golden hour
/opt/cloudlinux/venv/bin
⬆️ Go Up
Upload
File/Folder
Size
Actions
Activate.ps1
8.82 KB
Del
OK
activate
1.65 KB
Del
OK
activate.csh
915 B
Del
OK
activate.fish
2.14 KB
Del
OK
alembic
202 B
Del
OK
cagefs_enter_site.py
1.83 KB
Del
OK
cagefsctl_user.py
14.41 KB
Del
OK
chardetect
210 B
Del
OK
cl_sysctl
4.51 KB
Del
OK
clcpapi
3.64 KB
Del
OK
coverage
204 B
Del
OK
coverage-3.11
204 B
Del
OK
coverage3
204 B
Del
OK
cpanel-dbmapping
3.83 KB
Del
OK
crontab-user-wrapper.py
2.46 KB
Del
OK
da_suid_caller.py
686 B
Del
OK
detect-requirements
211 B
Del
OK
dodgy
197 B
Del
OK
epylint
208 B
Del
OK
f2py
205 B
Del
OK
f2py3
205 B
Del
OK
f2py3.11
205 B
Del
OK
flake8
203 B
Del
OK
futurize
204 B
Del
OK
get_gprof
1.84 KB
Del
OK
get_objgraph
1.63 KB
Del
OK
isort
198 B
Del
OK
isort-identify-imports
232 B
Del
OK
jsonschema
202 B
Del
OK
lvestats_config_reader.py
1.12 KB
Del
OK
mako-render
202 B
Del
OK
normalizer
233 B
Del
OK
pasteurize
206 B
Del
OK
pip
237 B
Del
OK
pip3
237 B
Del
OK
pip3.11
237 B
Del
OK
plesk_suid_caller.py
905 B
Del
OK
prospector
202 B
Del
OK
py.test
210 B
Del
OK
pycodestyle
201 B
Del
OK
pydocstyle
202 B
Del
OK
pyflakes
200 B
Del
OK
pylint
206 B
Del
OK
pylint-config
222 B
Del
OK
pyreverse
212 B
Del
OK
pysemver
198 B
Del
OK
pytest
210 B
Del
OK
python
6.98 KB
Del
OK
python3
6.98 KB
Del
OK
python3.11
6.98 KB
Del
OK
raven
208 B
Del
OK
symilar
208 B
Del
OK
tap
196 B
Del
OK
tappy
196 B
Del
OK
undill
603 B
Del
OK
virtualenv
227 B
Del
OK
Edit: cagefsctl_user.py
#!/opt/cloudlinux/venv/bin/python3 -sbb # -*- coding: utf-8 -*- # # Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2025 All Rights Reserved # # Licensed under CLOUD LINUX LICENSE AGREEMENT # http://cloudlinux.com/docs/LICENCE.TXT # """ User-level CLI utility for managing website isolation. This script runs via proxyexec with root privileges but operates on behalf of the calling user. It validates that the user only manages domains they own. Commands: site-isolation-enable --domain DOMAIN[,DOMAIN2,...] Enable site isolation for domain(s) site-isolation-disable --domain DOMAIN[,DOMAIN2,...] Disable site isolation for domain(s) site-isolation-list List domains with site isolation enabled All commands output JSON: Success: {"result": "success", "enabled_sites": ["domain1", "domain2"]} Error: {"result": "ERROR_CODE"} """ import argparse import json import logging import os import sys import pwd from clcommon.cpapi import domain_owner, userdomains from clcommon.cpapi.cpapiexceptions import NoDomain from clcagefslib.cli import ( call_via_proxyexec, in_cagefs, is_running_via_proxyexec, ) from clcagefslib.domain import ( enable_website_isolation, disable_website_isolation, get_websites_with_enabled_isolation, is_website_isolation_allowed_server_wide, is_website_isolation_allowed_for_user, ) from clcagefslib.fs import user_exists # Logging configuration LOG_FILE = "/var/log/cloudlinux/cagefsctl-user.log" # Proxyexec alias for all cagefsctl-user commands PROXYEXEC_ALIAS = "CAGEFSCTL_USER" def setup_logger(): """ Set up logging to file only (no console output). Returns: logging.Logger: Configured logger instance """ logger = logging.getLogger("cagefsctl-user") logger.setLevel(logging.INFO) # Disable propagation to root logger to prevent console output logger.propagate = False try: fh = logging.FileHandler(LOG_FILE) fh.setFormatter(logging.Formatter( "[%(levelname)s | %(asctime)s]: %(message)s" )) logger.addHandler(fh) except (IOError, OSError): # Cannot write to log file, continue without file logging pass return logger logger = setup_logger() class ErrorCodes: """Error codes for JSON responses.""" SITE_ISOLATION_NOT_ALLOWED = "Site isolation feature is not allowed" DOMAIN_NOT_FOUND = "Specified domain is not found" USER_NOT_FOUND = "User not found" INTERNAL_ERROR = "Internal error" MISSING_DOMAIN = "Domain is not specified" ROOT_NOT_ALLOWED = "Utility cannot be run as root" def get_calling_user(): """ Get the username of the calling user from proxyexec environment. When running via proxyexec, PROXYEXEC_UID contains the original user's UID. Falls back to current process UID if not set. Returns: str: Username of the calling user None: If user cannot be determined """ proxyexec_uid = os.environ.get("PROXYEXEC_UID") if not proxyexec_uid: return None try: uid = int(proxyexec_uid) pw = pwd.getpwuid(uid) return pw.pw_name except (ValueError, KeyError): return None def json_response(result, enabled_sites=None, message=None): """ Create a JSON response dictionary. Args: result: "success" or error code enabled_sites: Optional list of enabled sites (for success responses) message: Optional error message with additional details Returns: dict: Response dictionary """ response = {"result": result} if enabled_sites is not None: response["enabled_sites"] = enabled_sites if message is not None: response["message"] = message return response def output_json(response): """Print JSON response to stdout.""" print(json.dumps(response)) def validate_domain_ownership(username, domain): """ Validate that a domain belongs to the specified user. Args: username: The username to check ownership for domain: The domain to validate Returns: tuple: (is_valid, error_code) is_valid: True if domain belongs to user error_code: Error code if validation fails, None otherwise """ try: owner = domain_owner(domain) if owner is None: # Fallback: domain_owner() may not resolve subdomains # on some panels (e.g. DirectAdmin). Check via userdomains(). user_domains = [d for d, _ in userdomains(username)] if domain in user_domains: return True, None return False, ErrorCodes.DOMAIN_NOT_FOUND if owner != username: return False, ErrorCodes.DOMAIN_NOT_FOUND return True, None except NoDomain: return False, ErrorCodes.DOMAIN_NOT_FOUND except Exception: return False, ErrorCodes.INTERNAL_ERROR def get_validated_user(): """ Get the calling user and validate they exist. Returns: tuple: (username, error_code) username: The validated username, or None if validation failed error_code: Error code if validation failed, or None if successful """ username = get_calling_user() if not username: logger.error("User not found") return None, ErrorCodes.USER_NOT_FOUND if not user_exists(username): logger.error("User %s does not exist", username) return None, ErrorCodes.USER_NOT_FOUND return username, None def validate_domain_for_user(username, domain): """ Validate domain argument and ownership for a user. Args: username: The username to check ownership for domain: The domain to validate Returns: tuple: (is_valid, error_code) is_valid: True if domain is valid and belongs to user error_code: Error code if validation failed, None otherwise """ if not domain: logger.error("Missing domain argument") return False, ErrorCodes.MISSING_DOMAIN is_valid, error_code = validate_domain_ownership(username, domain) if not is_valid: logger.error("Domain validation failed: user=%s, domain=%s, error=%s", username, domain, error_code) return False, error_code return True, None def parse_domains(domain_arg): """ Parse comma-separated domain argument into a list of domains. Args: domain_arg: Comma-separated domain string (e.g., "domain1.com,domain2.com") Returns: list: List of domain names, with whitespace stripped """ if not domain_arg: return [] return [d.strip() for d in domain_arg.split(",") if d.strip()] def cmd_site_isolation_enable(args): """Handle site-isolation-enable command.""" domains = parse_domains(args.domain) logger.info("site-isolation-enable called: domains=%s", domains) if not domains: logger.error("No domains specified") output_json(json_response(ErrorCodes.MISSING_DOMAIN)) return 1 username, error = get_validated_user() if error: output_json(json_response(error)) return 1 if not is_website_isolation_allowed_server_wide(): logger.error("Site isolation not allowed server-wide") output_json(json_response(ErrorCodes.SITE_ISOLATION_NOT_ALLOWED)) return 1 if not is_website_isolation_allowed_for_user(username): logger.error("Site isolation not allowed for user %s", username) output_json(json_response(ErrorCodes.SITE_ISOLATION_NOT_ALLOWED)) return 1 # Validate all domains first for domain in domains: is_valid, error = validate_domain_for_user(username, domain) if not is_valid: output_json(json_response(error)) return 1 try: for domain in domains: enable_website_isolation(username, domain) enabled_sites = get_websites_with_enabled_isolation(username) logger.info("Site isolation enabled: user=%s, domains=%s, enabled_sites=%s", username, domains, enabled_sites) output_json(json_response("success", enabled_sites)) return 0 except Exception as e: logger.exception("Failed to enable site isolation: user=%s, domains=%s, error=%s", username, domains, e) output_json(json_response(ErrorCodes.INTERNAL_ERROR, message=str(e))) return 1 def cmd_site_isolation_disable(args): """Handle site-isolation-disable command.""" domains = parse_domains(args.domain) logger.info("site-isolation-disable called: domains=%s", domains) if not domains: logger.error("No domains specified") output_json(json_response(ErrorCodes.MISSING_DOMAIN)) return 1 username, error = get_validated_user() if error: output_json(json_response(error)) return 1 # Validate all domains first for domain in domains: is_valid, error = validate_domain_for_user(username, domain) if not is_valid: output_json(json_response(error)) return 1 try: for domain in domains: disable_website_isolation(username, domain) enabled_sites = get_websites_with_enabled_isolation(username) logger.info("Site isolation disabled: user=%s, domains=%s, enabled_sites=%s", username, domains, enabled_sites) output_json(json_response("success", enabled_sites)) return 0 except Exception as e: logger.exception("Failed to disable site isolation: user=%s, domains=%s, error=%s", username, domains, e) output_json(json_response(ErrorCodes.INTERNAL_ERROR, message=str(e))) return 1 def cmd_site_isolation_list(args): """Handle site-isolation-list command.""" logger.info("site-isolation-list called") username, error = get_validated_user() if error: output_json(json_response(error)) return 1 try: enabled_sites = get_websites_with_enabled_isolation(username) logger.info("Site isolation list: user=%s, enabled_sites=%s", username, enabled_sites) output_json(json_response("success", enabled_sites)) return 0 except Exception as e: logger.exception("Failed to list site isolation: user=%s, error=%s", username, e) output_json(json_response(ErrorCodes.INTERNAL_ERROR, message=str(e))) return 1 def _wrap_deprecated(func, old_name, new_name): """Return a wrapper that prints a deprecation warning then delegates.""" def wrapper(args): print(f"WARNING: {old_name} is deprecated, use {new_name}", file=sys.stderr) return func(args) return wrapper def create_parser(): """Create argument parser for cagefsctl-user.""" parser = argparse.ArgumentParser( prog="cagefsctl-user", description="User-level CLI utility for managing CloudLinux Isolates.", ) subparsers = parser.add_subparsers( title="commands", dest="command", help="Available commands", ) # isolates-enable command (primary) enable_parser = subparsers.add_parser( "isolates-enable", help="Enable isolation for domain(s)", ) enable_parser.add_argument( "--domain", required=True, help="Domain name(s) to enable isolation for (comma-separated)", ) enable_parser.set_defaults(func=cmd_site_isolation_enable) # isolates-disable command (primary) disable_parser = subparsers.add_parser( "isolates-disable", help="Disable isolation for domain(s)", ) disable_parser.add_argument( "--domain", required=True, help="Domain name(s) to disable isolation for (comma-separated)", ) disable_parser.set_defaults(func=cmd_site_isolation_disable) # isolates-list command (primary) list_parser = subparsers.add_parser( "isolates-list", help="List domains with isolation enabled", ) list_parser.set_defaults(func=cmd_site_isolation_list) # Deprecated aliases (backward compatible, print warning) dep_enable = subparsers.add_parser( "site-isolation-enable", help="(deprecated, use isolates-enable)", ) dep_enable.add_argument("--domain", required=True, help=argparse.SUPPRESS) dep_enable.set_defaults(func=_wrap_deprecated( cmd_site_isolation_enable, "site-isolation-enable", "isolates-enable")) dep_disable = subparsers.add_parser( "site-isolation-disable", help="(deprecated, use isolates-disable)", ) dep_disable.add_argument("--domain", required=True, help=argparse.SUPPRESS) dep_disable.set_defaults(func=_wrap_deprecated( cmd_site_isolation_disable, "site-isolation-disable", "isolates-disable")) dep_list = subparsers.add_parser( "site-isolation-list", help="(deprecated, use isolates-list)", ) dep_list.set_defaults(func=_wrap_deprecated( cmd_site_isolation_list, "site-isolation-list", "isolates-list")) return parser def main(argv=None): """Main entry point.""" parser = create_parser() args = parser.parse_args(argv) # Guard: do not allow running as root unless via proxyexec # When running via proxyexec, PROXYEXEC_UID is set if os.getuid() == 0 and not is_running_via_proxyexec(): logger.error("Direct root invocation not allowed") output_json(json_response(ErrorCodes.ROOT_NOT_ALLOWED)) return 1 # If running as user (not root via proxyexec) if os.getuid() != 0: if not in_cagefs(): print("This utility is only available inside CageFS.\n" "Please run it via: cagefs_enter cagefsctl-user <command>", file=sys.stderr) return 1 # Inside CageFS - call via proxyexec to get root privileges if not args.command: parser.print_help() return 1 # Build args list for proxyexec args_list = sys.argv[1:] # Pass all original args result = call_via_proxyexec(PROXYEXEC_ALIAS, args_list) if result is None: output_json(json_response( ErrorCodes.INTERNAL_ERROR, message="Failed to execute via proxyexec" )) return 1 return result # Running as root via proxyexec - execute the command if not hasattr(args, "func"): parser.print_help() return 1 return args.func(args) if __name__ == "__main__": sys.exit(main())
Save