shell bypass 403
UnknownSec Shell
:
/
opt
/
cloudlinux
/
venv
/
lib
/
python3.11
/
site-packages
/ [
drwxr-xr-x
]
upload
mass deface
mass delete
console
info server
name :
lveapi.py
#!/usr/bin/env python # -*- coding: utf-8 -*- # Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2019 All Rights Reserved # # Licensed under CLOUD LINUX LICENSE AGREEMENT # http://cloudlinux.com/docs/LICENSE.TXT import contextlib import os import errno import syslog import time import pwd from typing import Optional # NOQA from clcommon.clfunc import uid_max from clcommon.clproc import ProcLve from clcommon import cpapi, ClPwd from clcommon.cpapi.cpapiexceptions import NotSupported try: import pylve except ImportError: pylve = None from clveconfig import ve_config UID_MAX = uid_max() # kernel devs say that lve_id type is uint32_t # so max id should be 0xFFFF_FFFF, it in fact we have this: MAX_LVE_ID = 0x7FFFFFFF - 1 LVP_XML_TAG_NAME = "reseller" LVE_NO_UBC = 1 << 1 LVE_NO_MAXENTER = 1 << 2 class NameMapError(Exception): pass class NameMapConfigError(NameMapError): pass class NameMapNotInitialized(NameMapError): pass class NameMap: """ Container for backend storing resellers_name<=>resellers_id map As backend store use ve.cfg Usage: >>> name_map = NameMap() >>> name_map.link_xml_node() >>> name_map.id_list() [1001] """ def __init__(self, xml_tag_name=LVP_XML_TAG_NAME): self._xml_tag_name = xml_tag_name self._xml_node = None # Reseller name to id map (list of corteges) self._reseller_id_name_map = None def get_id(self, name): for name_, id_ in self.load_from_node(): if name_ == name: return id_ def get_name(self, id_): for name_, _id in self.load_from_node(): if id_ == _id: return name_ def id_list(self): return [id_ for _, id_ in self.load_from_node()] def link_xml_node(self, xml_node=None, use_cache=True): """ Initialize NameMap. If xml_node is none, config will be loaded automatically :param use_cache: Bool whether bypass ve.cfg xml cache :param xml_node: !! DEPRECATED PARAM !! this param is left only for compatibility with our old code """ if xml_node is None: # New mode, Load reseller_id, reseller_name pairs from ve.cfg to dictionary self._xml_node = None self._load_resellers_map_from_ve_cfg(use_cache) else: # For compatibility with our old code self._xml_node = xml_node self._reseller_id_name_map = None def _load_resellers_map_from_ve_cfg(self, use_cache): """ Fills self._reseller_id_name_map from ve.cfg file :return: """ self._reseller_id_name_map = [] ve_cfg, xml_node = self._try_get_xml_node(use_cache=use_cache) for el_ in xml_node: name = el_.getAttribute('user') id_ = int(el_.getAttribute('id')) if name and id_ and id_ not in self._reseller_id_name_map: self._reseller_id_name_map.append((id_, name)) # Force delete XML object to avoid high memory load del xml_node del ve_cfg def _try_get_xml_node(self, use_cache=True): try: ve_cfg, xml_node = ve_config.get_xml_config(use_cache=use_cache) except ve_config.BadVeConfigException as e: self._reseller_id_name_map = None raise NameMapConfigError("Error happened while loading data from ve.cfg") from e return ve_cfg, xml_node.getElementsByTagName(self._xml_tag_name) def load_from_node(self): """ Obtain data from xml node as (name, id_) list """ if self._xml_node is None and self._reseller_id_name_map is None: raise NameMapNotInitialized('Name map is not initialized. ' 'Use obj.link_xml_node() to get data from config') if self._xml_node: # For compatibility with our old code for el_ in self._xml_node.getElementsByTagName(self._xml_tag_name): name = el_.getAttribute('user') id_ = int(el_.getAttribute('id')) if name and id_: yield name, id_ if self._reseller_id_name_map: # New mode, use resellers map for id_, name in self._reseller_id_name_map: yield name, id_ class LvpMap: """ Container for storing information about lve:lvp mapping In which reseller container stored lve """ def __init__(self): self.name_map = NameMap() self._id_name_map = {} self._name_id_map = {} self._reseller_id_map_panel = None self._pwd = ClPwd() def _add_map(self, name, id_): self._id_name_map[id_] = name self._name_id_map[name] = id_ def pw_uid(self, name, default=None): try: return self._pwd.get_pw_by_name(name).pw_uid except ClPwd.NoSuchUserException: return default def _get_panel_reseller_id(self, reseller): # type: (str) -> Optional[int] uid = self.pw_uid(reseller) if uid is not None: return uid # in case when we cannot find reseller in passwd file # let's ask control panel for reseller's id if self._reseller_id_map_panel is None: self._reseller_id_map_panel = cpapi.get_reseller_id_pairs() return self._reseller_id_map_panel.get(reseller) def get_reseller_id(self, name): # type: (str) -> Optional[int] """ Convert reseller name to an LVE id. It supports resellers without a system account (for Plesk compatibility). """ uid = self.name_map.get_id(name) or self._name_id_map.get(name) if uid is not None: return uid try: uid = self._get_panel_reseller_id(name) except NotSupported: uid = None if uid is not None: self._add_map(name, uid) return uid def get_reseller_name(self, id_): """ Convert reseller id to reseller name It support resellers without system account (for Plesk compatibilyty) """ # add attribute fo in memory cache support name = self.name_map.get_name(id_) or self._id_name_map.get(id_) if name is not None: return name try: name = pwd.getpwuid(id_).pw_name if cpapi.is_reseller(name): self._add_map(name, id_) else: name = None except KeyError: name = None return name def lve_lvp_pairs(self): """ This method loops over all user:reseller pairs in control panel and returns appropriate lve_id:lvp_id pairs. THIS METHOD WON'T CHECK IF 'RESELLER LIMITS' IS ENABLED IN ve.cfg """ resellers = set(cpapi.resellers()) reseller_uids = {} for reseller in resellers: try: reseller_uids[reseller] = self.get_reseller_id(reseller) except NotSupported: syslog.syslog( syslog.LOG_WARNING, f"Reseller {reseller} still exists in control panel, " "but absent in /etc/passwd file") for cplogin, reseller in cpapi.cpinfo(keyls=('cplogin', 'reseller')): lve_id = self.pw_uid(cplogin) # for some reasons (process of destroying user died # or admin called 'pure' userdel), user may still exist in control panel # but absent in /etc/passwd file; we can do nothing with that, # so just skip and write a warning to syslog if lve_id is None: syslog.syslog( syslog.LOG_WARNING, f"user {cplogin} still exists in control panel, " "but absent in /etc/passwd file") continue lvp_id = reseller_uids.get(reseller, 0) yield lve_id, lvp_id @staticmethod def resellers(): for reseller_name in cpapi.resellers(): yield reseller_name @staticmethod def reseller_uids(name): """ Obtain from control panel resellers uids """ uids = [] reseller_users = cpapi.reseller_users(name) for user in reseller_users: try: id_ = pwd.getpwnam(user).pw_uid uids.append(id_) except KeyError: syslog.syslog( syslog.LOG_WARNING, f"user {user} still exists in control panel, " "but absent in /etc/passwd file") return uids def lvp_lve_id_list(self, lvp_id): reseller_name = self.get_reseller_name(lvp_id) return self.reseller_uids(reseller_name) class PyLveError(Exception): pass class PyLve: """ Wrapper for generate traceback with pretty descriptions """ @staticmethod def _code_is_error(code): return isinstance(code, int) and code != -errno.ENOSYS and code != 0 def _arg_to_str(self, arg_var): if isinstance(arg_var, self._pylve.liblve_settings): # for pretty print liblve_settings object liblve_settings_attr = ', '.join( [f"{attr}={getattr(arg_var, attr)}" for attr in dir(arg_var) if not attr.startswith('_')] ) arg_var_str = f'<liblve_settings object {liblve_settings_attr}>' else: arg_var_str = str(arg_var) return arg_var_str def _wrapped_fun(self, call, *args, **kwargs): msg_template = kwargs.pop('err_msg', self.default_msg_template) ignore_error = kwargs.pop('ignore_error', self.ignore_error) code = call(*args, **kwargs) is_error = self._code_is_error(code) if is_error and self._retry: # wait and try again run function time.sleep(self._retry_time) code = call(*args, **kwargs) is_error = self._code_is_error(code) format_args = { 'code': code, 'fun_name': call.__name__, 'module': call.__module__, 'args_': ', '.join( list(map(self._arg_to_str, args)) + [f"{k}={self._arg_to_str(v)}" for k, v in kwargs.items()] ) } format_args = { 'code': code, 'fun_name': call.__name__, 'module': call.__module__, 'args_': ', '.join(list(map(self._arg_to_str, args)) + [f"{k}={self._arg_to_str(v)}" for k, v in kwargs.items()]) } if self.debug >= 1: print(self.debug_msg_template.format(**format_args)) if self.debug >= 2: self.traceback.print_stack() if not ignore_error and is_error: msg = msg_template.format(**format_args) raise PyLveError(msg) return code def _wrap_code(self, call): def fun(*args, **kwargs): return self._wrapped_fun(call, *args, **kwargs) return fun def __init__(self, pylve=pylve, retry=True, retry_tyme=0.1, debug=0): self.debug = debug if self.debug >= 2: self.traceback = __import__('traceback') self.default_msg_template = 'Error code {code}; {module}.{fun_name}({args_})' self.debug_msg_template = "DEBUG [lvectl]: call {module}.{fun_name}({args_}) with code {code}" self.ignore_error = False self._pylve = pylve self._retry = retry self._proc = ProcLve() self._retry_time = retry_tyme self.api_version = self._pylve.lve_get_api_version() self.initialize = self._pylve.initialize self.lve_start = self._wrap_code(self._pylve.lve_start) self.liblve_settings = self._pylve.liblve_settings self.lve_create = self._wrap_code(self._pylve.lve_create) self.lve_destroy = self._wrap_code(self._pylve.lve_destroy) self.lve_info = self._pylve.lve_info self.lve_set_default = self._wrap_code(self._pylve.lve_set_default) self.lve_setup = self._wrap_code(self._pylve.lve_setup) self.lve_enter_pid = self._wrap_code(self._pylve.lve_enter_pid) self.lve_enter_pid_flags = self._wrap_code(self._pylve.lve_enter_pid_flags) self.lve_leave_pid = self._wrap_code(self._pylve.lve_leave_pid) if hasattr(pylve, 'lve_lvp_create'): self.lve_lvp_create = self._wrap_code(self._pylve.lve_lvp_create) self.lve_lvp_destroy = self._wrap_code(self._pylve.lve_lvp_destroy) self.lve_lvp_map = self._wrap_code(self._pylve.lve_lvp_map) self.lve_lvp_move = self._wrap_code(self._pylve.lve_lvp_move) # mocked functions. Not implement in pylve self.lve_lvp_setup = self._wrap_code(self.lve_lvp_setup) def resellers_supported(self): """ Check in pylve binding reseller limits supported """ return hasattr(self._pylve, 'lve_lvp_create') def lve_exists(self, lve_id): """ Check if lve exists in kernel :rtype: bool """ try: self.lve_info(lve_id) return True except OSError: return False # TODO: remove this wrapper when kernel logic is ready # upd: kernel logic is still not ready yet (KMODLVE-79) def lve_lvp_setup(self, lvp_id, settings): # pylint: disable=method-hidden """ Wrapper for lve_lvp_setup. When reseller's limits changed, we should iterate over his user's limits and set them again; This behaviour is needed cause kernel does not update users limits after changing reseller's one Adjust parameters for top level container. :param int lvp_id: top level container ID, 0 by default; :param settings: liblve_settings instance. :return: 0 or errno value """ # is it real situation when lvp_id is 0? if lvp_id == 0: return self._pylve.lve_lvp_setup(lvp_id, settings) # reduce lve limits real_lve_settings = {} # type: dict[int, pylve.liblve_settings] for lve_id in self._proc.lve_id_list(lvp_id): # save real settings to restore them later try: real_settings = self.lve_info(lve_id) real_lve_settings[lve_id] = real_settings if real_settings.ls_cpu > settings.ls_cpu: # get current settings and reduce cpu temp_settings = self.lve_info(lve_id) temp_settings.ls_cpu = min(temp_settings.ls_cpu, settings.ls_cpu) self.lve_setup(lve_id, temp_settings) except OSError: # lve was destroyed, ignore that pass # set new reseller settings _lve_lvp_setup = self._wrap_code(self._pylve.lve_lvp_setup) # ignore errors here and raise errors after operations result = _lve_lvp_setup(lvp_id, settings, ignore_error=True) # pass lve's limits again, so kernel will apply them for lve_id in self._proc.lve_id_list(lvp_id): if lve_id in real_lve_settings: self.lve_setup(lve_id, real_lve_settings[lve_id]) else: # some lve was created during operations above # nothing bad, but we can do nothing with that # until we have no lock's for this method self.lve_setup(lve_id, self.lve_info(lve_id)) return result def get_available_lve_id(self, start=UID_MAX, stop=MAX_LVE_ID): """ Iter over lves and find available one. :param int start: value to start search from; UID_MAX by default :param int stop: max value when we will stop search :return int: lve_id """ for lve_id in range(start + 1, stop): try: self.lve_info(lve_id) except OSError: return lve_id raise PyLveError(f"Unable to find free lve in range ({start}, {stop})") @contextlib.contextmanager def context_ignore_error(self, ignore_error): self.ignore_error, saved_ignore_error = ignore_error, self.ignore_error try: yield finally: self.ignore_error = saved_ignore_error class Lve: def __init__(self, proc=None, py=None, map=None): self.proc = proc or ProcLve() self.py = py or PyLve() self.map = map or LvpMap() def lve_id_lvp_id_pairs(self): """ Obtain {lve id}:{lvp id} pairs iterator based on ve.cfg config (detect enabled resellers containers) This method (unlike LvpMap.lve_lvp_pairs) will check if reseller is enabled in ve.cfg and return lvp_id=0 for users of reseller with disabled reseller limits """ enabled_lvp_id = set(self.map.name_map.id_list()) for lve_id, lvp_id in self.map.lve_lvp_pairs(): if lvp_id in enabled_lvp_id: # load map for enabled resellers only yield lve_id, lvp_id else: yield lve_id, 0 def lve2lvp(self, lve_id): """ Obtain lvp id based on ve.cfg config (detect enabled resellers containers) """ for lve_id_, lvp_id_ in self.lve_id_lvp_id_pairs(): if lve_id == lve_id_: return lvp_id_ return 0 def lve_destroy(self, lve_id, *args, **kwargs): """ safe destroy lve container with preserving lvp mapping """ if os.path.exists(self.proc.proc_lve_map()): lvp_id = self.proc.map().get(lve_id, 0) else: lvp_id = 0 self.py.lve_destroy(lve_id, *args, **kwargs) if lvp_id != 0: try: pwd.getpwuid(lve_id) self.py.lve_lvp_map(lvp_id, lve_id) except KeyError: pass def _sync_map(self): """ Load lve_id:lvp_id map to kmod-lve """ # laod mapping information from kernel (/proc/lve/map) proc_map_dict = self.proc.map() # loop over user_id:reseller_id pairs # lve_id_lvp_id_pairs includes all control panel users # and checks for enabled resellers in ve.cfg # so user of reseller without reseller limits # will be listed in response like 'tuple(user_id, 0)' for lve_id, lvp_id in self.lve_id_lvp_id_pairs(): if proc_map_dict.get(lve_id, 0) != lvp_id: # change map if needed only if not self.proc.exist_lvp(lvp_id=lvp_id): self.py.lve_lvp_create(lvp_id) self.py.lve_lvp_move(lvp_id, lve_id) proc_map_dict[lve_id] = lvp_id def sync_map(self): """ wrapped _sync_map function for prevent error if some cpapi not supported """ try: self._sync_map() except NotSupported: pass def is_panel_supported(self): """ Check if current panel supported for reseller's limits; :rtype: bool """ try: return cpapi.is_reseller_limits_supported() except NotSupported: return False def reseller_limit_supported(self): """ Check present all needed (kmod-lve, liblve, /proc/lve, panel) for manipulate resellers limits """ return all((self.py.resellers_supported(), self.proc.resellers_supported(), self.is_panel_supported())) def is_lve10(self): """ Check present all needed (kmod-lve, liblve, /proc/lve) for manipulate resellers limits """ return all((self.py.resellers_supported(), self.proc.resellers_supported()))
© 2024 UnknownSec