# coding=utf-8
# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2018 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENSE.TXT
# This module provides functions for secure I/O and filesystem operations
import grp
import sys
import tempfile
import contextlib
import os
from functools import lru_cache
from typing import TYPE_CHECKING
from ctypes import (cdll, c_long, Structure, c_ushort, c_ubyte, c_char, POINTER,
c_int, c_void_p, c_char_p)
from clcommon import ClPwd
from clcommon.clpwd import drop_user_privileges
def __getattr__(name):
# NOTE(vlebedev): Delay shared libraries loading until they are actually used.
# It makes module loadable even in case those shared libraries are not available
# and that is useful for e.g. unit testing on local non-CL system.
if name == 'libc':
return _load_libc()
elif name == 'liblve':
return _load_liblve()
raise AttributeError(f"module {__name__} has no attribute {name}")
def __dir__():
return ['libc', 'liblve', *globals().keys()]
# --- libc functions -----------------------------------------------
@lru_cache(maxsize=None)
def _load_libc():
libc = cdll.LoadLibrary("libc.so.6")
libc.fchown.argtypes = [c_int, c_int, c_int]
libc.fchown.restype = c_int
libc.fchmod.argtypes = [c_int, c_int]
libc.fchmod.restype = c_int
# accepts file/dir descriptor (integer)
libc.fdopendir.argtypes = [c_int]
# returns pointer to DIR structure
libc.fdopendir.restype = c_void_p
# accepts pointer to DIR structure
libc.readdir.argtypes = [c_void_p]
# returns pointer to DIRENTRY structure
libc.readdir.restype = DIRENTRY_P
# accepts pointer to DIR structure
libc.rewinddir.argtypes = [c_void_p]
# returns void
libc.rewinddir.restype = None
# accepts pointer to DIR structure
libc.closedir.argtypes = [c_void_p]
libc.closedir.restype = c_int
return libc
if TYPE_CHECKING:
libc = _load_libc()
ino_t = c_long
off_t = c_long
class DIRENTRY(Structure):
_fields_ = [
('d_ino', ino_t), # inode number
('d_off', off_t), # offset to the next dirent
('d_reclen', c_ushort), # length of this record
('d_type', c_ubyte), # type of file; not supported by all file system types
('d_name', c_char * 256), # filename
]
DIRENTRY_P = POINTER(DIRENTRY)
def fchown(fd, uid, gid):
return _load_libc().fchown(fd, uid, gid)
def fchmod(fd, mode):
return _load_libc().fchmod(fd, mode)
def fdopen(fd):
return _load_libc().fdopen(fd)
def readdir(dirp):
return _load_libc().readdir(dirp)
def rewinddir(dirp):
return _load_libc().rewinddir(dirp)
def closedir(dirp):
return _load_libc().closedir(dirp)
class StubLVE:
"""Stub implementation of LVE functions for systems without liblve"""
def open_not_symlink(self, path, parent_path):
return -1
def check_dir(self, fd):
return -1
def isdir(self, path, descriptor, parent_path):
return -1
def set_perm_dir_secure(self, path, perm, fd, parent_path):
return -1
def set_owner_dir_secure(self, path, uid, gid, fd, parent_path):
return -1
def create_dir_secure(self, path, perm, uid, gid, fd, parent_path):
return -1
def makedirs_secure(self, path, perm, uid, gid, parent_path):
return -1
def get_path_from_descriptor(self, fd, buf):
return None
def is_subdir(self, dir, subdir):
return 0
def enable_quota_capability(self):
return 0
def disable_quota_capability(self):
return 0
# --- liblve functions -----------------------------------------------
@lru_cache(maxsize=None)
def _load_liblve():
"""Load liblve if available, otherwise return stub implementation"""
try:
liblve = cdll.LoadLibrary("libsecureio.so.0")
except OSError:
try:
liblve = cdll.LoadLibrary("liblve.so.0")
except OSError:
return StubLVE()
# Opens path for reading not following symlinks and verifies that opened path is inside parent_path
# Returns:
# descriptor if successful
# -1 if path does not exist or is a symlink
# -2 if opened path is NOT inside parent_path or cannot be determined
# accepts path, parent_path
liblve.open_not_symlink.argtypes = [c_char_p, c_char_p]
liblve.open_not_symlink.restype = c_int
# Closes descriptor (if it is not equal -1)
# accepts file/dir descriptor (integer)
liblve.closefd.argtypes = [c_int]
# returns void
liblve.closefd.restype = None
# Tries to read first directory entry in order to ensure that descriptor is valid
# Returns 0 if reading succeeded or -1 if error has occured
# accepts descriptor
liblve.check_dir.argtypes = [c_int]
liblve.check_dir.restype = c_int
# Checks if path is a directory (in secure manner)
# Also opens path (if descriptor fd == -1) and then checks that opened path is inside parent_path
# Returns descriptor if path refers to directory
# Returns -1 if path does not exist or is not a directory
# Returns -2 if opened path is NOT inside parent_path or cannot be determined
# accepts path, descriptor, parent_path
liblve.isdir.argtypes = [c_char_p, c_int, c_char_p]
liblve.isdir.restype = c_int
# Sets permissions to directory (in secure manner)
# Returns descriptor if successful
# Returns -1 if error has occured
# Returns -2 if opened path is NOT inside parent_path or cannot be determined
# accepts: const char *path, mode_t perm, int fd, const char *parent_path
liblve.set_perm_dir_secure.argtypes = [c_char_p, c_int, c_int, c_char_p]
liblve.set_perm_dir_secure.restype = c_int
# Sets owner and group of directory (in secure manner)
# Returns descriptor if successful
# Returns -1 if error has occured
# Returns -2 if opened path is NOT inside parent_path or cannot be determined
# accepts: const char *path, uid_t uid, gid_t gid, int fd, const char *parent_path
liblve.set_owner_dir_secure.argtypes = [c_char_p, c_int, c_int, c_int, c_char_p]
liblve.set_owner_dir_secure.restype = c_int
# Creates directory if it does not exist, sets permissions/owner otherwise
# Returns descriptor if successful
# Returns -1 if error has occured
# accepts: const char *path, mode_t perm, uid_t uid, gid_t gid, int fd, const char *parent_path
liblve.create_dir_secure.argtypes = [c_char_p, c_int, c_int, c_int, c_int, c_char_p]
liblve.create_dir_secure.restype = c_int
# Recursive directory creation function
# Returns 0 if successful
# Returns -1 if error has occured
# accepts: const char *path, mode_t perm, uid_t uid, gid_t gid, const char *parent_path
liblve.makedirs_secure.argtypes = [c_char_p, c_int, c_int, c_int, c_char_p]
liblve.makedirs_secure.restype = c_int
# Writes absolute path pointed by descriptor fd to buffer *buf
# Returns buf if successful
# Returns NULL if error has occured
liblve.get_path_from_descriptor.argtypes = [c_int, c_char_p]
liblve.get_path_from_descriptor.restype = c_char_p
# Returns 1 if subdir is subdirectory of dir, 0 otherwise
liblve.is_subdir.argtypes = [c_char_p, c_char_p]
liblve.is_subdir.restype = c_int
return liblve
if TYPE_CHECKING:
liblve = _load_liblve()
def _open_not_symlink(path, parent_path):
return _load_liblve().open_not_symlink(path, parent_path)
def check_dir(fd):
return _load_liblve().check_dir(fd)
def isdir(path, descriptor, parent_path):
return _load_liblve().isdir(path, descriptor, parent_path)
def get_path_from_descriptor(fd, buf):
return _load_liblve().get_path_from_descriptor(fd, buf)
def is_subdir(dir, subdir):
return _load_liblve().is_subdir(dir, subdir)
# True : euid/egid == 0/0
# False : euid/egid == user/user
# set by set_user_perm() and set_root_perm() functions
root_flag = True
LOGFILE = "/var/log/cagefs-update.log"
MIN_UID = 500
SILENT_FLAG = False
def open_not_symlink(path):
return os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
def open_file_not_symlink(path):
return os.fdopen(open_not_symlink(path), 'r')
def flistdir(fd):
"""Returns list of entries of directory pointed by descriptor"""
# Duplicate descriptor, because closedir() closes descriptor associated with directory stream
fd2 = os.dup(fd)
# Open directory stream
dirp = fdopendir(fd2) # NOQA
if not dirp:
raise RuntimeError("fdopendir error")
# Reset position of directory stream
# (so it will be possible to read content of directory multiple times
# via other descriptors that refer to the directory)
rewinddir(dirp)
dirlist = []
while True:
entryp = readdir(dirp)
if not entryp:
break
entry = entryp.contents
dirlist.append(entry.d_name)
rewinddir(dirp)
closedir(dirp)
return dirlist
def closefd(fd):
if fd is not None:
try:
os.close(fd)
except OSError:
pass
def set_perm_dir_secure(path, perm, parent_path, fd=None, logger=None):
"""Sets permissions to directory (in secure manner)
Returns descriptor if successful
Returns None if error has occured"""
if fd is None:
fd = -1
fd = _load_liblve().set_perm_dir_secure(path.encode(), perm, fd, parent_path.encode())
if fd > 0:
return fd
if logger is not None:
logger('Error: failed to set permissions of directory ' + path, False, True)
return None
def set_owner_dir_secure(path, uid, gid, parent_path, fd=None, logger=None):
"""Sets owner and group of directory (in secure manner)
Returns descriptor if successful
Returns None if error has occured"""
if fd is None:
fd = -1
fd = _load_liblve().set_owner_dir_secure(path.encode(), uid, gid, fd, parent_path.encode())
if fd > 0:
return fd
if logger is not None:
logger('Error: failed to set owner of directory ' + path, False, True)
return None
def create_dir_secure(path, perm, uid, gid, parent_path, fd=None, logger=None):
"""Creates directory if it does not exist, sets permissions/owner otherwise
Returns descriptor if successful
Returns None if error has occured"""
if fd is None:
fd = -1
fd = _load_liblve().create_dir_secure(path.encode(), perm, uid, gid, fd, parent_path.encode())
if fd > 0:
return fd
if logger is not None:
logger('Error : failed to create directory ' + path, False, True)
return None
def makedirs_secure(path, perm, uid, gid, parent_path, logger=None):
"""Recursive directory creation function
Returns 0 if successful
Returns -1 if error has occured"""
res = _load_liblve().makedirs_secure(path.encode(), perm, uid, gid, parent_path.encode())
if res and logger:
logger('Error : failed to create directory ' + path, False, True)
return res
def read_file_secure(filename, uid=None, gid=None, exit_on_error=True, write_log=True):
"""read file not following symlinks"""
if (uid is None and gid is not None) or (uid is not None and gid is None):
raise RuntimeError("read_file_secure: uid and gid should be both null or be both not null")
drop_perm = (uid is not None) and (gid is not None)
if drop_perm:
set_user_perm(uid, gid)
try:
file_object = open_file_not_symlink(filename)
content = file_object.readlines()
file_object.close()
if drop_perm:
set_root_perm()
return content
except (OSError, IOError) as e:
if drop_perm:
set_root_perm()
logging('Error: failed to read ' + filename + ' : ' + str(e), SILENT_FLAG, 1, write_log)
if not exit_on_error:
raise
sys.exit(1)
def write_file_secure(content, ini_path, uid, gid, drop_perm=True, perm=0o644, write_log=True):
"""Returns True if error has occured"""
dirpath = os.path.dirname(ini_path)
if drop_perm:
set_user_perm(uid, gid)
fd = None
temp_path = None
try:
fd, temp_path = tempfile.mkstemp(prefix='cagefs_', dir=dirpath)
file_object = os.fdopen(fd, 'w')
file_object.write(''.join(content))
if not drop_perm and uid is not None and gid is not None:
if fchown(fd, uid, gid):
raise OSError('fchown failed')
if fchmod(fd, perm):
raise OSError('fchmod failed')
file_object.close()
except (IOError, OSError) as e:
try:
file_object.close()
except Exception:
pass
try:
os.close(fd)
except Exception:
pass
try:
os.unlink(temp_path)
except Exception:
pass
if drop_perm:
set_root_perm()
logging(
f"Error: failed to write file {ini_path} : {str(e).replace('Errno', 'Err code')}",
SILENT_FLAG,
1,
write_log,
)
return True
except Exception as e:
logging(f'Error: {str(e)}', SILENT_FLAG, 1)
sys.exit(1)
error = False
try:
os.rename(temp_path, ini_path)
except OSError as e:
error = True
logging('Error: failed to rename tempfile to ' + ini_path + ' : ' + str(e), SILENT_FLAG, 1, write_log)
try:
os.unlink(temp_path)
except OSError:
pass
if drop_perm:
set_root_perm()
return error
def write_file_via_tempfile(
content, dest_path, perm, prefix='', suffix='', as_user=None):
"""
Safely write string content to a file
:param content: str
:param dest_path: str -> path to a file
:param perm: int -> permissions for the file
:param prefix: str -> add to temporary file name
:param suffix: str -> add to temporary file name
:param as_user: str -> name of the user to drop privileges to
"""
if as_user is not None:
old_groups = os.getgroups()
drop_user_privileges(as_user, effective_or_real=True, set_env=False)
dirpath = os.path.dirname(dest_path)
fd, temp_path = None, None
try:
fd, temp_path = tempfile.mkstemp(
prefix=prefix, suffix=suffix, dir=dirpath)
with os.fdopen(fd, 'w', errors='surrogateescape') as f_temp:
f_temp.write(content)
except (IOError, OSError):
if fd is None or temp_path is None:
raise
try:
os.close(fd)
except (IOError, OSError):
pass
try:
os.unlink(temp_path)
except (IOError, OSError):
pass
raise
try:
os.chmod(temp_path, perm)
os.rename(temp_path, dest_path)
except (OSError, IOError, TypeError):
try:
os.unlink(temp_path)
except (OSError, IOError):
pass
raise
if as_user is not None:
ruid = os.getuid()
os.seteuid(ruid)
os.setegid(os.getgid())
# All of the above can be called from user named as_user
if ruid == 0:
os.setgroups(old_groups)
def set_user_perm(uid, gid, exit=True):
global root_flag
try:
os.setegid(gid)
except (OSError,) as e:
if exit:
print_error('failed to set egid to ' + str(gid) + ': ' + str(e))
sys.exit(1)
else:
return -1
groups = get_groups(uid, gid)
try:
os.setgroups(groups)
except (OSError,) as e:
if exit:
print_error('failed to set supplementary groups to :', groups, str(e))
sys.exit(1)
else:
return -1
try:
os.seteuid(uid)
except (OSError,) as e:
if exit:
print_error('failed to set euid to ' + str(uid) + ': ' + str(e))
sys.exit(1)
else:
return -1
if uid == 0:
root_flag = True
else:
# If it's possible, switch on CAP_SYS_RESOURCE
_load_liblve().enable_quota_capability()
root_flag = False
def set_root_perm(exit=True):
global root_flag
try:
os.seteuid(0)
except (OSError,) as e:
if exit:
print_error('failed to set euid to 0 :', str(e))
sys.exit(1)
else:
return -1
try:
os.setegid(0)
except (OSError,) as e:
if exit:
print_error('Error: failed to set egid to 0 :', str(e))
sys.exit(1)
else:
return -1
groups = get_groups(0, 0)
try:
os.setgroups(groups)
except (OSError,) as e:
if exit:
print_error('Error: failed to set supplementary groups to :', groups, str(e))
sys.exit(1)
else:
return -1
root_flag = True
def print_error(*args):
print("Error:", end=' ', file=sys.stderr)
for a in args:
print(a, end=' ', file=sys.stderr)
print(file=sys.stderr)
def get_groups(uid, gid):
"""Returns supplementary groups for uid"""
gr = get_grp_dict()
pw = get_pwd_dict()
groups = set()
for group in gr:
members = gr[group].gr_mem
for user in members:
try:
member_uid = pw[user].pw_uid
except KeyError:
continue
if member_uid == uid:
groups.add(gr[group].gr_gid)
groups.add(gid)
return list(groups)
grp_dict = None
def get_grp_dict():
global grp_dict
if grp_dict is None:
grp_dict = {}
gr = grp.getgrall()
for line in gr:
grp_dict[line.gr_name] = line
return grp_dict
clpwd = ClPwd(min_uid=MIN_UID)
def get_pwd_dict():
return clpwd.get_user_dict()
log_file = None
def logging(msg, silent=False, verbose=True, write_log=True):
global log_file
if not silent:
if verbose:
print(msg)
if write_log:
root_flag_saved = root_flag
if not root_flag:
uid, gid = get_perm()
set_root_perm()
try:
if log_file is None:
umask_saved = os.umask(0o22)
# log_file is opened in "line buffered" mode
log_file = open(LOGFILE, 'w', 1) # NOQA
os.umask(umask_saved)
log_file.write(msg)
log_file.write("\n")
except (OSError, IOError) as e:
print_error("writing to ", LOGFILE, str(e))
sys.exit(1)
if not root_flag_saved:
set_user_perm(uid, gid)
def get_perm():
try:
uid = os.geteuid()
gid = os.getegid()
except (OSError,) as e:
print_error('failed to get (euid,egid)', str(e))
sys.exit(1)
return uid, gid
def set_capability(clear=False):
"""
Set CAP_SYS_RESOURCE capability
:param bool clear: Set on if it's true, set off otherwise
:return: 0 for success, -1 otherwise
:rtype: int
"""
return _load_liblve().disable_quota_capability() if clear \
else _load_liblve().enable_quota_capability()
def change_uid(uid):
"""
Change effective uid of current process and set CAP_SYS_RESOURCE capbality
to prevent "Disk quota exceeded" error
:param int euid: User ID to set it as current effective UID
:return: 0 if capability was set successfuly, -1 otherwise
:rtype: int
"""
os.seteuid(uid)
return set_capability()
def _set_quota_checks_status(enabled):
"""
Disable quota kernel check to allow us to write
more than user can by quota.
"""
if not enabled:
_load_liblve().enable_quota_capability()
else:
_load_liblve().disable_quota_capability()
@contextlib.contextmanager
def disable_quota():
_set_quota_checks_status(enabled=False)
try:
yield
finally:
_set_quota_checks_status(enabled=True)
@contextlib.contextmanager
def set_umask(umask_value):
saved_umask = os.umask(umask_value)
try:
yield
finally:
os.umask(saved_umask)