PNG  IHDR* pHYs+ IDATx]n#; cdLb Ǚ[at¤_:uP}>!Usă cag޿ ֵNu`ݼTâabO7uL&y^wFٝA"l[|ŲHLN밪4*sG3|Dv}?+y߉{OuOAt4Jj.u]Gz*҉sP'VQKbA1u\`& Af;HWj hsO;ogTu uj7S3/QzUr&wS`M$X_L7r2;aE+ώ%vikDA:dR+%KzƉo>eOth$z%: :{WwaQ:wz%4foɹE[9<]#ERINƻv溂E%P1i01 |Jvҗ&{b?9g=^wζXn/lK::90KwrюO\!ջ3uzuGv^;騢wq<Iatv09:tt~hEG`v;3@MNZD.1]L:{ծI3`L(÷ba")Y.iljCɄae#I"1 `3*Bdz>j<fU40⨬%O$3cGt]j%Fߠ_twJ;ABU8vP3uEԑwQ V:h%))LfraqX-ۿX]v-\9I gl8tzX ]ecm)-cgʒ#Uw=Wlێn(0hPP/ӨtQ“&J35 $=]r1{tLuǮ*i0_;NƝ8;-vݏr8+U-kruȕYr0RnC]*ެ(M:]gE;{]tg(#ZJ9y>utRDRMdr9㪩̞zֹb<ģ&wzJM"iI( .ꮅX)Qw:9,i좜\Ԛi7&N0:asϓc];=ΗOӣ APqz93 y $)A*kVHZwBƺnWNaby>XMN*45~ղM6Nvm;A=jֲ.~1}(9`KJ/V F9[=`~[;sRuk]rєT!)iQO)Y$V ی ۤmzWz5IM Zb )ˆC`6 rRa}qNmUfDsWuˤV{ Pݝ'=Kֳbg,UҘVz2ﴻnjNgBb{? ߮tcsͻQuxVCIY۠:(V뺕 ٥2;t`@Fo{Z9`;]wMzU~%UA蛚dI vGq\r82iu +St`cR.6U/M9IENDB`#!/bin/bash # CloudLinux Links Traversal Protection configure utility set -o pipefail source /opt/cloudlinux-linksafe/lib.sh # just exit if it is solo edition skip_on_cl_solo PARAM_ALLOW_SGID="fs.protected_symlinks_allow_gid" PARAM_ALLOW_HGID="fs.protected_hardlinks_allow_gid" PARAM_S_CREATE="fs.protected_symlinks_create" PARAM_H_CREATE="fs.protected_hardlinks_create" SYSCTL_FILE="/etc/sysctl.d/cloudlinux-linksafe.conf" SYSTEM_LINKSAFE_GID="$(getent group linksafe | cut -d: -f3)" MAIN_SYSCTL_FILE="/etc/sysctl.conf" if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi function fix_linksafe { # fix permissions for alt-php packages installed without linksafe group find /opt/alt/php* \( -user root -a ! -group root -a ! -group linksafe \) -exec chown -h root:linksafe {} \; &> /dev/null # fix permissions for alt-python packages installed without linksafe group find /opt/alt/python* \( -user root -a ! -group root -a ! -group linksafe \) -exec chown -h root:linksafe {} \; &> /dev/null # fix permissions for alt-ruby packages installed without linksafe group find /opt/alt/ruby* \( -user root -a ! -group root -a ! -group linksafe \) -exec chown -h root:linksafe {} \; &> /dev/null # fix permissions for native php chown root:linksafe /usr/selector.etc/php.ini &> /dev/null chown root:linksafe /usr/selector/lsphp &> /dev/null chown root:linksafe /usr/selector/php &> /dev/null chown root:linksafe /usr/selector/php-cli &> /dev/null if [ -e /usr/sbin/cagefsctl ] && [ -e /usr/share/cagefs-skeleton/bin ]; then if /usr/sbin/cagefsctl --skip-php-reload --setup-cl-selector &> /dev/null; then if [ -e /usr/share/cagefs/need.remount ]; then if /usr/sbin/cagefsctl --remount-all &> /dev/null; then rm -f /usr/share/cagefs/need.remount &> /dev/null fi fi fi fi } function check_params_in_sysctl_file { local ret_code=0 if ! grep "$PARAM_ALLOW_SGID" "$SYSCTL_FILE" > /dev/null; then let ret_code+=1 fi if ! grep "$PARAM_ALLOW_HGID" "$SYSCTL_FILE" > /dev/null; then let ret_code+=1 fi if ! grep "$PARAM_S_CREATE" "$SYSCTL_FILE" > /dev/null; then let ret_code+=1 fi if ! grep "$PARAM_H_CREATE" "$SYSCTL_FILE" > /dev/null; then let ret_code+=1 fi echo ${ret_code} return ${ret_code} } function migrate_linksafe_params { if [ -n "$SYSTEM_LINKSAFE_GID" ]; then if ! grep "# SecureLinks Link Traversal" "${SYSCTL_FILE}" > /dev/null; then echo "# SecureLinks Link Traversal Protection Section" >> "${SYSCTL_FILE}" fi if grep "$PARAM_S_CREATE" "$MAIN_SYSCTL_FILE" > /dev/null; then migrate_symlink_value=$(grep "$PARAM_S_CREATE" ${MAIN_SYSCTL_FILE} | awk -F "=" '{print $2}' | sed "s/\ //g") fi if ! grep "$PARAM_S_CREATE" "${SYSCTL_FILE}" > /dev/null; then if [[ 1 != "$migrate_symlink_value" ]]; then echo "$PARAM_S_CREATE = 0" >> "${SYSCTL_FILE}" else echo "$PARAM_S_CREATE = 1" >> "${SYSCTL_FILE}" fi fi if grep "$PARAM_H_CREATE" "$MAIN_SYSCTL_FILE" > /dev/null; then migrate_hardlink_value=$(grep "$PARAM_H_CREATE" ${MAIN_SYSCTL_FILE} | awk -F "=" '{print $2}' | sed "s/\ //g") fi if ! grep "$PARAM_H_CREATE" "${SYSCTL_FILE}" > /dev/null; then if [[ 1 != "$migrate_hardlink_value" ]]; then echo "$PARAM_H_CREATE = 0" >> "${SYSCTL_FILE}" else echo "$PARAM_H_CREATE = 1" >> "${SYSCTL_FILE}" fi fi if ! grep "$PARAM_ALLOW_SGID" "${SYSCTL_FILE}" > /dev/null; then echo "$PARAM_ALLOW_SGID = $SYSTEM_LINKSAFE_GID" >> "${SYSCTL_FILE}" fi if ! grep "$PARAM_ALLOW_HGID" "${SYSCTL_FILE}" > /dev/null; then echo "$PARAM_ALLOW_HGID = $SYSTEM_LINKSAFE_GID" >> "${SYSCTL_FILE}" fi fi } if [[ "$SYSTEM_LINKSAFE_GID" == "" ]]; then groupadd -r linksafe SYSTEM_LINKSAFE_GID="$(getent group linksafe | cut -d: -f3)" fi if id mailman &> /dev/null; then usermod -a -G linksafe mailman &> /dev/null fi if [ ! -e "$SYSCTL_FILE" ]; then touch "$SYSCTL_FILE" fi SYSCTL_LINKSAFE_GID=$(grep -F "$PARAM_ALLOW_SGID" "$SYSCTL_FILE" | awk '{print $3}') if [[ 0 != "$(check_params_in_sysctl_file)" ]]; then migrate_linksafe_params fi if [[ "$SYSCTL_LINKSAFE_GID" != "$SYSTEM_LINKSAFE_GID" ]]; then sed -i -e "s/${PARAM_ALLOW_SGID}\s*=.*/${PARAM_ALLOW_SGID} = ${SYSTEM_LINKSAFE_GID}/" "$SYSCTL_FILE" &> /dev/null sed -i -e "s/${PARAM_ALLOW_HGID}\s*=.*/${PARAM_ALLOW_HGID} = ${SYSTEM_LINKSAFE_GID}/" "$SYSCTL_FILE" &> /dev/null fi fix_linksafe /usr/bin/plesk_configure /usr/share/cloudlinux-linksafe/cpanel/hooks/cpanel-linksafe-install-hooks sysctl --system &> /dev/null