5/9e ddlmZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl m Z ddl mZddlZddlZddlmZddlmZmZmZmZddlZddlmZmZdd lmZmZdd l m!Z!m"Z"dd l#m$Z$dd l%m&Z&dd l'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-ddl.m/Z/m0Z0ddl1m2Z2m3Z3ddl m4Z4ddl5m6Z6ddl7m8Z8m9Z9ddl:m;Z;dZdZ?dZ@dZAdZBdZCdeCZDdZEdZFdZGd ZHe d!d"d#gZId$d%d%d%d%d%d%d%d%d& ZJd'd(d)d(d(d(d(d(d(d& ZKeLZMd*d+eKd,eMd-<d.d/eJd,eMd0<d1ZNd2ZOd3ZPdd5ZQdd7ZRd8ZSd9ZTd:ZUePd;d<ZVd=eeWeeXffd>ZYd?ZZePd@dAZ[dBeXdCeXd=eIfdDZ\ePdEeTeZdFZ]ePdGeTeZdHZ^ePdIeTeZdJZ_ePdKeTeZdLZ`ePdMdNZaePdOeUdPZbdQZcePdRdSZdePdTdUZeePdVdWZfePdXeUdYZgePdZd[ZhePd\eUd]ZiePd^eTd_ZjePd`eTdaZkdbZldcZmgddZngdeZodfZpdgZqdhZrePdidjZsePdkdlZtePdmdnZudoZvdpeXd=eeXfdqZwd=exfdrZyd=exfdsZzdteXd=exfduZ{d=eeXfdvZ|dwZ}dxZ~ePdyeTdzZdd|Zd=eWfd}Zd=eeefd~Zdeeed=dfdZePdeUdZePdeUd=eIfdZdS))print_function)absolute_importN) namedtuple)Pathwraps)AnyStrListOptionalTuple)Featureis_panel_feature_supported)DEFAULT_JWT_ES_TOKEN_PATHDISABLE_CMT_FILE)is_cl_solo_editionCLEditionDetectionError)jwt_token_check)LimitsValidator)ExternalProgramFailedservice_is_enabled_and_present run_commandprocess_is_runningis_litespeed_runningdemote)is_cmt_disabledis_client_enabled) WhmApiRequest WhmApiError) is_ubuntu)get_pkg_version)ClPwddrop_privileges)get_hidepid_typing_from_mountsOKFAILEDSKIPPEDINTERNAL_TEST_ERRORz/https://docs.cloudlinux.com/command-line_tools/disabled_cldiag_cron_checkers cldiag_cronz5https://docs.cloudlinux.com/cloudlinux-os-plus/#faq-2z Link to FAQ and troubleshooting zWPlease write to support https://cloudlinux.zendesk.com/ if you can't resolve the issue.zCentralized Monitoringz;This checker is not supported on CloudLinux OS Solo editionzAThis checker is not supported in environments without LVE support ChkResultresmsgz/usr/local/apache/bin/suexecz/usr/sbin/suexec) cPanel cPanel_ea4 DirectAdminPlesk ISPManager InterWorxzH-Sphere HostingNGUnknownz/opt/suphp/sbin/suphpz/usr/sbin/suphpz/usr/local/suphp/sbin/suphpSuPHPzdetect.get_suPHP_status())namestatus_functionlocationsuphpSuEXECzdetect.get_suEXEC_status()suexecz/var/lve/cldiag_user cldiagusercfd}|S)Nc|_|SN) pretty_name)funcname_of_checkers py/cldiaglib.py decoratorzpretty_name..decoratorus* )rBrDs` rCr@r@ts$ rEFc d}d}|r%d|D}||d<tj|Sg}|D]?\}}}|d|jd|j} || d|d |d |d } || @d |d |dgz}|S)z2 Formatter of output from all of checkers z)Command for disabling this cron checker: zcldiag --disable-cron-checkersc@i|]\}}}||SrF)_asdict).0checker_pretty_name_ chk_results rC z_formatter..s=   . J !3!3!5!5   rE total_errorsz: z: N z " "z z There are z errors found.)jsondumpsr+r,appendjoin) data error_countto_jsonr,cmd_tmpr+rKchecker_public_namerMchecker_results rC _formatterr]{s  6C.G  26   *Nz# C@D##<0*/-- --&N--  * .HH #HH'.HH1DHHHN >"""" ++cE+EEEFF G GC JrETct|r|g}g}d}|D]} |}n9#t$r,}ttt |}Yd}~nd}~wwxYw|jt tfvr|dz }||jt|dr|j nd|ft|||}|rt|t|||fS)Nr public_name)callable Exceptionr*r'reprr+r%rUr@hasattrr`r]printexit) checkersrYdo_exitresultserrorsfrMer+s rCrunnerrms:G F     AJJ A A A"#6Q@@JJJJJJ A >f&9; ; ; aKF M$Q 66 @AMMD      Wfg . .C c  V 3;s ' A"AAc t|S#t$r&td|YdSwxYw)Nz,WARNING missing {} function in cldetectlib.F)evalAttributeErrorreformat)rAs rCwrapperrrsRDzz  =DDTJJKKKuus,AAc<tfd}|S)Nc td}n#t$rd}YnwxYw|rtttS|i|S)NTskip_jwt_checkF)rrr*r&SKIPPED_ON_SOLO_MSG)argskwargsis_solo_editionrks rCcheckerz(skip_checker_on_cl_solo..checkersl $0EEEOO& $ $ $#OOO $  ;W&9:: :q$!&!!!s  ##rrkr{s` rCskip_checker_on_cl_solor}s3 1XX""""X" NrEc<tfd}|S)Nczttjsttt S|i|Sr?)rr LVEr*r&SKIPPED_WITHOUT_LVE_MSG)rxryrks rCr{z'skip_check_without_lve..checkers;)'+66 ?W&=>> >q$!&!!!rErr|s` rCskip_check_without_lvers3 1XX""""X" NrEz Check cagefsc,ttdS)NzuCagefs version is too old. Please run cagefsctl --sanity-check directly or upgrade it to have full cldiag integration)r*r&rFrErCfake_cagefs_checkerrs WN O OOrEreturnctd}dtdtd}d}ddlm}|}| |d sd |fS|t \}}}|s||fSt rd |fSt sd |fSd S) am Check that a server is cl+, enabled and CM isn't disabled locally The function returns True if the client has CL+ license, didn't disable CM localy and activated CM on https://cm.cloudlinux.com. The function also returns True if we can't read or parse JWT token, because we want to continue and show to client CM related errors z. is not activated on https://cm.cloudlinux.comzThe z& is disabled localy by creating file "rRThe server has no CL+ licenserget_client_data_from_jwt_tokenNcl_plusF)TN) cm_full_namerclsummary.cl_summary_utilsrrrr)cm_is_not_activated_msgcm_is_disabled_localy_msgno_cl_plus_license_msgr jwt_tokenis_validmessagerLs rC_is_cmt_allowed_for_serverrs".>>>!J|!J!J6F!J!J!J<IIIIII..00IYy%9,,,  .00'1 %W$ $0///   .--- :rEc<tfd}|S)zi Decorator: Skip check if a server isn't cl+, disabled and CM is disabled locally cdt\}}|r|i|Stt|S)z$ Decorated function )rr*r&)rxryresultrrks rCdecorated_functionz@skip_if_cmt_not_used_enabled_allowed..decorated_functionsI 566  1d%f%% % rEr)rkrs` rC$skip_if_cmt_not_used_enabled_allowedrs6  1XX    X  rEzCheck existing JWT tokencd}dtdtdtdt}d}ddlm}t jtrqt\}}}|r#|}ttd |d S||krttd S|d z}tt|d|Stt||zS) z% Check an existing JWT token zR Absence of JWT token is normal for the clients with volume license like GoDaddy. z$Please check for JWT token in path "zr". %sTry running "rhn_check" for getting a new token if it is absent. Server can't collect and send statistics to z( if you don't have a correct JWT token. . z"JWT token doesn't have CL+ servicerrzJWT token is valid: "rRr)rrcl_plus_doc_msgwrite_to_support_msgrrospathexistsrr*r$r&r%)token_is_absent_msgmain_msgtoken_is_not_cl_plusrrrrLrs rCcheck_jwt_tokenrs8 G),))2>))4C )) ' ))H @IIIIII w~~/00 ,..  6688IR!E!E!E!EFF F , , ,/   "}H((h((    * *   rE service_nameprocess_file_pathc t|\}} t|d}n#t$rd}YnwxYw|r|r|rttd|dSg}|s|d|s|d|s|dtt d|dtd |d td t S) z Check that a service is present, enabled and active :param service_name: name of a service :param process_file_path: path to a file which is run by a service Fz Service "z " is present, enabled and activezService is not present.zService is not enabled.zService is not active.rQz1 The server can't collect and send statistics to z if service z$ isn't present, enabled and active. r) rrFileNotFoundErrorr*r$rUr%rVrrr)rr is_present is_enabled is_activemessagess rC_check_service_stater5sF cl_node_exporter let`s handle both cases: - old `node_exporter` service - renamed `cl_node_exporter` service z&/usr/share/cloudlinux/cl_plus/service/z+/usr/share/cloudlinux/cl_plus/node_exportercl_node_exporterzcl_node_exporter.service node_exporter)rrrrVr)base_service_pathrrs rCcheck_node_exporter_servicerfs~AE w~~bgll#46HIIJJ' GNN27<<(9;UVV W W') &  .? @ @@rEz7Check service `lvestats` is present, enabled and activec*d}d}t||S)zF Check that service `lvestats` is present, enabled and active lvestatsz'/usr/share/lve-stats/lvestats-server.py)r)rrs rCcheck_lvestats_servicer}s LA  .? @ @@rEzeCheck that the server has the minimal required packages for correct working of Centralized Monitoringc dD]C}t|2ttd|dtdtdt cSDtt dS)zD Check that the server has minimal required packages for CM )zcl-end-server-toolszcl-node-exporterNz!System doesn't have the package "z". It's required for zA feature to work and it usually installed automatically by cron. rzVSystem has the minimal required packages for correct working of Centralized Monitoring)r r*r%rrrr$) package_names rCcheck_cmt_packagesrsD   < ( ( 0* **8D**+:**( **    1   4  rEzACheck control panel and it's configuration (for DirectAdmin only)cdtdz}tjtj}|dkrt t dSd|tj}tdsL|dkrFtj rt t|d zSt t|d z|zSt t|S) NzY Fixing the issue will provide CloudLinux support on your control panel. See details: {}z#diag-cpr4zCan't detect contol panelzControl Panel - {}; Version {};Trur/z File "options.conf" is finez1 File "options.conf" has no line "cloudlinux=yes") rqcldiag_doc_linkdetectgetCP getCPNamer*r& CP_VERSIONrda_check_optionsr$r%)fix_motivationcp_nameres_msgs rC check_cp_diagrs@@FYcGc@d@d LNNN  G)"=>>>/66"$$G T 2 2 2&w-7O7O  " $ $ `R+I!IJJ JVW0N&NP^&_`` `W%%%rEzDCheck fs.enforce_symlinksifowner is correctly enabled in sysctl confc dtdz}tjrt t dS tj}n\#t$rO}d}t tdtt||cYd}~Sd}~wwxYw|dkrt td|zSt td|S) Nz Fixing that issue makes server more secure against symlink attacks and enables protection of PHP configs or other sensitive files. See details: {}z#symlinksifowner$Not supported for OpenVZ environmentz+To see full error run /sbin/sysctl --systemzlSome parameter in sysctl config has wrong configuration. Error: {} It`s recommended to fix it and try again zfs.enforce_symlinksifowner = 2zfs.enforce_symlinksifowner = {}) rqrr is_openvzr*r&get_symlinksifownerrr%get_short_error_messagestrr$)rsymlinks_if_ownerrl detailed_outs rCcheck_symlinksifownerrs/CCI6/\nJnCoCoJ"HIIIR"688 RRRD "WW]W]"9#a&&,"O"OXQXQRR R R R R R RR A!AN!RSSS R:f.// 1 11sA B4%AB/)B4/B4c\|d}tdz|z}d||}tjdst tdSt|ds.t td|dStj |d}|.t td |dS|st td |zSt td S) Nr6z#check-z Fix that issue to be sure that users run their sites inside CageFS and provide stable work of sites that are using apache {} module. This may improve server security See details: {}/usr/sbin/cagefsctlCagefs is not installedr7z{} is not enabledr8zgUnable to check {} module binary for custom control panel. This feature may be added in future updates.zBinary without CageFS jail zbinary has jail) lowerrrqrrrr*r&rrrcheck_binary_has_jailr%r$)params module_namelinkrhas_jails rC binary_checkrs.&&((K Y & 4D))/ T)B)B 7>>/ 0 0=";<<< 6+, - -N"5"<"??H#==CVF6N=S=SUU UQ!>!OPPP R* + ++rEzCheck suexec has cagefs jailctjr#trttdSt t dS)NzUCurrent PHP selector uses LiteSpeed, which doesn't require the patches in suEXEC bin.r;)rdetect_litespeedrr*r&rBINARY_CHECK_PARAMETERSrFrErC check_suexecrsV  ?%9%;%;?#UVV V3H=>>>rEzCheck suphp has cagefs jailc6ttdS)Nr9)rrrFrErC check_suphprs /8 9 99rEzCheck usepam in sshd configcdtdz}tj}|t t dS|rt t dSt td|zS)NziFix the issue to provide correct work of pam_lve module with sshd and CageFS ssh sessions See details: {}z #check-usepamz!Unable to run "/usr/sbin/sshd -T"zConfig is finez3There is "usepam no" in "/usr/sbin/sshd -T" output )rqrrcheck_SSHd_UsePAMr*r&r$r%)r check_results rC check_use_pamrsv))//0Q)R)R+--L"EFFFi-...!VYg!ghhhrEz*Check the validity of LVE limits on servercd}d|z}d}t}|}|tt|Stt|dz|zS)z Validate lve limits z6https://docs.cloudlinux.com/lve-limits-validation.htmlz'Invalid LVE limits on server. See doc: zValid LVE limits on server.NrP)rvalidate_existing_limitsr*r$r%)doc_linkfailed_messagepassed_messagelimits_validatorrs rCcheck_lve_limitsrseHH>IN2N&((  6 6 8 8F ~^,,,$!6!?@@@rEz$Check compatibility for PHP Selectorc d}dtdz}t}|rttdSt jdsttdStj r&trtt|dzSdddd  d }d }t j|rZ t|d }d | D}|nE#t$r8}d|dt!|d}tt"||zcYd }~Sd }~wwxYw|D]F} | dr/| dd} nGd|z}tt"||zS|D]G} | d| zr-| dd}H|dvrd|z}tt"||zStj} | 1d| vrtt"|dzSd| v d<d| v d<d| v d<t- d dgstt"|d zS ds drC|d!vr?d"|d#d$ fd% D} tt|| zSd&|d'n|d(d$ fd) Dd*}tt"||zS)+z 1. mod_ruid not present 2. suphp 3. mod_lsapi 4. suexec and (fcgi or cgi) 5. litespeed 6. do not support other zIt looks ok [%s]zLooks like your PHP handler doesn't support CloudLinux PHP Selector and as a result does not work http://docs.cloudlinux.com/index.html?compatiblity_matrix.html [%s] Please, see: {} and try to fix issue to have working selectorz#check-phpselectorz-PHP Selector is not supported. Skipping checkz/etc/cpanel/ea4/is_ea4z+It is not cPanel with EA4, can diag nothing LitespeedF)r;r9lsapiNz/etc/cpanel/ea4/php.confrc6g|]}|SrFstrip)rJxs rC z%check_phpselector..As 888Aaggii888rEz Can not read z ()zdefault::r_z)%s config should have default php versionz%s:)cgifcgir9rz*doesn't support %s handler in ea4/php.conf ruid2_modulezIt looks like you use mod_ruid. CloudLinux PHP Selector doesn't work properly with it. How to delete mod_ruid and install mod_suexec in cPanel https://docs.cloudlinux.com/cloudlinux_os_components/#installation-5 suphp_moduler9 lsapi_moduler suexec_moduler;zyIt looks like you do not have mod_suphp or mod_suexec installed. CloudLinux PHP Selector doesn't work properly without it)r9rrrz php.conf:z with z, c3,K|]}| |VdSr?rF)rJsstatuss rC z$check_phpselector..is/=]=]ASYZ[S\=]a=]=]=]=]=]=]rEzFSome unknown php handler, perhaps we don't support it [found handler: -z and apache modules: c3,K|]}| |VdSr?rF)rJmodulers rCrz$check_phpselector..ms,@@V@&@@@@@@rE])rqrrr*r&rrrrrrr$open readlinescloseIOErrorrr% startswithsplitrget_apache_modulesanyrV) ok_prefix fail_prefix is_ubuntu_oshandler conf_pathfdconfigrlerrline default_vermodulescurrentrs @rCcheck_phpselectorrs#I JKQ&Q`cwQwJxJx ;;LS"QRRR 7>>2 3 3Q"OPPP  6%9%;%;6Y4555FG*I w~~i  8 8i%%B88888F HHJJJJ 8 8 8 8,5IIs1vvvv>CV[3%677 7 7 7 7 7 7 8 8 8Dz** #zz#q188::  > ICV[3%677 7 7 7Du{233 7::c??1-4466 ; ; ;>HCV[3%677 7'))G W $ $ee  )G3w(G3w*g5x w!12 3 3   U U   g2&*2w:[/[/[+277DII=]=]=]=]=]=]=]4]4]4]^Y0111G++ @@@@v@@@@@@@ BC V[3. / //sAD!! E#+-EE#E#zCheck fs.symlinkown_gidc dtdz}ttd}d|z}d}t jrtt dSt jtj} tj |n8#t$r+tt d|cYSwxYw tt|}nM#t $r@}tt"d|t%|cYd}~Sd}~wwxYwtj|kr|S t)j|j}n#t$rg}YnwxYw|r||vr|Stt"|||S) Nz~Fix the issue to provide symlink protection for apache user and as a result make your Web Server more secure. See details: {}z#check-symlinkowngidz>Web-server user is protected by Symlink Owner Match Protectionz@Web-server user '{}' is not in protected group specified in {}. z/proc/sys/fs/symlinkown_gidrz%>%C%C%E%E%K%K%M%M!N!N @@@!H &!4d1gg>>@@ @ @ @ @ @ @@222 l#9::A   ; & &M V\001DFF G GGsCB2C  C AD E5EEE1F FFz&Check existence of all user's packagesc: d d}d}gd gd}gtjdkrttdSt j|sttdStj|rt j|tj |tj tj |d }| \}}|j }|d kr*d |}tt|S d |dD}fd|D}nA#t"$r4} d | }tt|cYd} ~ Sd} ~ wwxYw fdt j D fd|D} | r=d d| }tt|Stt&dS)zL Return user's packages that do not exist in /var/cpanel/packages/ z/var/cpanel/packages/z/var/cpanel/users/z/var/cpanel/suspended/) undefineddefaultz#cPanel Ticket System temporary userCustom)z /bin/grepz-ezPLAN=z-rr-should be run on cPanel onlyzno users on this serverT)stdoutstderrcwdtextrz!error getting user's packages: {}cg|]c}|dddd|ddfdS)=rrr_)r r)rJplans rCrz9check_existence_of_all_users_packages..sr"K"K"K&*$(::c??1#5#;#;C#@#@#CTZZPS__UVEWE]E]E_E_"`"K"K"KrErPc&g|] \}}|v ||fSrFrF)rJuserpkgsuspended_userss rCrz9check_existence_of_all_users_packages..s8"B"B"B)$%)%@%@$(+%@%@%@rEz$error processing user's packages: {}Ncg|]A}tjtj|?|BSrF)rrisfilerV)rJpackagepackages_dir_paths rCrz9check_existence_of_all_users_packages..sSTTT7'..6G)Q)QRRTwTTTrEcRg|]#\}}|v |v d||$S)z{}: {})rq)rJr;r@excluded_packages_namesexists_packagess rCrz9check_existence_of_all_users_packages..sN!o!o!oMD'$+3J$J$Jw^mOmOm"*w!?!?OmOmOmrEzFound some nonexistent user's packages. List of "user: package" separated by semicolon: {}. If you want to apply package limits for those users - assign existing packages to them, otherwise limits will be applied incorrectly or not applied at all.z; z(nonexistent user's packages aren't found)rrr*r&rlistdirrr subprocessPopenPIPE communicate returncoderqr%rr rbrVr$)users_dir_pathsuspended_dir_path user_plan_cmdprocessstd_outstd_errret_coder,all_users_packagesrlnot_exists_users_packagesrCrDrAr=s @@@@rC%check_existence_of_all_users_packagesrTs0)N1 766MO X%%"@AAA :n % %=";<<< w~~())9*%788}&0o&0o#1$( ***G **,,GW!H1}}188AA%%% *"K"K.5mmoo.C.CD.I.I"K"K"K "B"B"B"B?Q"B"B"B   * * *8??BBCVS)) ) ) ) ) ) ) *TTTTbj9J.K.KTTTO!o!o!o!o!oUg!o!o!o I RVDII788 9 9 %%%GHHHs?E F#)F FFz$Check all resellers's packages filesctjdkrttdSGdd}ddlm} |5|dddn #1swxYwYttdS#t$r,}ttt|cYd}~Sd}~wwxYw) zT Check reseller packages files reading on any errors Caused by LU-2374 r/z!should be run on DirectAdmin onlyceZdZdZdZdZdS)7check_da_resellers_packages_files..HiddenPrintsz= Redirect stdout to /dev/null to hide output cptj|_ttjdt_dS)Nw)sysr3_original_stdoutrrdevnull)selfs rC __enter__zAcheck_da_resellers_packages_files..HiddenPrints.__enter__s#$'JD !bj#..CJJJrEcdtj|jt_dSr?)rZr3rr[)r]exc_typeexc_valexc_tbs rC__exit__z@check_da_resellers_packages_files..HiddenPrints.__exit__s$ J     .CJJJrEN)__name__ __module__ __qualname____doc__r^rcrFrErC HiddenPrintsrWs<   / / / / / / / /rErhr)r/Nz6all resellers packages are written in correct encoding) rrr*r& clcontrollibr/list_resellers_packagesr$rbr%r)rhr/rls rC!check_da_resellers_packages_filesrks8]**"EFFF / / / / / / / /)((((() \^^ 4 4 KMM 1 1 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4UVVV )))Q(((((((()sB B A4( B4A88B;A8<B C !C?C C z/etc/cl.selector/defaults.cfgz/etc/cl.selector/php.conf) DirectiveDefaultTypeCommentRangeRemark)valuelistboolcg}d}d}ttd5}|}dddn #1swxYwY|D]}|drt |dkrVd} ||n#|gYnxYw||||sd}|dz }|S)zL Parse php.conf and split it into blocks by empty line :return: rTrN#Fr_)r PHP_CONF_PATHrr lenrrU) line_blocks block_index new_blockconfrWrs rCparse_php_confr} sH KK I mS ! ! T~~                ??3     tzz||  q I 'K((( '""2&&&&&  $ + +DJJLL 9 9 9 9 I 1 K s=AA BB,cnd}d}|D]}|d}|dtvrd}|dzdt|zz}|ddkr;|d tvrd}|dzd t|zz}||gS) NTrr8rFrPzBlock %s has wrong param rnr_zBlock %s has wrong directive )r rPARAM_NAME_LISTblock_to_stringTYPES)blockrr,r line_partss rC check_blockr-s F C^^ZZ__ a=    7 7F*<u?U?UUUC a=   F * *!}""$$E11Dj#DW\G]G]#]] C=rEc>d}|D]}|t|zdz}|S)NrP)r)r res_stringrs rCrr<s3J33#d))+d2 rEz"Checking /etc/cl.selector/php.confc~d}d|}d}d}tjtst t dtzSt}|D]"}t|\}}|o|}|r|dz|z}#|st t||zSt tdS)Nz7https://docs.cloudlinux.com/custom_php_ini_options.htmlzTo fix the issue provide valid format for /etc/cl.selector/php.conf file. It is used for PHP Selector and invalid format lead to directives misconfiguration and as a result misconfiguration of selector Please, read more about php.conf file in {}TrzFile %s does not exist rPOk) rqrrrrwr*r&r}rr%r$)php_ini_doc_linkrrr,blocksrr1msg1s rCcheck_php_confrCsPEFLVL\E]E]F C 7>>- ( (N"<}"LMMM   F$$u%%DB  $*t#C #~!5666T"""rEz&Checking /etc/cl.selector/defaults.cfgc~dtdz}tjt st tdt zS tj dd}| t n9#t$r,}t tt|cYd}~Sd}~wwxYw |dd}n9#tjtjf$rt td|zcYSwxYw|D]}|dr|d d} ||d }n#tj$rd }YnwxYw ||d }n#tj$rd }YnwxYw||kr1|dkr+t td||cS|rBd|vr>|d}|D]&} | s"t(jd|z't t.dS)NzDetails: this config file is used by php selector and stores it`s global options, so it is important to keep needed configurations and valid syntax for PHP modules settings to avoid selector`s misconfiguration See details: {}z#cldiagz%s does not existF interpolationstrictversionsphpz!Default php version is undefined stateenablerrdisabledz%Default php version {} is disabled {},z0Warning: Modules list for version %s is strange r$)rqrrrrDEFAULTS_CFG_PATHr*r& configparser ConfigParserr"rbr%rget NoOptionErrorNoSectionErrorsectionsr r rZr4writer$) r defaults_cfgrldefault_php_versionsection php_versionrr module_namesr6s rCcheck_defaults_cfgrZs)*0)0K)L)L 7>>+ , ,K"58I"IJJJ)#0t>-    "k11ez6I6I )Q)X)XYd`n*p*pqqqqq p'>>#*==#5#5L ,pp#pJ,,-`cn-nooo R  sT 0B C!C<CC C""3DDE((E<;E<FF+*F+zChecking domains compatibilityctjdkrttdSd}d}t }|tt |Stt |S)Nr-r2zSome domains/subdomains don't use PHP Selector because they have a non-system default version (in MultiPHP Manager) or PHP_FPM enabled. You can find their list on domains tab and pass control to PHP Selector if necessary.r)rrr*r&domains_compatibility_checkerr$r%)rrrs rCcheck_domains_compatibilityrsf X%%"@AAAFNN * , ,F ~^,,,000rEch td}td}n#t$rYdSwxYw|dD]F}|d|dks|drdSGdS)Nphp_get_vhost_versionsphp_get_system_default_versionrversionphp_fpmzIncompatible version)rcallrr)domainssystem_versiondomains rCrrs 899>>@@&'GHHMMOO tt++j))**   i ( (FJJy,A,A A AVZZPYEZEZ A))) B**sAA AAdirpathctj|sdSd|}tj|dtjtjd}|jdkrdS |jdddd }n#t$rYdSwxYw|S) zZ Get mountpoint for dirpath directory from output of df -h {dirpath} utility. Nzdf -h rQT)r3r4r6rrPr_) rrisdirrFrunr rHrJr3 IndexError)rget_mountpoint_cmdrN mounted_ons rCget_dir_mountpointrs 7== ! !t+'++n/55c::$.O$.O"&(((GQt^))$//288==bA tt s49B.. B<;B<cd}tjdrjtd5}|D]?}|dr(t |dd}@ dddn #1swxYwY|S)z[ Returns maximum uid from /etc/login.defs If file does not exist returns 60000 i`z/etc/login.defszUID_MAX rQrN)rrr?rr r!r )max_uidrkrs rC get_max_uidrs G w~~'((7 # $ $ 7 7 7??:..7!$**S//""566G 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 NsABBBcpd}t|dd}t|}|S)z Returns min cagefs uid z!/usr/sbin/cagefsctl --get-min-uidrQT)convert_to_str)rr r!)get_min_uid_cmdr3min_uids rC get_min_uidrs9:O ..s33D I I IF&kkG NrEusernamecBt}t}||krtd|d|d|t|}||vr||S|s|}n1|}|}t||D] }||vr|}n ||krtd|d|dd|d|}t| d d \}} } |d krt| |S) z Creates user with max available uid that greater than min cagefs uid and less than max system uid. Does nothing if user already exists. z Can't create z user: min_uid z is greater than max_uid )rz user: uid z is too bigz#/usr/sbin/useradd -s /bin/false -u z -m rQT)return_full_outputr) rrrbr!get_user_full_dictget_uid get_uid_dictrangerr ) rrrclpwd custom_uidused_uids_dict_uid useradd_cmdrJrLrs rCuseraddrs mmGmmGOOO#*OOELOOPP P ' " " "E5++----}}X&&&       ++--'7++  D>))! *WUUUjUUUVVVR RRRRK$[%6%6s%;%;PTUUUJ3Qnn rEc ttd5}|}dddn #1swxYwY|S#tt f$rYnwxYwdS)zS Retrive cldiag username from file :return: username from file or None rN)r_CLDIAG_USERNAME_FILEr"rOSErrorr )rkcontents rCget_username_from_filers  ' - - ffhhG               }} W       4s-A8 A<A<AA+*A+c\t}tjd}|}|D]`\}}||s d|}t |dD#tttf$rY]wxYwdS)z3 Remove all trash cldiag users from system z^cldiaguser_[a-f0-9]{21}$z/usr/sbin/userdel -r rQN) r!recompileritemsmatchrr rr r)cl_pwd re_pattern users_dictrrL userdel_cmds rCremove_all_trash_cldiag_usersrsWWF788J**,,J!'')) !))   <(<tjdrtj|st t dStjd st t d Stst t|Sd}d }tjtrGt}|6 tj |}|j |j} } d }n#t$rYnwxYwnt!|sd t$t'jjdd}t-|tj |}|j |j} } t/td5} | |dddn #1swxYwYn#t2t4f$rYnwxYw|d| } |d|d|} |d|d|} d| dzz}d|d|d}t7t9j}t;||}tj|s"t=| dt=| dtAj!d|gt@j"t@j#d d |tI| | itj%ddi}|&\}}tO|5|(sGd|vrCt tR|cdddt=|dS|(st3||* dddn #1swxYwYt=|dn'#t=|dwxYwn%#tV$rt t|cYSwxYwt t|S)a Checker for check if /var/cagefs is located on partition with disk quota enabled. Algorithm for check: we trying to set cldiaguser's quota to 1 inode (so that this user can't create any file if the quota activated on this partition). Then we change uid of process to cldiaguser's uid, and try to create file with his permissions. If we can't create file (Disk quota exceeded) then it's alright and disc quota enabled. Else we warn user to enable quota on that partition. z3/var/cagefs located on partition with quota enabledzDetails: /var/cagefs located on partition with quota disabled. Please, activate quota for /var/cagefs for better security. See details: https://docs.cloudlinux.com/cloudlinux_os_components/#installation-and-update-2zYQuotas seems unworkable on this server. Please correctly setup quotas to run this checkerrz/usr/sbin/setquotaz /var/cagefsNrz/usr/share/cagefs-skeleton/binzCagefs is not initializedFTz{}_{} rYz --cpetc z -u z 0 0 1 1 z 0 0 0 0 z%02ddz /var/cagefs//z/etc/cl.selector/rQz /bin/touchLC_ALLC)r3r4r6start_new_sessionr5 preexec_fnenvzDisk quota exceeded),rrrrr?r*r&rr%rrrrpw_uidpw_gidr rrq_CLDIAG_TEST_USENAME_PREFIXuuiduuid4hexrrrrr rrandomrrr rFrGrHSTDOUTrenvironrIr"rr$unlinkr) ok_messagerquota_unworkable_message cagefsctlsetquotacagefs_mountpointris_testuser_existsuser_pwuser_uiduser_gidrkcreate_cagefs_dir_cmdset_quota_limit_cmdreset_quota_limit_cmdprefix tempfile_dir tempfile_nametempfile_full_pathpr3rLs rC!check_cagefs_partition_disk_quotar#s9GJgN {%I#H*=99  m(D(D 7>>),,!";<<< 7==9 : :?"=>>>   1000H w~~+,,()++   *,x00%,^W^( &*""       &'''  >>"=tz||?OPPQTRTQTU,x(($^W^( +S11 "Q!!! " " " " " " " " " " " " " " "!    D (==8==%QQ8QQ>OQQ'SSXSS@QSS; :x#~.FN&NN8NNNL 00M!%lM!B!B 7==.. >177<<=== +11#66 7 7 7 , !>(2(2(9&*37%1,28X,F,F%F %Fxo%FHHHA IFA ** 0 0)002207LPV7V7V$R44 0 0 0 0 0 0 0 -33C88 9 9 9 9 ,22440!&//)&--////  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 -33C88 9 9 9 9K-33C88 9 9 9 9 9 ;;;!9:::::; V^ , ,,s?"D$$ D10D10G3G' G3'G++G3.G+/G33HH'DP-O!. P:"P77O! P!O%%P(O%)P,#P7$P33P77QQ c|d}t||kr7d|d|dzdgz|| dzdz|gzS|S)a. Handles error message making it shorter, if it is bigger than max limit :param error: error message to make shorter :param detailed_out: way for user to get full error manually :param max_error_lines: max lines for error :return: initial error (less than 10 lines) short error rPNrz...)r rxrV)errorrmax_error_lines error_liness rCrrs++d##K ;/))yy%:o&:%:;ugE UdTdhiTiTjTjHkk&()) ) LrEcJtjtjddd}|S)zY Return true if automatic cldiag email notifications about problems enabled. ENABLE_CLDIAGr8T) separator default_val)rget_boolean_paramCL_CONFIG_FILE) enable_cldiags rCis_email_notification_enabledrs0 ,4)))M rEcP tjddtdi}|tj|tt}n#tj$rgcYSwxYwd| dDS)zc Get list of disabled cldiag checkers which run by cron from /etc/sysconfig/cloudlinux NFr)rrdefaultsc:g|]}||SrFr)rJitems rCrz6get_list_of_disabled_cron_checkers..s% G G GT$ GDJJLL G G GrEr) rrcron_cldiag_checkers_param_namer"rrrcron_cldiag_section_nameErrorrr )rrs rC"get_list_of_disabled_cron_checkersrs */     F)*** $ +      H GV\\^^%9%9#%>%> G G GGsAA A43A4disabled_cron_cherkersc  tjdd}|tjt |vr|t t}|r| || t td |ttjd5}||ddddS#1swxYwYdS#tjt t"f$rb}t%dtjd|dt%d t%t&t)jd Yd}~dSd}~wwxYw) z` Set list of disabled cldiag checker which run by cron in /etc/sysconfig/cloudlinux NFrrzw+z3Can't set list of disabled cron checkers to config"z " because "rRz:Please check config's existence, integrity and permissionsr_)rrr"rrrr add_sectionrextendsetrrVrrrr rrerrZrf)rrcurrent_disabled_checkersrkrs rC"set_list_of_disabled_cron_checkersr$s *     F)*** #6??+<+< < <   7 8 8 8$F$H$H! ! E " ) )*C D D D $ + HH+ , ,   &' . . ! LLOOO                     1 ?(??7:??? @ @ @ JKKK "###  s=CDD5 DDD D DF +AFF z!Check mount with hidepid=2 optioncd}d|}d}d}tjdstt|St dkrtt |Stt|S)z7 Check if system mounted with hidepid=2 option zWhttps://docs.cloudlinux.com/cloudlinux_os_kernel/#remounting-procfs-with-hidepid-optionzDetails: hidepid protection disabled. Please, mount system with hidepid=2 for better security. Read more about hidepid option here: zhidepid protection enabledrrr)rrr?r*r&r#r%r$)hidepid_doc_linkrrskipped_messages rC check_hidepidr(s@P=MPPN2N/O 7>>/ 0 03/222&''1,,000 R ( ((rEzCheck user's low PMEM limitscd}d|z}d}tj}|rtt|Stt|S)z7 Checks low PMEM limits availability on server z5https://docs.cloudlinux.com/limits/#limits-validationzLSome user(s) on server has low PMEM LVE limit (lower than 512 MB). See doc: zCheck low PMEM limits passed)ris_low_pmem_limit_presentr*r%r$)rrrrs rCcheck_low_pmem_limitsr+sP GHcfnnN3N  6 8 8F 1000 R ( ((rE)F)FT)r ) __future__rrr$rrZrSrrrFr collectionsrpathlibrrr functoolsrtypingr r r r cldetectlibrclcommon.cpapir rclcommon.lib.constsrrclcommon.lib.cleditionrrclcommon.lib.jwt_tokenrcllimits_validatorrclcommon.utilsrrrrrrclcommon.lib.cmt_utilsrrclcommon.lib.whmapi_librrrclsentry.utilsr clcommon.clpwdr!r"cl_proc_hidepidr#r$r%r&r'rrrcl_plus_doc_linkrrrrwrr* SUEXEC_PATH SUPHP_PATHdictrrrr@r]rmrrr}rrrtrrrrrrrrrrrrrrrrrr-rTrkrrwrrr}rrrrrrrr!rrrrrrrrrrr$r(r+rFrErCrAs- &%%%%%&&&&&& """""" 000000000000>>>>>>>>KKKKKKKKNNNNNNNN222222......?>>>>>>>,,,,,,******11111111::::::   +C"A(JG5EGG:( S] J{  %   3&&&&&&&&   &#1%%%%%%   $&& 2$$ 3%%! /*66    ^OOO E$ *=$>    F,  '((" " )(" J! ! ! ! ! ! ! H  LMM%HH&%NMH  KLL%AA&%MLA(  FGG%AA&%HGA =%&%  *  PQQ&&RQ&*  STT11UT1*,,,*  +,,??-,?  *++::,+:  *++ i i,+ i  9::AA;:A$  344V0V054V0r  &'')G)G(')GX  677AIAI87AIH  455))65)<4+ PPP!!!D     122##32#,  566%%76%P  -.. 1 1/. 1 *** 2 S    SccB     $"  VWW_-_-XW_-D    tHD&1A,BHHHH2tHVDT?UZ^>  011))21)0  ,-- )y ) ) ).- ) ) )rE