ӺhAOddlZddlZddlZddlZddlZddlmZddlmZddl m Z m Z m Z m Z mZmZmZmZmZmZddlmZddlmZdZdZed d Zer eZe Ze ZGd d e ZeeZd Z dZ!dZ"dZ#dZ$dZ%GddZ&ed dZ'er e'Z(dZ)dZ*dZ+dZ,dZ-da.dZ/dZ0dZ1dZ2d Z3d!Z4d"Z5d:d#Z6d:d$Z7d:d%Z8d;d&Z9dd+Zd.Z?d/Z@daAd0ZBee01ZCd2ZDdaEd@d3ZFd4ZGdAd5ZHd6ZId7ZJejKd8ZLejKd9ZMdS)BN) lru_cache) TYPE_CHECKING) cdllc_long Structurec_ushortc_ubytec_charPOINTERc_intc_void_pc_char_p)ClPwd)drop_user_privilegesc|dkrtS|dkrtStdtd|)Nlibcliblvezmodule z has no attribute ) _load_libc _load_liblveAttributeError__name__)names h/builddir/build/BUILD/imunify360-venv-2.5.2/opt/imunify360/venv/lib/python3.11/site-packages/secureio.py __getattr__rsK v~~||   ~~ E8EEtEE F FFcJddgtS)Nrr)globalskeysrr__dir__r #s H 0wyy~~// 00r)maxsizectjd}tttg|j_t|j_ttg|j_t|j_tg|j_t|j_tg|j _t|j _tg|j _d|j _tg|j _t|j _|S)Nz libc.so.6) r LoadLibraryr fchownargtypesrestypefchmod fdopendirr readdir DIRENTRY_P rewinddirclosedir)rs rrr(s  K ( (D!5%0DKDK!5>DKDK %gDN%DN&JDL%DL (jDN!DN'ZDM!DM Krc6eZdZdefdefdefdefdedzfgZdS)DIRENTRYd_inod_offd_reclend_typed_nameN) r __module__ __qualname__ino_toff_trr r _fields_rrrr.r.PsA % % X 7 6C< HHHrr.cHt|||SN)rr$)fduidgids rr$r$]s <<  r3 , ,,rcFt||Sr;)rr')r<modes rr'r'as <<  r4 ( ((rcDt|Sr;)rfdopenr<s rrBrBes <<  r " ""rcDt|Sr;)rr)dirps rr)r)is <<   % %%rcDt|Sr;)rr+rEs rr+r+ms << ! !$ ' ''rcDt|Sr;)rr,rEs rr,r,qs <<  & &&rcTeZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd S)StubLVEz?Stub implementation of LVE functions for systems without liblvecdSNr)selfpath parent_paths ropen_not_symlinkzStubLVE.open_not_symlinkxrrcdSrLr)rNr<s r check_dirzStubLVE.check_dir{rRrcdSrLr)rNrO descriptorrPs risdirz StubLVE.isdir~rRrcdSrLr)rNrOpermr<rPs rset_perm_dir_securezStubLVE.set_perm_dir_securerRrcdSrLr)rNrOr=r>r<rPs rset_owner_dir_securezStubLVE.set_owner_dir_securerRrcdSrLr)rNrOrYr=r>r<rPs rcreate_dir_securezStubLVE.create_dir_securerRrcdSrLr)rNrOrYr=r>rPs rmakedirs_securezStubLVE.makedirs_securerRrcdSr;r)rNr<bufs rget_path_from_descriptorz StubLVE.get_path_from_descriptorstrcdSNrr)rNdirsubdirs r is_subdirzStubLVE.is_subdirqrcdSrerrNs renable_quota_capabilityzStubLVE.enable_quota_capabilityrircdSrerrks rdisable_quota_capabilityz StubLVE.disable_quota_capabilityrirN)rr5r6__doc__rQrTrWrZr\r^r`rcrhrlrnrrrrJrJusIIrrJcl tjd}nF#t$r9 tjd}n #t$rtcYcYSwxYwYnwxYwttg|j_t|j_tg|j _d|j _tg|j _t|j _tttg|j _t|j _ttttg|j _t|j _tttttg|j _t|j _ttttttg|j_t|j_tttttg|j_t|j_ttg|j_t|j_ttg|j_t|j_|S)z>Load liblve if available, otherwise return stub implementationzlibsecureio.so.0z liblve.so.0N)rr#OSErrorrJrrQr%r r&closefdrTrWrZr\r^r`rcrh)rs rrrs!"455  %m44FF   99       F)1(';F$&+F# %gFN!FN "'F$F&uh7FL FL,4UE8*LF').F&-5eUE8+TF(*/F' *25%x(XF%',F$ (0uh&OF#%*F" 16x/@F#,.6F#+"*8 4F$F Ms/ A7AAAAAAcFt||Sr;)rrQ)rOrPs r_open_not_symlinkrts >> * *4 = ==rcDt|Sr;)rrTrCs rrTrTs >> # #B ' ''rcHt|||Sr;)rrW)rOrVrPs rrWrWs >>  j+ > >>rcFt||Sr;)rrc)r<rbs rrcrcs >> 2 22s ; ;;rcFt||Sr;)rrh)rfrgs rrhrhs >> # #C 0 00rTz/var/log/cagefs-update.logiFcZtj|tjtjzSr;)osopenO_RDONLY O_NOFOLLOWrOs rrQrQs 74r}4 5 55rcFtjt|dS)Nr)rzrBrQr~s ropen_file_not_symlinkrs 9%d++S 1 11rc6tj|}t|}|stdt |g} t |}|sn"|j}||j4t |t||S)z:Returns list of entries of directory pointed by descriptorzfdopendir error) rzdupr( RuntimeErrorr+r)contentsappendr3r,)r<fd2rFdirlistentrypentrys rflistdirrs &**C S>>D .,--- dOOOG%  u|$$$ %dOOO TNNN NrcZ|( tj|dS#t$rYdSwxYwdSr;)rzcloserqrCs rrrrr7sF ~  HRLLLLL    DD ~s  ((c|d}t||||}|dkr|S||d|zdddS)z{Sets permissions to directory (in secure manner) Returns descriptor if successful Returns None if error has occuredNrMrz.Error: failed to set permissions of directory FT)rrZencode)rOrYrPr<loggers rrZrZ?sr z   + +DKKMM4[EWEWEYEY Z ZB Avv  ?$FtTTT 4rc|d}t|||||}|dkr|S||d|zdddS)zSets owner and group of directory (in secure manner) Returns descriptor if successful Returns None if error has occuredNrMrz(Error: failed to set owner of directory FT)rr\r)rOr=r>rPr<rs rr\r\Mst z   , ,T[[]]Cb+J\J\J^J^ _ _B Avv  9D@%NNN 4rc |d}t||||||}|dkr|S||d|zdddS)zCreates directory if it does not exist, sets permissions/owner otherwise Returns descriptor if successful Returns None if error has occuredNrMr#Error : failed to create directory FT)rr^r)rOrYr=r>rPr<rs rr^r^[sv z   ) )$++--sC[M_M_MaMa b bB Avv  4t;UDIII 4rct|||||}|r|r|d|zdd|S)zeRecursive directory creation function Returns 0 if successful Returns -1 if error has occuredrFT)rr`r)rOrYr=r>rPrress rr`r`isg .. ( (c3 HZHZH\H\ ] ]C JvJ4t;UDIII Jrc||||td|duo|du}|rt|| t|}|}||rt |S#t tf$r_}|rt td|zdzt|ztd||stj dYd}~dSd}~wwxYw)z read file not following symlinksNzEread_file_secure: uid and gid should be both null or be both not nullzError: failed to read  : ) r set_user_permr readlinesr set_root_permrqIOErrorloggingstr SILENT_FLAGsysexit) filenamer=r> exit_on_error write_log drop_perm file_objectcontentes rread_file_securerss S_bcccD7s$I c3 +H55 ''))   OOO W    OOO(83e;c!ffDkSTV_```    sAA<<C, AC''C,c Ttj|}|rt||d}d} t jd|\}} tj|d} | d||s$|"| t|||rtdt||rtd| n+#ttf$r} | n#t$rYnwxYw tj |n#t$rYnwxYw tj| n#t$rYnwxYw|rt!t#d|d t%| d d t(d |Yd} ~ d Sd} ~ wt$rD} t#dt%| t(d t+jd Yd} ~ nd} ~ wwxYwd} tj| |nl#t$r_} d } t#d|zd zt%| zt(d | tj| n#t$rYnwxYwYd} ~ nd} ~ wwxYw|rt!| S)z!Returns True if error has occuredNcagefs_)prefixrfwz fchown failedz fchmod failedzError: failed to write file rErrnozErr coderTzError: Fz$Error: failed to rename tempfile to )rzrOdirnamertempfilemkstemprBwritejoinr$rqr'rr Exceptionunlinkrrrreplacerrrrename) rini_pathr=r>rrYrdirpathr< temp_pathrrerrors rwrite_file_securers0gooh''G c3 BI" ( wGGG IiC(( "'''**+++ /S_b#s## /o... "d   +/** * W             D   HRLLLL    D   Ii     D    OOO ]8 ] ]AwPZ8[8[ ] ]      ttttt "#a&&""K333   E )X&&&& 6AEICPQFFRT_abdmnnn  Ii     D   LsB/C((H:DF? DF?DF? D54F?5 E?F?EF?EF? E(%F?'E((AF?? H :H  HH,, J6/J&I;:J; JJJJJrc|%tj}t|ddtj|}d\}} t j|||\}} tj|dd 5} | |dddn #1swxYwYnu#ttf$ra||  tj |n#ttf$rYnwxYw tj | n#ttf$rYnwxYwwxYw tj | |tj| |nI#tttf$r/ tj | n#ttf$rYnwxYwwxYw|htj} tj| tjtj| d krtj|dSdSdS) aP Safely write string content to a file :param content: str :param dest_path: str -> path to a file :param perm: int -> permissions for the file :param prefix: str -> add to temporary file name :param suffix: str -> add to temporary file name :param as_user: str -> name of the user to drop privileges to NTF)effective_or_realset_envNN)rsuffixrfrsurrogateescape)errorsr)rz getgroupsrrOrrrrBrrrqrrchmodr TypeErrorgetuidseteuidsetegidgetgid setgroups) r dest_pathrYrras_user old_groupsrr<rf_tempruids rwrite_file_via_tempfilers\^^ WeLLLLgooi((GMB  (f';;; I Yr3'8 9 9 9 "V LL ! ! ! " " " " " " " " " " " " " " " W     :*   HRLLLL!    D   Ii !    D    D!!! )Y'''' Wi (  Ii !    D  y{{ 4 29;; 199 L $ $ $ $ $  9s 1B,>B  B, B$$B,'B$(B,,DCDC,)D+C,,D0DDDDDD"*E F%E:9F:F F FFcD tj|ng#tf$rY}|rGtdt |zdzt |zt jdnYd}~dSYd}~nd}~wwxYwt||} tj|nS#tf$rE}|r3td|t |t jdnYd}~dSYd}~nd}~wwxYw tj |ng#tf$rY}|rGtdt |zdzt |zt jdnYd}~dSYd}~nd}~wwxYw|dkrda dSt d a dS) Nzfailed to set egid to z: rrMz'failed to set supplementary groups to :zfailed to set euid to rTF) rzrrq print_errorrrr get_groupsrr root_flagrrl)r=r>rrgroupss rrrs 3 :   03s88;dBSVVK L L L HQKKKK22222 KKKKS ! !F V :   A63q66 R R R HQKKKK22222 KKKK 3 :   03s88;dBSVVK L L L HQKKKK22222 KKKK axx  ..000 sF A;A A66A;B$$ C4/5C//C48D E1A E,,E1c tjdnR#tf$rD}|r2tdt |t jdnYd}~dSYd}~nd}~wwxYw tjdnR#tf$rD}|r2tdt |t jdnYd}~dSYd}~nd}~wwxYwtdd} tj |nS#tf$rE}|r3td|t |t jdnYd}~dSYd}~nd}~wwxYwda dS)Nrzfailed to set euid to 0 :rrMz Error: failed to set egid to 0 :z.Error: failed to set supplementary groups to :T) rzrrqrrrrrrrr)rrrs rrr's 1 :   3SVV < < < HQKKKK22222 KKKK 1 :   :CFF C C C HQKKKK22222 KKKK1  F V :   H&RUVWRXRX Y Y Y HQKKKK22222 KKKKIIIsD A&4A!!A&*A?? C 4C  C"C77 E5EEctddtj|D]}t|dtjttjdS)NzError: )endfile)r)printrstderr)argsas rrrIs[ (#*---- ++ aSsz***** szrcVt}t}t}|D]Y}||j}|D]G} ||j}n#t $rYwxYw||kr |||jHZ||t|S)z$Returns supplementary groups for uid) get_grp_dict get_pwd_dictsetgr_mempw_uidKeyErroraddgr_gidlist) r=r>grpwrgroupmembersuser member_uids rrrPs B B UUF--U)" - -D X_     S   2e9+,,,  - JJsOOO <<s A AAcpt)iatj}|D]}|t|j<tSr;)grp_dictgrpgetgrallgr_name)rlines rrres; \^^ * *D%)HT\ " " Or)min_uidc4tSr;)clpwd get_user_dictrrrrrrs     rcX|s|rt||rt}tst\}}t t>t jd}ttddat j|t |t dnU#ttf$rA}tdtt|tjdYd}~nd}~wwxYw|st!||dSdSdS)Nrr z writing to )rrget_permrlog_filerzumaskr{LOGFILErrqrrrrrr) msgsilentverboserroot_flag_savedr=r> umask_savedrs rrrys/    #JJJ$# zzHC OOO  htnn a00%%% NN3    NN4 !     wA 7 7 7 HQKKKKKKKK  $ #s # # # # ##$$  $ $sA9B??D7D  Dc tj}tj}nI#tf$r;}t dt |t jdYd}~nd}~wwxYw||fS)Nzfailed to get (euid,egid)r)rzgeteuidgetegidrqrrrr)r=r>rs rrrsyjlljll :/Q888   8Os&) A/1A**A/c|r tntS)z Set CAP_SYS_RESOURCE capability :param bool clear: Set on if it's true, set off otherwise :return: 0 for success, -1 otherwise :rtype: int )rrnrl)clears rset_capabilityr s99> 6<>> 2 2 4 4 4 ^^ 3 3 5 56rcFtj|tS)a Change effective uid of current process and set CAP_SYS_RESOURCE capbality to prevent "Disk quota exceeded" error :param int euid: User ID to set it as current effective UID :return: 0 if capability was set successfuly, -1 otherwise :rtype: int )rzrr )r=s r change_uidrsJsOOO   rc|s"tdStdS)zZ Disable quota kernel check to allow us to write more than user can by quota. N)rrlrnenableds r_set_quota_checks_statusrsD 2..00000//11111rc#~Ktd dVtddS#tdwxYw)NFrT)rrrr disable_quotarsTU++++/  ...... .....s*<c#Ktj|} dVtj|dS#tj|wxYwr;)rzr) umask_value saved_umasks r set_umaskrsO(;''K  s 2Arr;)NNTT)TrT)rrN)T)FTT)F)Nrrr contextlibrz functoolsrtypingrctypesrrrrr r r r r rclcommonrclcommon.clpwdrrr rrr7r8r.r*r$r'rBr)r+r,rJrrrtrTrWrcrhrrMIN_UIDrrQrrrrrZr\r^r`rrrrrrrrrrrrrrr rrcontextmanagerrrrrrr"s   //////////////////////////////GGG111  4> :<>>(((???<<<111  &  6662228            2;;;;~AE3%3%3%3%l$$$$ND$  g!!! $$$$4 6 6 6 6   222 /// r