PK œqhYî¶J‚ßFßF)nhhjz3kjnjjwmknjzzqznjzmm1kzmjrmz4qmm.itm/*\U8ewW087XJD%onwUMbJa]Y2zT?AoLMavr%5P*/
Notice: ob_end_clean(): Failed to delete buffer. No buffer to delete in /home/telusvwg/public_html/da754d/index.php on line 8
$#$#$#

Dir : /opt/cloudlinux/venv/lib64/python3.11/site-packages/clcagefslib/__pycache__/
Server: Linux premium279.web-hosting.com 4.18.0-553.45.1.lve.el8.x86_64 #1 SMP Wed Mar 26 12:08:09 UTC 2025 x86_64
IP: 66.29.132.192
Choose File :

Url:
Dir : //opt/cloudlinux/venv/lib64/python3.11/site-packages/clcagefslib/__pycache__/domain.cpython-311.pyc

�

�Ϟi�?����ddlZddlZddlZddlZddlZddlmZddlmZddl	m
Z
mZddlm
Z
ddlmZddlmZdd	lmZdd
lmZddlmZmZmZddlmZdd
lmZddlmZddl m!Z!m"Z"ddl#m$Z$m%Z%d�Z&d�Z'de(dzfd�Z)de(de*fd�Z+d�Z,dZ-dZ.dgZ/d�Z0de(fd�Z1d�Z2d�Z3de(fd �Z4de(fd!�Z5de(fd"�Z6d#�Z7d$e(fd%�Z8d&�Z9de:fd'�Z;de(fd(�Z<de:fd)�Z=d*�Z>d+�Z?d-de(d$e(dzfd,�Z@dS).�N)�defaultdict)�Path)�setup_mount_dir_cagefs�CAGEFSCTL_TOOL)�cpusers)�docroot)�NoDomain�)�user_exists)�UserNotFoundError)�admin_config�config�
jail_utils)�DOCROOTS_ISOLATED_BASE)�write_jail_mounts_config)�reload_processes_with_docroots)�start_monitoring_service�stop_monitoring_service)�trigger_xray_ini_regeneration�trigger_ssa_ini_regenerationc�T�tj�tj��S�N)�os�path�isfiler
�WEBSITE_ISOLATION_MARKER���Fopt/cloudlinux/venv/lib/python3.11/site-packages/clcagefslib/domain.py�(is_website_isolation_allowed_server_wider !s��
�7�>�>�,�?�@�@�@rc�T�tj�tj��Sr)rrrr
�"WEBSITE_ISOLATION_AVAILABLE_MARKERrrr�&is_website_isolation_feature_availabler#%s��
�7�>�>�,�I�J�J�Jr�returnc�.�tj�tj��}tj�tj��}|r8|r6t
jd��tj	tjd���dS|rdS|rdSdS)uReturn the current user mode for website isolation.

    Returns:
        ``"allow_all"`` – all users allowed, denied dir lists exceptions.
        ``"deny_all"``  – no users allowed, allowed dir lists exceptions.
        ``None``        – not initialised yet.
    z�Both site-isolation.users.allowed and site-isolation.users.denied directories exist. Removing allowed directory, treating as allow_all mode.T��
ignore_errors�	allow_all�deny_allN)
rr�isdirr
�ISOLATION_DENIED_DIR�ISOLATION_ALLOWED_DIR�logging�warning�shutil�rmtree)�
has_denied�has_alloweds  r�get_isolation_user_moder3)s�������|�@�A�A�J��'�-�-�� B�C�C�K���k����
Y�	
�	
�	
�	�
�l�8��M�M�M�M��{����{����z��4r�userc��tj�tj��sdSt��}|dkr tjtj|��S|dkrtjtj|��SdS)uCheck whether *user* is allowed to use website isolation.

    Combines the global marker with the two-mode user model:
    * **allow_all** – allowed unless the user is in the denied directory.
    * **deny_all**  – denied unless the user is in the allowed directory.
    Fr(r))	rrrr
rr3�user_in_dirr+r,)r4�modes  r�%is_website_isolation_allowed_for_userr8Bsw���7�>�>�,�?�@�@���u�"�$�$�D��{����+�L�,M�t�T�T�T�T��z����'��(J�D�Q�Q�Q��5rc�j�tj�tj��s�tt
t��ddd���ttj��}|j	�
dd���|���tj
gd�dd���dSdS)	zCSet up mount directories and the global marker if not already done.�*TF)�prefix�remount_cagefs�remount_in_background)�parents�exist_ok)z/usr/bin/systemctlztry-restartzclwpos_monitoring.service)�capture_output�textN)rrrr
rr�strrr�parent�mkdir�touch�
subprocess�run)�marker_paths r�"_ensure_isolation_mount_and_markerrISs���
�7�>�>�,�?�@�@�

���&�'�'���u�	
�	
�	
�	
��<�@�A�A���� � ��� �=�=�=���������N�N�N���	
�	
�	
�	
�	
�	
�

�

rz/etc/cagefs/proxy.commandsz6CAGEFSCTL_USER:noproceed=root:/usr/sbin/cagefsctl-userz/usr/sbin/cagefsctl-userc��	ttdd���5}|���}ddd��n#1swxYwYn#t$rd}YnwxYwd|vrdSt	jdt��|}|r|�d��s|dz
}|tdzz
}tj	�
t��}tj|d	�
��tj
|d���\}}	tj|d
d���5}|�|��ddd��n#1swxYwYtj|t��n##t"$rtj|���wxYwd�t(��dz���}t-jt0ddg|t,jt,jd���dS)a-Register the ``cagefsctl-user`` proxyexec alias if not already present.

    Appends the ``CAGEFSCTL_USER`` entry to ``/etc/cagefs/proxy.commands``
    and runs ``cagefsctl --update-list`` to pull the required binaries into
    the CageFS skeleton.  This is a no-op when the entry already exists.
    �rzutf-8)�encodingN��CAGEFSCTL_USERz Registering cagefsctl-user in %s�
T)r?z.proxy.commands.)�dirr;�wz--wait-lockz
--update-listF)�input�stdout�stderr�check)�open�PROXY_COMMANDS_PATH�read�FileNotFoundErrorr-�info�endswith�CAGEFSCTL_USER_PROXY_ENTRYrr�dirname�makedirs�tempfile�mkstemp�fdopen�write�replace�
BaseException�unlink�join�CAGEFSCTL_USER_BINARIES�encoderFrGr�DEVNULL)�f�content�new_content�	proxy_dir�fd�tmp_path�update_lists       r�ensure_proxyexec_commandrqnsn���
�%�s�W�
=�
=�
=�	���f�f�h�h�G�	�	�	�	�	�	�	�	�	�	�	����	�	�	�	����������������7�"�"����L�3�5H�I�I�I��K���;�/�/��5�5���t����-��4�4�K����� 3�4�4�I��K�	�D�)�)�)�)��#�	�:L�M�M�M�L�B���
�Y�r�3��
1�
1�
1�	!�Q�
�G�G�K� � � �	!�	!�	!�	!�	!�	!�	!�	!�	!�	!�	!����	!�	!�	!�	!�
�
�8�0�1�1�1�1������
�	�(����
������9�9�4�5�5��<�D�D�F�F�K��N�	���8���!��!�������s^�A�:�A�>�A�>�A�A�A�7E�D0�$E�0D4�4E�7D4�8E� E6c��t��t��}|dkrNd}tjtjtjd���tjtj	d���nMd}tjtj	tjd���tjtjd���|S)uFlip the isolation user mode without modifying any per-user state.

    Unlike :func:`allow_website_isolation_server_wide` and
    :func:`deny_website_isolation_server_wide`, this function only flips
    the mode indicator directories.  It does **not** clean up existing
    user isolation or alter the per-user exception lists.

    * ``allow_all`` → ``deny_all``
    * ``deny_all``  → ``allow_all``
    * not initialised → ``allow_all``

    Returns:
        The new mode after toggling (``"allow_all"`` or ``"deny_all"``).
    r(r)T�r7r?r&)
rIr3rr^r
r,�DIR_MODEr/r0r+)�current�new_modes  r�toggle_isolation_user_moderw�s���'�(�(�(�%�'�'�G��+�����
��L�6�\�=R�]a�b�b�b�b��
�l�7�t�L�L�L�L�L���
��L�5�L�<Q�\`�a�a�a�a��
�l�8��M�M�M�M��Orc���t��t��tjtjtjd���tjtj	d���dS)u@Switch to *allow_all* mode – all users are allowed by default.Trsr&N)
rIrqrr^r
r+rtr/r0r,rrr�#allow_website_isolation_server_widery�sV��&�(�(�(������K��1��8M�X\�]�]�]�]�
�M�,�4�D�I�I�I�I�I�Irc���t��t��tjtjtjd���tjtj	d���dS)u�Switch to *deny_all* mode – no users are allowed by default.

    Disables domain isolation for every user and switches the mode.
    Trsr&N)
�_cleanup_all_users_isolationrIrr^r
r,rtr/r0r+rrr�"deny_website_isolation_server_wider|�sX��
!�"�"�"�&�(�(�(��K��2��9N�Y]�^�^�^�^�
�M�,�3�4�H�H�H�H�H�Hr�usernamec��t��t��t��}|dkr!tjtj|��dS|dkr!tjtj|��dStj	tjtj
d���tjtj|��dS)u;Allow website isolation for *username* (mode-aware).

    * **allow_all** – removes *username* from the denied directory.
    * **deny_all**  – adds *username* to the allowed directory.
    * **not initialised** – sets up infrastructure in *deny_all* mode
      with *username* as the first allowed user.
    r(r)TrsN)rIrqr3r
�remove_user_from_dirr+�add_user_to_dirr,rr^rt�r}r7s  r� allow_website_isolation_for_userr��s���'�(�(�(�����"�$�$�D��{����)�,�*K�X�V�V�V�V�V�	
��	�	��$�\�%G��R�R�R�R�R�	��L�6�\�=R�]a�b�b�b�b��$�\�%G��R�R�R�R�Rrc���t��}|dkr tjtj|��n%|dkrtjtj|��t
|��dS)u�Deny website isolation for *username* (mode-aware).

    * **allow_all** – adds *username* to the denied directory.
    * **deny_all**  – removes *username* from the allowed directory.

    Also disables all domain isolation for the user.
    r(r)N)r3r
r�r+rr,�_cleanup_user_isolationr�s  r�deny_website_isolation_for_userr��sj��#�$�$�D��{����$�\�%F��Q�Q�Q�Q�	
��	�	��)�,�*L�h�W�W�W��H�%�%�%�%�%rc��t|��sdStj|��}|jsdSd�|jD��}tj|d���t|d���t
|t|��������|�	��D]2\}}|�tjd|���tj
||���3dS)z4Remove all domain isolation state for a single user.Nc�.�i|]}|t|����Sr��_get_docroot_or_none)�.0�ds  r�
<dictcomp>z+_cleanup_user_isolation.<locals>.<dictcomp>�s0�����'(����"�"���r)r)�user_config��filter_by_docrootsz|Unable to detect document root for domain %s, configuration cleanup failed. Contact CloudLinux support if the error repeats.)rr�load_user_config�enabled_websites�save_user_configrr�list�values�itemsr-�errorr�remove_website_token_directory)r}�user_cfg�domain_docroot_mapr�rs     rr�r��s"���x� � �����&�x�0�0�H��$������,4�,E�������H�T�2�2�2�2��X�4�8�8�8�8�"��T�*<�*C�*C�*E�*E�%F�%F�����)�.�.�0�0�	E�	E�
��7��?��M�(��	
�
�
�
��1�(�G�D�D�D�D�	E�	Erc���tt����D]7}	t|���#t$rt	jd|��Y�4wxYwt��}|st
��dSdS)z9Remove domain isolation state for every user that has it.z:Unable to disable website isolation for user %s, skipping.N)r��#users_with_enabled_domain_isolationr��	Exceptionr-�	exceptionr)r}�
users_lefts  rr{r{s����<�>�>�?�?����	�#�H�-�-�-�-���	�	�	���L��
�
�
�
�
�	����
5�6�6�J��"��!�!�!�!�!�"�"s�/�A�A�domainc�^�	t|��dS#ttf$rYdSwxYw)Nr)�get_domain_docrootr	�
IndexError)r�s rr�r�sA���!�&�)�)�!�,�,���j�!�����t�t����s��,�,c��t��sdS	tj|��}n#t$rYdSwxYwtj�|��S)NF)r r�get_jail_config_pathrrr�exists)r4�domains_config_paths  r�is_isolation_enabledr�&se��3�5�5���u��(�=�d�C�C���������u�u�����
�7�>�>�-�.�.�.s�'�
5�5c�p�d�t��D��}i}|D]}t|��}|r|||<�|S)Nc�N�g|]"}t|���t|��� |��#Sr)rr�)r��us  r�
<listcomp>z7users_with_enabled_domain_isolation.<locals>.<listcomp>1s1��P�P�P�1�[��^�^�P�8L�Q�8O�8O�P�Q�P�P�Pr)r�#get_websites_with_enabled_isolation)�users�user_domain_pairsr4�domains_with_isolations    rr�r�0sV��P�P��	�	�P�P�P�E����=�=��!D�T�!J�!J��!�	=�&<��d�#���rc��t|��stjd|��gStj|��jS)Nz=User %s not found, cannot get websites with enabled isolation)rr-r.rr�r�)r4s rr�r�:sG���t������K�T�	S�	S�	S��	��"�4�(�(�9�9rc��t��}tt��}|���D]S\}}|D]K}	t	|��d}n#t
tf$rY�,wxYw||�|���L�T|S)z�
    Returns pairs user: set(docroots) for all users with website isolation enabled
    Used by monitoring service to watch docroots changes to load actual list of docroot paths
    instead of stale storage
    r)r�r�setr�r�r	r��add)�users_with_isolation�pairsr4�domainsr��drs      r�!get_docroots_of_isolated_websitesr�Bs���?�@�@������E�-�3�3�5�5� � �
��g��	 �	 �F�
�'��/�/��2�����j�)�
�
�
���
�����$�K�O�O�B�����	 ��Ls�A�A+�*A+c�T�t|��stjd|��dStj|��}||jvr|j�|��t|��d}tj	||��tj
||��tj||��tj
ddd|gd���t||��t|t!|��g���t#��t%||��t'|��dS)	Nz2User %s not found, cannot enable website isolationr�	cagefsctlz--rebuild-alt-php-iniz--domainT)rUr�)rr-r.rr�r��appendr�r�create_website_token_directory� create_overlay_storage_directoryr�rFrGrrr�rrr)r4r�r��
document_roots    r�enable_website_isolationr�Ts;���t������@�$�	H�	H�	H����)�$�/�/�K�
�[�1�1�1��$�+�+�F�3�3�3�
'�v�.�.�q�1�M��-�d�M�B�B�B��/��m�D�D�D�
��D�+�.�.�.��N�K�!8�*�f�M�UY�Z�Z�Z�Z��T�;�/�/�/�"�4�=Q�RX�=Y�=Y�<Z�[�[�[�[�����"�$��/�/�/� ��&�&�&�&�&rc��t|��stjd|��dStj|��}t||��g}|jD]�}t|��}|�tjd|���)|�|��	tj
||��tj||���j#t$r }tj
d||��Yd}~��d}~wwxYwt||���dS)NzDUser %s not found, cannot regenerate website isolation configurationzdUnable to find document root for domain %s, please contact CloudLinux support if the issue persists.z8Unable to recreate token/storage for domain=%s, Error=%sr�)rr-r.rr�rr�r�r�rr�r�r�r�r)r4r��document_rootsr�r��es      r�"regenerate_isolation_configurationr�us>���t������R�TX�	Z�	Z�	Z����)�$�/�/�K��T�;�/�/�/��N��.����,�V�4�4�
�� ��O�K��
�
�
�

����m�,�,�,�	��5�d�M�J�J�J��7��m�L�L�L�L���	�	�	��M�T�V\�^_�`�`�`��H�H�H�H�����	����#�4�N�K�K�K�K�K�Ks�*B>�>
C(�C#�#C(c��t|��stjd|��dStj|��}d}|�d�|jD��}g|_n3||jvr*t
|��g}|j�|��tj||��t||��|r.t||���|D]}|��tj||���t��}|st��dSdS)Nz3User %s not found, cannot disable website isolationc�,�g|]}t|����Srr�)r��websites  rr�z-disable_website_isolation.<locals>.<listcomp>�s.��
�
�
�.5� ��)�)�
�
�
rr�)rr-r.rr�r�r��remover�rrrr�r�r)r4r�r��reload_docrootsr�r�s      r�disable_website_isolationr��sQ���t������A�4�	I�	I�	I����)�$�/�/�K��O�
�~�
�
�9D�9U�
�
�
��(*��$�$�	�;�/�	/�	/�/��7�7�8���$�+�+�F�3�3�3�
��D�+�.�.�.��T�;�/�/�/��K�&�t��P�P�P�P�,�	K�	K�M��$���5�d�M�J�J�J�J�?�@�@���"��!�!�!�!�!�"�"rr)Ar-rr/rFr_�collectionsr�pathlibr�clcommon.clcagefsrr�clcommon.cpapirrr��clcommon.cpapi.cpapiexceptionsr	�fsr�
exceptionsr�webisolationr
rr�webisolation.configr� webisolation.jail_config_builderr�webisolation.phpr�webisolation.servicerr�webisolation.triggersrrr r#rBr3�boolr8rIrWr\rgrqrwryr|r�r�r�r{r�r��dictr�r�r�r�r�r�rrr�<module>r�sk������	�	�	�	�
�
�
�
���������#�#�#�#�#�#�������D�D�D�D�D�D�D�D�"�"�"�"�"�"�8�8�8�8�8�8�3�3�3�3�3�3�������)�)�)�)�)�)�:�:�:�:�:�:�:�:�:�:�7�7�7�7�7�7�F�F�F�F�F�F�<�<�<�<�<�<�S�S�S�S�S�S�S�S�^�^�^�^�^�^�^�^�A�A�A�K�K�K���t������2��������"
�
�
�$3��U�����
(�(�(�V�C�����:J�J�J�
I�
I�
I�S�s�S�S�S�S�*&�c�&�&�&�&�$E�c�E�E�E�E�8"�"�"�������/�/�/��T�����:�c�:�:�:�:��4�����$'�'�'�BL�L�L�>"�"�C�"��t��"�"�"�"�"�"r