ѠgNKddlZddlZddlZddlZddlZddlmZddlmZddl m Z m Z m Z m Z mZmZmZmZmZmZddlmZddlmZdZdZed d Zer eZe Ze ZGd d e ZeeZd Z dZ!dZ"dZ#dZ$dZ%ed dZ&er e&Z'dZ(dZ)dZ*dZ+dZ,da-dZ.dZ/dZ0dZ1dZ2dZ3d Z4d8d!Z5d8d"Z6d8d#Z7d9d$Z8d:d%Z9d;d'Z: dd-Z?da@d.ZAee//ZBd0ZCdaDd>d1ZEd2ZFd?d3ZGd4ZHd5ZIejJd6ZKejJd7ZLdS)@N) lru_cache) TYPE_CHECKING) cdllc_long Structurec_ushortc_ubytec_charPOINTERc_intc_void_pc_char_p)ClPwd)drop_user_privilegesc|dkrtS|dkrtStdtd|)Nlibcliblvezmodule z has no attribute ) _load_libc _load_liblveAttributeError__name__)names /builddir/build/BUILDROOT/alt-python27-cllib-3.4.22-1.el8.cloudlinux.x86_64/opt/cloudlinux/venv/lib/python3.11/site-packages/secureio.py __getattr__rsK v~~||   ~~ E8EEtEE F FFcJddgtS)Nrr)globalskeysrr__dir__r #s H 0wyy~~// 00r)maxsizectjd}tttg|j_t|j_ttg|j_t|j_tg|j_t|j_tg|j _t|j _tg|j _d|j _tg|j _t|j _|S)Nz libc.so.6) r LoadLibraryr fchownargtypesrestypefchmod fdopendirr readdir DIRENTRY_P rewinddirclosedir)rs rrr(s  K ( (D!5%0DKDK!5>DKDK %gDN%DN&JDL%DL (jDN!DN'ZDM!DM Krc6eZdZdefdefdefdefdedzfgZdS)DIRENTRYd_inod_offd_reclend_typed_nameN) r __module__ __qualname__ino_toff_trr r _fields_rrrr.r.PsA % % X 7 6C< HHHrr.cHt|||SN)rr$)fduidgids rr$r$]s <<  r3 , ,,rcFt||Sr;)rr')r<modes rr'r'as <<  r4 ( ((rcDt|Sr;)rfdopenr<s rrBrBes <<  r " ""rcDt|Sr;)rr)dirps rr)r)is <<   % %%rcDt|Sr;)rr+rEs rr+r+ms << ! !$ ' ''rcDt|Sr;)rr,rEs rr,r,qs <<  & &&rc( tjd}n$#t$rtjd}YnwxYwttg|j_t |j_t g|j_d|j_t g|j _t |j _tt tg|j _t |j _tt t tg|j _t |j _tt t t tg|j _t |j _tt t t t tg|j _t |j _tt t t tg|j_t |j_t tg|j_t|j_ttg|j_t |j_|S)Nzlibsecureio.so.0z liblve.so.0)rr#OSErrorropen_not_symlinkr%r r&closefd check_dirisdirset_perm_dir_secureset_owner_dir_securecreate_dir_securemakedirs_secureget_path_from_descriptor is_subdir)rs rrrvs1!"455 111!-001)1(';F$&+F# %gFN!FN "'F$F&uh7FL FL,4UE8*LF').F&-5eUE8+TF(*/F' *25%x(XF%',F$ (0uh&OF#%*F" 16x/@F#,.6F#+"*8 4F$F Ms 88cFt||Sr;)rrK)path parent_paths r_open_not_symlinkrXs >> * *4 = ==rcDt|Sr;)rrMrCs rrMrMs >> # #B ' ''rcHt|||Sr;)rrN)rV descriptorrWs rrNrNs >>  j+ > >>rcFt||Sr;)rrS)r<bufs rrSrSs >> 2 22s ; ;;rcFt||Sr;)rrT)dirsubdirs rrTrTs >> # #C 0 00rTz/var/log/cagefs-update.logiFcZtj|tjtjzSr;)osopenO_RDONLY O_NOFOLLOWrVs rrKrKs 74r}4 5 55rcFtjt|dS)Nr)rbrBrKrfs ropen_file_not_symlinkris 9%d++S 1 11rc6tj|}t|}|stdt |g} t |}|sn"|j}||j4t |t||S)z:Returns list of entries of directory pointed by descriptorzfdopendir error) rbdupr( RuntimeErrorr+r)contentsappendr3r,)r<fd2rFdirlistentrypentrys rflistdirrss &**C S>>D .,--- dOOOG%  u|$$$ %dOOO TNNN NrcZ|( tj|dS#t$rYdSwxYwdSr;)rbcloserJrCs rrLrLsF ~  HRLLLLL    DD ~s  ((c|d}t||||}|dkr|S||d|zdddS)z{Sets permissions to directory (in secure manner) Returns descriptor if successful Returns None if error has occuredNrz.Error: failed to set permissions of directory FT)rrOencode)rVpermrWr<loggers rrOrOsr z   + +DKKMM4[EWEWEYEY Z ZB Avv  ?$FtTTT 4rc|d}t|||||}|dkr|S||d|zdddS)zSets owner and group of directory (in secure manner) Returns descriptor if successful Returns None if error has occuredNrwrz(Error: failed to set owner of directory FT)rrPrx)rVr=r>rWr<rzs rrPrP$st z   , ,T[[]]Cb+J\J\J^J^ _ _B Avv  9D@%NNN 4rc |d}t||||||}|dkr|S||d|zdddS)zCreates directory if it does not exist, sets permissions/owner otherwise Returns descriptor if successful Returns None if error has occuredNrwr#Error : failed to create directory FT)rrQrx)rVryr=r>rWr<rzs rrQrQ2sv z   ) )$++--sC[M_M_MaMa b bB Avv  4t;UDIII 4rct|||||}|r|r|d|zdd|S)zeRecursive directory creation function Returns 0 if successful Returns -1 if error has occuredr}FT)rrRrx)rVryr=r>rWrzress rrRrR@sg .. ( (c3 HZHZH\H\ ] ]C JvJ4t;UDIII Jrc||||td|duo|du}|rt|| t|}|}||rt |S#t tf$r_}|rt td|zdzt|ztd||stj dYd}~dSd}~wwxYw)z read file not following symlinksNzEread_file_secure: uid and gid should be both null or be both not nullzError: failed to read  : ) rl set_user_permri readlinesru set_root_permrJIOErrorloggingstr SILENT_FLAGsysexit) filenamer=r> exit_on_error write_log drop_perm file_objectcontentes rread_file_securerJs S_bcccD7s$I c3 +H55 ''))   OOO W    OOO(83e;c!ffDkSTV_```    sAA<<C, AC''C,c Ttj|}|rt||d}d} t jd|\}} tj|d} | d||s$|"| t|||rtdt||rtd| n+#ttf$r} | n#t$rYnwxYw tj |n#t$rYnwxYw tj| n#t$rYnwxYw|rt!t#d|d t%| d d t(d |Yd} ~ d Sd} ~ wt$rD} t#dt%| t(d t+jd Yd} ~ nd} ~ wwxYwd} tj| |nl#t$r_} d } t#d|zd zt%| zt(d | tj| n#t$rYnwxYwYd} ~ nd} ~ wwxYw|rt!| S)z!Returns True if error has occuredNcagefs_)prefixr_wz fchown failedz fchmod failedzError: failed to write file rErrnozErr coderTzError: Fz$Error: failed to rename tempfile to )rbrVdirnamertempfilemkstemprBwritejoinr$rJr'rur Exceptionunlinkrrrreplacerrrrename) rini_pathr=r>rryrdirpathr< temp_pathrrerrors rwrite_file_securercs0gooh''G c3 BI" ( wGGG IiC(( "'''**+++ /S_b#s## /o... "d   +/** * W             D   HRLLLL    D   Ii     D    OOO ]8 ] ]AwPZ8[8[ ] ]      ttttt "#a&&""K333   E )X&&&& 6AEICPQFFRT_abdmnnn  Ii     D   LsB/C((H:DF? DF?DF? D54F?5 E?F?EF?EF? E(%F?'E((AF?? H :H  HH,, J6/J&I;:J; JJJJJrc|%tj}t|ddtj|}d\}} t j|||\}} tj|dd 5} | |dddn #1swxYwYnu#ttf$ra||  tj |n#ttf$rYnwxYw tj | n#ttf$rYnwxYwwxYw tj | |tj| |nI#tttf$r/ tj | n#ttf$rYnwxYwwxYw|htj} tj| tjtj| d krtj|dSdSdS) aP Safely write string content to a file :param content: str :param dest_path: str -> path to a file :param perm: int -> permissions for the file :param prefix: str -> add to temporary file name :param suffix: str -> add to temporary file name :param as_user: str -> name of the user to drop privileges to NTF)effective_or_realset_envNN)rsuffixr_rsurrogateescape)errorsr)rb getgroupsrrVrrrrBrrrJrurchmodr TypeErrorgetuidseteuidsetegidgetgid setgroups) r dest_pathryrras_user old_groupsrr<rf_tempruids rwrite_file_via_tempfilers\^^ WeLLLLgooi((GMB  (f';;; I Yr3'8 9 9 9 "V LL ! ! ! " " " " " " " " " " " " " " " W     :*   HRLLLL!    D   Ii !    D    D!!! )Y'''' Wi (  Ii !    D  y{{ 4 29;; 199 L $ $ $ $ $  9s 1B,>B  B, B$$B,'B$(B,,DCDC,)D+C,,D0DDDDDD"*E F%E:9F:F F FFcD tj|ng#tf$rY}|rGtdt |zdzt |zt jdnYd}~dSYd}~nd}~wwxYwt||} tj|nS#tf$rE}|r3td|t |t jdnYd}~dSYd}~nd}~wwxYw tj |ng#tf$rY}|rGtdt |zdzt |zt jdnYd}~dSYd}~nd}~wwxYw|dkrda dSt d a dS) Nzfailed to set egid to z: rrwz'failed to set supplementary groups to :zfailed to set euid to rTF) rbrrJ print_errorrrr get_groupsrr root_flagrenable_quota_capability)r=r>rrgroupss rrrs 3 :   03s88;dBSVVK L L L HQKKKK22222 KKKKS ! !F V :   A63q66 R R R HQKKKK22222 KKKK 3 :   03s88;dBSVVK L L L HQKKKK22222 KKKK axx  ..000 sF A;A A66A;B$$ C4/5C//C48D E1A E,,E1c tjdnR#tf$rD}|r2tdt |t jdnYd}~dSYd}~nd}~wwxYw tjdnR#tf$rD}|r2tdt |t jdnYd}~dSYd}~nd}~wwxYwtdd} tj |nS#tf$rE}|r3td|t |t jdnYd}~dSYd}~nd}~wwxYwda dS)Nrzfailed to set euid to 0 :rrwz Error: failed to set egid to 0 :z.Error: failed to set supplementary groups to :T) rbrrJrrrrrrrr)rrrs rrrs 1 :   3SVV < < < HQKKKK22222 KKKK 1 :   :CFF C C C HQKKKK22222 KKKK1  F V :   H&RUVWRXRX Y Y Y HQKKKK22222 KKKKIIIsD A&4A!!A&*A?? C 4C  C"C77 E5EEctddtj|D]}t|dtjttjdS)NzError: )endfile)r)printrstderr)argsas rrr s[ (#*---- ++ aSsz***** szrcVt}t}t}|D]Y}||j}|D]G} ||j}n#t $rYwxYw||kr |||jHZ||t|S)z$Returns supplementary groups for uid) get_grp_dict get_pwd_dictsetgr_mempw_uidKeyErroraddgr_gidlist) r=r>grpwrgroupmembersuser member_uids rrr's B B UUF--U)" - -D X_     S   2e9+,,,  - JJsOOO <<s A AAcpt)iatj}|D]}|t|j<tSr;)grp_dictgrpgetgrallgr_name)rlines rrr<s; \^^ * *D%)HT\ " " Or)min_uidc4tSr;)clpwd get_user_dictrrrrrIs     rcX|s|rt||rt}tst\}}t t>t jd}ttddat j|t |t dnU#ttf$rA}tdtt|tjdYd}~nd}~wwxYw|st!||dSdSdS)Nrr z writing to )rrget_permrlog_filerbumaskrcLOGFILErrJrrrrrr) msgsilentverboserroot_flag_savedr=r> umask_savedrs rrrPs/    #JJJ$# zzHC OOO  htnn a00%%% NN3    NN4 !     wA 7 7 7 HQKKKKKKKK  $ #s # # # # ##$$  $ $sA9B??D7D  Dc tj}tj}nI#tf$r;}t dt |t jdYd}~nd}~wwxYw||fS)Nzfailed to get (euid,egid)r)rbgeteuidgetegidrJrrrr)r=r>rs rrrjsyjlljll :/Q888   8Os&) A/1A**A/c|r tntS)z Set CAP_SYS_RESOURCE capability :param bool clear: Set on if it's true, set off otherwise :return: 0 for success, -1 otherwise :rtype: int )rdisable_quota_capabilityr)clears rset_capabilityrts99> 6<>> 2 2 4 4 4 ^^ 3 3 5 56rcFtj|tS)a Change effective uid of current process and set CAP_SYS_RESOURCE capbality to prevent "Disk quota exceeded" error :param int euid: User ID to set it as current effective UID :return: 0 if capability was set successfuly, -1 otherwise :rtype: int )rbrr)r=s r change_uidrsJsOOO   rc|s"tdStdS)zZ Disable quota kernel check to allow us to write more than user can by quota. N)rrrenableds r_set_quota_checks_statusrsD 2..00000//11111rc#~Ktd dVtddS#tdwxYw)NFrT)rrrr disable_quotarsTU++++/  ...... .....s*<c#Ktj|} dVtj|dS#tj|wxYwr;)rbr) umask_value saved_umasks r set_umaskrsO(;''K  s 2Arr;)NNTT)TrT)rrN)T)FTT)F)Mrrr contextlibrb functoolsrtypingrctypesrrrrr r r r r rclcommonrclcommon.clpwdrrr rrr7r8r.r*r$r'rBr)r+r,rrrXrMrNrSrTrrMIN_UIDrrKrirsrLrOrPrQrRrrrrrrrrrrrrrrrrrcontextmanagerrrrrrrs   //////////////////////////////GGG111  4> :<>>(((???<<<111  &  6662228            2;;;;~AE3%3%3%3%l$$$$ND$  g!!! $$$$4 6 6 6 6   222 /// r