CHips L MINI SHELL

CHips L pro

Current Path : /proc/3/cwd/scripts/
Upload File :
Current File : //proc/3/cwd/scripts/fix_reseller_acls

#!/usr/local/cpanel/3rdparty/bin/perl
package scripts::fix_reseller_acls;

# cpanel - scripts/fix_reseller_acls
#                                                    Copyright 2017 cPanel, Inc.
#                                                           All rights Reserved.
# copyright@cpanel.net                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited

use strict;
use warnings;

use Try::Tiny;
use Pod::Usage   ();
use Getopt::Long ();

use Cpanel::Exception    ();
use Cpanel::LoadModule   ();
use Cpanel::ConfigFiles  ();
use Whostmgr::ACLS::Data ();

exit run(@ARGV) unless caller();

sub run {
    my @cmdline_args = @_;

    die Cpanel::Exception::create('RootRequired')->to_string_no_id() unless ( $> == 0 && $< == 0 );
    return Pod::Usage::pod2usage( -exitval => 'NOEXIT', -output => \*STDERR, -verbose => 99, -sections => [qw(NAME DESCRIPTION SYNOPSIS)] ) if !@cmdline_args;

    my $opts = _parse_and_validate_opts( \@cmdline_args );

    # -1 to get the right exit code
    return Pod::Usage::pod2usage( -exitval => 'NOEXIT', -output => \*STDOUT, -verbose => 99, -sections => [qw(NAME DESCRIPTION SYNOPSIS)] ) - 1 if $opts->{'help'};
    return Pod::Usage::pod2usage( -exitval => 'NOEXIT', -verbose => 2 ) - 1 if $opts->{'man'};

    if ( my @enabled_operations = map { __PACKAGE__->can( $_ =~ s/\-/_/gr ) } sort grep { $opts->{'operations'}->{$_} } keys %{ $opts->{'operations'} } ) {
        process_users( $opts->{'resellers'}, \@enabled_operations )
          if $opts->{'resellers'} && scalar @{ $opts->{'resellers'} };

        process_acl_lists( $opts->{'acl-lists'}, \@enabled_operations )
          if $opts->{'acl-lists'} && scalar @{ $opts->{'acl-lists'} };

        return 0;
    }

    die Cpanel::Exception->create_raw("[!] You must specify a operation to perform. See --help\n")->to_string_no_id();
}

sub process_users {
    my $resellers_to_process_ar = shift;
    my $callbacks_ar            = shift;

    Cpanel::LoadModule::load_perl_module('Cpanel::Reseller');
    Cpanel::LoadModule::load_perl_module('Whostmgr::Resellers');

    # TODO: The current interfaces to the RESELLERS_FILE do not provide
    # any way to do a 'mass-edit'. Depending on how slow this process is,
    # we might need to implement one.
    my %current_reseller_acls = Cpanel::Reseller::getresellersaclhash();
    foreach my $reseller ( @{$resellers_to_process_ar} ) {

        # We validated resellers beforehand, but just in case something
        # changed between that check, and the getresellersaclhash call, check again.
        next unless exists $current_reseller_acls{$reseller};
        _output("[*] Processing reseller: '$reseller'...\n");
        foreach my $cr ( @{$callbacks_ar} ) {
            $cr->(
                {
                    name         => $reseller,
                    current_acls => $current_reseller_acls{$reseller},
                }
            );
        }

        # set_reseller_acls requires the ACLs to have a 'acl-' prefix
        Whostmgr::Resellers::set_reseller_acls( $reseller, { map { 'acl-' . $_ => 1 } keys %{ $current_reseller_acls{$reseller} } } );
        _output("[+] Processed reseller: '$reseller'\n");
    }

    return 0;
}

sub process_acl_lists {
    my $acl_lists_to_process_ar = shift;
    my $callbacks_ar            = shift;

    Cpanel::LoadModule::load_perl_module('Whostmgr::ACLS');

    foreach my $acl_list ( @{$acl_lists_to_process_ar} ) {
        my $list_file = "$Cpanel::ConfigFiles::ACL_LISTS_DIR/$acl_list";
        next unless -f $list_file;

        _output("[*] Processing ACL list: '$acl_list'...\n");
        if ( open( my $acl_fh, '<', $list_file ) ) {
            my $acls = { map { split /=/, $_, 2 } grep { !/^\s*$/ } map { s/\n//r } readline($acl_fh) };
            close($acl_fh);

            foreach my $cr ( @{$callbacks_ar} ) {
                $cr->(
                    {
                        name         => $acl_list,
                        current_acls => $acls,
                    }
                );
            }

            Whostmgr::ACLS::save_acl_list(
                'acllist' => $acl_list,
                ( map { 'acl-' . $_ => 1 } grep { $acls->{$_} } keys %{$acls} )
            );

            _output("[+] Processed ACL list: '$acl_list'\n");
        }
        else {
            _output("[!] Failed to process ACL list '$acl_list': $!\n");
        }
    }

    return 0;
}

my $defaults_to_apply_hr;

sub add_default_privs {
    my $to_process_hr = shift;

    $defaults_to_apply_hr //= { map { $_ => 1 } @{ Whostmgr::ACLS::Data::get_default_acls() } };
    _output("\t[*] Adding default privileges to '$to_process_hr->{'name'}'...\n");
    %{ $to_process_hr->{'current_acls'} } = (
        %{ $to_process_hr->{'current_acls'} },
        %{$defaults_to_apply_hr}
    );
    _output("\t[+] Added default privileges to '$to_process_hr->{'name'}'.\n");
    return 1;
}

sub fix_disallow_shell {
    my $to_process_hr = shift;

    _output("\t[*] Fixing 'disallow-shell' privilege for '$to_process_hr->{'name'}'...\n");
    my $had_disallow_shell = delete $to_process_hr->{'current_acls'}->{'disallow-shell'};
    if ( !$had_disallow_shell ) {
        %{ $to_process_hr->{'current_acls'} } = (
            %{ $to_process_hr->{'current_acls'} },
            'allow-shell' => 1,
        );
    }
    _output("\t[+] Fixed 'disallow-shell' privilege for '$to_process_hr->{'name'}'.\n");
    return 1;
}

# for mocking
sub _output { return print @_; }

sub _parse_and_validate_opts {
    my $cmdline_args_ar = shift;

    my $opts = {
        'help'       => 0,
        'man'        => 0,
        'operations' => {
            'add-default-privs'  => 0,
            'fix-disallow-shell' => 0,
        },
        'all-resellers'       => 0,
        'specified_resellers' => {},
        'all-acl-lists'       => 0,
        'specified_acl_lists' => {}
    };
    Getopt::Long::GetOptionsFromArray(
        $cmdline_args_ar,
        'help|h' => \$opts->{'help'},
        'man'    => \$opts->{'man'},

        # What should be changed?
        'reseller=s' => sub { $opts->{'specified_resellers'}->{ $_[1] }++; },    # Avoid dupes
        'acl-list=s' => sub { $opts->{'specified_acl_lists'}->{ $_[1] }++; },    # Avoid dupes
        'all-resellers' => \$opts->{'all-resellers'},
        'all-acl-lists' => \$opts->{'all-acl-lists'},

        # What changes should be made?
        'add-default-privs'  => \$opts->{'operations'}->{'add-default-privs'},
        'fix-disallow-shell' => \$opts->{'operations'}->{'fix-disallow-shell'},
    ) or die Cpanel::Exception->create_raw("[!] Invalid usage. See --help\n")->to_string_no_id();
    return $opts if $opts->{'help'} || $opts->{'man'};

    $opts->{'resellers'} = _validate_resellers($opts);
    $opts->{'acl-lists'} = _validate_acl_lists($opts);

    die Cpanel::Exception->create_raw("[!] You must specify a mode of operation. See --help\n")->to_string_no_id()
      unless $opts->{'resellers'} // $opts->{'acl-lists'};

    return $opts;
}

sub _validate_resellers {
    my $opts = shift;

    if ( $opts->{'all-resellers'} ) {
        Cpanel::LoadModule::load_perl_module("Whostmgr::Resellers::List");
        Cpanel::LoadModule::load_perl_module('Cpanel::Config::HasCpUserFile');
        return [

            # Skip 'resellers without a domain' when processing all resellers on the system:
            # https://documentation.cpanel.net/display/CKB/How+to+Create+a+WHM+Reseller+Without+An+Associated+Domain
            #
            # These resellers are created "out of band" by editing the resellers file,
            # so altering them should be left up to the server administrators.
            grep { Cpanel::Config::HasCpUserFile::has_cpuser_file($_) }
              keys %{ Whostmgr::Resellers::List::list() }
        ];
    }
    elsif ( my @specified_resellers = keys %{ $opts->{'specified_resellers'} } ) {
        Cpanel::LoadModule::load_perl_module("Whostmgr::Resellers::Check");
        if ( my @invalid_resellers = grep { !Whostmgr::Resellers::Check::is_reseller($_) } @specified_resellers ) {
            die Cpanel::Exception->create_raw( "[!] Invalid resellers specified:\n" . join( "\n", map { " " x 8 . $_ } @invalid_resellers ) . "\n" )->to_string_no_id();
        }

        return \@specified_resellers;
    }

    return;
}

sub _validate_acl_lists {
    my $opts = shift;

    if ( $opts->{'all-acl-lists'} ) {
        if ( opendir my $dh, $Cpanel::ConfigFiles::ACL_LISTS_DIR ) {
            return [ grep { $_ !~ m/^\.+$/ && -f "$Cpanel::ConfigFiles::ACL_LISTS_DIR/$_" } readdir($dh) ];
        }
    }
    elsif ( my @specified_acl_lists = keys %{ $opts->{'specified_acl_lists'} } ) {
        if ( my @invalid_acl_lists = grep { !-f "$Cpanel::ConfigFiles::ACL_LISTS_DIR/$_" } @specified_acl_lists ) {
            die Cpanel::Exception->create_raw( "[!] Invalid acl-lists specified:\n" . join( "\n", map { " " x 8 . $_ } @invalid_acl_lists ) . "\n" )->to_string_no_id();
        }
        return \@specified_acl_lists;
    }

    return;
}

1;

__END__

=encoding utf8

=head1 NAME

fix_reseller_acls

=head1 DESCRIPTION

Utility to update reseller privileges and ACL lists.

=head1 SYNOPSIS

    fix_reseller_acls [OPERATION] [MODE]

    Operations:
    --add-default-privs            Add the default set of privileges.
    --fix-disallow-shell           Clean up the 'disallow-shell' privilege.

    Modes:
   --reseller [reseller]           Update the specified reseller.
   --all-resellers                 Update all resellers on the system.

   --acl-list [acl-list]           Update the specified ACL list.
   --all-acl-lists                 Update all ACL lists on the system.

   --help                          This documentation.
   --man                           Full documentation.

=head1 Operations

Specify at least one operation.

=over

=item B<--add-default-privs>

Add the default set of privileges, introduced in v68, to the set of resellers
and ACLS lists specified.

    acct-summary
    basic-system-info
    basic-whm-functions
    cors-proxy-get
    cpanel-integration
    cpanel-api
    create-user-session
    digest-auth
    generate-email-config
    list-pkgs
    manage-api-tokens
    manage-dns-records
    manage-oidc
    manage-styles
    mysql-info
    ns-config
    ssl-info
    track-email

=item B<--fix-disallow-shell>

Remove the 'disallow-shell' privilege from the set of resellers and specified ACL lists.

If the C<disallow-shell> privilege is set, then the script will remove it.
If the C<disallow-shell> privilege is not set, then the script adds the C<allow-shell> privilege.

=back

=head1 Modes

Specify at least one mode.

=over

=item B<--all-resellers>

Process all of the resellers on the system. This option overrides B<--reseller>.

B<Note>: The script does not process resellers without an associated domain in this mode.

=item B<--reseller [reseller-username]>

Process the reseller specified.

Specify this option multiple times to process mutiple resellers.

=item B<--all-acl-lists>

Process all ACL lists on the system. This option overrides B<--acl-list>.

=item B<--acl-list [acl-list]>

Process the ACL list specified.

Specify this option multiple times to process mutiple ACL lists.

=back

=head1 EXAMPLES

=over

=item C<--add-default-privs --fix-disallow-shell --all-resellers>

Update the privileges for all resellers on the system to include the default privilege and clean
up the C<disallow-shell> privilege.

=item C<--add-default-privs --reseller myreseller>

Update the privileges for the I<myreseller> reseller to include the new default privileges.

=item C<--add-default-privs --fix-disallow-shell --all-acl-lists>

Update all of the ACL lists on the system to include the default privileges, and clean up the
C<disallow-shell> privilege.

=back

=cut


Copyright 2K16 - 2K18 Indonesian Hacker Rulez