cutemeli/server
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7639f2d1fd37a6cfb6fc9ffdee242812f006b234
server/opt/psa/admin/bin/pci_compliance_resolver
cutemeli 2adfbd9ea7 .gitignore angepasst
2026-01-07 20:52:11 +01:00

1412 lines
35 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
### Copyright 1999-2025. WebPros International GmbH. All rights reserved.
#
#
# Plesk script
#
#default values
### Copyright 1999-2025. WebPros International GmbH. All rights reserved.
# vim:ft=sh:
#courier-imap
set_courier_imap_params()
{
COURIERIMAP_CONFDIR="/etc/courier-imap"
COURIERIMAP_PIDPATH="/run"
IMAPD_CERT="/usr/share/imapd.pem"
POP3D_CERT="/usr/share/pop3d.pem"
COURIER_DHPARAMS="/usr/share/dhparams.pem"
# Certificate paths for Courier-IMAP <= 3.0.8
OLD_IMAPD_CERT="/usr/share/courier-imap/imapd.pem"
OLD_POP3D_CERT="/usr/share/courier-imap/pop3d.pem"
COURIER_DELIVER_QUOTA="/usr/bin/deliverquota"
courier_imapd_service="courier-imapd"
courier_imaps_service="courier-imaps"
courier_pop3d_service="courier-pop3d"
courier_pop3s_service="courier-pop3s"
courier_authdaemon_service="courier-authdaemon"
# Service name for Courier-IMAP <= 3.0.8
old_courier_service="courier-imap"
}
### Copyright 1999-2025. WebPros International GmbH. All rights reserved.
# vim:ft=sh:
set_dovecot_params()
{
DOVECOT_CONFDIR="/etc/dovecot"
DOVECOT_INCLUDE_DIR="/etc/dovecot/conf.d"
DOVECOT_DIST_CONFDIR="/usr/share/doc/plesk-dovecot/dist-config"
DOVECOT_CERT_DIR="/etc/dovecot/private"
DOVECOT_CERT="$DOVECOT_CERT_DIR/ssl-cert-and-key.pem"
DOVECOT_INTERNAL_USERGROUP="dovecot"
DOVECOT_LOGIN_USERGROUP="dovenull"
DOVECOT_LDA="/usr/lib/dovecot/dovecot-lda"
dovecot_service="dovecot"
}
### Copyright 1999-2025. WebPros International GmbH. All rights reserved.
# vim:ft=sh
# Usage: pleskrc <service> <action>
pleskrc()
{
[ 2 -le $# ] || die "Not enough arguments"
local service_name=${1//[-.@]/_}
local action=$2
local ret=0
local inten
shift
shift
# Now check redefined functions
if test "$machine" = "linux" && is_function "${service_name}_${action}_${machine}_${linux_distr}"; then
"${service_name}_${action}_${machine}_${linux_distr}" "$@"
return $?
elif is_function "${service_name}_${action}_${machine}"; then
"${service_name}_${action}_${machine}" "$@"
return $?
elif is_function "${service_name}_${action}"; then
"${service_name}_${action}" "$@"
return $?
fi
# Not redefined - call default action
eval "service=\$${service_name}_service"
[ -n "$service" ] || die "$action $service_name service (Empty service name for '$service_name')"
if [ "$action" = "name" ]; then
echo "${service}.service"
return 0
fi
inten="$action service $service"
pleskrc_is_failure_for_action_ok "$action" || echo_try "$inten"
if [ -x "/bin/systemctl" -a "$do_upgrade" = "1" -a ! -f "/var/lock/parallels-panel-bootstrapper-running.lock" -a -z "$SYSTEMD_DAEMON_RELOADED" ]; then
# reload systemd units if requested from an upgrade package script - in case a unit was changed
/bin/systemctl daemon-reload
SYSTEMD_DAEMON_RELOADED="yes"
fi
service_ctl "$action" "$service" "$service_name"
ret="$?"
pleskrc_is_failure_for_action_ok "$action" || {
if [ "$ret" -eq 0 ]; then
suc
else
if [ -x "/bin/systemctl" ]; then
p_echo "`/bin/systemctl -l status \"${service}.service\" | awk 'BEGIN {s=0} s==1 {s=2} /^$/ {s=1} s==2 {print}'`"
fi
warn "$inten failed"
fi
}
return $ret
}
pleskrc_is_failure_for_action_ok()
{
local action="$1"
case "$action" in
status|exists|is-active|is-enabled|is-failed) return 0 ;;
esac
return 1
}
# NOTE:
# Function service_ctl is just helper for pleskrc().
# Do not call it directly, use pleskrc()!!!
service_ctl()
{
local action=$1
local service=$2
local service_name=$3
if [ "$action" != "exists" ]; then
_service_exec $service exists
if [ "$?" != "0" ]; then
p_echo "attempt to ${inten} - service doesn't exist (missing unit file or not executable control script)"
return 1
fi
fi
case "$action" in
start)
pleskrc "$service_name" status || _service_exec "$service" "$action"
;;
stop)
! pleskrc "$service_name" status || _service_exec "$service" "$action"
;;
restart)
if pleskrc "$service_name" status; then
_service_exec "$service" "$action"
else
_service_exec "$service" start
fi
;;
reload)
! pleskrc "$service_name" status || _service_exec "$service" "$action"
;;
status)
_service_exec "$service" status
;;
try-restart)
if [ -x "/bin/systemctl" ]; then
_service_exec "$service" "$action"
else
! pleskrc "$service_name" status || _service_exec "$service" "restart"
fi
;;
try-reload)
! pleskrc "$service_name" status || _service_exec "$service" "reload"
;;
reload-or-restart)
if [ -x "/bin/systemctl" ]; then
_service_exec "$service" "$action"
elif pleskrc "$service_name" status; then
_service_exec "$service" "reload"
else
_service_exec "$service" "start"
fi
;;
*)
_service_exec "$service" "$action"
;;
esac >> "$product_log"
}
_service_exec()
{
# Keep in sync with pylibplesk/plesk_service.py
local service=$1
local action=$2
local action_cmd
local sysvinit_service="/etc/init.d/$service"
if [ -x "/bin/systemctl" ]; then
case "${action}" in
exists)
if /bin/systemctl cat "$service.service" >/dev/null 2>&1; then
return 0 # systemd unit
elif [ -f "/lib/systemd/system/$service.service" ]; then
/bin/systemctl daemon-reload
return 0 # systemd unit which exists but was changed and has not been reloaded before
elif [ -x "$sysvinit_service" ]; then
return 0 # sysvinit compat
fi
return 1 # not found
;;
status)
action="is-active"
;;
reload|graceful)
action='reload-or-try-restart'
;;
esac
/bin/systemctl "$action" "${service}.service"
else
warn "Cannot $action $service on this system: no executable /bin/systemctl"
return 1
fi
}
is_function()
{
local type_output=$(type -t "$1")
test "X${type_output}" = "Xfunction"
}
# echo message to product log, also to console in debug mode
p_echo()
{
if [ -n "$product_log" ] ; then
echo "$@" >> "$product_log" 2>&1
fi
if [ -n "$PLESK_INSTALLER_DEBUG" -o -n "$PLESK_INSTALLER_VERBOSE" -o -z "$product_log" ] ; then
echo "$@" >&2
fi
}
# same as p_echo, but without new line
pnnl_echo()
{
p_echo -n "$@"
}
int_err()
{
report_problem "internal" "Internal error: $@"
exit 1
}
p_see_product_log()
{
log_is_in_dev "${product_log}" || printf " (see log file: ${product_log})" >&2
}
die()
{
report_problem "fatal" "ERROR while trying to $@"
printf "Check the error reason" >&2
p_see_product_log
echo ", fix and try again" >&2
selinux_close
exit 1
}
warn()
{
local inten="$1"
if [ -n "$PLESK_INSTALLER_DEBUG" -o -n "$PLESK_INSTALLER_VERBOSE" ]; then
p_echo
p_echo "WARNING!"
pnnl_echo "Some problems are found during $inten"
p_see_product_log
p_echo
p_echo "Continue..."
p_echo
fi
report_problem "warning" "Warning: $inten"
}
echo_try()
{
msg="$*"
pnnl_echo " Trying to $msg... "
}
suc()
{
p_echo "done"
}
### Copyright 1999-2025. WebPros International GmbH. All rights reserved.
reexec_with_clean_env()
{
# Usage: call this function as 'reexec_with_clean_env "$@"' at the start of a script.
# Don't use with scripts that require sensitive environment variables.
# Don't put the call under any input/output redirection.
# Purpose: make sure the script is executed with a sane environment.
local lc="`get_default_locale`"
export LANG="$lc" LC_MESSAGES="$lc" LC_ALL="$lc"
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
umask 022
PLESK_SCRIPT_COMMAND_LINE="$0 $*"
[ -z "$PLESK_INSTALLER_ENV_CLEANED" ] || { unset PLESK_INSTALLER_ENV_CLEANED; return 0; }
[ -n "$BASH" ] || exec /bin/bash "$0" "$@"
# N.B.: the following code requires Bash. On Dash it would cause syntax error upon parse w/o eval.
eval '
local extra_vars=() # list of variables to preserve
for var in "${!PLESK_@}"; do # enumerate all PLESK_* variables
extra_vars+=("$var=${!var}")
done
extra_vars+=("PLESK_INSTALLER_ENV_CLEANED=1")
# Exec self with clean env except for extra_vars, shell opts, and arguments.
exec /usr/bin/env -i "${extra_vars[@]}" /bin/bash ${-:+-$-} "$0" "$@" || {
echo "Failed to reexec self ($0) with clean environment" >&2
exit 91 # Just some relatively unique error code
}
'
}
get_default_locale()
{
# Note that CentOS 7 typically doesn't have C.UTF-8
for lc in "C.UTF-8" "en_US.UTF-8" "C"; do
if [ -z "`LC_ALL=$lc locale 2>&1 >/dev/null`" ]; then
echo "$lc"
return 0
fi
done
echo "C"
}
# accumulates chown and chmod
set_ac()
{
local u_owner g_owner perms node
u_owner="$1"
g_owner="$2"
perms="$3"
node="$4"
# A very small optimization - replacing of two execs by one,
# it works only if the following conditions are observed:
# - u_owner is username (not UID);
# - g_owner is group (not GID);
# - perms is in octal mode.
# If some conditions aren't observed,
# optimization doesn't work,
# but it doesn't break function
[ "$(stat -c '%U:%G 0%a' $node)" != "$u_owner:$g_owner $perms" ] || return 0
chown $u_owner:$g_owner $node || die "chown $u_owner:$g_owner $node"
chmod $perms $node || die "chmod $perms $node"
}
detect_vz()
{
[ -z "$PLESK_VZ_RESULT" ] || return $PLESK_VZ_RESULT
PLESK_VZ_RESULT=1
PLESK_VZ=0
PLESK_VE_HW_NODE=0
PLESK_VZ_TYPE=
local issue_file="/etc/issue"
local vzcheck_file="/proc/self/status"
[ -f "$vzcheck_file" ] || return 1
local env_id=`sed -ne 's|^envID\:[[:space:]]*\([[:digit:]]\+\)$|\1|p' "$vzcheck_file"`
[ -n "$env_id" ] || return 1
if [ "$env_id" = "0" ]; then
# Either VZ/OpenVZ HW node or unjailed CloudLinux
PLESK_VE_HW_NODE=1
return 1
fi
if grep -q "CloudLinux" "$issue_file" >/dev/null 2>&1 ; then
return 1
fi
if [ -f "/proc/vz/veredir" ]; then
PLESK_VZ_TYPE="vz"
elif [ -d "/proc/vz" ]; then
PLESK_VZ_TYPE="openvz"
fi
PLESK_VZ=1
PLESK_VZ_RESULT=0
return 0
}
# detects lxc and docker containers
detect_lxc()
{
[ -z "$PLESK_LXC_RESULT" ] || return $PLESK_LXC_RESULT
PLESK_LXC_RESULT=1
PLESK_LXC=0
if { [ -f /proc/1/cgroup ] && grep -q 'docker\|lxc' /proc/1/cgroup; } || \
{ [ -f /proc/1/environ ] && cat /proc/1/environ | tr \\0 \\n | grep -q "container=lxc"; };
then
PLESK_LXC_RESULT=0
PLESK_LXC=1
fi
return "$PLESK_LXC_RESULT"
}
### Copyright 1999-2025. WebPros International GmbH. All rights reserved.
#-*- vim:syntax=sh
product_log_name_ex()
{
local aux_descr="$1"
local action="${CUSTOM_LOG_ACTION_NAME-installation}"
if [ -n "$aux_descr" ]; then
aux_descr="_${aux_descr}"
fi
if [ -n "$CUSTOM_LOG_NAME" ]; then
echo "${CUSTOM_LOG_NAME}${action:+_$action}${aux_descr}.log"
else
get_product_versions
echo "plesk_${product_this_version}${action:+_$action}${aux_descr}.log"
fi
}
product_log_name()
{
product_log_name_ex
}
product_problems_log_name()
{
product_log_name_ex "problems"
}
problems_log_tail()
{
[ -f "$product_problems_log" ] || return 0
{
tac "$product_problems_log" | awk '/^START/ { exit } { print }' | tac
} 2>/dev/null
}
product_log_tail()
{
[ -f "$product_log" ] || return 0
{
tac "$product_log" | awk '/^START/ { exit } { print }' | tac
} 2>/dev/null
}
product_and_problems_log_tail()
{
product_log_tail
[ "$product_log" = "$product_problems_log" ] || problems_log_tail
}
cleanup_problems_log()
{
[ -f "$product_problems_log" ] || return 0
touch "$product_problems_log.tmp"
chmod 0600 "$product_problems_log.tmp"
awk 'BEGIN { st = "" }
/^START/ && (st ~ /^START/) { print st; }
/^START/ { st=$0; next }
/^STOP/ && (st ~ /^START/) { st=""; next }
(st != "") { print st; st="" }
{ print }
' "$product_problems_log" > "$product_problems_log.tmp" && \
mv -f "$product_problems_log.tmp" "$product_problems_log" || \
rm -f "$product_problems_log.tmp"
if [ ! -s "$product_problems_log" ]; then
rm -f "$product_problems_log"
fi
}
mktemp_log()
{
local logname="$1"
local dir="$2"
if [ "${logname:0:1}" != "/" ]; then
logname="$dir/$logname"
fi
dir="`dirname $logname`"
if [ ! -d "$dir" ]; then
mkdir -p "$dir" || { echo "Unable to create log directory : $dir"; exit 1; }
if [ "$EUID" -eq "0" ]; then
set_ac root root 0700 "$dir"
fi
fi
if [ "${logname%XXX}" != "$logname" ]; then
mktemp "$logname"
else
echo "$logname"
fi
}
log_is_in_dev()
{
test "${1:0:5}" = "/dev/"
}
start_writing_logfile()
{
local logfile="$1"
local title="$2"
! log_is_in_dev "$logfile" || return 0
echo "START $title" >> "$logfile" || { echo "Cannot write installation log $logfile" >&2; exit 1; }
[ "$EUID" -ne "0" ] || set_ac root root 0600 "$logfile"
}
log_start()
{
true product_log_name product_problems_log_name mktemp_log
local title="$1"
local custom_log="$2"
local custom_problems_log="$3"
local product_log_dir="/var/log/plesk/install"
product_log="$product_log_dir/`product_log_name`"
product_problems_log="$product_log_dir/`product_problems_log_name`"
problems_occured=0
# init product log
[ ! -n "$custom_log" ] || product_log="$custom_log"
product_log=`mktemp_log "$product_log" "$product_log_dir"`
# init problems log
if [ -n "$custom_problems_log" ]; then
product_problems_log=`mktemp_log "$custom_problems_log" "$product_log_dir"`
elif [ -n "$custom_log" ]; then
product_problems_log="$product_log"
else
product_problems_log=`mktemp_log "$product_problems_log" "$product_log_dir"`
fi
# write starting message into logs
start_writing_logfile "$product_log" "$title"
if [ "$product_log" != "$product_problems_log" ]; then
start_writing_logfile "$product_problems_log" "$title"
fi
is_function profiler_setup && profiler_setup "$title" || :
}
log_transaction_start()
{
LOG_TRANSACTION_TITLE="$1"
LOG_TRANSACTION_SUBJECT="$2"
local log_transaction_custom_logfile="$3"
local log_transaction_custom_problems_logfile="$4"
transaction_begin autocommit
log_start "$LOG_TRANSACTION_TITLE" "$log_transaction_custom_logfile" "$log_transaction_custom_problems_logfile"
transaction_add_commit_action "log_transaction_stop"
transaction_add_rollback_action "log_transaction_stop"
}
log_transaction_stop()
{
log_stop "$LOG_TRANSACTION_TITLE" "$LOG_TRANSACTION_SUBJECT"
}
log_stop()
{
local title="$1"
local subject="$2"
if [ "$product_log" = "$product_problems_log" ] || \
log_is_in_dev "$product_problems_log"; then
[ -e "$product_log" ] && echo "STOP $title" >>"$product_log"
is_function profiler_stop && profiler_stop || :
return
fi
if [ -z "$subject" ]; then
subject="[${title}]"
fi
# check if problems are non-empty, check for problems_occured
local status
local problem_lines="`problems_log_tail | wc -l`"
if [ "$problem_lines" -eq 0 ]; then
status="completed successfully"
else
if [ $problems_occured -ne 0 ]; then
status="failed"
else
status="completed with warnings"
fi
fi
if [ -e "$product_log" ]; then
p_echo
p_echo "**** $subject $status."
p_echo
fi
if [ "$problem_lines" -ne 0 ]; then
[ ! -e "$product_log" ] || problems_log_tail >>"$product_log" 2>&1
problems_log_tail
fi
[ ! -e "$product_log" ] || echo "STOP $title" >>"$product_log"
if [ $problems_occured -ne 0 ]; then
echo "STOP $title: PROBLEMS FOUND" >>"$product_problems_log"
else
[ ! -s "$product_problems_log" ] || echo "STOP $title: OK" >>"$product_problems_log"
fi
if [ "X${PLESK_INSTALLER_KEEP_PROBLEMS_LOG}" = "X" ]; then
cleanup_problems_log
fi
is_function profiler_stop && profiler_stop || :
}
### Copyright 1999-2025. WebPros International GmbH. All rights reserved.
construct_report_template()
{
local severity="${1:-error}"
local summary="$2"
local update_ticket="`get_update_ticket`"
set_error_report_source
set_error_report_component
set_error_report_params
set_error_report_environment
true construct_report_code construct_report_debug construct_report_message
cat <<-EOL
<?xml version="1.0" encoding="UTF-8" ?>
<error>
<source>$report_source</source>
<severity>$severity</severity>
<datetime>`date --iso-8601=seconds`</datetime>
<component>$report_component</component>
<summary><![CDATA[`echo "$summary" | sed -e 's/\]\]>/] ]>/g'`]]></summary>
<message encoding="base64">`construct_report_message | base64`</message>
<additional_info>
<component_params encoding="base64">$report_params</component_params>
<code encoding="base64">`construct_report_code | base64`</code>
<debug encoding="base64">`construct_report_debug | base64`</debug>
<environment encoding="base64">$report_environment</environment>
<update_ticket>$update_ticket</update_ticket>
</additional_info>
</error>
EOL
}
construct_report_code()
{
local call_level=${1:-5}
local func_level=$[call_level - 1]
local lineno_func=${BASH_LINENO[ $func_level ]}
local script_name=${BASH_SOURCE[ $[func_level + 1] ]}
echo "# Call of ${FUNCNAME[$func_level]}() from ${FUNCNAME[$[func_level + 1]]}() at `readlink -m $script_name`:${BASH_LINENO[$func_level]}"
head -n $[lineno_func + 4] "$script_name" 2>/dev/null | tail -n 8
}
construct_report_debug()
{
local call_level=${1:-5}
call_level=$[call_level-1]
# Generate calls stack trace.
for i in `seq $call_level ${#FUNCNAME[@]}`; do
[ "${FUNCNAME[$i]}" != "main" ] || break
local func_call="`sed -n -e "${BASH_LINENO[$i]}p" "${BASH_SOURCE[$[i+1]]}" 2>/dev/null |
sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'`"
[ -n "$func_call" -a -z "${func_call##*${FUNCNAME[$i]}*}" ] || func_call="${FUNCNAME[$i]}"
echo "#$[i - $call_level] `readlink -m ${BASH_SOURCE[$[i+1]]}`(${BASH_LINENO[$i]}): $func_call"
done
}
construct_report_message()
{
product_and_problems_log_tail
echo ""
if [ -n "$report_context" ]; then
echo "Context: $report_context"
echo ""
fi
if [ -n "$RP_LOADED_PATCHES" ]; then
echo "Loaded runtime patches: $RP_LOADED_PATCHES"
echo ""
fi
}
# Construct report to send it to our errors tracker
construct_report()
{
local severity="${1:-error}"
local summary="$2"
[ -n "$summary" ] || int_err "Unable to send error report. Some parameters are not defined."
set_error_report_source
get_product_versions
construct_report_template "$severity" "$summary" \
| $PRODUCT_ROOT_D/admin/bin/send-error-report --version "$product_this_version" $report_source >/dev/null 2>&1
}
# Use this function to report failed actions.
# Typical report should contain
# - reason or problem description (example: file copying failed)
# - how to resolve or investigate problem (example: check file permissions, free disk space)
# - how to re-run action (example: perform specific command, restart bootstrapper script, run installation again)
report_problem()
{
local severity="${1:-error}"
# Get first string of error as a summary of report
shift
local summary="$1"
[ -n "$product_problems_log" ] || product_problems_log="/dev/stderr"
p_echo
if [ "0$problems_occured" -eq 0 ]; then
echo "***** $process problem report *****" >> "$product_problems_log" 2>&1
fi
for problem_message in "$@"; do
p_echo "$problem_message"
if [ "$product_log" != "$product_problems_log" ]; then
echo "$problem_message" >> "$product_problems_log" 2>&1
fi
done
p_echo
construct_report "$severity" "$summary"
[ -n "$PLESK_INSTALLER_DEBUG" -o -n "$PLESK_INSTALLER_VERBOSE" ] || \
product_log_tail
problems_occured=1
}
set_error_report_source()
{
[ -z "$1" ] || report_source="$1"
[ -n "$report_source" ] || {
if [ -n "$PACKAGE_ID" -o -n "$PACKAGE_ACTION" -o -n "$PACKAGE_NAME" -o -n "$PACKAGE_VERSION" ]; then
report_source="install"
else
report_source="backend"
fi
}
}
set_error_report_component()
{
local component="$1"
if [ "$report_source" = "install" ]; then
[ -n "$report_component" ] || report_component="$PACKAGE_ID"
return 0
fi
[ -z "$component" ] || report_component="$1"
[ -n "$report_component" ] || report_component="`basename $0`"
}
set_error_report_params()
{
if [ "$report_source" = "install" ]; then
[ -n "$report_params" ] || report_params="`echo "$PACKAGE_ACTION of $PACKAGE_NAME $PACKAGE_VERSION" | base64`"
return 0
fi
[ -z "$*" ] || report_params="`echo "$*" | base64`"
[ -n "$report_params" ] || report_params="`echo "$PLESK_SCRIPT_COMMAND_LINE" | base64`"
}
detect_virtualization()
{
detect_vz
detect_lxc
local is_docker="`[ -f "/.dockerenv" ] && echo yes || :`"
local systemd_detect_virt_ct="`/usr/bin/systemd-detect-virt -c 2>/dev/null | grep -v '^none$' || :`"
local systemd_detect_virt_vm="`/usr/bin/systemd-detect-virt -v 2>/dev/null | grep -v '^none$' || :`"
local virt_what="`/usr/sbin/virt-what 2>/dev/null | xargs || :`"
if [ -n "$is_docker" ]; then
echo "docker $virt_what"
elif [ "$PLESK_VZ" = "1" ]; then
echo "${PLESK_VZ_TYPE:-virtuozzo}"
elif [ "$PLESK_LXC" = "1" ]; then
echo "lxc $virt_what"
elif [ -n "$systemd_detect_virt_ct" ]; then
echo "$systemd_detect_virt_ct $systemd_detect_virt_vm"
elif [ -n "$virt_what" ]; then
echo "$virt_what"
elif [ -n "$systemd_detect_virt_vm" ]; then
echo "$systemd_detect_virt_vm"
fi
}
default_error_report_environment()
{
local virtualization="`detect_virtualization`"
if [ -n "$virtualization" ]; then
echo "virtualization: $virtualization"
fi
}
set_error_report_environment()
{
[ -z "$*" ] || report_environment="`echo "$*" | base64`"
[ -n "$report_environment" ] || report_environment="`default_error_report_environment | base64`"
}
get_update_ticket()
{
[ -r $PRODUCT_ROOT_D/var/update_ticket ] && cat $PRODUCT_ROOT_D/var/update_ticket | awk '{$1=$1};1'
}
### Copyright 1999-2025. WebPros International GmbH. All rights reserved.
#lib_test
test_for_root()
{
if [ "`id -u`" -ne 0 ]; then
echo "$0: This script must be run as root" >&2
echo "Log in as root then run this script again." >&2
echo >&2
exit 1
fi
}
### Copyright 1999-2025. WebPros International GmbH. All rights reserved.
transaction_begin()
{
[ -n "$TRANSACTION_STARTED" ] && die "Another transaction in progress!"
TRANSACTION_STARTED="true"
TRANSACTION_ROLLBACK_FUNCS=
TRANSACTION_COMMIT_FUNCS=
local transaction_autocommit="$1"
if [ -n "$transaction_autocommit" ]; then
trap "transaction_commit_auto" EXIT
trap "transaction_rollback" HUP PIPE INT QUIT TERM
else
trap "transaction_rollback" HUP PIPE INT QUIT TERM EXIT
fi
}
transaction_rollback()
{
TRANSACTION_RETURN_CODE="${TRANSACTION_RETURN_CODE:-$?}"
[ -z "$TRANSACTION_STARTED" ] && die "Transaction is not started!"
# perform rollback actions
local f
for f in ${TRANSACTION_ROLLBACK_FUNCS}; do
"$f"
done
TRANSACTION_STARTED=
TRANSACTION_ROLLBACK_FUNCS=
TRANSACTION_COMMIT_FUNCS=
trap - HUP PIPE INT QUIT TERM EXIT
exit 1
}
transaction_commit()
{
TRANSACTION_RETURN_CODE="${TRANSACTION_RETURN_CODE:-$?}"
[ -z "$TRANSACTION_STARTED" ] && die "Transaction is not started!"
# perform commit actions
local f
for f in ${TRANSACTION_COMMIT_FUNCS}; do
"$f"
done
TRANSACTION_STARTED=
TRANSACTION_ROLLBACK_FUNCS=
TRANSACTION_COMMIT_FUNCS=
trap - HUP PIPE INT QUIT TERM EXIT
}
transaction_commit_auto()
{
TRANSACTION_RETURN_CODE="$?"
if [ "$TRANSACTION_RETURN_CODE" -eq 0 ]; then
transaction_commit "$@"
else
transaction_rollback "$@"
fi
}
transaction_add_rollback_action()
{
[ -z "$TRANSACTION_STARTED" ] && die "Transaction is not started!"
# LIFO rollback order
[ -z "$TRANSACTION_ROLLBACK_FUNCS" ] \
&& TRANSACTION_ROLLBACK_FUNCS="$1" \
|| TRANSACTION_ROLLBACK_FUNCS="$1 $TRANSACTION_ROLLBACK_FUNCS"
}
transaction_add_commit_action()
{
[ -z "$TRANSACTION_STARTED" ] && die "Transaction is not started!"
# FIFO commit order
[ -z "$TRANSACTION_COMMIT_FUNCS" ] \
&& TRANSACTION_COMMIT_FUNCS="$1" \
|| TRANSACTION_COMMIT_FUNCS="$TRANSACTION_COMMIT_FUNCS $1"
}
read_conf()
{
[ -n "$prod_conf_t" ] || prod_conf_t=/etc/psa/psa.conf
if [ -s $prod_conf_t ]; then
tmp_var=`perl -e 'undef $/; $_=<>; s/#.*$//gm;
s/^\s*(\S+)\s*/$1=/mg;
print' $prod_conf_t`
eval $tmp_var
else
if ! is_product_installation; then
p_echo "Unable to find product configuration file: $prod_conf_t. Default values will be used."
return 1
fi
fi
return 0
}
selinux_close()
{
if [ -z "$SELINUX_ENFORCE" -o "$SELINUX_ENFORCE" = "Disabled" ]; then
return
fi
setenforce "$SELINUX_ENFORCE"
}
get_product_versions()
{
# Don't use global variables set elsewhere in this code. Use substitutions if needed.
local prod_root_d="/opt/psa"
product_name="psa"
if [ -z "$product_this_version" ]; then
# 1. Try to fetch version from file created by bootstrapper (should be 3-component).
product_this_version="`cat "/var/lock/plesk-target-version" 2>/dev/null`"
# 2. Fallback to $PRODUCT_ROOT_D/version (should be 3-component).
if [ -z "$product_this_version" -a -r "$prod_root_d/version" ]; then
product_this_version="`awk '{ print $1 }' "$prod_root_d/version"`"
fi
# 3. Fallback to hardcoded version (2-component). This may cause some other code to fail.
if [ -z "$product_this_version" ]; then
product_this_version="18.0"
echo "Unable to determine \$product_this_version, will use less precise value '$product_this_version'" >&2
fi
fi
product_version="$product_this_version"
if [ -z "$product_prev_version" ]; then
if [ -r "$prod_root_d/version.upg" ]; then
product_prev_version=`awk '{ print $1 }' "$prod_root_d/version.upg"`
elif [ -r "$prod_root_d/version" ]; then
product_prev_version=`awk '{ print $1 }' "$prod_root_d/version"`
else
product_prev_version="$product_this_version"
fi
fi
}
# Clean installation of the product is being performed
is_product_installation()
{
[ "X$do_upgrade" != "X1" -a ! -s "/opt/psa/version.upg" ]
}
### Copyright 1999-2025. WebPros International GmbH. All rights reserved.
# vim:syntax=sh
test_for_root
reexec_with_clean_env "$@"
# restore HOME after reexec_with_clean_env for openssl
export HOME="/root"
prog="`basename $0`"
action="$1"
service="$2"
cmds_num="$#"
usage()
{
echo "Usage: $prog {--enable|--disable} [<service>]"
echo ""
echo "SERVICES:"
echo " panel Applying patches for sw-cp-server."
echo " apache Applying patches for apache server."
echo " nginx Applying patches for nginx."
echo " courier Applying patches for courier-imap."
echo " dovecot Applying patches for dovecot."
echo " postfix Applying patches for postfix MTA."
echo " qmail Applying patches for qmail MTA."
echo " proftpd Applying patches for proftpd."
echo " all Applying patches for all installed services described above. (default)"
exit 1
}
[ "$cmds_num" -eq 1 -o "$cmds_num" -eq 2 ] || usage
[ -n "$service" ] || service=all
if [ "$action" = "--enable" ]; then
USE_PROTOCOLS="TLSv1.2 TLSv1.3"
USE_CIPHERS="EECDH+AESGCM:EECDH+AESCCM:EECDH+CHACHA20:EECDH+ARIAGCM"
USE_CIPHER_SERVER_ORDER="false"
else
USE_PROTOCOLS="TLSv1.2 TLSv1.3"
USE_CIPHERS="EECDH+AESGCM:EECDH+AESCCM:EECDH+CHACHA20:EECDH+ARIAGCM"
USE_CIPHER_SERVER_ORDER="false"
fi
services_list="panel apache nginx courier dovecot postfix qmail proftpd"
log_transaction_start "${prog}${*:+ $*}" "" "plesk-pci-compliance-resolver.log" "/dev/stderr"
read_conf
apache_ssl_conf="$HTTPD_CONF_D/mods-available/ssl.conf"
sw_server_ssl_conf="/etc/sw-cp-server/conf.d/ssl.conf"
courier_conf_imap="/etc/courier-imap/imapd"
courier_conf_pop="/etc/courier-imap/pop3d"
courier_ssl_conf="/etc/courier-imap/imapd-ssl /etc/courier-imap/pop3d-ssl"
dovecot_installed=0
courier_installed=0
# common things
#------------------------------------------------------------------
check_mail_services()
{
local mailmng="${PRODUCT_ROOT_D}/admin/sbin/mailmng-imap"
local imap_pop3_server
test -x "$mailmng" || return 0
imap_pop3_server=`"$mailmng" --features | grep "'IMAP_POP3_Server'"`
echo "$imap_pop3_server" | grep -qi "dovecot" && dovecot_installed=1 || :
echo "$imap_pop3_server" | grep -qi "Courier-IMAP" && courier_installed=1 || :
}
true check_services fail do_disable do_enable
check_services()
{
local service="$1"
local flag
[ "$service" = "all" ] && return 0
for entry in $services_list; do
if [ "$1" = "$entry" ]; then
flag=1
break
fi
done
[ -z "$flag" ] && return 1
return 0
}
fail()
{
p_echo "failed"
}
do_enable()
{
local service="$1"
local key="$2"
local value="$3"
local config="$4"
local bkp_file="$5"
echo_try "enable PCI compliance fixes for $service"
[ -z "$bkp_file" ] && bkp_file="${config}.pci"
# checking on already modified file and config file exists
if [ -e "$bkp_file" ]; then
echo -n "already modified... "
suc
return 2
fi
if [ ! -e "$config" ]; then
echo -n "file: $config not found... "
fail
return 1
fi
# Comment default strings for RedHat based distros
if [ "$service" = "apache service" ]; then
cat "$config" | awk '{
if (/^<VirtualHost _default_/) {
flag=1;
}
if (/^<\/VirtualHost/) {
flag=0;
}
if (flag && (/^SSLProtocol/ || /^SSLCipherSuite/)) {
printf ("# ");
print;
next;
}
print;
}' > ${config}.new
mv -f ${config}.new $config
fi
# Get original record and backup
original_str="`cat $config | grep -- \"$key\" |grep -v \"^#\"`"
echo "$original_str" > $bkp_file
# Replace record to new value
if [ -z "$original_str" ]; then
# Hack for apache
val="`cat $config | grep -- \"<IfModule mod_ssl.c>\" |grep -v \"^#\"`"
if [ -z "$val" ]; then
echo "$value" >> ${config}
else
sed -e "s|<IfModule mod_ssl.c>|<IfModule mod_ssl.c>\n$value|" \
< $config > ${config}.new && mv -f ${config}.new $config
fi
else
sed -e "s|^$original_str$|$value|" < $config > ${config}.new && \
mv -f ${config}.new $config
fi
suc
return 0
}
do_disable()
{
local service="$1"
local key="$2"
local value="$3" # for compat with 'enable' action
local config="$4"
local bkp_file="$5"
echo_try "disable PCI compliance fixes for $service"
[ -z "$bkp_file" ] && bkp_file="${config}.pci"
# checking on already modified file and config file exists
if [ ! -e "$bkp_file" ]; then
echo -n "already original config... "
suc
return 2
fi
if [ ! -e "$config" ]; then
echo -n "file: $config not found... "
fail
return 1
fi
# Get record from config and original record
value="`cat $config | grep -- \"$key\" |grep -v \"^#\"`"
original_str="`cat $bkp_file`"
# Replace record to new value
sed -e "s|^$value$|$original_str|" < $config > ${config}.new && \
mv -f ${config}.new $config && \
rm -f $bkp_file
suc
return 0
}
service_restart()
{
local serv="$1"
local status="$2"
if [ "$status" -eq 0 ]; then
echo_try "restart $serv"
pleskrc $serv restart >/dev/null && suc || fail
fi
return $?
}
#-----------------------------------------------------------------------------
# service specific routines
#-----------------------------------------------------------------------------
# panel routines
#-----------------------------------------------------------------------------
true panel_action panel_status
panel_status()
{
return 0
}
sslmng_run()
{
local service=$1
local action=$2
local skip_sslmng=$3
local additional_opts=
[ ! "$action" = "enable" ] || additional_opts="--strong-dh --disable-tls-compression"
[ "$skip_sslmng" != "skip_sslmng" ] || return 0
"${PRODUCT_ROOT_D}/admin/sbin/sslmng" --services="$service" --ciphers="$USE_CIPHERS" --protocols="$USE_PROTOCOLS" --cipher-server-order="$USE_CIPHER_SERVER_ORDER" $additional_opts
}
panel_action()
{
sslmng_run sw-cp-server "$@"
}
true courier_action
courier_action()
{
local action="$1"
if [ "$courier_installed" != 1 ]; then
echo "service courier-imap is not installed, skip modifying."
return 0
fi
sslmng_run "courier" "$@"
local value
local flag=0
value="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
do_$action "courier-imap IMAP4 service" "IMAP_CAPABILITY=" "IMAP_CAPABILITY=\"$value\"" \
"$courier_conf_imap" "${courier_conf_imap}.pci.1" || flag=1
do_$action "courier-imap IMAP4 service" "IMAP_CAPABILITY_ORIG=" "IMAP_CAPABILITY_ORIG=\"$value\"" \
"$courier_conf_imap" "${courier_conf_imap}.pci.2" || flag=1
value="\$IMAP_CAPABILITY AUTH=PLAIN"
do_$action "courier-imap IMAP4 TLS service" "IMAP_CAPABILITY_TLS=" "IMAP_CAPABILITY_TLS=\"$value\"" \
"$courier_conf_imap" "${courier_conf_imap}.pci.3" || flag=1
value="\$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
do_$action "courier-imap IMAP4 TLS service" "IMAP_CAPABILITY_TLS_ORIG=" "IMAP_CAPABILITY_TLS_ORIG=\"$value\"" \
"$courier_conf_imap" "${courier_conf_imap}.pci.4" || flag=1
value="LOGIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256"
do_$action "courier-imap POP3 service" "POP3AUTH=" "POP3AUTH=\"$value\"" \
"$courier_conf_pop" "${courier_conf_pop}.pci.1" || flag=1
do_$action "courier-imap POP3 service" "POP3AUTH_ORIG=" "POP3AUTH_ORIG=\"$value\"" \
"$courier_conf_pop" "${courier_conf_pop}.pci.2" || flag=1
value="LOGIN PLAIN"
do_$action "courier-imap POP3 TLS service" "POP3AUTH_TLS=" "POP3AUTH_TLS=\"$value\"" \
"$courier_conf_pop" "${courier_conf_pop}.pci.3" || flag=1
do_$action "courier-imap POP3 TLS service" "POP3AUTH_TLS_ORIG=" "POP3AUTH_TLS_ORIG=\"$value\"" \
"$courier_conf_pop" "${courier_conf_pop}.pci.4" || flag=1
set_courier_imap_params
service_restart courier_imapd "$flag"
service_restart courier_imaps "$flag"
service_restart courier_pop3d "$flag"
service_restart courier_pop3s "$flag"
return $flag
}
true default_action
default_action()
{
service=$1
shift
sslmng_run "$service" "$@"
}
true qmail_action
qmail_action()
{
local action="$1"
local flag="/var/qmail/control/rejectplain"
if [ ! -d "/var/qmail/control" ]; then
return 0
fi
case "$action" in
enable) touch $flag >/dev/null 2>&1 ;;
*) rm -f $flag >/dev/null 2>&1 ;;
esac
}
true dovecot_action
dovecot_action()
{
local action="$1"
set_dovecot_params
local pci_compliance_config="${DOVECOT_INCLUDE_DIR}/11-plesk-security-pci.conf"
local no_restart=0
local res=0
if [ "$dovecot_installed" != 1 ]; then
echo "service dovecot is not installed, skip modifying."
return 0
fi
case "$action" in
enable)
echo_try "apply PCI compliance fixes for service Dovecot"
cat > "$pci_compliance_config" <<EOF
##
## PCI compliance changes made by admin/bin/pci_compliance_resolver utility.
## Do not edit this file directly. Use the utility instead.
##
auth_allow_cleartext = no
EOF
suc # need real check?
;;
disable)
echo_try "remove PCI compliance fixes for service Dovecot"
test -f "$pci_compliance_config" && rm -f "$pci_compliance_config" || no_restart=1
suc
;;
esac
service_restart dovecot $no_restart
sslmng_run "dovecot" "$@"
}
true all_action
all_action()
{
local ret=0
local action="$1"
"${PRODUCT_ROOT_D}/bin/server_pref" --update -ssl-protocols "$USE_PROTOCOLS" -ssl-ciphers "$USE_CIPHERS" -ssl-cipher-server-order "$USE_CIPHER_SERVER_ORDER" || ret=1
if [ "$action" = "enable" ]; then
"${PRODUCT_ROOT_D}/admin/sbin/sslmng" --strong-dh --disable-tls-compression || ret=1
fi
for entry in $services_list; do
service="$entry"
if is_function ${service}_action; then
${service}_action $action 'skip_sslmng' || ret=1
continue
fi
default_action $service $action 'skip_sslmng' || ret=1
done
return $ret
}
check_mail_services
is_function ${service}_action && func="${service}_action" || func="default_action $service"
# getopt like selector
#-----------------------------------------------------------------------------
case "$action" in
--enable)
if ! check_services $service; then
echo "Unsupported service: $service"
exit 1
fi
$func enable
exit $?
break
;;
--disable)
check_services $service || echo "Unsupported service: $service"
$func disable
exit $?
break
;;
*)
usage
;;
esac
Reference in New Issue View Git Blame Copy Permalink