g ddlZddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl m Z ddl m Z ddlmZddlmZmZmZmZddlZddlmZddlmZmZddlmZmZdd lm Z m!Z!dd l"m#Z#m$Z$dd l%m&Z&m'Z'dd l(m)Z)dd l*m+Z+m,Z,ddl-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3ddlm4Z4ddl5m6Z6ddl7m8Z8dZ9dZ:dZ;dZdZ?dZ@de@ZAdZBdZCdZDdZEe dd d!gZFd"d#d#d#d#d#d#d#d#d$ ZGd%d&d'd&d&d&d&d&d&d$ ZHiZId(d)eHd*eId+<d,d-eGd*eId.<d/ZJd0ZKd1ZLdd3ZMdd5ZNd6ZOd7ZPd8ZQeLd9d:ZRd;eeSeeTffd<ZUd=ZVeLd>d?ZWd@eTdAeTd;eFfdBZXeLdCePeVdDZYeLdEePeVdFZZeLdGePeVdHZ[eLdIePeVdJZ\eLdKdLZ]eLdMeQdNZ^dOZ_eLdPdQZ`eLdRdSZaeLdTdUZbeLdVeQdWZceLdXdYZdeLdZeQd[ZeeLd\ePd]ZfeLd^ePd_Zgd`ZhdaZigdbZjgdcZkddZldeZmdfZneLdgdhZoeLdidjZpeLdkdlZqdmZrdneTd;eeTfdoZsd;etfdpZud;etfdqZvdreTd;etfdsZwd;eeTfdtZxduZydvZzeLdwePdxZ{ddzZ|d;eSfd{Z}d;eeefd|Z~d}eeed;dfd~ZeLdeQdZeLdeQd;eFfdZdS)N) namedtuplewraps)Path)AnyStrListOptionalTuple)get_hidepid_typing_from_mounts)ClPwddrop_privileges)Featureis_panel_feature_supported)CLEditionDetectionErroris_cl_solo_edition)is_client_enabledis_cmt_disabled)DEFAULT_JWT_ES_TOKEN_PATHDISABLE_CMT_FILE)jwt_token_check) WhmApiError WhmApiRequest)ExternalProgramFaileddemoteis_litespeed_runningprocess_is_running run_commandservice_is_enabled_and_present) is_container)LimitsValidator)get_pkg_versionOKFAILEDSKIPPEDINTERNAL_TEST_ERRORz/https://docs.cloudlinux.com/command-line_tools/disabled_cldiag_cron_checkers cldiag_cronz5https://docs.cloudlinux.com/cloudlinux-os-plus/#faq-2z Link to FAQ and troubleshooting zWPlease write to support https://cloudlinux.zendesk.com/ if you can't resolve the issue.zCentralized Monitoringz;This checker is not supported on CloudLinux OS Solo editionzAThis checker is not supported in environments without LVE support ChkResultresmsgz/usr/local/apache/bin/suexecz/usr/sbin/suexec) cPanel cPanel_ea4 DirectAdminPlesk ISPManager InterWorxzH-Sphere HostingNGUnknownz/opt/suphp/sbin/suphpz/usr/sbin/suphpz/usr/local/suphp/sbin/suphpSuPHPzdetect.get_suPHP_status())namestatus_functionlocationsuphpSuEXECzdetect.get_suEXEC_status()suexecz/var/lve/cldiag_user cldiagusercfd}|S)Nc|_|SN) pretty_name)funcname_of_checkers py/cldiaglib.py decoratorzpretty_name..decoratorrs* )r@rBs` rAr>r>qs$ rCFc d}d}|r%d|D}||d<tj|Sg}|D]?\}}}|d|jd|j} || d|d |d |d } || @d |d |dgz}|S)z2 Formatter of output from all of checkers z)Command for disabling this cron checker: zcldiag --disable-cron-checkersc@i|]\}}}||SrD)_asdict).0checker_pretty_name_ chk_results rA z_formatter..s1hhh=_=PRSU_"J$6$6$8$8hhhrC total_errorsz: : N z " "z z There are z errors found.)jsondumpsr)r*appendjoin) data error_countto_jsonr*cmd_tmpr)rIchecker_public_namerKchecker_results rA _formatterr\ys 6C.Ghhcghhh)Nz# C@D##<0*/^^ ^^jn^^  * .]]c]]W]]GZ]]]N >"""" ++cE+EEEFF G GC JrCTct|r|g}g}d}|D]} |}n9#t$r,}ttt |}Yd}~nd}~wwxYw|jt tfvr|dz }||jt|dr|j nd|ft|||}|r#t|tj|||fS)Nr public_name)callable Exceptionr(r%reprr)r#rTr>hasattrr_r\printsysexit) checkersrXdo_exitresultserrorsfrKer)s rArunnerrms-:G F    AJJ A A A"#6Q@@JJJJJJ A >      aKF !(M!:!:D       Wfg . .C c   3;s ' A"AAcj t|S#t$rtd|dYdSwxYw)NzWARNING missing z function in cldetectlib.F)evalAttributeErrorrd)r?s rAwrapperrqsODzz  B4BBBCCCuus 22c<tfd}|S)Nc td}n#t$rd}YnwxYw|rtttS|i|S)NTskip_jwt_checkF)rrr(r$SKIPPED_ON_SOLO_MSG)argskwargsis_solo_editionrks rAcheckerz(skip_checker_on_cl_solo..checkersl $0EEEOO& $ $ $#OOO $  ;W&9:: :q$!&!!!s  ##rrkrzs` rAskip_checker_on_cl_solor|s3 1XX""""X" NrCc<tfd}|S)Nczttjsttt S|i|Sr=)rrLVEr(r$SKIPPED_WITHOUT_LVE_MSG)rwrxrks rArzz'skip_check_without_lve..checkers;)'+66 ?W&=>> >q$!&!!!rCrr{s` rAskip_check_without_lvers3 1XX""""X" NrCz Check cagefsc,ttdS)NzuCagefs version is too old. Please run cagefsctl --sanity-check directly or upgrade it to have full cldiag integration)r(r$rDrCrAfake_cagefs_checkerrs  8  rCreturnctd}dtdtd}d}ddlm}|}| |d sd |fS|t \}}}|s||fSt rd |fSt sd |fSd S) am Check that a server is cl+, enabled and CM isn't disabled locally The function returns True if the client has CL+ license, didn't disable CM localy and activated CM on https://cm.cloudlinux.com. The function also returns True if we can't read or parse JWT token, because we want to continue and show to client CM related errors z. is not activated on https://cm.cloudlinux.comzThe z& is disabled localy by creating file "rQThe server has no CL+ licenserget_client_data_from_jwt_tokenNcl_plusF)TN) cm_full_namerclsummary.utilsrrrr)cm_is_not_activated_msgcm_is_disabled_localy_msgno_cl_plus_license_msgr jwt_tokenis_validmessagerJs rA_is_cmt_allowed_for_serverrs".``` r| r r_o r r r<>>>>>>..00IYy%9,,,.00'1 %W$ $0///   .--- :rCc<tfd}|S)zi Decorator: Skip check if a server isn't cl+, disabled and CM is disabled locally cdt\}}|r|i|Stt|S)z$ Decorated function )rr(r$)rwrxresultrrks rAdecorated_functionz@skip_if_cmt_not_used_enabled_allowed..decorated_functionsI 566  &1d%f%% %     rCr)rkrs` rA$skip_if_cmt_not_used_enabled_allowedrs6  1XX     X   rCzCheck existing JWT tokencd}dtdtdtdt}d}ddlm}t jtstt||zSt\}}}|r#|}ttd |d S||krttd S|d z}tt|d|S) z% Check an existing JWT token zJ The absence of JWT tokens is normal for the clients with volume license. z$Please check for JWT token in path "zr". %sTry running "rhn_check" for getting a new token if it is absent. Server can't collect and send statistics to z( if you don't have a correct JWT token. . z"JWT token doesn't have CL+ servicerrzJWT token is valid: "rQr)rrcl_plus_doc_msgwrite_to_support_msgrrospathexistsr(r$rr"r#)token_is_absent_msgmain_msgtoken_is_not_cl_plusrrrrJrs rAcheck_jwt_tokenrs3 g " % " "+7 " ",;  " "  " " @>>>>>> 7>>3 4 4   * *   )**FGQ C2244 AYAAABBB&&&  +   "}H V55855 6 66rC service_nameprocess_file_pathc t|\}} t|d}n#t$rd}YnwxYw|r|r|rttd|dSg}|s|d|s|d|s|dtt d|dtd |d td t S) z Check that a service is present, enabled and active :param service_name: name of a service :param process_file_path: path to a file which is run by a service Fz Service "z " is present, enabled and activezService is not present.zService is not enabled.zService is not active.rPz1 The server can't collect and send statistics to z if service z$ isn't present, enabled and active. r) rrFileNotFoundErrorr(r"rTr#rUrrr)rr is_present is_enabled is_activemessagess rA_check_service_stater8sF  cl_node_exporter let`s handle both cases: - old `node_exporter` service - renamed `cl_node_exporter` service rz&/usr/share/cloudlinux/cl_plus/service/z+/usr/share/cloudlinux/cl_plus/node_exportercl_node_exporterzcl_node_exporter.service node_exporter)rr(r$rrrrUr)base_service_pathrrs rAcheck_node_exporter_servicerks~~\"Z[[[@E w~~bgll#46HIIJJ'bgnn  &(BCCOO'* &  .? @ @@rCz7Check service `lvestats` is present, enabled and activec*d}d}t||S)zF Check that service `lvestats` is present, enabled and active lvestatsz'/usr/share/lve-stats/lvestats-server.py)r)rrs rAcheck_lvestats_servicers LA  .? @ @@rCzeCheck that the server has the minimal required packages for correct working of Centralized Monitoringc dD]C}t|2ttd|dtdtdt cSDtt dS)zD Check that the server has minimal required packages for CM )zcl-end-server-toolszcl-node-exporterNz!System doesn't have the package "z". It's required for zA feature to work and it usually installed automatically by cron. rzVSystem has the minimal required packages for correct working of Centralized Monitoring)r!r(r#rrrr") package_names rAcheck_cmt_packagesrsD   < ( ( 0* **8D**+:**( **    1 Rq r rrrCzACheck control panel and it's configuration (for DirectAdmin only)cdtdz}tjtj}|dkrt t dSd|dtjd}td sL|d krFtjrt t|d zSt t|d z|zSt t|S) NzW Fixing the issue will provide CloudLinux support on your control panel. See details: z#diag-cpr2zCan't detect contol panelzControl Panel - z ; Version ;Trtr-z File "options.conf" is finez1 File "options.conf" has no line "cloudlinux=yes") cldiag_doc_linkdetectgetCP getCPNamer(r$ CP_VERSIONrda_check_optionsr"r#)fix_motivationcp_nameres_msgs rA check_cp_diagrs 7'*4 7 7 LNNN  G)"=>>>HHHF4EHHHG T 2 2 2qw-7O7O  " $ $ KR+I!IJJ J+^!^ao!oppp R ! !!rCzDCheck fs.enforce_symlinksifowner is correctly enabled in sysctl confc dtdz}tjrttdS tj}nM#t $r@}d}ttdtt||dcYd}~Sd}~wwxYw|dkrttd|zSttd |S) Nz Fixing that issue makes server more secure against symlink attacks and enables protection of PHP configs or other sensitive files. See details: z#symlinksifowner$Not supported for OpenVZ environmentz+To see full error run /sbin/sysctl --systemz@Some parameter in sysctl config has wrong configuration. Error: z* It`s recommended to fix it and try again zfs.enforce_symlinksifowner = 2zfs.enforce_symlinksifowner = ) rr is_openvzr(r$get_symlinksifownerrr#get_short_error_messagestrr")rsymlinks_if_ownerrl detailed_outs rAcheck_symlinksifownerrs [4CFX4X [ [ J"HIII "688    D   p-c!fflCC p p p         A!AN!RSSS RL9JLL M MMsA B5B BBc|d}tdz|z}d|d|}tjdst t dSt|dst t |ddStj |d }|t t d |dd S|st td |zSt td S)Nr4z#check-z{ Fix that issue to be sure that users run their sites inside CageFS and provide stable work of sites that are using apache z7 module. This may improve server security See details: /usr/sbin/cagefsctlCagefs is not installedr5z is not enabledr6zUnable to check zU module binary for custom control panel. This feature may be added in future updates.zBinary without CageFS jail zbinary has jail) lowerrrrrr(r$rqrcheck_binary_has_jailr#r")params module_namelinkrhas_jails rA binary_checkrs(.&&((K Y & 4D !/: ! ! ! ! 7>>/ 0 0=";<<< 6+, - -FVF^"D"D"DEEE+F:,>??H  Qvf~ Q Q Q   Q!>!OPPP R* + ++rCzCheck suexec has cagefs jailctjr#trttdSt t dS)NzUCurrent PHP selector uses LiteSpeed, which doesn't require the patches in suEXEC bin.r9)rdetect_litespeedrr(r$rBINARY_CHECK_PARAMETERSrDrCrA check_suexecrsQ   %9%;%;  l    /9 : ::rCzCheck suphp has cagefs jailc6ttdS)Nr7)rrrDrCrA check_suphprs /8 9 99rCzCheck usepam in sshd configcdtdz}tj}|ttdS|rtt dStt d|zS)NzgFix the issue to provide correct work of pam_lve module with sshd and CageFS ssh sessions See details: z #check-usepamz!Unable to run "/usr/sbin/sshd -T"zConfig is finez3There is "usepam no" in "/usr/sbin/sshd -T" output )rrcheck_SSHd_UsePAMr(r$r"r#)r check_results rA check_use_pamrsx Q-<-N Q Q+--L"EFFF/-... VRUcc d ddrCz*Check the validity of LVE limits on servercd}d|z}d}t}|}|tt|Stt|dz|zS)z Validate lve limits z6https://docs.cloudlinux.com/lve-limits-validation.htmlz'Invalid LVE limits on server. See doc: zValid LVE limits on server.NrO)r validate_existing_limitsr(r"r#)doc_linkfailed_messagepassed_messagelimits_validatorrs rAcheck_lve_limitsrseHH>IN2N&((  6 6 8 8F ~^,,, V^d2V; < <z%check_phpselector..Ds 5554$**,,555rCz Can not read z ()zdefault::r^z+ config should have the default PHP version)cgifcgir7rzdoesn't support z handler in ea4/php.conf ruid2_modulezIt looks like you use mod_ruid. CloudLinux PHP Selector doesn't work properly with it. How to delete mod_ruid and install mod_suexec in cPanel: https://docs.cloudlinux.com/cloudlinux_os_components/#installation-5 suphp_moduler7 lsapi_moduler suexec_moduler9zyIt looks like you do not have mod_suphp or mod_suexec installed. CloudLinux PHP Selector doesn't work properly without it)r7rrrz php.conf:z with z, c3$K|] \}}||V dSr=rDrHmodule is_installeds rA z$check_phpselector..ls-0s0s.rs-(k(k4HFL^j(k(k(k(k(k(k(krC])rrrrr(r$rrrr"openIOErrorr# startswithsplitrget_apache_modulesanyrUitems) ok_prefix fail_prefixstatushandler conf_pathrkconfigrlerrr default_vermodulescurrents rAcheck_phpselectorr"s+#I q),@@ q q q 7>>2 3 3T"RSSS  6%9%;%;6Y4555 > >FG*I w~~i  8 8iw777 61551555 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 8 8 83)33q333CV[3%677 7 7 7 7 7 7 8 8 8Dz** #zz#q188::  KKKCV[3%677 7 7 7D+00011 7::c??1-4466 ; ; ;FWFFFCV[3%677 7'))G W $ $WW  )G3w(G3w*g5x w!12 3 3   G G   g2&*2w:[/[/[ u u utyy0s0sTZT`T`TbTb0s0s0s's's u u Y0111 o")/33w o o#yy(k(kFLLNN(k(k(kkk o o o V[3. / //sB)C ; C C CC CC D* D DDzCheck fs.symlinkown_gidc`dtdz}ttd}d|z}d}tjrtt dStjtj} tj |n)#t$rtt d|dcYSwxYw t|d 5}t| }dddn #1swxYwYn2#t$r%}tt d |d |cYd}~Sd}~wwxYwtj|kr|S t%j|j}n#t$rg}YnwxYw|r||vr|Stt |||S) Nz|Fix the issue to provide symlink protection for apache user and as a result make your Web Server more secure. See details: z#check-symlinkowngidz>Web-server user is protected by Symlink Owner Match Protectionz@Web-server user '{}' is not in protected group specified in {}. z/proc/sys/fs/symlinkown_gidrzThere is no web-server user [z!] on the system. Nothing to checkrrzCan't read GID from z with error: )rr(r"rrr$get_apache_gid APACHE_UNAMEpwdgetpwnamKeyErrorr intreadrrar# APACHE_GIDgrpgetgrgidgr_memformat) rok_res warn_msg_tplsymlinkown_gid_file apache_unamerkcurrent_symlinkown_gidrl grp_memberss rAcheck_symlinkowngidr/wsH E),BB E E r[ \ \FX[iiL7 J"HIII &Ls \"""" sss"q,"q"q"qrrrrrs_ % 8 8 8 ;A%()9)9%:%: " ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ___!]8K!]!]Z[!]!]^^^^^^^^_222 l#9::A   ; & &M V\00?RSS T TTsf2B#B-,B-1D4D6 DDD D D D=D82D=8D=E-- E<;E<z&Check existence of all user's packagesc  d d}d}gd gd}gtjdkrttdSt j|sttdStj|rt j|tj |tj tj |d 5}| \}}|j }d d d n #1swxYwY|d krd |}tt|S d|dD}fd|D}n1#t $r$} d| }tt|cYd } ~ Sd } ~ wwxYw fdt j D fd|D} | r.dd| d}tt|Stt$dS)zL Return user's packages that do not exist in /var/cpanel/packages/ z/var/cpanel/packages/z/var/cpanel/users/z/var/cpanel/suspended/) undefineddefaultz#cPanel Ticket System temporary userCustom)z /bin/grepz-ezPLAN=z-rr+should be run on cPanel onlyzno users on this serverT)stdoutstderrcwdtextNrzerror getting user's packages: cg|]c}|dddd|ddfdS)=rrr^)r r)rHplans rArz9check_existence_of_all_users_packages..sg   OSTZZ__Q  % %c * *1 -tzz#q/A/G/G/I/I J   rCrOc&g|] \}}|v ||fSrDrD)rHuserpkgsuspended_userss rArz9check_existence_of_all_users_packages..s-mmmidCQU]lQlQltSkQlQlQlrCz"error processing user's packages: cg|]A}tjtj|?|BSrD)rrisfilerU)rHpackagepackages_dir_paths rArz9check_existence_of_all_users_packages..sNrw||\movOwOw@x@xrCc4g|]\}}|v |v |d|S)rNrD)rHr=rBexcluded_packages_namesexists_packagess rArz9check_existence_of_all_users_packages..sK!!! D' 1 1 1g_6T6T 76T6T6TrCzXFound some nonexistent user's packages. List of "user: package" separated by semicolon: z; z. If you want to apply package limits for those users - assign existing packages to them, otherwise limits will be applied incorrectly or not applied at all.z(nonexistent user's packages aren't found)rrr(r$rlistdirrr subprocessPopenPIPE communicate returncoder#rr rarUr")users_dir_pathsuspended_dir_path user_plan_cmdprocstd_outstd_errret_coder*all_users_packagesrlnot_exists_users_packagesrErFrCr?s @@@@rA%check_existence_of_all_users_packagesrVs0)N1ggg666MO X%%"@AAA :n % %=";<<< w~~())9*%788        # ++--?###############1}}999%%% &  W^WdWdWfWfWlWlmqWrWr   nmmm;Mmmm &&&6166%%%%%%%%& !z*;<<O!!!!!/!!! !& R?CyyIb?c?c R R R %%% RC D DDs0 C55C9<C9!?E!! F+F F Fz$Check all resellers's packages filesctjdkrttdSGdd}ddlm} |5|dddn #1swxYwYttdS#t$r,}ttt|cYd}~Sd}~wwxYw) zT Check reseller packages files reading on any errors Caused by LU-2374 r-z!should be run on DirectAdmin onlyceZdZdZdZdZdS)7check_da_resellers_packages_files..HiddenPrintsz= Redirect stdout to /dev/null to hide output cttj|_ttjddt_dS)Nwrr)rer5_original_stdoutr rdevnull)selfs rA __enter__zAcheck_da_resellers_packages_files..HiddenPrints.__enter__s($'JD !bj#@@@CJJJrCcdtj|jt_dSr=)rer5closer\)r^exc_typeexc_valexc_tbs rA__exit__z@check_da_resellers_packages_files..HiddenPrints.__exit__s$ J     .CJJJrCN)__name__ __module__ __qualname____doc__r_rerDrCrA HiddenPrintsrYs?   A A A / / / / /rCrjr)r-Nz6all resellers packages are written in correct encoding) rrr(r$ clcontrollibr-list_resellers_packagesr"rar#r)rjr-rls rA!check_da_resellers_packages_filesrms8]**"EFFF / / / / / / / /)((((() \^^ 4 4 KMM 1 1 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4UVVV )))Q(((((((()sB B A4( B4A88B;A8<B C !C?C C z/etc/cl.selector/defaults.cfgz/etc/cl.selector/php.conf) DirectiveDefaultTypeCommentRangeRemark)valuelistboolcg}d}d}ttdd5}|}dddn #1swxYwY|D]}|drt |dkr_d} ||n%#t $r|gYnwxYw||||sd}|d z }|S) zL Parse php.conf and split it into blocks by empty line :return: rTrrrN#Fr^)r  PHP_CONF_PATH readlinesr lenrrarT) line_blocks block_index new_blockconfrVrs rAparse_php_confrs_ KK I mS7 3 3 3 t~~                ??3     tzz||  q I 'K((( ' ' '""2&&&&& '  $ + +DJJLL 9 9 9 9 I 1 K s!?AA BB76B7cfd}d}|D]}|d}|dtvrd}|dt|dz}|ddkr9|d tvrd}|dt|d z}||gS) NTrr:rFz Block z has wrong param rpr^z has wrong directive )r rPARAM_NAME_LISTblock_to_stringTYPES)blockrr*r line_partss rA check_blockr5s F CWWZZ__ a=    7 7FN?5#9#9NNNNC a=   F * *!}""$$E11Vu'='=VVVV C=rCc>d}|D]}|t|zdz}|S)NrO)r)r res_stringrs rArrDs3J33#d))+d2 rCz"Checking /etc/cl.selector/php.confc`d}d|}d}d}tjtst t dtdSt }|D]"}t|\}}|o|}|r|dz|z}#|st t||zSt tdS) Nz7https://docs.cloudlinux.com/custom_php_ini_options.htmlzTo fix the issue provide valid format for /etc/cl.selector/php.conf file. It is used for PHP Selector and invalid format lead to directives misconfiguration and as a result misconfiguration of selector Please, read more about php.conf file in TrzFile z does not exist rOOk) rrrryr(r$rrr#r")php_ini_doc_linkrrr*blocksrr1msg1s rAcheck_php_confrKsP I7G I I F C 7>>- ( (L"J-"J"J"JKKK   F$$u%%DB  $*t#C 7~!5666 R  rCz&Checking /etc/cl.selector/defaults.cfgcDdtdz}tjtst t tdS tjdd}| tn9#t$r,}t tt|cYd}~Sd}~wwxYw | dd}n9#tjtjf$rt td|zcYSwxYw|D]}|dr|d d} | |d }n#tj$rd }YnwxYw | |d }n#tj$rd }YnwxYw||kr#|dkrt td|d|cS|rCd|vr?|d}|D]'} | s#t&jd|d(t t,dS)NzDetails: this config file is used by the CL PHP selector and stores its global options, so it is important to keep needed configurations and valid syntax for PHP modules' settings to avoid selector's misconfiguration See details: z#cldiagz does not existF interpolationstrictversionsphpz!Default php version is undefined stateenablerrdisabledzDefault php version z is disabled ,z"Warning: Modules list for version z is strange r")rrrrDEFAULTS_CFG_PATHr(r$ configparser ConfigParserr#rar#rget NoOptionErrorNoSectionErrorsectionsr r rer6writer") r defaults_cfgrldefault_php_versionsection php_versionrr module_namesr4s rAcheck_defaults_cfgrcs 8*I5 8 8 7>>+ , ,I%6"G"G"GHHH)#0tERRR +,,,, )))Q(((((((()X*..z5AA  & (C DXXX!E!VWWWWWX((**nn   e $ $ n!!""+K !$(('::- ! ! !  ! &**7I>>-    "k11ez6I6I )k )k)k[i)k)klllll n'>>#*==#5#5L ,nn#nJ,,-lR]-l-l-lmmm R  sT0B B7 !B2,B72B7;C3DDEE,+E,0FFFzChecking domains compatibilityctjdkrttdSd}d}t }|tt |Stt |S)Nr+r4zSome domains/subdomains don't use PHP Selector because they have a non-system default version (in MultiPHP Manager) or PHP_FPM enabled. You can find their list on domains tab and pass control to PHP Selector if necessary.r)rrr(r$domains_compatibility_checkerr"r#)rrrs rAcheck_domains_compatibilityrsh X%%"@AAA 9 N * , ,F ~^,,, V^ , ,,rCch td}td}n#t$rYdSwxYw|dD]F}|d|dks|drdSGdS)Nphp_get_vhost_versionsphp_get_system_default_versionrversionphp_fpmzIncompatible version)rcallrr)domainssystem_versiondomains rArrs 899>>@@&'GHHMMOO tt++j))**   i ( (FJJy,A,A A AVZZPYEZEZ A))) B**sAA AAdirpathctj|sdSd|}tj|dtjtjdd}|jdkrdS |jdd dd }n#t$rYdSwxYw|S) zZ Get mountpoint for dirpath directory from output of df -h {dirpath} utility. Nzdf -h rPTF)r5r6r8checkrrOr^) rrisdirrHrunr rJrLr5 IndexError)rget_mountpoint_cmdprocess mounted_ons rAget_dir_mountpointrs 7== ! !t+'++n  %%  GQt^))$//288==bA tt s59B// B=<B=c d}tjdrltdd5}|D]?}|dr(t |dd}@ dddn #1swxYwY|S) z[ Returns maximum uid from /etc/login.defs If file does not exist returns 60000 i`z/etc/login.defsrrzUID_MAX rPrN)rrrAr r r"r )max_uidrkrs rA get_max_uidrs G w~~'((7 #g 6 6 6 7! 7 7??:..7!$**S//""566G 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 NsABB Bcpd}t|dd}t|}|S)z Returns min cagefs uid z!/usr/sbin/cagefsctl --get-min-uidrPT)convert_to_str)rr r")get_min_uid_cmdr5min_uids rA get_min_uidrs9:O ..s33D I I IF&kkG NrCusernamecBt}t}||krtd|d|d|t|}||vr||S|s|}n1|}|}t||D] }||vr|}n ||krtd|d|dd|d|}t| d d \}} } |d krt| |S) z Creates user with max available uid that greater than min cagefs uid and less than max system uid. Does nothing if user already exists. z Can't create z user: min_uid z is greater than max_uid )rz user: uid z is too bigz#/usr/sbin/useradd -s /bin/false -u z -m rPT)return_full_outputr) rr RuntimeErrorr get_user_full_dictget_uid get_uid_dictrangerr ) rrrclpwd custom_uidused_uids_dict_uid useradd_cmdrLrJrs rAuseraddrso mmGmmGs8ssssjqssttt ' " " "E5++----}}X&&&       ++--'7++  D>))! *WW8WW WWWXXXR RRRRK$[%6%6s%;%;PTUUUJ3Q3 rCc ttd5}|cdddS#1swxYwYn#tt f$rYnwxYwdS)zS Retrive cldiag username from file :return: username from file or None rrN)r _CLDIAG_USERNAME_FILEr#rOSErrorr )rks rAget_username_from_filers  '' : : : $a6688>>## $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ W       4s3A&A  A AAAAA+*A+c\t}tjd}|}|D]`\}}||s d|}t |dD#tttf$rY]wxYwdS)z3 Remove all trash cldiag users from system z^cldiaguser_[a-f0-9]{21}$z/usr/sbin/userdel -r rPN) r recompilerrmatchrr rr r)cl_pwd re_pattern users_dictrrJ userdel_cmds rAremove_all_trash_cldiag_usersr sWWF788J**,,J!'')) !))   <(<tjdrtj|st t dStjd st t d Stst t|Sd}d }tjtrGt}|6 tj |}|j |j} } d }n#t$rYnwxYwnt!|st"d t%jjdd}t+|tj |}|j |j} } t-tdd5} | |dddn #1swxYwYn#t0t2f$rYnwxYw|d| } |d|d|} |d|d|} | dzd}d|d|d}t5t7j}t9||}tj|s"t;| dt;| dt?j d|gt>j!t>j"d d |tG| | itj$ddi5}|%\}}dddn #1swxYwYtM|5|'sGd |vrCt tP|cdddt;|dS|'st1||)dddn #1swxYwYt;|dn'#t;|dwxYwn%#tT$rt t|cYSwxYwt t|S)!a Checker for check if /var/cagefs is located on partition with disk quota enabled. Algorithm for check: we trying to set cldiaguser's quota to 1 inode (so that this user can't create any file if the quota activated on this partition). Then we change uid of process to cldiaguser's uid, and try to create file with his permissions. If we can't create file (Disk quota exceeded) then it's alright and disc quota enabled. Else we warn user to enable quota on that partition. z3/var/cagefs located on partition with quota enabledzDetails: /var/cagefs located on partition with quota disabled. Please, activate quota for /var/cagefs for better security. See details: https://docs.cloudlinux.com/cloudlinux_os_components/#installation-and-update-2zYQuotas seems unworkable on this server. Please correctly setup quotas to run this checkerrz/usr/sbin/setquotaz /var/cagefsNrz/usr/share/cagefs-skeleton/binzCagefs is not initializedFTrJ r[rrz --cpetc z -u z 0 0 1 1 z 0 0 0 0 d02dz /var/cagefs//z/etc/cl.selector/rPz /bin/touchLC_ALLC)r5r6r8start_new_sessionr7 preexec_fnenvzDisk quota exceeded)+rrrrrAr(r$rr#rrrr pw_uidpw_gidr!r_CLDIAG_TEST_USENAME_PREFIXuuiduuid4hexrr rrr rrandomrrr rHrIrJSTDOUTrenvironrKr rr"unlinkr) ok_messagerquota_unworkable_message cagefsctlsetquotacagefs_mountpointris_testuser_existsuser_pwuser_uiduser_gidrkcreate_cagefs_dir_cmdset_quota_limit_cmdreset_quota_limit_cmdprefix tempfile_dir tempfile_nametempfile_full_pathrPr5rJs rA!check_cagefs_partition_disk_quotar .sGJ Z d&I#H*=99  m(D(D BGNN[dLeLe ";<<< 7==9 : :?"=>>>   1000H w~~+,,()++   *,x00%,^W^( &*""       &'''  1FFDJLL4DFFssK,x(($^W^( +S7CCC "q!!! " " " " " " " " " " " " " " "!    D (==8==%QQ8QQ>OQQ'SSXSS@QSS ; : 3,,FN&NN8NNNL 00M!%lM!B!B 7==.. >177<<=== +11#66 7 7 7!}-!!("& !(H555rz5h_5    / ,,..  / / / / / / / / / / / / / / /!** , ,)002257LPV7V7V$R44 , , , , , , , -33C88 9 9 9 9 *0022*!&//)"))+++  , , , , , , , , , , , , , , , -33C88 9 9 9 9K-33C88 9 9 9 9 9 ;;;!9:::::; V^ , ,,s?"D$$ D10D1!G&8G G&GG&!G"G&&G:9G:C3P L1% P1L55P8L59P -O*8 P"Q'7O* P*O..P1O.2P5#Q$P<<QQ"!Q" c|d}t||kr7d|d|dzdgz|| dzdz|gzS|S)a. Handles error message making it shorter, if it is bigger than max limit :param error: error message to make shorter :param detailed_out: way for user to get full error manually :param max_error_lines: max lines for error :return: initial error (less than 10 lines) short error rONrz...)r r{rU)errorrmax_error_lines error_liness rArrs++d##K ;/))yy ./Q.. /5' 9KHX\]H]H_H_<` `dpcq q    LrCcJtjtjddd}|S)zY Return true if automatic cldiag email notifications about problems enabled. ENABLE_CLDIAGr:T) separator default_val)rget_boolean_paramCL_CONFIG_FILE) enable_cldiags rAis_email_notification_enabledrs( ,V-BO_bptuuuM rCcP tjddtdi}|tj|tt}n#tj$rgcYSwxYwd| dDS)zc Get list of disabled cldiag checkers which run by cron from /etc/sysconfig/cloudlinux NFr)rrdefaultsc:g|]}||SrDr)rHitems rArz6get_list_of_disabled_cron_checkers..s% G G GT$ GDJJLL G G GrCr) rrcron_cldiag_checkers_param_namer#rrrcron_cldiag_section_nameErrorrr )rrs rA"get_list_of_disabled_cron_checkersr!s */     F)*** $ +      H GV\\^^%9%9#%>%> G G GGsAA A43A4disabled_cron_cherkersc$ tjdd}|tjt |vr|t t}|r| || t td |ttjdd5}||ddddS#1swxYwYdS#tjt t"f$rb}t%dtjd |d t%d t%t&t)jd Yd}~dSd}~wwxYw) z` Set list of disabled cldiag checker which run by cron in /etc/sysconfig/cloudlinux NFrrzw+rrz3Can't set list of disabled cron checkers to config"z " because "rQz:Please check config's existence, integrity and permissionsr^)rrr#rrrr add_sectionr!extendsetrrUr rr r rrdrrerf)r"rcurrent_disabled_checkersrkrs rA"set_list_of_disabled_cron_checkersr(s *     F)*** #6??+<+< < <   7 8 8 8$F$H$H! ! E " ) )*C D D D $ + HH+ , ,   &' @ @ @ A LLOOO                     1 pH]ppjmpppqqq JKKK "###  s=CD!D7 DDD D DF-AF  Fz!Check mount with hidepid=2 optioncd}d|}d}d}tjdstt|St dkrtt |Stt|S)z7 Check if system mounted with hidepid=2 option zWhttps://docs.cloudlinux.com/cloudlinux_os_kernel/#remounting-procfs-with-hidepid-optionzDetails: hidepid protection disabled. Please, mount system with hidepid=2 for better security. Read more about hidepid option here: zhidepid protection enabledrrr)rrrAr(r$r r#r")hidepid_doc_linkrrskipped_messages rA check_hidepidr,sq C0@ C C 2N/O 7>>/ 0 03/222&''1,,000 R ( ((rCzCheck user's low PMEM limitscd}d|z}d}tj}|rtt|Stt|S)z7 Checks low PMEM limits availability on server z5https://docs.cloudlinux.com/limits/#limits-validationzLSome user(s) on server has low PMEM LVE limit (lower than 512 MB). See doc: zCheck low PMEM limits passed)r is_low_pmem_limit_presentr(r#r")rrrrs rAcheck_low_pmem_limitsr/sP GHcfnnN3N  6 8 8F 1000 R ( ((rC)F)FT)r )rr%rRrrrrrHrer collectionsr functoolsrpathlibrtypingrrr r cldetectlibrcl_proc_hidepidr clcommon.clpwdr r clcommon.cpapirrclcommon.lib.cleditionrrclcommon.lib.cmt_utilsrrclcommon.lib.constsrrclcommon.lib.jwt_tokenrclcommon.lib.whmapi_librrclcommon.utilsrrrrrrrcllimits_validatorr clsentry.utilsr!r"r#r$r%rrrcl_plus_doc_linkrrrrvrr( SUEXEC_PATH SUPHP_PATHrrrr>r\rmrqr|rrrvrrrrrrrrrrrrrrrrrr/rVrmrryrrrrrrrrrrr"rrrrrrr rrr!r(r,r/rDrCrArCs   """"""000000000000::::::11111111>>>>>>>>NNNNNNNNLKKKKKKK222222>>>>>>>>0/////......******   +C"A(JG5EGGp' S] J     -$% $#"#!   &#0 #"!"     2$$ 3%%! /*,@    ^E$ *=$>D.  '(("7"7)("7JssyB  LMM% H H&%NM H  KLL%AA&%MLA2  FGG%AA&%HGA  tuu%ss&%vus"  PQQ""RQ"(  STTNNUTN0,,,2  +,,;;-,;  *++::,+:  *++ e e,+ e  9::==;:=$  344Q0Q054Q0h  &''(U(U('(UV  566BEBE76BEJ  344))54)@4+ PPP!!!D     12232.  566%%76%P  -..--/.-"*** 8 S    Scc@     $"  VWWc-c-XWc-L     tHD&1A,BHHHH2tHVDT?UZ^<  011))21)2  +,, )y ) ) )-, ) ) )rC