HEX
Server: LiteSpeed
System: Linux premium263.web-hosting.com 4.18.0-553.50.1.lve.el8.x86_64 #1 SMP Thu Apr 17 19:10:24 UTC 2025 x86_64
User: eastcjee (525)
PHP: 8.2.31
Disabled: NONE
Upload Files
File: //opt/cloudlinux/venv/lib/python3.11/site-packages/lvemanager/__pycache__/sudoers.cpython-311.pyc
�

�Y:j�,���dZddlmZddlmZddlmZddlZddlZddlZddlm	Z	ddl
mZmZddl
mZmZdd	lmZdd
l
mZddlmZdZd
ZdZdZeddh��ZdZd�Zd�Zd�Zd�Zd�Z d�Z!d�Z"d�Z#d�Z$dS)u�
clsudoers unix group management for lvemanager.

Operator upgrade note (CLOS-4576, F-37): ``add_unix_user_to_sudoers()`` now
fails closed when the ``clsudoers`` unix group has pre-existing members
outside the legitimate set (``admins()`` + the user being added +
package-owned members ``root`` / ``lvemanager``). Previously,
``groupadd -f`` was silently idempotent and any stowaway primary-GID
owners or ``gr_mem`` entries (left by manual admin steps or another
RPM's post-install) were quietly elevated to passwordless sudo for
selectorctl / cloudlinux-selector.

The allowlist explicitly includes ``root`` (implicit group membership in
many tools) and ``lvemanager`` (the package's runtime user, placed in
``clsudoers`` by the lvemanager RPM's ``%post`` for SPA's clsudo flow on
DirectAdmin/Plesk) — so the gate fires only on the F-37 attack signature
(a stowaway secondary member or a primary-GID-reuse owner), not on
legitimate package-installed state.

After upgrading to a build that ships this change, the first admin-add
operation on an AFFECTED host (one with non-package stowaways in the
group) raises an exception from ``_assert_sudoers_group_clean()``. To
recover, operators must either:

  * remove the stowaway entries from the ``clsudoers`` group (audit with
    ``getent group clsudoers`` and ``awk -F: '$4==<gid> {print $1}' /etc/passwd``
    for primary-GID owners), OR
  * add those users via the panel's ``admins()`` interface (panel admin user
    list) so they are recognised as legitimate members before retrying.

This is intentional — silent elevation of unaudited accounts is the
vulnerability being closed; reverting to ``groupadd -f`` idempotence is not
an acceptable workaround.
�)�print_function)�division)�absolute_importN)�remount_proc)�admins�	getCPName)�
SysCtlConf�SYSCTL_CL_CONF_FILE)�Feature)�is_panel_feature_supported)�Clsudo�admin�
clsupergid�	clsudoersi��root�
lvemanager)�lvemanager_c�����dkrdS�tvpt�fd�tD����}|sdS	tj���jtkS#t$rYdSwxYw)u�Return True if `name` is a known package-owned `clsudoers` member
    (always-allowed name OR an lvemanager-package-family name) AND lives
    in the system-UID range. Both conditions are required — a regular
    user named `lvemanager_evil` (UID 5000) is NOT package-owned; an
    unrelated system account named `daemon` (UID 2) is NOT package-owned
    either. The gate exists to fire on the F-37 priv_group_reuse
    signature; we only want to exempt the RPM's own post-install state.
    rTc3�B�K�|]}��|��V��dS�N)�
startswith)�.0�p�names  ��I/opt/cloudlinux/venv/lib64/python3.11/site-packages/lvemanager/sudoers.py�	<genexpr>z(_is_system_owned_user.<locals>.<genexpr>as/�����O�O�1�D�O�O�A���O�O�O�O�O�O�F)� _PACKAGE_OWNED_CLSUDOERS_MEMBERS�any�&_PACKAGE_OWNED_CLSUDOERS_NAME_PREFIXES�pwd�getpwnam�pw_uid�_SYSTEM_UID_MAX�KeyError)r�
is_known_names` r�_is_system_owned_userr'Ss�����v�~�~��t��0�0�	P��O�O�O�O�(N�O�O�O�O�O�����u���|�D�!�!�(�O�;�;�������u�u����s�!A�
A(�'A(c�F�tjdd||g��}|dkrdSdS)zAdd user to given unix group�/usr/bin/gpasswdz-arFT��
subprocess�call��	user_name�
group_name�retcodes   r�_add_user_to_groupr1ms.���o�1�4��J�O�P�P�G��!�|�|��u��4rc�F�tjdd||g��}|dkrdSdS)Nr)z-drFTr*r-s   r�_remove_user_from_groupr3vs.���o�1�4��J�O�P�P�G��!�|�|��u��4rc��tt����}||vr|�|��|D]}t||���dS)z�
    Add all present DA admins (plus new_admin_name admin) to supplied group
    :param new_admin_name: new admin name to add
    :return:
    N)�listr�appendr1)r/�new_admin_name�
admin_listrs    r�_add_admins_into_groupr9}s^���f�h�h���J��Z�'�'����.�)�)�)��.�.���5�*�-�-�-�-�.�.rc�D�tjdd|g��}|dkrdSdS)zCreate group with given namez/usr/sbin/groupaddz-frFTr*)r/r0s  r�
_create_groupr;�s,���o�3�T�:�F�G�G�G��!�|�|��u��4rc���ttjt��j��}tt���}|�d��}|�d��s-|�	d|��tt|��dSt��dkrr	ttjt��j��}n#t$rd}YnwxYw||kr-|�	d|��tt|��dS	t|��}n#t$rt!d���wxYwtj|��j}t||��dS)z�
    Add all present DA admins (plus new_admin_name admin) to current supergid group
    :param new_admin_name: new admin name to add
    :return:
    )�config_filezfs.proc_super_gidN�DirectAdminz6Bad fs.proc_super_gid option value in /etc/sysctl.conf)�str�grp�getgrnam�SUPER_GROUP_NAME�gr_gidr	r
�get�
has_parameter�setr9r�DEFAULT_GROUP_NAMEr%�int�
ValueError�RuntimeError�getgrgid�gr_name)r7�	super_gid�
sysctl_cfg�proc_super_gid�	admin_gid�proc_super_names      r�_add_admins_into_supergid_grprR�s����C�L�!1�2�2�9�:�:�I��(;�<�<�<�J� �^�^�$7�8�8�N��#�#�$7�8�8�
����*�I�6�6�6��/��@�@�@���	���
�	%�	%�	��C�L�);�<�<�C�D�D�I�I���	�	�	��I�I�I�	�����Y�&�&��N�N�.�	�:�:�:�"�#3�^�D�D�D��F�U��^�,�,�����U�U�U��S�T�T�T�U�����l�>�2�2�:�O��?�N�;�;�;�;�;s�++C�C&�%C&�D-�-Ec����	tj|���n#t$rYdSwxYwt|����fd��jD��}��fd�tj��D��}|s|rtd|�d|�d|�����dS)a?
    Refuse to grant %group_name passwordless sudo if the unix group already
    exists with members or primary-GID owners that the lvemanager flow did
    not place there. `groupadd -f` is silently idempotent and would otherwise
    elevate any pre-existing member on the first call.

    :param group_name: target group (clsudoers)
    :param expected_members: iterable of usernames the lvemanager flow is
        about to authorize (panel admins + the user being added).
    :raises Exception: if any unexpected secondary member or primary-GID
        owner is found.
    Nc�:��g|]}|�v�t|���|��S�)r')r�m�expecteds  �r�
<listcomp>z/_assert_sudoers_group_clean.<locals>.<listcomp>�s<��������H���%:�1�%=�%=��	
���rc�x��g|]6}|j�jkr$|j�v�t|j���/|j��7SrU)�pw_gidrC�pw_namer')rrrW�grs  ��rrXz/_assert_sudoers_group_clean.<locals>.<listcomp>�sS��������8�r�y� � �
�I�X�%�%�%�a�i�0�0�
&�	
�	�%�%�%rzERROR: refusing to grant %z9 passwordless sudo: group already has unexpected members z and primary-GID owners )r@rAr%rF�gr_memr!�getpwall�	Exception)r/�expected_members�unexpected_members�unexpected_primaryrWr\s    @@r�_assert_sudoers_group_cleanrc�s�����
�\�*�
%�
%����������������#�$�$�H������9�����������<�>�>������E�/�E��i��
�
�.�.�.�0B�0B�
D�E�E�	E�E�Es��
'�'c���ttj��rjtt��stdtz���t
|��t|t��std|�dt�d����tt����}|�
|��|�t��tt|��tt��stdtz���t|t��std|�dt�d����t��}|�t��t#��dS)NzERROR: Can't create %s group
zERROR: Can't add user z to z group
)rr�LVEr;rBr_rRr1rFr�add�updaterrc�SUDOERS_GROUP_NAMEr
�add_lvemanager_groupr)r�expected_clsudoers�sudos   r�add_unix_user_to_sudoersrl�sd��!�'�+�.�.�)��-�.�.�	Q��<�?O�O�P�P�P�%�d�+�+�+�!�$�(8�9�9�	)��)����&�&�&�(�)�)�
)��V�X�X�������4� � � ����>�?�?�?�� 2�4F�G�G�G��+�,�,�O��8�;M�M�N�N�N��d�$6�7�7�'��i��D�D�$�$�$�&�'�'�	'��8�8�D����0�1�1�1��N�N�N�N�Nrc�Z�t|t��t|t��dSr)r3rBrh)rs r�remove_unix_user_from_sudoersrns*���D�"2�3�3�3��D�"4�5�5�5�5�5r)%�__doc__�
__future__rrrr@r!r+�cl_proc_hidepidr�clcommon.cpapirr�clcommon.sysctlr	r
�clcommon.constrr�clsudor
rGrBrhr$�	frozensetrr r'r1r3r9r;rRrcrlrnrUrr�<module>rws���!�!�F&�%�%�%�%�%�������&�&�&�&�&�&�
�
�
�
�
�
�
�
�����(�(�(�(�(�(�,�,�,�,�,�,�,�,�;�;�;�;�;�;�;�;�"�"�"�"�"�"�5�5�5�5�5�5��������� ��!����$-�9�f�l�-C�#D�#D� �)9�&����4������.�.�.����$<�$<�$<�N/E�/E�/E�d#�#�#�L6�6�6�6�6r