"""Fixperms class for CWP"""
import os
from stat import S_ISLNK, S_ISREG, S_ISDIR
import cwp
from fixperms_base import PermMap
from fixperms_ids import IDCache
from fixperms_cli import Args
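class CwpPermMap(PermMap):
    """Fixperms class for CWP"""

    def __init__(self, ids: IDCache, args: Args, user: str):
        """Build the CWP rule set for ``user``'s home directory.

        Args:
            ids: uid/gid lookup cache shared by the run (``getgrnam`` is
                used for the ``mail`` group in :meth:`mailperms`).
            args: parsed command-line options; ``skip_mail`` is read by
                :meth:`fixperms`.
            user: name of the account being fixed.
        """
        super().__init__(
            ids=ids,
            args=args,
            user=user,
            all_docroots=list(cwp.get_docroots(user).values()),
            docroot_chmod=0o750,
            docroot_chown=(user, 'nobody'),
        )
        # pylint: disable=duplicate-code
        # Order these rules more specific to less specific regex. Each rule is
        # (pattern, (file_mode, dir_mode), (uid, gid)); presumably a None mode
        # leaves that kind of entry untouched -- confirm against PermMap.add_rule.
        uid, gid = self.uid, self.gid
        # sensitive passwords: ~/.pgpass, ~/.my.cnf
        self.add_rule(r"\/\.(?:pgpass|my\.cnf)$", (0o600, None), (uid, gid))
        # ~/.imh directory and contents
        self.add_rule(r"\/\.imh(?:$|\/)", (0o644, 0o755), (0, 0))
        # ~/.ssh directory and contents
        self.add_rule(r"\/\.ssh(?:$|\/)", (0o600, 0o700), (uid, gid))
        # ~/.pki dir and subdirs
        self.add_rule(r"\/\.pki(?:$|\/)", (None, 0o740), (uid, gid))
        # .cgi and .pl files
        self.add_rule(r"\/.*\.(?:pl|cgi)$", (0o755, None), (uid, gid))
        # homedir folder itself
        self.add_rule("$", (None, 0o711), (uid, gid))
        # restrict access to sensitive CMS config files
        self.add_rule(
            r"\/.+\/(?:(?:wp-config|conf|[cC]onfig|[cC]onfiguration|"
            r"LocalSettings|settings)(?:\.inc)?\.php|"
            r"local\.xml|mt-config\.cgi)$",
            (0o640, None),
            (uid, gid),
        )
        # web log stats
        self.add_rule(r"\/cwp_stats\/.+\.html", (0o644, None), (0, 0))
        # cwp user dashboard session dir
        self.add_rule(r"\/tmp\/session$", (None, 0o751), (uid, gid))
        # cwp user dashboard session files
        self.add_rule(r"\/tmp\/session\/sess_.+", (0o600, None), (uid, gid))
        # cwp user config dir
        self.add_rule(r"\/\.conf$", (None, 0o755), (uid, gid))
        # cwp user config dir items
        self.add_rule(r"/\.conf/\..+\.sqlite$", (0o644, None), (0, 0))
        # The dot in ".conf" is escaped: an unescaped "." matched any
        # character, so a user-created "~/xconf/cache/" (constructed example)
        # would have been chowned to root by this rule.
        self.add_rule(
            r"/\.conf/(?:cache|reseller)(?:\/.+\.json)?$", (0o644, 0o755), (0, 0)
        )
        # softaculous files (dot escaped for the same reason as above)
        self.add_rule(r"\/\.softaculous(?:$|\/)", (0o600, 0o711), (uid, gid))
        # contents of homedir which do not match a previous regex
        self.add_rule(r"\/", (0o644, 0o755), (uid, gid))

    def fixperms(self) -> None:
        """Run the base fixperms pass, then the mail dirs unless --skip-mail."""
        super().fixperms()
        if not self.args.skip_mail:
            self.mailperms()

    def iter_vmail(self):
        """Iterate all (stat, path) pairs under the user's existing mail dirs."""
        for top_dir in cwp.vmail_paths(self.user, check_exists=True):
            yield from self.walk(str(top_dir))

    def mailperms(self) -> None:
        """Fix ownership and modes of a CWP user's mail dirs.

        Directories become 0700 and regular files 0600 (``dovecot-uidvalidity.*``
        markers 0444), all owned by ``uid:mail``. Symlinks and any other path
        type are logged and skipped.
        """
        uid = self.uid
        gid = self.ids.getgrnam('mail').gr_gid
        for st, path in self.iter_vmail():
            if S_ISLNK(st.st_mode):
                self.log.warning("Skipping unexpected symlink at %s", path)
                continue
            if S_ISDIR(st.st_mode):
                mode = 0o700
            elif S_ISREG(st.st_mode):
                marker = os.path.basename(path).startswith('dovecot-uidvalidity.')
                mode = 0o444 if marker else 0o600
                # A multiply-linked file not yet owned by this user may be a
                # hard link to someone else's file; hand it to the hard-link
                # handler rather than chowning it to the user here.
                if uid != st.st_uid and st.st_nlink > 1:
                    self.hard_links.add(path, st, (uid, gid), mode)
                    continue
            else:
                self.log.warning("Skipping unexpected path type at %s", path)
                continue
            self.lchown(path, st, uid, gid)
            self.lchmod(path, st, mode)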