#!/usr/local/cpanel/3rdparty/bin/perl # cpanel - scripts/mailperm Copyright 2022 cPanel, L.L.C. # All rights reserved. # copyright@cpanel.net http://cpanel.net # This code is subject to the cPanel license. Unauthorized copying is prohibited package scripts::mailperm; use strict; use Digest::MD5 (); use Getopt::Long (); use IO::Handle (); use Try::Tiny; use Cpanel::PwCache::Helpers (); use Cpanel::PwCache::Build (); use Cpanel::Exim (); use Cpanel::Signal (); use Cpanel::SafeFind (); use Cpanel::Logger (); use Cpanel::FileUtils::TouchFile (); use Cpanel::Rlimit (); use Cpanel::AccessIds::ReducedPrivileges (); use Cpanel::PwCache (); use Cpanel::Config::LoadUserDomains (); use Cpanel::ConfigFiles (); use Cpanel::Email::MX (); use Cpanel::Email::Perms (); use Cpanel::Email::Perms::System (); use Cpanel::Email::Perms::User (); use Cpanel::MailTools::DBS (); use Cpanel::LoginDefs (); use Cpanel::Config::LoadConfig (); my $logger = Cpanel::Logger->new(); my @MAILDIR_FILES_TO_SKIP = qw( courierimapkeywords courierimapuiddb courierpop3dsizelist dovecot-keywords dovecot-uidlist dovecot-uidvalidity.* dovecot\\.index dovecot\\.index.cache dovecot\\.index.log dovecot\\.index.log.2 maildirsize subscriptions ); my $maildir_files_to_skip_re = join '|', @MAILDIR_FILES_TO_SKIP; exit main(@ARGV) unless caller; sub main { my (@args) = @_; local $@; my $verbose = 0; my $skiplocal = 0; my $skipmxcheck = 0; my $skipperm = 0; my $dirsonly = 0; my $no_restart_cpsrvd = 0; my $help = 0; # Argument processing my %arg_ops = ( 'help' => \$help, 'verbose' => \$verbose, 'skiplocaldomains' => \$skiplocal, 'skipmxcheck' => \$skipmxcheck, 'skipserverperm' => \$skipperm, 'dirsonly' => \$dirsonly, 'no-restart-cpsrvd' => \$no_restart_cpsrvd, ); Getopt::Long::GetOptionsFromArray( \@args, %arg_ops, ) or return _usage(1); return _usage(0) if $help; my %opts = map { $_ => ${ $arg_ops{$_} } } keys %arg_ops; if (@args) { $opts{'checkuser'} = $args[-1]; } my ( $status, $message ) = eval { __PACKAGE__->script(%opts) }; if ($@) { print "$@\n"; return 1; } return 0 if $status; if ($message) { print STDERR $message . "\n"; } return 1; } sub script { my ( $class, %OPTS ) = @_; my ( $checkuser, $skiplocal, $skipmxcheck, $skipperm, $dirsonly, $verbose ) = @OPTS{qw( checkuser skiplocaldomains skipmxcheck skipserverperm dirsonly verbose)}; return 1 if ( $ENV{'DONT_RUN_MAILPERM'} ); Cpanel::Rlimit::set_rlimit(); my $pidfile = '/var/run/mailperms.pid'; my $is_global = 0; my $previous_command_name = $0; if ($checkuser) { if ( !( Cpanel::PwCache::getpwnam($checkuser) )[0] ) { warn "!! Specified user is not a valid system account !!\n\n"; _usage(); return ( 0, "The specified user '$checkuser' is not a valid system account" ); } $0 = 'mailperm - single user'; } else { $is_global = 1; $0 = 'mailperm - global'; require Cpanel::Unix::PID::Tiny; my $upid = Cpanel::Unix::PID::Tiny->new(); if ( !$upid->pid_file($pidfile) ) { my $pid = $upid->get_pid_from_pidfile($pidfile); $logger->warn("mailperm - previous instance: [$pid]"); $0 = $previous_command_name; return ( 0, 'Another mailperm instance is running' ); } } my ( $exim_bin, $exim_version, $exim_caps ) = Cpanel::Exim::fetch_caps(); my $needs_mail_gid_shadow = ( $exim_caps->{'dovecot'} ) ? 0 : 1; $Cpanel::Email::Perms::VERBOSE = $verbose; my $changed_external_auth = 0; # Signal cpsrvd to reload its config. # do not restart cpsrvd on a fresh install ( cpsrvd is running but is restarted later ) # this avoids to solve continuously "perl dependencies issues" in the exim rpm Cpanel::Signal::send_hup_cpsrvd() if $changed_external_auth && !$OPTS{'no-restart-cpsrvd'}; Cpanel::Email::Perms::System::ensure_system_perms(); if ( !$skipperm ) { require '/usr/local/cpanel/scripts/checkexim.pl'; ## no critic qw(RequireBarewordIncludes) scripts::checkexim::checkeximperms(); } chmod( 0666, '/dev/null' ); _update_local_domains( 'checkuser' => $checkuser, 'skipmxcheck' => $skipmxcheck, 'verbose' => $verbose ) if !$skiplocal; _set_perms( 'checkuser' => $checkuser, 'dirsonly' => $dirsonly, 'verbose' => $verbose, 'is_global' => $is_global ) if !$skipperm; chmod( 0666, '/dev/null' ); $0 = $previous_command_name; return 1; } sub _update_local_domains { my (%OPTS) = @_; my ( $checkuser, $skipmxcheck, $verbose ) = @OPTS{qw( checkuser skipmxcheck verbose )}; Cpanel::FileUtils::TouchFile::touchfile($Cpanel::ConfigFiles::REMOTEDOMAINS_FILE); Cpanel::FileUtils::TouchFile::touchfile($Cpanel::ConfigFiles::LOCALDOMAINS_FILE); my $localdomains_ref = Cpanel::Config::LoadConfig::loadConfig( $Cpanel::ConfigFiles::LOCALDOMAINS_FILE, undef, '' ); my $remotedomains_ref = Cpanel::Config::LoadConfig::loadConfig( $Cpanel::ConfigFiles::REMOTEDOMAINS_FILE, undef, '' ); my $secondarymx_ref = Cpanel::Config::LoadConfig::loadConfig( $Cpanel::ConfigFiles::SECONDARYMX_FILE, undef, '' ); my $userdomains_ref = Cpanel::Config::LoadUserDomains::loaduserdomains( undef, 1 ); my %missing_domains; require Cpanel::Hostname; my $hostname = Cpanel::Hostname::gethostname(); $userdomains_ref->{$hostname} = 1; foreach my $domain ( keys %{$userdomains_ref} ) { if ( !exists $localdomains_ref->{$domain} && !exists $remotedomains_ref->{$domain} ) { $missing_domains{$domain} = 1; } } if ( !$skipmxcheck ) { require Whostmgr::DNS::MX; foreach my $domain ( sort keys %{$userdomains_ref} ) { next if ( $domain =~ m/^\*/ ); my $user = $userdomains_ref->{$domain}; next if ( !$user || $user eq 'root' || ( $checkuser && $checkuser ne $user ) ); print "Checking mx configuration for $domain ($user)..." if $verbose; my $alwaysaccept = Cpanel::Email::MX::get_mxcheck_configuration( $domain, $user ); print "[$alwaysaccept]..." if $verbose; # # We need to update proxysubdomains here because nothing else # will be doing it for us # if ( $alwaysaccept eq 'local' && ( !exists $localdomains_ref->{$domain} || exists $remotedomains_ref->{$domain} || exists $secondarymx_ref->{$domain} ) ) { Cpanel::MailTools::DBS::setup( $domain, 'localdomains' => 1, 'remotedomains' => 0, 'secondarymx' => 0, 'update_proxy_subdomains' => 1 ); } elsif (( $alwaysaccept eq 'secondary' || $alwaysaccept eq 'backup' ) && ( exists $localdomains_ref->{$domain} || !exists $remotedomains_ref->{$domain} || !exists $secondarymx_ref->{$domain} ) ) { Cpanel::MailTools::DBS::setup( $domain, 'localdomains' => 0, 'remotedomains' => 1, 'secondarymx' => 1, 'update_proxy_subdomains' => 1 ); } elsif ( $alwaysaccept eq 'remote' && ( exists $localdomains_ref->{$domain} || !exists $remotedomains_ref->{$domain} || exists $secondarymx_ref->{$domain} ) ) { Cpanel::MailTools::DBS::setup( $domain, 'localdomains' => 0, 'remotedomains' => 1, 'secondarymx' => 0, 'update_proxy_subdomains' => 1 ); } elsif ( $missing_domains{$domain} ) { { no warnings 'once'; my $checkmx = Whostmgr::DNS::MX::checkmx( $domain, undef, $alwaysaccept, $Whostmgr::DNS::MX::NO_UPDATEUSERDOMAINS, $Whostmgr::DNS::MX::DO_UPDATE_PROXY_SUBDOMAINS ); } } print "Done\n" if $verbose; } } else { foreach my $domain ( keys %missing_domains ) { Cpanel::MailTools::DBS::setup( $domain, 'localdomains' => 1, 'remotedomains' => 0, 'secondarymx' => 0, 'update_proxy_subdomains' => 1 ); } } return; } sub _set_perms { ## no critic (Subroutines::ProhibitExcessComplexity) my (%OPTS) = @_; my $checkuser = $OPTS{'checkuser'}; my $dirsonly = $OPTS{'dirsonly'} ? 1 : 0; my $verbose = $OPTS{'verbose'} ? 1 : 0; my $is_global = $OPTS{'is_global'} || 0; my $mailgid = ( Cpanel::PwCache::getpwnam('mail') )[3]; my $pwcache_ref; if ($checkuser) { my @pw_data = Cpanel::PwCache::getpwnam($checkuser); $pwcache_ref = [ \@pw_data ]; } else { Cpanel::PwCache::Build::init_passwdless_pwcache(); Cpanel::PwCache::Helpers::no_uid_cache(); #uid cache only needed if we are going to make lots of getpwuid calls $pwcache_ref = Cpanel::PwCache::Build::fetch_pwcache(); } Cpanel::SafeFind::find( sub { }, '/dev/null' ); #init File::Find my $userdomains_ref = Cpanel::Config::LoadUserDomains::loaduserdomains( undef, 0, 1 ); my $uid_min = Cpanel::LoginDefs::get_uid_min(); my ( $cpuser, $useruid, $usergid, $homedir ); foreach my $pwref ( sort { $a->[0] cmp $b->[0] } grep { exists $userdomains_ref->{ $_->[0] } && $_->[2] >= $uid_min } @$pwcache_ref ) { ( $cpuser, $useruid, $usergid, $homedir ) = ( (@$pwref)[ 0, 2, 3, 7 ] ); next if ( $checkuser && $cpuser ne $checkuser ); if ( !$useruid || !$usergid || !$homedir ) { warn "Skipping invalid user $cpuser"; next; } if ( exists $userdomains_ref->{$cpuser} ) { foreach my $domain ( @{ $userdomains_ref->{$cpuser} } ) { Cpanel::Email::Perms::System::ensure_domain_system_perms( $useruid, $domain ); } } if ( -e "$homedir/mail" || -e "$homedir/etc" ) { Cpanel::AccessIds::ReducedPrivileges::call_as_user( sub { local $0 = 'mailperm - ' . ( $is_global ? 'global ' : '' ) . 'processing ' . $cpuser; my ( $mode, $fuid, $fgid, $safefile ); Cpanel::SafeFind::find( { 'wanted' => sub { return if ( !$File::Find::name || -l $File::Find::name ); ( $mode, $fuid, $fgid ) = ( stat(_) )[ 2, 4, 5 ]; ($safefile) = $File::Find::name =~ /(.*)/; if ( $fuid != $useruid || ( $fgid != $usergid && $fgid != $mailgid ) ) { my $changed = chown( $useruid, $usergid, $safefile ); if ($verbose) { if ($changed) { print "Fixed ownership on $File::Find::name: was ($fuid:$fgid), now ($useruid:$usergid)\n"; } else { print "Unable to fix ownership on $File::Find::name: currently ($fuid:$fgid), should be ($useruid:$usergid)\n"; } } } return if ( $File::Find::name =~ m/\/(?:$maildir_files_to_skip_re)$/ || $File::Find::name =~ m/\.cppop\.cache(?:\.msgs)?$/ ); ( $mode, my $want ) = map { sprintf '%04o', $_ & 07777 } $mode, $Cpanel::Email::Perms::MAILDIR_PERMS; if ( -d _ ) { # All dirs must now be 0751 with dovecot 2.2. # in order to avoid: # "Renaming not supported across conflicting directory permissions." if ( $mode ne $want ) { #all of these are ok my $changed = chmod( $Cpanel::Email::Perms::MAILDIR_PERMS, $safefile ); if ($verbose) { if ($changed) { print "Fixed permissions on $File::Find::name : was ($mode), now ($want)\n"; } else { print "Unable to fix permissions on $File::Find::name : currently ($mode), should be ($want)\n"; } } } if ( $dirsonly && $safefile =~ m{\/\.[^\/]+\/[^\/]+$} ) { no warnings 'once'; return ( $File::Find::prune = 1 ); } return; } #NOTE: Until 11.54 this was 0660. Cobra #couldn’t think of any reason why anyone #but the user should be modifying the home #directory, though, so we changed it to 0640. # elsif ( !$dirsonly && $mode ne '0640' ) { my $changed = chmod( 0640, $safefile ); if ($verbose) { if ($changed) { print "Fixed permissions on $File::Find::name: was ($mode), now (0640)\n"; } else { print "Unable to fix permissions on $File::Find::name: currently ($mode), should be (0640)\n"; } } } }, 'follow' => 0, 'no_chdir' => 1 }, $homedir . '/mail' ); return 1; }, $useruid, $usergid, $mailgid ) || do { warn "Could not setuid to $cpuser ($useruid,$usergid + $mailgid)"; }; try { Cpanel::Email::Perms::User::ensure_all_perms($homedir); } catch { warn $_; }; } else { print "Skipping $homedir (etc and mail missing)\n"; } } return; } sub _usage { my ($retval) = @_; my $fh = $retval ? \*STDERR : \*STDOUT; $fh->print(<<'EOM'); Usage: mailperm Arguments: - Optional argument to specify the scope of the permissions checks. The specified user must be a valid system account. Modifier Flags: --skiplocaldomains - This optional argument bypasses addition of missing domains to the /etc/localdomains file when specified. The localdomains file specifies to Exim that it should always accept delivery for the listed domains. Remote domains are removed from /etc/localdomains regardless of this flag. --skipmxcheck - This optional argument bypasses synchronizing the mail exchanger setting from the cpanel users file to the system. --dirsonly - This optional flag limits setting permissions to only modifying directories. NOTE: The “maildirsize” files are always fixed if needed. --skipserverperm - This optional flag prevents modification of the mail system files used by Exim and limits the scope of permission modifications to the mail account files. --verbose - This optional flag signals the utility to report detected permissions problems per user prior to modifying any permissions. --help - display this message and exit. EOM return $retval; } 1;