- GRAYBYTE UNDETECTABLE CODES -

403Webshell
Server IP : 184.154.167.98  /  Your IP : 3.135.220.239
Web Server : Apache
System : Linux pink.dnsnetservice.com 4.18.0-553.22.1.lve.1.el8.x86_64 #1 SMP Tue Oct 8 15:52:54 UTC 2024 x86_64
User : puertode ( 1767)
PHP Version : 8.2.26
Disable Function : NONE
MySQL : OFF  |  cURL : ON  |  WGET : ON  |  Perl : ON  |  Python : ON  |  Sudo : ON  |  Pkexec : ON
Directory :  /sbin/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Command :


[ Back ]     

Current File : /sbin/imunify360-pam
#!/opt/imunify360/venv/bin/python3
#
# imunify360-pam        Python script to manage imunify360 pam module
#                       enabled/diabled state.
#

import argparse
import os
import re
import shutil
import signal
import subprocess
import sys
import traceback
from collections import OrderedDict
from configparser import ConfigParser
from contextlib import closing, suppress
from distutils.version import LooseVersion
from enum import Enum
from functools import lru_cache, wraps
from pathlib import Path
from string import Template
from typing import Iterable, Tuple

import yaml

from pam_i360.internals import getLogger, logger_init, pam_imunify_config

CONFIG_DOVECOT = "/etc/dovecot/dovecot.conf"
CONFIG_DOVECOT_DATASTORE = "/var/cpanel/conf/dovecot/main"
CONFIG_DOVECOT_BASEDIR = "/var/cpanel/templates/dovecot"
CONFIG_DOVECOT_DEFAULT_SUFFIX = "2.3"
CONFIG_DOVECOT_TMPL = "main.default"
CONFIG_DOVECOT_LOCAL = "main.local"
CONFIG_PAM_DOVECOT = "/etc/pam.d/dovecot_imunify"
CONFIG_PAM_DOVECOT_DOMAINOWNER = "/etc/pam.d/dovecot_imunify_domainowner"
CONFIG_PROFTPD = "/etc/proftpd.conf"
CONFIG_PAM_PROFTPD = "/etc/pam.d/proftpd_imunify"
CONFIG_PUREFTPD = "/etc/pure-ftpd.conf"
CONFIG_TEMPLATE_PUREFTPD = "/var/cpanel/conf/pureftpd/local"
CONFIG_PAM_PUREFTPD = "/etc/pam.d/pure-ftpd"
CONFIG_IMUNIFY360 = "/etc/sysconfig/imunify360/imunify360-merged.config"

LEVELDB = "/opt/i360_pam_imunify/db/leveldb"

PAM_UNIX_REGEX = re.compile(r"auth\s+.+?\s+pam_unix\.so")

# logger late init in order to let sigterm_handler() to break
# logger_init() if needed
logger = None


class DovecotState(Enum):
    DISABLED = 0
    PAM = 1
    NATIVE = 2


DOVECOT_STATES = {
    "disabled": DovecotState.DISABLED,
    "pam": DovecotState.PAM,
    "native": DovecotState.NATIVE,
}


class Output:
    def status_changed(self, services):
        enabled = []
        already_enabled = []
        disabled = []
        already_disabled = []

        services = OrderedDict(sorted(services.items(), key=lambda x: x[0]))
        for key, value in services.items():
            enabled_prev, enabled_now = value
            if enabled_now:
                if enabled_prev:
                    already_enabled.append(key)
                else:
                    enabled.append(key)
            else:
                if not enabled_prev:
                    already_disabled.append(key)
                else:
                    disabled.append(key)

        message = None
        if len(enabled) > 0:
            message = "imunify360-pam (%s) is now enabled." % ", ".join(enabled)

        if len(already_enabled) > 0:
            message = "imunify360-pam (%s) is already enabled." % ", ".join(
                already_enabled
            )

        if len(disabled) > 0:
            message = "imunify360-pam (%s) is now disabled." % ", ".join(disabled)

        if len(already_disabled) > 0:
            message = "imunify360-pam (%s) is already disabled." % ", ".join(
                already_disabled
            )

        if message:
            self._print(message)

    def status(self, services):
        services = OrderedDict(sorted(services.items(), key=lambda x: x[1]))
        enabled = [key for key, value in services.items() if value]
        if len(enabled) > 0:
            self._print("status: enabled (%s)" % ", ".join(enabled))
        else:
            self._print("status: disabled")

    def warning(self, *args, **kwargs):
        self._print("[WARNING]", *args, **kwargs)

    def error(self, *args, **kwargs):
        self._print("[ERROR]", *args, **kwargs)

    def run_and_log(self, *args, **kwargs):
        subprocess.run(*args, **kwargs)

    def flush(self):
        pass

    def _print(self, *args, **kwargs):
        print(*args, **kwargs)

        # duplicate to pam.log
        if args[0] == "[WARNING]":
            logfun = logger.warning
            args = args[1:]
        elif args[0] == "[ERROR]":
            logfun = logger.error
            args = args[1:]
        else:
            logfun = logger.info
        logfun(" ".join(args))


class YamlOutput(Output):
    def __init__(self):
        self._buffer = {}

    def flush(self):
        print(yaml.safe_dump(self._buffer, default_flow_style=False))

        # duplicate to pam.log
        for k in ["status_changed", "status"]:
            if k in self._buffer:
                logger.info("%s=%r", k, self._buffer[k])

    def status_changed(self, services):
        for service, value in services.items():
            enabled_prev, enabled_now = value
            self._buffer.setdefault("status_changed", {})[service] = {
                "from": "enabled" if enabled_prev else "disabled",
                "to": "enabled" if enabled_now else "disabled",
            }

    def status(self, services):
        for service, enabled in services.items():
            self._buffer.setdefault("status", {})[service] = (
                "enabled" if enabled else "disabled"
            )

    def warning(self, *args, **kwargs):
        self._buffer.setdefault("warnings", []).append(" ".join(args))
        logger.warning(" ".join(args))

    def error(self, *args, **kwargs):
        self._buffer.setdefault("errors", []).append(" ".join(args))
        # catch message and backtrace for sentry
        logger.error(" ".join(args))

    def run_and_log(self, cmd, *args, **kwargs):
        proc = subprocess.run(
            cmd,
            *args,
            **kwargs,
            stdin=subprocess.DEVNULL,
            # capture and combine both streams into one
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT
        )

        if proc.returncode != 0:
            self.warning("%s exit code %d" % (" ".join(cmd), proc.returncode))

        if (
            proc.returncode != 0
            or options.verbose
            or pam_imunify_config().getboolean("verbose")
        ):
            self._buffer.setdefault("subprocess_call", []).append(
                {
                    "cmd": " ".join(cmd),
                    "returncode": proc.returncode,
                    # .decode('ascii', errors='ignore') is to suppress
                    # cPanel tools output colors
                    "output": proc.stdout.decode("ascii", errors="ignore"),
                }
            )


# This function get CP name only
@lru_cache(1)
def get_cp_name():
    panel = "generic"

    # cPanel check
    if os.path.isfile("/usr/local/cpanel/cpanel"):
        panel = "cpanel"

    # Plesk check
    elif os.path.isfile("/usr/local/psa/version"):
        panel = "plesk"

    # DirectAdmin check
    elif os.path.isfile("/usr/local/directadmin/directadmin"):
        panel = "directadmin"

    return panel


def readlink_f(filename):
    """
    Pythonic way of doing /bin/readlink --canonicalize filename
    and is needed for cPanel /etc/pam.d symlinks.
    """
    try:
        result = os.readlink(filename)
    except OSError:
        # not a symlink
        return filename

    if os.path.isabs(result):
        return result
    else:
        return os.path.join(os.path.dirname(filename), result)


def detect_conffiles(output=None):
    if not output:
        output = Output()

    if os.path.exists("/etc/pam.d/common-auth"):
        # debian, ubuntu
        conffiles = ("/etc/pam.d/common-auth",)
    else:
        conffiles = "/etc/pam.d/password-auth", "/etc/pam.d/system-auth"

    if not all(os.path.exists(conf) for conf in conffiles):
        output.error("PAM configuration file(s) not found: %s" % " ".join(conffiles))
        sys.exit(1)

    return [readlink_f(fn) for fn in conffiles]


def atomic_rewrite(filename, content):
    """
    Atomically rewrites filename with given content to
    avoid possible "No space left on device"
    or unintenrional PAM module break.

    Backup original file content to {filename}.i360bak
    """
    if os.path.exists(filename):
        shutil.copy(filename, filename + ".i360bak")

    tmp = filename + ".i360edit"
    with open(tmp, "wb" if isinstance(content, bytes) else "w") as tf:
        tf.write(content)
        try:
            st = os.stat(filename)
        except FileNotFoundError:
            pass
        else:
            os.fchmod(tf.fileno(), st.st_mode)
            os.fchown(tf.fileno(), st.st_uid, st.st_gid)
    ext = 3
    while ext > 0:
        try:
            os.rename(tmp, filename)
        except OSError:
            ext = ext - 1
            if ext == 0:
                output.error("Trouble in renaming of %s to %s" % (tmp, filename))
                sys.exit(1)
        else:
            ext = 0


class i360RPatch:
    def __init__(self, conf_filename, output=None):
        self._conf_filename = conf_filename
        self.output = Output() if not output else output

    def filename(self):
        return os.path.join(
            os.path.dirname(self._conf_filename),
            ".%s.i360patch" % os.path.basename(self._conf_filename),
        )

    def create_upon(self, content):
        cmd = ["/usr/bin/diff", "--unified=1", self._conf_filename, "-"]
        proc = subprocess.Popen(
            cmd, stdin=subprocess.PIPE, stdout=open(self.filename(), "w")
        )
        proc.communicate(content.encode())

        if proc.returncode != 1:
            # not a big deal: will use .i360bak as the last resort
            self.output.warning("'diff -u' error", file=sys.stderr)
            os.unlink(self.filename())

    def apply(self):
        """
        :raise CalledProcessError:
        """
        cmd = ["/usr/bin/patch", "--reverse", self._conf_filename]
        subprocess.check_call(
            cmd, stdin=open(self.filename()), stdout=open("/dev/null", "w")
        )
        os.unlink(self.filename())


def pam_unix_patch_around(pamconfig_lines, pam_unix_ln):
    match_offset = re.search(
        r"success=(\d)\s+default=ignore", pamconfig_lines[pam_unix_ln]
    )

    patch_simple(pamconfig_lines, pam_unix_ln)
    pam_unix_ln += 1

    if match_offset:
        fix_offset(pamconfig_lines, pam_unix_ln, int(match_offset.group(1)))


def dovecot_manyconfigs_basedir() -> Tuple[Iterable[str], str]:
    """
    As per DEF-18259 it comes out that dovecot config main.default and main.local
    files may reside in a directory /var/cpanel/conf/dovecot/main refers it via
    '_use_target_version: ...'

    :return: dovecot multiple configs basedir list and
             warning message if any
    """
    result = set()
    warning_msg = None

    def check_and_use(path_):
        # unwind '/var/cpanel/templates/dovecot -> /var/cpanel/templates/dovecot2.3'
        path_ = readlink_f(path_)

        if os.path.exists(os.path.join(path_, CONFIG_DOVECOT_TMPL)):
            result.add(path_)
            return True
        return False

    check_and_use(CONFIG_DOVECOT_BASEDIR)
    check_and_use(CONFIG_DOVECOT_BASEDIR + CONFIG_DOVECOT_DEFAULT_SUFFIX)

    try:
        with open(CONFIG_DOVECOT_DATASTORE) as f:
            target_version = yaml.safe_load(f)["_use_target_version"]
    except (FileNotFoundError, UnicodeError, yaml.YAMLError) as e:
        warning_msg = "%s: %s" % (CONFIG_DOVECOT_DATASTORE, e)
    except KeyError:
        pass
    else:
        path_ = CONFIG_DOVECOT_BASEDIR + target_version
        if not check_and_use(path_):
            warning_msg = (
                "%s '_use_target_version: %s' refers a non existent "
                "configuration file %r"
                % (CONFIG_DOVECOT_DATASTORE, target_version, path_)
            )

    return result, warning_msg


def insert_imunify_passdb(data, output=None):
    imunify_passdb_template = Template(
        "passdb {\n"
        "  driver = imunify360\n"
        "  args = key=/opt/i360_pam_imunify/key \\\n"
        "         secret=/opt/i360_pam_imunify/secret \\\n"
        "         socket=/opt/i360_pam_imunify/pam_imunify360.sock"
        "$check_only"
        "$result_action\n"
        "}"
    )

    if not output:
        output = Output()

    if not re.search(
        r"passdb\s*\{\s*driver\s*=\s*imunify360.*?}", data, re.DOTALL
    ):  # passdb is already in config
        match = re.search(
            r"passdb\s*\{\s*driver\s*=\s*dict.*?}", data, re.DOTALL
        )  # find default passdb
        if match:
            data = (
                data[: match.end()]
                + "\n"
                + imunify_passdb_template.substitute(
                    check_only="\n", result_action="  result_success = continue"
                )
                + "\n"
                + data[match.end() :]
            )  # insert imunify passdb after default passdb
            return (
                data[: match.start()]
                + "\n"
                + imunify_passdb_template.substitute(
                    check_only=" \\\n         check_only=1\n",
                    result_action="  result_failure = return-fail\n",
                )
                + "\n"
                + data[match.start() :]  # insert imunify passdb before default passdb
            )
        else:  # default passdb missing
            output.error("PAM configuration file parse error: passdb missing")
            sys.exit(1)


def patch_dovecot_config_template(dovecot_state: str, config_basedir: str):
    config_template = os.path.join(config_basedir, CONFIG_DOVECOT_TMPL)
    config_local = os.path.join(config_basedir, CONFIG_DOVECOT_LOCAL)
    passdb_regex = re.compile(r"^\s*passdb\s*\{.*?\}\s*$", re.DOTALL | re.MULTILINE)
    if dovecot_state == DovecotState.PAM or dovecot_state == DovecotState.NATIVE:

        def passdb_replace(match):
            repl = None
            if dovecot_state == DovecotState.PAM:
                repl = re.sub(r"driver\s*=.*", "driver = pam", match.group(0))
                repl = re.sub(
                    r"args\s*=.*",
                    r"args = "
                    r"[% IF allow_domainowner_mail_pass %]"
                    r"dovecot_imunify_domainowner"
                    r"[% ELSE %]dovecot_imunify[% END %]",
                    repl,
                )

            if dovecot_state == DovecotState.NATIVE:
                repl = re.sub(
                    r"result_internalfail\s*=.*",
                    "result_success = continue-ok",
                    match.group(0),
                )
                repl = re.sub(
                    r"result_failure\s*=.*", "result_failure = continue-fail", repl
                )
            return repl

        data = Path(config_template).read_text()
        data = re.sub(passdb_regex, passdb_replace, data)
        if dovecot_state == DovecotState.NATIVE:
            data = insert_imunify_passdb(data)

        if not options.dry:
            with open(config_local, "w") as f:
                f.write(data)
        else:
            return
    elif dovecot_state == DovecotState.DISABLED:
        with suppress(FileNotFoundError):
            os.unlink(config_local)


def change_dovecot_state(dovecot_state, output=None):
    """
    Enable or disable pam_imunify support for Dovecot
    """
    if not output:
        output = Output()

    manyconfigs, warn = dovecot_manyconfigs_basedir()
    if warn:
        output.warning(warn)
    if len(manyconfigs) == 0:
        output.error("Dovecot config template file not found. Aborting.")
        sys.exit(1)
    for config_basedir in manyconfigs:
        patch_dovecot_config_template(dovecot_state, config_basedir)

    if not options.norestart:
        if os.path.isfile("/scripts/builddovecotconf"):
            output.run_and_log(["/scripts/builddovecotconf"])
        if os.path.isfile("/scripts/restartsrv_dovecot"):
            output.run_and_log(["/scripts/restartsrv_dovecot"])


def service_incompatibility_panic(msg):
    """
    So far we decided to report service incompatibility error as warning,
    with the only exception for --dry-run option.

    Otherwise we break agent PAM subsystem loop with the error when
    a client copied imunify360-merged.config from one server to another server
    in a case when the first server is compatible with that PAM integration feature
    but the second server is not capable with.
    """
    if options.dry:
        output.error(msg)
        sys.exit(1)
    else:
        output.warning(msg)
        sys.exit(0)


def cpanel_only_feature(service):
    def decorator(fun):
        @wraps(fun)
        def wrapper(*args, **kwargs):
            if get_cp_name() != "cpanel":
                service_incompatibility_panic(
                    "%s is not supported for %s."
                    % (service, get_cp_name().capitalize())
                )
            else:
                return fun(*args, **kwargs)

        return wrapper

    return decorator


def toggle_proftpd_support(enable=True, output=None):
    """
    Enable or disable pam_imunify support for ProFTPd
    """
    conf = CONFIG_PROFTPD
    if not os.path.isfile(conf):
        output.error("ProFTPD config file not found. Aborting.")
        sys.exit(1)

    if enable:
        version_output = subprocess.check_output(
            [
                "in.proftpd" if get_cp_name() == "plesk" else "proftpd",
                "--version-status",
            ],
            stderr=subprocess.DEVNULL,
        ).decode(sys.stdout.encoding)
        if "mod_auth_pam" not in version_output:
            service_incompatibility_panic(
                "ProFTPD built without PAM support. "
                "pam_imunify for FTP is NOT enabled."
            )

        version_regex = re.compile(r"ProFTPD Version:\s([0-9a-z\.]+)")
        version_found = version_regex.search(version_output)
        if version_found:
            version = LooseVersion(version_found.group(1))
            if version < LooseVersion("1.3.6c") or version.vstring.startswith(
                "1.3.6rc"
            ):
                if get_cp_name() == "cpanel":
                    service_incompatibility_panic(
                        "ProFTPD needs to be upgraded to "
                        "cPanel version 88 or higher. "
                        "pam_imunify for FTP is NOT enabled."
                    )
                else:
                    service_incompatibility_panic(
                        "ProFTPD needs to be upgraded. "
                        "pam_imunify for FTP is NOT enabled."
                    )

    if not output:
        output = Output()

    authpam_imunify = (
        "AuthOrder mod_auth_pam.c* mod_auth_file.c\n"
        "AuthPAM on\n"
        "AuthPAMConfig proftpd_imunify\n"
    )

    authpam_regex = re.compile(r"(^AuthPAM.*\n?)+", re.MULTILINE)

    data = open(conf).read()
    authpam_found = authpam_regex.search(data)

    if enable:
        if authpam_found:
            authpam_span = authpam_found.span()
            data = data[: authpam_span[0]] + authpam_imunify + data[authpam_span[1] :]
        else:
            data = authpam_imunify + "\n" + data

        if not options.dry:
            atomic_rewrite(conf, data)
        else:
            return
    else:
        conf_bak = conf + ".i360bak"
        if os.path.isfile(conf_bak):
            os.rename(conf_bak, conf)
        else:
            output.error(
                "Failed to disable proftpd integration: %s not found" % conf_bak
            )
            sys.exit(1)
    if os.path.isfile("/scripts/restartsrv_ftpd"):
        output.run_and_log(["/scripts/restartsrv_ftpd"])


def file_patchline(config: str, pattern, repl: bytes, reverse: bool):
    """
    Patch config file line inplace and backup config to '%s.i360bak' % config
    :param config: file path
    :param pattern: re.compile(b'...') result type
    :param reverse: revert back the previos operation on the same config file
    """
    if reverse:
        # lookup replacement in config_i360bak
        try:
            with open("%s.i360bak" % config, "rb") as f:
                repl = next(ln for ln in f if re.match(pattern, ln))
        except (FileNotFoundError, StopIteration):
            # there were no such entry before us
            repl = b""

    if os.path.exists(config):
        with open(config, "rb") as f:
            conf_before = f.read()
            conf_after = re.sub(pattern, repl, conf_before, count=1)
            if conf_after == conf_before and not repl in conf_after:
                conf_after = (
                    conf_before + (b"" if conf_before.endswith(b"\n") else b"\n") + repl
                )
        if conf_after != conf_before:
            atomic_rewrite(config, conf_after)
    else:
        atomic_rewrite(config, repl)


def is_pureftpd_supported():
    # Pure-FTPd writes output to stdin, so we have to use
    # pipes to read from stdin afterwards...
    pipe_r, pipe_w = map(os.fdopen, os.pipe())

    def finalize():
        pipe_w.close()
        pipe_r.close()

    try:
        subprocess.check_output(
            ["pure-ftpd", "-l", "pam"],
            stdin=pipe_w,
            stderr=subprocess.STDOUT,
            timeout=1,
        )
    except subprocess.CalledProcessError:
        # after pipe_w.close() we can do pipe_r.read()
        pipe_w.close()
        with closing(pipe_r):
            # 421 Unknown authentication method: pam
            if pipe_r.read().startswith("421 "):
                return False
    except subprocess.TimeoutExpired:
        # This could happen if pam is supported
        # and pure-ftpd has started
        finalize()
    else:
        finalize()

    return True

def is_pureftpd_enabled():
    """
    Check if pure-ftpd.conf contains /var/run/ftpd.imunify360.sock
    """
    if not os.path.isfile(CONFIG_PUREFTPD):
        return False

    imunify360_regex = re.compile(
        rb"^(?!#).*\/var\/run\/ftpd.imunify360.sock",
        re.MULTILINE
    )

    return imunify360_regex.search(
               open(CONFIG_PUREFTPD, "rb").read()) is not None

def toggle_pureftpd_conf_support(enable, output):
    extauth_regex = re.compile(rb"^\s*ExtAuth\s.*$", re.MULTILINE)
    extauth_imunify = b"ExtAuth /var/run/ftpd.imunify360.sock"

    file_patchline(CONFIG_PUREFTPD, extauth_regex, extauth_imunify, reverse=enable is False)

    if not options.norestart_pureftpd and \
            os.path.isfile("/scripts/restartsrv_ftpd"):
        output.run_and_log(["/scripts/restartsrv_ftpd"])

def toggle_pureftpd_cpanel_support(enable, output):
    extauth_regex = re.compile(rb"^\s*ExtAuth:\s.*$", re.MULTILINE)
    extauth_imunify = b"ExtAuth: /var/run/ftpd.imunify360.sock"

    file_patchline(CONFIG_TEMPLATE_PUREFTPD, extauth_regex, extauth_imunify, reverse=enable is False)

    if os.path.isfile("/scripts/setupftpserver"):
        output.run_and_log(["/usr/local/cpanel/scripts/setupftpserver", "--force", "pure-ftpd"])

def disable_ftp_protection():
    if not os.path.exists(CONFIG_IMUNIFY360):
        return

    ftp_protection_pattern = re.compile(
        rb"^(?!#)([^\S\r\n]*ftp_protection:[^\S\r\n])*true",
        re.MULTILINE
    )
    def replacement(match):
        return match.group(1) + b'false'

    with open(CONFIG_IMUNIFY360, "rb") as f:
        contents = f.read()
        if ftp_protection_pattern.search(contents):
            disabled_ftp_content = re.sub(
                ftp_protection_pattern,
                replacement,
                contents,
                count=1
            )
            atomic_rewrite(CONFIG_IMUNIFY360, disabled_ftp_content)

def toggle_pureftpd_support(enable=True, output=None):
    """
    Enable or disable pam_imunify support for PureFTPd
    """
    conf = CONFIG_PUREFTPD
    if not os.path.isfile(conf):
        output.error("Pure-FTPd config file not found. Aborting.")
        sys.exit(1)
    if enable:
        if not is_pureftpd_supported():
            service_incompatibility_panic(
                "Pure-FTPd built without PAM support. "
                "pam_imunify for FTP is NOT enabled."
            )

    # ensure that ftp_protection is disabled in imunify360-merged.config
    if enable is False:
        disable_ftp_protection()

    if not output:
        output = Output()
    if options.dry:
        return

    toggle_pureftpd_conf_support(enable, output)

def toggle_sshd_support(conffiles, enable=True, output=None):
    """
    Enable or disable pam_imunify module for sshd authentication
    """
    if not output:
        output = Output()

    if enable:
        for conf in conffiles:
            lines = open(conf).readlines()

            try:
                pam_unix_ln = next(
                    ln for ln, line in enumerate(lines) if PAM_UNIX_REGEX.search(line)
                )
            except StopIteration:
                output.error("PAM configuration file %s parse error" % conf)
                sys.exit(1)

            pam_unix_patch_around(lines, pam_unix_ln)

            content = "".join(lines)
            i360RPatch(conf, output).create_upon(content)
            if not options.dry:
                atomic_rewrite(conf, content)
    else:
        for conf in conffiles:
            rpatch = i360RPatch(conf, output)
            if os.path.exists(rpatch.filename()):
                try:
                    rpatch.apply()
                    continue
                except subprocess.CalledProcessError as e:
                    output.warning(
                        "'patch -R' was not successful: %s" % e, file=sys.stderr
                    )
            else:
                output.warning(
                    "File not found: %s" % rpatch.filename(), file=sys.stderr
                )

            atomic_rewrite(conf, open(conf + ".i360bak").read())


def set_panel_integration(confs, output=None):
    imunify_regex = re.compile(r"auth\s+sufficient\s+pam_imunify\.so")
    assert get_cp_name() == "cpanel", "The only supported integration so far."

    if not output:
        output = Output()

    for conf in confs:
        lines = open(conf).readlines()

        try:
            imunify_ln = next(
                ln for ln, line in enumerate(lines) if imunify_regex.search(line)
            )
        except StopIteration:
            output.error("PAM configuration file %s parse error" % conf)
            sys.exit(1)

        match_count = 0

        def panel_replace(match):
            nonlocal match_count
            if match.group() in ["cpanel", "plesk", "directadmin"]:
                match_count += 1
                return get_cp_name()
            return match.group()

        lines[imunify_ln] = re.sub(r"\b([^\s]+)\b", panel_replace, lines[imunify_ln])

        if match_count == 0:
            lines[imunify_ln] = "%s %s\n" % (lines[imunify_ln].strip(), get_cp_name())

        content = "".join(lines)
        atomic_rewrite(conf, content)
        os.unlink(conf + ".i360bak")


def patch_simple(pamconfig_lines, pam_unix_ln):
    pamconfig_lines.insert(pam_unix_ln + 1, "auth\trequired\tpam_imunify.so\n")
    pamconfig_lines.insert(pam_unix_ln, "auth\trequired\tpam_imunify.so\tcheck_only\n")


def fix_offset(pamconfig_lines, pam_unix_ln, pam_unix_success_offset):
    bump_to = pam_unix_success_offset + 1
    pamconfig_lines[pam_unix_ln] = re.sub(
        r"success=\d", "success=%d" % bump_to, pamconfig_lines[pam_unix_ln]
    )


def dovecot_state():
    pam_dovecot_enabled = (
        os.path.isfile(CONFIG_DOVECOT)
        and "dovecot_imunify" in open(CONFIG_DOVECOT).read()
    )
    native_dovecot_enabled = (
        os.path.isfile(CONFIG_DOVECOT) and "imunify360" in open(CONFIG_DOVECOT).read()
    )

    if pam_dovecot_enabled:
        return DovecotState.PAM
    elif native_dovecot_enabled:
        return DovecotState.NATIVE
    else:
        return DovecotState.DISABLED


class Cmd:
    @classmethod
    def enable(cls, conffiles, output=None):
        if not output:
            output = Output()

        if any("pam_imunify.so" in open(conf).read() for conf in conffiles):
            cls._cphulk_check()
            output.status_changed({"sshd": (True, True)})
            return

        toggle_sshd_support(conffiles, True, output)

        if not options.dry:
            cls._cphulk_check(output)
            output.status_changed({"sshd": (False, True)})

    @staticmethod
    @cpanel_only_feature("Dovecot")
    def set_dovecot(conffiles, output=None):
        if not output:
            output = Output()

        target_dovecot_state = DOVECOT_STATES[options.dovecot_state]
        if target_dovecot_state:
            prev_dovecot_state = dovecot_state()
            if prev_dovecot_state != target_dovecot_state:
                set_panel_integration(
                    [CONFIG_PAM_DOVECOT, CONFIG_PAM_DOVECOT_DOMAINOWNER], output
                )
                change_dovecot_state(target_dovecot_state, output)
            if target_dovecot_state in [DovecotState.PAM, DovecotState.NATIVE]:
                output.status_changed(
                    {
                        "dovecot-{}".format(options.dovecot_state): (
                            prev_dovecot_state == target_dovecot_state,
                            True,
                        )
                    }
                )
            else:
                output.status_changed(
                    {"dovecot": (prev_dovecot_state != target_dovecot_state, False)}
                )

        else:
            output.error("Unexpected dovecot state {}".format(options.dovecot_state))

    @staticmethod
    @cpanel_only_feature("ProFTPd")
    def enable_proftpd(conffiles, output=None):
        if not output:
            output = Output()

        set_panel_integration([CONFIG_PAM_PROFTPD], output)

        proftpd_enabled = (
            os.path.isfile(CONFIG_PROFTPD)
            and "proftpd_imunify" in open(CONFIG_PROFTPD).read()
        )

        if not proftpd_enabled:
            toggle_proftpd_support(True, output)

        if not options.dry:
            output.status_changed({"ftp": (proftpd_enabled, True)})

    @staticmethod
    @cpanel_only_feature("Pure-FTPd")
    def enable_pureftpd(conffiles, output=None):
        if not output:
            output = Output()

        panel = get_cp_name()

        pureftpd_enabled = is_pureftpd_enabled()

        if not pureftpd_enabled:
            toggle_pureftpd_support(True, output)

        if not options.dry:
            output.status_changed({"ftp": (pureftpd_enabled, True)})

    @staticmethod
    def disable_all(conffiles, output=None):
        if not output:
            output = Output()

        dovecot_enabled = dovecot_state() != DovecotState.DISABLED
        proftpd_enabled = (
            os.path.isfile(CONFIG_PROFTPD)
            and "proftpd_imunify" in open(CONFIG_PROFTPD).read()
        )
        pureftpd_enabled = is_pureftpd_enabled()
        sshd_enabled = any("pam_imunify.so" in open(conf).read() for conf in conffiles)

        if dovecot_enabled:
            change_dovecot_state(DovecotState.DISABLED, output)

        if proftpd_enabled:
            toggle_proftpd_support(False, output)

        if pureftpd_enabled:
            toggle_pureftpd_support(False, output)

        if sshd_enabled:
            toggle_sshd_support(conffiles, False, output)

        output.status_changed(
            {
                "sshd": (sshd_enabled, False),
                "dovecot": (dovecot_enabled, False),
                "ftp": (proftpd_enabled or pureftpd_enabled, False),
            }
        )

    @staticmethod
    def disable(conffiles, output=None):
        if not output:
            output = Output()

        sshd_enabled = any("pam_imunify.so" in open(conf).read() for conf in conffiles)

        if sshd_enabled:
            toggle_sshd_support(conffiles, False, output)

        output.status_changed({"sshd": (sshd_enabled, False)})

    @staticmethod
    def disable_proftpd(conffiles, output=None):
        if not output:
            output = Output()

        proftpd_enabled = (
            os.path.isfile(CONFIG_PROFTPD)
            and "proftpd_imunify" in open(CONFIG_PROFTPD).read()
        )
        if proftpd_enabled:
            toggle_proftpd_support(False, output)

        output.status_changed({"ftp": (proftpd_enabled, False)})

    @staticmethod
    def disable_pureftpd(conffiles, output=None):
        if not output:
            output = Output()

        pureftpd_enabled = is_pureftpd_enabled()
        if pureftpd_enabled:
            toggle_pureftpd_support(False, output)

        output.status_changed({"ftp": (pureftpd_enabled, False)})

    @staticmethod
    @cpanel_only_feature("FTP service")
    def enable_ftp(conffiles, output=None):
        if not output:
            output = Output()

        with open("/var/cpanel/cpanel.config", "r") as cpcfg:
            data = cpcfg.read()
            if "ftpserver=proftpd" in data:
                Cmd.enable_proftpd(conffiles, output)
            elif "ftpserver=pure-ftpd" in data:
                Cmd.enable_pureftpd(conffiles, output)
            else:
                service_incompatibility_panic("No supported FTP found.")

    @staticmethod
    def disable_ftp(conffiles, output=None):
        if not output:
            output = Output()

        proftpd_enabled = (
            os.path.isfile(CONFIG_PROFTPD)
            and "proftpd_imunify" in open(CONFIG_PROFTPD).read()
        )
        pureftpd_enabled = is_pureftpd_enabled()

        if proftpd_enabled:
            toggle_proftpd_support(False, output)

        if pureftpd_enabled:
            toggle_pureftpd_support(False, output)

        output.status_changed({"ftp": (proftpd_enabled or pureftpd_enabled, False)})

    @classmethod
    def status(cls, conffiles, output=None):
        if not output:
            output = Output()

        dovecot_enabled = dovecot_state() != DovecotState.DISABLED
        sshd_enabled = any("pam_imunify.so" in open(conf).read() for conf in conffiles)
        proftpd_enabled = (
            os.path.isfile(CONFIG_PROFTPD)
            and "proftpd_imunify" in open(CONFIG_PROFTPD).read()
        )
        pureftpd_enabled = is_pureftpd_enabled()

        if dovecot_enabled or sshd_enabled or proftpd_enabled or pureftpd_enabled:
            cls._cphulk_check(output)

        output.status(
            {
                "sshd": sshd_enabled,
                "dovecot-pam": dovecot_state() == DovecotState.PAM,
                "dovecot-native": dovecot_state() == DovecotState.NATIVE,
                "ftp": proftpd_enabled or pureftpd_enabled,
            }
        )

    @staticmethod
    def state_reset(*_):
        subprocess.check_call(["service", "imunify360-pam", "stop"])
        shutil.rmtree(LEVELDB)
        logger.info("rm -rf %s", LEVELDB)
        subprocess.check_call(["service", "imunify360-pam", "start"])

    @staticmethod
    def _cphulk_check(output=None):
        if not os.path.isfile("/usr/sbin/whmapi1"):
            return
        if not options.verbose and not pam_imunify_config().getboolean("verbose"):
            return

        if not output:
            output = Output()

        proc = subprocess.run(
            ["whmapi1", "servicestatus", "service=cphulkd"],
            stdin=subprocess.DEVNULL,
            stdout=subprocess.PIPE,
        )
        if proc.returncode != 0:
            # we expect err dump is printed to stderr
            return

        try:
            status = yaml.safe_load(proc.stdout)
            if status["data"]["service"][0]["enabled"]:
                output.warning("cPHulk is enabled", file=sys.stderr)
        except (yaml.YAMLError, IndexError, KeyError) as e:
            output.warning("whmapi error:", e, file=sys.stderr)


def sigterm_handler(signum, frame):
    """
    generate backtrace on SIGTERM
    """
    traceback.print_stack(frame, file=sys.stderr)
    print("caught SIGTERM.", file=sys.stderr)
    if logger is not None:
        logger.fatal("caught SIGTERM.")
    sys.exit(15)


if __name__ == "__main__":
    def add_opt_args(parser):
        parser.add_argument(
            "-r",
            "--dry-run",
            dest="dry",
            action="store_true",
            help="Dry run the command, whithout changing of state",
        )
        parser.add_argument(
            "-n",
            "--no-restart",
            dest="norestart",
            action="store_true",
            help="Don't restart dovecot and don't rebuild, just patch local dovecot template (cPanel only)",
        )
        parser.add_argument(
            "--no-restart-pureftpd",
            dest="norestart_pureftpd",
            action="store_true",
            help="Don't restart pureftpd",
        )
        parser.add_argument(
            "--yaml", dest="yaml", action="store_true", help="for YAML output"
        )
        parser.add_argument("-v", "--verbose", dest="verbose", action="store_true")

    signal.signal(signal.SIGTERM, sigterm_handler)
    logger = logger_init(console_stream=None)
    parser = argparse.ArgumentParser()
    subparsers = parser.add_subparsers(dest="cmd")
    subparsers.required = True

    for command in sorted(
        (cmd.replace("_", "-") for cmd in dir(Cmd) if not cmd.startswith("_")),
        reverse=True,
    ):
        if command == "set-dovecot":
            command_parser = subparsers.add_parser(command)
            command_parser.add_argument(
                "dovecot_state", type=str, choices=["pam", "native", "disabled"]
            )
            add_opt_args(command_parser)
        else:
            command_parser = subparsers.add_parser(command)
            add_opt_args(command_parser)

    options = parser.parse_args()
    output = YamlOutput() if options.yaml else Output()
    try:
        cmd = getattr(Cmd, options.cmd.replace("-", "_"))
        cmd(detect_conffiles(output), output)
    except Exception as e:
        logger.exception("unexpected error: %s", e)
    finally:
        # even if we caught an exception there is still a possibility
        # that stdout is still usable (at least partially)
        output.flush()

Youez - 2016 - github.com/yon3zu
LinuXploit