regex, extauth_imunify, reverse=enable is False) if not options.norestart_pureftpd and \ os.path.isfile("/scripts/restartsrv_ftpd"): output.run_and_log(["/scripts/restartsrv_ftpd"]) def toggle_pureftpd_cpanel_support(enable, output): extauth_regex = re.compile(rb"^\s*ExtAuth:\s.*$", re.MULTILINE) extauth_imunify = b"ExtAuth: /var/run/ftpd.imunify360.sock" file_patchline(CONFIG_TEMPLATE_PUREFTPD, extauth_regex, extauth_imunify, reverse=enable is False) if os.path.isfile("/scripts/setupftpserver"): output.run_and_log(["/usr/local/cpanel/scripts/setupftpserver", "--force", "pure-ftpd"]) def disable_ftp_protection(): if not os.path.exists(CONFIG_IMUNIFY360): return ftp_protection_pattern = re.compile( rb"^(?!#)([^\S\r\n]*ftp_protection:[^\S\r\n])*true", re.MULTILINE ) def replacement(match): return match.group(1) + b'false' with open(CONFIG_IMUNIFY360, "rb") as f: contents = f.read() if ftp_protection_pattern.search(contents): disabled_ftp_content = re.sub( ftp_protection_pattern, replacement, contents, count=1 ) atomic_rewrite(CONFIG_IMUNIFY360, disabled_ftp_content) def toggle_pureftpd_support(enable=True, output=None): """ Enable or disable pam_imunify support for PureFTPd """ conf = CONFIG_PUREFTPD if not os.path.isfile(conf): output.error("Pure-FTPd config file not found. Aborting.") sys.exit(1) if enable: if not is_pureftpd_supported(): service_incompatibility_panic( "Pure-FTPd built without PAM support. " "pam_imunify for FTP is NOT enabled." ) # ensure that ftp_protection is disabled in imunify360-merged.config if enable is False: disable_ftp_protection() if not output: output = Output() if options.dry: return toggle_pureftpd_conf_support(enable, output) def toggle_sshd_support(conffiles, enable=True, output=None): """ Enable or disable pam_imunify module for sshd authentication """ if not output: output = Output() if enable: for conf in conffiles: lines = open(conf).readlines() try: pam_unix_ln = next( ln for ln, line in enumerate(lines) if PAM_UNIX_REGEX.search(line) ) except StopIteration: output.error("PAM configuration file %s parse error" % conf) sys.exit(1) pam_unix_patch_around(lines, pam_unix_ln) content = "".join(lines) i360RPatch(conf, output).create_upon(content) if not options.dry: atomic_rewrite(conf, content) else: for conf in conffiles: rpatch = i360RPatch(conf, output) if os.path.exists(rpatch.filename()): try: rpatch.apply() continue except subprocess.CalledProcessError as e: output.warning( "'patch -R' was not successful: %s" % e, file=sys.stderr ) else: output.warning( "File not found: %s" % rpatch.filename(), file=sys.stderr ) atomic_rewrite(conf, open(conf + ".i360bak").read()) def set_panel_integration(confs, output=None): imunify_regex = re.compile(r"auth\s+sufficient\s+pam_imunify\.so") assert get_cp_name() == "cpanel", "The only supported integration so far." if not output: output = Output() for conf in confs: lines = open(conf).readlines() try: imunify_ln = next( ln for ln, line in enumerate(lines) if imunify_regex.search(line) ) except StopIteration: output.error("PAM configuration file %s parse error" % conf) sys.exit(1) match_count = 0 def panel_replace(match): nonlocal match_count if match.group() in ["cpanel", "plesk", "directadmin"]: match_count += 1 return get_cp_name() return match.group() lines[imunify_ln] = re.sub(r"\b([^\s]+)\b", panel_replace, lines[imunify_ln]) if match_count == 0: lines[imunify_ln] = "%s %s\n" % (lines[imunify_ln].strip(), get_cp_name()) content = "".join(lines) atomic_rewrite(conf, content) os.unlink(conf + ".i360bak") def patch_simple(pamconfig_lines, pam_unix_ln): pamconfig_lines.insert(pam_unix_ln + 1, "auth\trequired\tpam_imunify.so\n") pamconfig_lines.insert(pam_unix_ln, "auth\trequired\tpam_imunify.so\tcheck_only\n") def fix_offset(pamconfig_lines, pam_unix_ln, pam_unix_success_offset): bump_to = pam_unix_success_offset + 1 pamconfig_lines[pam_unix_ln] = re.sub( r"success=\d", "success=%d" % bump_to, pamconfig_lines[pam_unix_ln] ) def dovecot_state(): pam_dovecot_enabled = ( os.path.isfile(CONFIG_DOVECOT) and "dovecot_imunify" in open(CONFIG_DOVECOT).read() ) native_dovecot_enabled = ( os.path.isfile(CONFIG_DOVECOT) and "imunify360" in open(CONFIG_DOVECOT).read() ) if pam_dovecot_enabled: return DovecotState.PAM elif native_dovecot_enabled: return DovecotState.NATIVE else: return DovecotState.DISABLED class Cmd: @classmethod def enable(cls, conffiles, output=None): if not output: output = Output() if any("pam_imunify.so" in open(conf).read() for conf in conffiles): cls._cphulk_check() output.status_changed({"sshd": (True, True)}) return toggle_sshd_support(conffiles, True, output) if not options.dry: cls._cphulk_check(output) output.status_changed({"sshd": (False, True)}) @staticmethod @cpanel_only_feature("Dovecot") def set_dovecot(conffiles, output=None): if not output: output = Output() target_dovecot_state = DOVECOT_STATES[options.dovecot_state] if target_dovecot_state: prev_dovecot_state = dovecot_state() if prev_dovecot_state != target_dovecot_state: set_panel_integration( [CONFIG_PAM_DOVECOT, CONFIG_PAM_DOVECOT_DOMAINOWNER], output ) change_dovecot_state(target_dovecot_state, output) if target_dovecot_state in [DovecotState.PAM, DovecotState.NATIVE]: output.status_changed( { "dovecot-{}".format(options.dovecot_state): ( prev_dovecot_state == target_dovecot_state, True, ) } ) else: output.status_changed( {"dovecot": (prev_dovecot_state != target_dovecot_state, False)} ) else: output.error("Unexpected dovecot state {}".format(options.dovecot_state)) @staticmethod @cpanel_only_feature("ProFTPd") def enable_proftpd(conffiles, output=None): if not output: output = Output() set_panel_integration([CONFIG_PAM_PROFTPD], output) proftpd_enabled = ( os.path.isfile(CONFIG_PROFTPD) and "proftpd_imunify" in open(CONFIG_PROFTPD).read() ) if not proftpd_enabled: toggle_proftpd_support(True, output) if not options.dry: output.status_changed({"ftp": (proftpd_enabled, True)}) @staticmethod @cpanel_only_feature("Pure-FTPd") def enable_pureftpd(conffiles, output=None): if not output: output = Output() panel = get_cp_name() pureftpd_enabled = is_pureftpd_enabled() if not pureftpd_enabled: toggle_pureftpd_support(True, output) if not options.dry: output.status_changed({"ftp": (pureftpd_enabled, True)}) @staticmethod def disable_all(conffiles, output=None): if not output: output = Output() dovecot_enabled = dovecot_state() != DovecotState.DISABLED proftpd_enabled = ( os.path.isfile(CONFIG_PROFTPD) and "proftpd_imunify" in open(CONFIG_PROFTPD).read() ) pureftpd_enabled = is_pureftpd_enabled() sshd_enabled = any("pam_imunify.so" in open(conf).read() for conf in conffiles) if dovecot_enabled: change_dovecot_state(DovecotState.DISABLED, output) if proftpd_enabled: toggle_proftpd_support(False, output) if pureftpd_enabled: toggle_pureftpd_support(False, output) if sshd_enabled: toggle_sshd_support(conffiles, False, output) output.status_changed( { "sshd": (sshd_enabled, False), "dovecot": (dovecot_enabled, False), "ftp": (proftpd_enabled or pureftpd_enabled, False), } ) @staticmethod def disable(conffiles, output=None): if not output: output = Output() sshd_enabled = any("pam_imunify.so" in open(conf).read() for conf in conffiles) if sshd_enabled: toggle_sshd_support(conffiles, False, output) output.status_changed({"sshd": (sshd_enabled, False)}) @staticmethod def disable_proftpd(conffiles, output=None): if not output: output = Output() proftpd_enabled = ( os.path.isfile(CONFIG_PROFTPD) and "proftpd_imunify" in open(CONFIG_PROFTPD).read() ) if proftpd_enabled: toggle_proftpd_support(False, output) output.status_changed({"ftp": (proftpd_enabled, False)}) @staticmethod def disable_pureftpd(conffiles, output=None): if not output: output = Output() pureftpd_enabled = is_pureftpd_enabled() if pureftpd_enabled: toggle_pureftpd_support(False, output) output.status_changed({"ftp": (pureftpd_enabled, False)}) @staticmethod @cpanel_only_feature("FTP service") def enable_ftp(conffiles, output=None): if not output: output = Output() with open("/var/cpanel/cpanel.config", "r") as cpcfg: data = cpcfg.read() if "ftpserver=proftpd" in data: Cmd.enable_proftpd(conffiles, output) elif "ftpserver=pure-ftpd" in data: Cmd.enable_pureftpd(conffiles, output) else: service_incompatibility_panic("No supported FTP found.") @staticmethod def disable_ftp(conffiles, output=None): if not output: output = Output() proftpd_enabled = ( os.path.isfile(CONFIG_PROFTPD) and "proftpd_imunify" in open(CONFIG_PROFTPD).read() ) pureftpd_enabled = is_pureftpd_enabled() if proftpd_enabled: toggle_proftpd_support(False, output) if pureftpd_enabled: toggle_pureftpd_support(False, output) output.status_changed({"ftp": (proftpd_enabled or pureftpd_enabled, False)}) @classmethod def status(cls, conffiles, output=None): if not output: output = Output() dovecot_enabled = dovecot_state() != DovecotState.DISABLED sshd_enabled = any("pam_imunify.so" in open(conf).read() for conf in conffiles) proftpd_enabled = ( os.path.isfile(CONFIG_PROFTPD) and "proftpd_imunify" in open(CONFIG_PROFTPD).read() ) pureftpd_enabled = is_pureftpd_enabled() if dovecot_enabled or sshd_enabled or proftpd_enabled or pureftpd_enabled: cls._cphulk_check(output) output.status( { "sshd": sshd_enabled, "dovecot-pam": dovecot_state() == DovecotState.PAM, "dovecot-native": dovecot_state() == DovecotState.NATIVE, "ftp": proftpd_enabled or pureftpd_enabled, } ) @staticmethod def state_reset(*_): subprocess.check_call(["service", "imunify360-pam", "stop"]) shutil.rmtree(LEVELDB) logger.info("rm -rf %s", LEVELDB) subprocess.check_call(["service", "imunify360-pam", "start"]) @staticmethod def _cphulk_check(output=None): if not os.path.isfile("/usr/sbin/whmapi1"): return if not options.verbose and not pam_imunify_config().getboolean("verbose"): return if not output: output = Output() proc = subprocess.run( ["whmapi1", "servicestatus", "service=cphulkd"], stdin=subprocess.DEVNULL, stdout=subprocess.PIPE, ) if proc.returncode != 0: # we expect err dump is printed to stderr return try: status = yaml.safe_load(proc.stdout) if status["data"]["service"][0]["enabled"]: output.warning("cPHulk is enabled", file=sys.stderr) except (yaml.YAMLError, IndexError, KeyError) as e: output.warning("whmapi error:", e, file=sys.stderr) def sigterm_handler(signum, frame): """ generate backtrace on SIGTERM """ traceback.print_stack(frame, file=sys.stderr) print("caught SIGTERM.", file=sys.stderr) if logger is not None: logger.fatal("caught SIGTERM.") sys.exit(15) if __name__ == "__main__": def add_opt_args(parser): parser.add_argument( "-r", "--dry-run", dest="dry", action="store_true", help="Dry run the command, whithout changing of state", ) parser.add_argument( "-n", "--no-restart", dest="norestart", action="store_true", help="Don't restart dovecot and don't rebuild, just patch local dovecot template (cPanel only)", ) parser.add_argument( "--no-restart-pureftpd", dest="norestart_pureftpd", action="store_true", help="Don't restart pureftpd", ) parser.add_argument( "--yaml", dest="yaml", action="store_true", help="for YAML output" ) parser.add_argument("-v", "--verbose", dest="verbose", action="store_true") signal.signal(signal.SIGTERM, sigterm_handler) logger = logger_init(console_stream=None) parser = argparse.ArgumentParser() subparsers = parser.add_subparsers(dest="cmd") subparsers.required = True for command in sorted( (cmd.replace("_", "-") for cmd in dir(Cmd) if not cmd.startswith("_")), reverse=True, ): if command == "set-dovecot": command_parser = subparsers.add_parser(command) command_parser.add_argument( "dovecot_state", type=str, choices=["pam", "native", "disabled"] ) add_opt_args(command_parser) else: command_parser = subparsers.add_parser(command) add_opt_args(command_parser) options = parser.parse_args() output = YamlOutput() if options.yaml else Output() try: cmd = getattr(Cmd, options.cmd.replace("-", "_")) cmd(detect_conffiles(output), output) except Exception as e: logger.exception("unexpected error: %s", e) finally: # even if we caught an exception there is still a possibility # that stdout is still usable (at least partially) output.flush()