File: //opt/cloudlinux/venv/lib/python3.11/site-packages/lvemanager/__pycache__/sudoers.cpython-311.pyc
�
�Y:j�, � � � d Z ddlmZ ddlmZ ddlmZ ddlZddlZddlZddlm Z ddl
mZmZ ddl
mZmZ dd lmZ dd
l
mZ ddlmZ dZd
ZdZdZ eddh� � ZdZd� Zd� Zd� Zd� Zd� Z d� Z!d� Z"d� Z#d� Z$dS )u�
clsudoers unix group management for lvemanager.
Operator upgrade note (CLOS-4576, F-37): ``add_unix_user_to_sudoers()`` now
fails closed when the ``clsudoers`` unix group has pre-existing members
outside the legitimate set (``admins()`` + the user being added +
package-owned members ``root`` / ``lvemanager``). Previously,
``groupadd -f`` was silently idempotent and any stowaway primary-GID
owners or ``gr_mem`` entries (left by manual admin steps or another
RPM's post-install) were quietly elevated to passwordless sudo for
selectorctl / cloudlinux-selector.
The allowlist explicitly includes ``root`` (implicit group membership in
many tools) and ``lvemanager`` (the package's runtime user, placed in
``clsudoers`` by the lvemanager RPM's ``%post`` for SPA's clsudo flow on
DirectAdmin/Plesk) — so the gate fires only on the F-37 attack signature
(a stowaway secondary member or a primary-GID-reuse owner), not on
legitimate package-installed state.
After upgrading to a build that ships this change, the first admin-add
operation on an AFFECTED host (one with non-package stowaways in the
group) raises an exception from ``_assert_sudoers_group_clean()``. To
recover, operators must either:
* remove the stowaway entries from the ``clsudoers`` group (audit with
``getent group clsudoers`` and ``awk -F: '$4==<gid> {print $1}' /etc/passwd``
for primary-GID owners), OR
* add those users via the panel's ``admins()`` interface (panel admin user
list) so they are recognised as legitimate members before retrying.
This is intentional — silent elevation of unaudited accounts is the
vulnerability being closed; reverting to ``groupadd -f`` idempotence is not
an acceptable workaround.
� )�print_function)�division)�absolute_importN)�remount_proc)�admins� getCPName)�
SysCtlConf�SYSCTL_CL_CONF_FILE)�Feature)�is_panel_feature_supported)�Clsudo�admin�
clsupergid� clsudoersi� �root�
lvemanager)�lvemanager_c �� � � � dk rdS � t v pt � fd�t D � � � � }|sdS t j � � � j t k S # t $ r Y dS w xY w)u� Return True if `name` is a known package-owned `clsudoers` member
(always-allowed name OR an lvemanager-package-family name) AND lives
in the system-UID range. Both conditions are required — a regular
user named `lvemanager_evil` (UID 5000) is NOT package-owned; an
unrelated system account named `daemon` (UID 2) is NOT package-owned
either. The gate exists to fire on the F-37 priv_group_reuse
signature; we only want to exempt the RPM's own post-install state.
r Tc 3 �B �K � | ]}�� |� � V � �d S �N)�
startswith)�.0�p�names ��I/opt/cloudlinux/venv/lib64/python3.11/site-packages/lvemanager/sudoers.py� <genexpr>z(_is_system_owned_user.<locals>.<genexpr>a s/ �� � � �O�O�1�D�O�O�A���O�O�O�O�O�O� F)� _PACKAGE_OWNED_CLSUDOERS_MEMBERS�any�&_PACKAGE_OWNED_CLSUDOERS_NAME_PREFIXES�pwd�getpwnam�pw_uid�_SYSTEM_UID_MAX�KeyError)r �
is_known_names ` r �_is_system_owned_userr'