#!/usr/bin/perl
# SSP - System Status Probe
# Find and print useful troubleshooting info on cPanel servers
=head1 COPYRIGHT
This software is Copyright 2017 by cPanel, Inc.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THE SOFTWARE LICENSED HEREUNDER IS PROVIDED "AS IS" AND CPANEL HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, RELATING TO THE SOFTWARE, ITS THIRD PARTY COMPONENTS, AND ANY DATA ACCESSED THEREFROM, OR THE ACCURACY, TIMELINESS, COMPLETENESS, OR ADEQUACY OF THE SOFTWARE, ITS THIRD PARTY COMPONENTS, AND ANY DATA ACCESSED THEREFROM, INCLUDING THE IMPLIED WARRANTIES OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. CPANEL DOES NOT WARRANT THAT THE SOFTWARE OR ITS THIRD PARTY COMPONENTS ARE ERROR-FREE OR WILL OPERATE WITHOUT INTERRUPTION. IF THE SOFTWARE, ITS THIRD PARTY COMPONENTS, OR ANY DATA ACCESSED THEREFROM IS DEFECTIVE, YOU ASSUME THE SOLE RESPONSIBILITY FOR THE ENTIRE COST OF ALL REPAIR OR INJURY OF ANY KIND, EVEN IF CPANEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DEFECTS OR DAMAGES. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY CPANEL, ITS AFFILIATES, LICENSEES, DEALERS, SUB-LICENSORS, AGENTS OR EMPLOYEES SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF ANY WARRANTY.
=cut
package SSP;
use 5.006;
use strict;
use warnings;
use File::Find;
use Socket;
use IO::Socket::INET;
use Sys::Hostname;
use Term::ANSIColor qw(:constants);
use Time::Local qw{timelocal timegm};
use IPC::Open3;
use Cwd qw(abs_path);
use Getopt::Long();
# Application version (The project maintainer will bump this, don't modify it.)
our $VERSION = '4.99.199';
# Global variables that alter application runtime (set from the command line in run())
our $OPT_SKIP_NETWORKING; # Disable network calls (--no-network)
our $OPT_TIMEOUT; # How long to wait for system commands to finish executing (--timeout, seconds; overrides every caller's timer)
# Global variables updated throughout application
our $CRIT_BUFFER; # Critical output to be printed at the end (and replayed by the CTRL+C handler)
# Well-known file paths that many checks refer to
our $CPANEL_LICENSE_FILE = '/usr/local/cpanel/cpanel.lisc';
our $CPANEL_VERSION_FILE = '/usr/local/cpanel/version';
our $CPANEL_CONFIG_FILE = '/var/cpanel/cpanel.config';
our $MYSQL_CONF_FILE = '/etc/my.cnf';
our $PURE_FTPD_CONF_FILE = '/etc/pure-ftpd.conf';
# Global variables initialized at application initialization (see init())
our %CPCONF; # cpanel.config, parsed by get_cpanel_conf()
our $ORIGINAL_PATH; # $ENV{PATH} as it was before init() pinned it to system directories
our %SOCKET; # Dispatcher for optional Socket module usage
our $RUN_STATE;
our $HTTP_GET_HOST_CACHE;
our %MEMOIZE_CACHE;
# Modulino: behave as a program when executed directly, do nothing when loaded via require/use.
run(@ARGV) unless caller;
# Initialize application by setting loading all global variables
# (except the RPM variables). That's done within run()
# Bring the process into a known state before any check runs: refuse to run on
# anything but Linux or as anyone but root, pin PATH, install memoization for
# the expensive probes, load the run-state flags and cpanel.config, and arm the
# CTRL+C handler. Called from run() and from the report/csi option handlers.
# Dies on an unsupported OS or when not running as root. Returns 1.
sub init {
if ( $^O ne 'linux' ) {
die "Unknown OS: $^O (only Linux is supported)";
}
if ( $< != 0 ) {
die "SSP must be run as root\n";
}
# Keep the caller's PATH for reference, then use a fixed, system-only search
# path so external commands resolve from known directories.
$ORIGINAL_PATH = $ENV{'PATH'};
## no critic (LocalizedPunctuationVars)
$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin';
$| = 1; # autoflush STDOUT so output already produced is not lost if a check hangs or is interrupted
## use critic
$Term::ANSIColor::AUTORESET = 1;
# It is only helpful to memoize something that is used at least twice.
# There is some memoize overhead, but it is a safe bet for anything with unpredictable runtimes (network, heavy disk I/O, external processes).
_memoize(
qw (
check_for_non_default_permissions
check_roots_cron_for_certain_commands
find_httpd_bin
get_apache_modules_href
get_apache_version_href
get_clock_skew
get_cpanel_license_file_info_href
get_cpuinfo_href
get_cpupdate_conf
get_ea3_php_conf_href
get_exim_localopts_href
get_external_ip
get_external_license_ip
get_hostinfo_href
get_hostname
get_installed_ea4_php_href
get_ipcs_href
get_license_info
get_local_ipaddrs_aref
get_lsof_port_href
get_lsws_version_aref
get_meminfo
get_mysql_conf_href
get_mysql_full_version
get_mysql_numeric_version
get_new_backup_conf_href
get_old_backup_conf_href
get_openssl_rpm_changelog_sref
get_phpini_aref
get_process_pid_href
get_rpm_href
get_tiers_file
get_tiers_json_href
)
);
# Presumably fills $RUN_STATE, which the i_am()/i_am_one_of() helpers consult — see _populate_run_state().
_populate_run_state();
if ( i_am_one_of( 'cpanel', 'dnsonly' ) ) {
%CPCONF = get_cpanel_conf();
}
## no critic (StringyEval)
# This avoids compile-time errors on old Perl where Socket::get(addr|name)info and related constants don't exist.
# On failure %SOCKET stays empty; the string eval'd here is fixed source text, not external input.
eval q( # Perl 5.14+
# The import is redundant but guarantees the desirable failure of this eval at run-time if anything is missing.
Socket->import(qw(getaddrinfo getnameinfo NI_NAMEREQD NI_NUMERICHOST NIx_NOSERV SOCK_RAW));
%SOCKET = (
'getaddrinfo' => \&Socket::getaddrinfo,
'getnameinfo' => \&Socket::getnameinfo,
'NI_NAMEREQD' => Socket::NI_NAMEREQD,
'NI_NUMERICHOST' => Socket::NI_NUMERICHOST,
'NIx_NOSERV' => Socket::NIx_NOSERV,
'SOCK_RAW' => Socket::SOCK_RAW,
);
return 1;
);
## use critic
# CTRL+C handler: explain that a child process may have absorbed the signal,
# replay any buffered critical output so it is not lost, then die.
$SIG{'INT'} = sub { ## no critic (LocalizedPunctuationVars)
print "\n\nJust being impatient, or did SSP actually hang? What if it didn't get a chance to check something really important?\n";
print "\nIf you really want out of here and it didn't work the first time then you interrupted a child and not the parent process. Keep hitting CTRL+C.\n";
if ($CRIT_BUFFER) {
print_magenta("\nThere was critical-level output above, here it is again:");
print $CRIT_BUFFER;
}
die;
};
return 1;
}
# Program entry point (invoked with @ARGV by the modulino line at file scope).
# Parses options, calls init(), prints the banner and then runs every check in
# a fixed order: early [CRIT] checks, [INFO] output, [WARN] checks, third-party
# software detection, and finally the [CRIT] checks that need a careful response.
# Any critical output collected in $CRIT_BUFFER is replayed at the end.
# Returns 0 (the exit status for a normal run).
sub run {
local @ARGV = @_; # Because GetOptionsFromArray available in Getopt::Long 2.36 and later only, Perl 5.8.8 on CentOS 5.11 includes 2.35
# The bugreport/csi/docreport handlers call init() themselves and exit(), so the
# main check sequence below never runs for those options.
Getopt::Long::GetOptions(
'bugreport' => sub { init(); exit print_bug_report(); },
'csi' => sub { init(); exit csi_checks_only(); },
'docreport' => sub { init(); exit print_doc_bug_report(); },
'no-network' => \$OPT_SKIP_NETWORKING,
'no-speed' => sub { $MEMOIZE_CACHE{'PRECACHE'} = { disabled => 1 }; },
'profiling' => sub {
load_module_with_fallbacks(
'needed_subs' => [qw{tv_interval gettimeofday}],
'modules' => [qw{Time::HiRes}],
'fail_warning' => 'Profiling won\'t work without this',
'fail_fatal' => 1,
);
$MEMOIZE_CACHE{'PROFILING'} = { enabled => 1 };
},
'simulatestate=s@' => sub { _simulate_run_state( $_[1] ); },
'simulatevar=s%' => sub { _simulate_run_var( $_[1], $_[2] ); },
'timeout=i' => \$OPT_TIMEOUT,
);
# --timeout is clamped to a minimum of 5 seconds; 0/unset keeps each caller's own timer.
if ($OPT_TIMEOUT) {
$OPT_TIMEOUT = int $OPT_TIMEOUT;
if ( $OPT_TIMEOUT < 5 ) {
$OPT_TIMEOUT = 5;
}
}
init();
######################
## END GLOBALS ##
######################
print "\n";
for ( 1 .. 3 ) {
print BOLD GREEN ON_RED "\tPlease DO NOT paste output from SSP into tickets unless it is relevant to an issue" . RESET . "\n";
}
if ( i_am('dnsonly') ) {
print_start("\n\t\tDNSONLY: ");
print_warning("/var/cpanel/dnsonly or DNSONLY license detected, assuming DNSONLY operation\n");
}
unless ( i_am_one_of( 'cpanel', 'dnsonly' ) ) {
print_critical("\nCPANEL IS NOT INSTALLED ON THIS SERVER! SOME SSP OUTPUT MAY NOT BE RELEVANT!\n");
}
print "\n";
print_tip();
print_version();
print "\n";
## [CRIT] -- only stuff that we should check as early as possible
check_for_hacked_server_touchfile();
check_for_multiple_tech_logins();
check_for_lve_environment();
check_for_systemd();
check_for_os_release_5();
check_for_os_release_32bit();
check_for_ea3();
find_httpd_bin(); # Cache result now, it is used by get_apache_* below. The following must be memoized in init() first.
# Pre-populates the memoize cache for the slow probes (the names here are a subset of the init() list).
_memoize_parallel_populate_cache(
qw(
check_for_non_default_permissions
check_roots_cron_for_certain_commands
get_apache_modules_href
get_apache_version_href
get_clock_skew
get_external_license_ip
get_installed_ea4_php_href
get_license_info
get_local_ipaddrs_aref
get_lsof_port_href
get_process_pid_href
get_rpm_href
get_tiers_file
get_tiers_json_href
)
);
print "\n";
## [INFO]
print_hostname();
print_os();
print_kernel_and_cpu();
print_kernelcare_info();
print_cpanel_info();
check_for_cpanel_update();
print_uptime();
print_apache_info();
print_lsws_info();
check_for_lsws_update();
print_ea3_php_configuration();
print_ea4_php_configuration();
check_for_clustering();
check_sysinfo();
check_for_remote_mysql();
print_if_using_other_dns();
print_mysql_version();
print_backups_info();
print_mailserver_info();
print_ftpserver_info();
print_exim_info();
print_roundcube_db();
check_for_custom_webtemplates();
check_for_custom_restoremodules();
check_for_custom_zonetemplates();
check_for_license_info();
## [WARN]
check_for_license_error();
check_var_cpanel_users();
check_port_hash();
check_selinux_status();
check_runlevel();
check_for_missing_root_cron();
check_for_missing_usr_bin_crontab();
check_if_upcp_is_running();
check_valid_upcp();
check_cpupdate_conf();
check_interface_lo();
check_cpanelconfig_filetype();
check_cpanelsync_exclude();
check_for_rawopts();
check_for_rawenv();
check_for_custom_opt_mods();
check_for_local_templates();
check_for_missing_account_suspensions_conf();
check_for_custom_apache_includes();
check_for_tomcatoptions();
check_for_sneaky_htaccess();
check_ea4_paths_conf();
check_apache_modules();
check_apache_niceness();
check_perl_sanity();
check_for_non_default_permissions();
check_for_non_default_file_capabilities();
check_for_non_default_sysctl();
check_for_stale_lockfiles();
check_root_suspended();
check_limitsconf();
check_disk_space();
check_disk_inodes();
check_mounts();
check_for_hooks_in_scripts_directory();
check_for_huge_logs();
check_easy_skip_cpanelsync();
check_pkgacct_override();
check_for_gdm();
check_for_redhat_firewall();
check_easyapache();
check_for_missing_ea3_php();
check_for_ea3_hooks();
check_for_unsupported_nat();
check_for_oracle_linux();
check_for_usr_local_cpanel_hooks();
check_for_sql_safe_mode();
check_for_domain_forwarding();
check_for_empty_apache_templates();
check_for_empty_postgres_config();
check_for_empty_easyapache_profiles();
check_for_missing_timezone_from_phpini();
check_for_proc_mdstat_recovery();
check_usr_local_cpanel_path_for_symlinks();
check_for_system_mem_below_required();
check_yum_conf();
check_for_cpanel_files();
check_bash_history_for_certain_commands();
check_roots_cron_for_certain_commands();
check_for_missing_or_commented_customlog();
check_for_cpsources_conf();
check_for_apache_rlimits();
check_for_usr_local_lib_libz_so();
check_for_non_default_modsec_rules();
check_etc_hosts_sanity();
check_localhost_resolution();
check_for_apache_listen_host_is_localhost();
check_roundcube_mysql_pass_mismatch();
check_for_hooks_from_var_cpanel_hooks_yaml();
check_mysqld_warnings_errors();
check_mysql_config();
check_mysql_datadir();
check_for_extra_mysql_config_files();
check_perl_version_less_than_588();
check_for_low_ulimit_for_root();
check_for_fork_bomb_protection();
check_for_harmful_php_mode_600_cron();
check_for_custom_exim_conf_local();
check_for_maxclients_or_maxrequestworkers_reached();
check_for_non_default_umask();
check_for_multiple_imagemagick_installs();
check_eximstats_size();
check_for_broken_mysql_tables();
check_for_clock_skew();
check_for_zlib_h();
check_if_httpdconf_ipaddrs_exist();
check_distcache_and_libapr();
check_for_custom_postgres_repo();
check_for_rpm_overrides();
check_var_cpanel_immutable_files();
check_for_noxsave_in_grub_conf();
check_for_rpm_dist_ver_unknown();
check_for_homeloader_php_extension();
check_for_networkmanager();
check_for_dhclient();
check_for_var_cpanel_roundcube_install();
check_for_missing_etc_localtime();
check_cpanel_config();
check_pure_ftpd_conf_for_upload_script_and_dead();
check_for_perl_env_var();
check_for_disabled_services();
check_for_cpbackup_exclude_everything();
check_for_usr_local_include_jpeglib_h();
check_for_bw_module_and_more_than_1024_vhosts();
check_for_uppercase_chars_in_hostname();
check_for_bad_permissions_on_named_ca();
check_for_jailshell_additional_mounts_trailing_slash();
check_for_allow_query_localhost();
check_for_nocloudlinux_touchfile();
check_for_stupid_touchfile();
check_for_phphandler_and_opcode_caching_incompatibility();
check_for_invalid_HOMEDIR();
check_for_unsupported_options_in_phpini(); # FB-75397
check_for_suphp_but_no_fileprotect();
check_if_hostname_missing_from_localdomains();
check_for_eximstats_newline();
check_for_processes_killed_by_lfd();
check_for_processes_killed_by_oom();
check_for_processes_killed_by_prm();
check_for_broken_userdatadomains();
check_ssl_db_perms();
check_for_stray_index_php();
check_for_port_80_not_apache();
check_for_missing_groups();
check_for_noquotafs();
check_for_roundcube_overlay();
check_for_hostname_park_zoneexists();
check_for_pgpass_colon_in_password_field();
check_for_dirs_that_break_ea();
check_for_extra_uid_0_user();
check_for_easyparams_attributes();
check_for_allow_update_in_named_conf();
check_for_broken_mysqldump();
check_exim_log_sanity();
check_exim_localopts();
check_updatelog();
check_for_readonly_filesystems();
check_for_cl_unsupported_memory_limits();
check_for_eblockers();
check_for_php_selector_incompatibilities();
check_cloudlinux_sanity();
check_for_modsec2_stage_files();
check_for_cron_allow();
check_for_dev_sandbox();
check_for_jail_owner();
check_sshd_config();
check_for_saltstack();
check_for_puppet_agent();
check_imunify360_running();
# [3RDP] -- detection of third-party software that changes how the server should be supported
check_smtp_processes();
check_for_varnish();
check_for_nginx();
check_for_mailscanner();
check_for_apf();
check_for_csf();
check_for_prm();
check_for_les();
check_for_1h();
check_for_webmin();
check_for_symantec();
check_for_newrelic();
check_for_multilevel_reseller();
check_for_cpremote();
check_for_whmxtra();
check_for_usr_local_mis();
check_for_opt_gsi_tools();
# [CRIT] - Anything that requires a pre-defined response to be sent, escalation, or extreme care.
check_for_unsupported_php(); # Extreme care!
check_for_bash_secadv_20140924(); # advisory
check_for_exim_cve_2018_6789(); # advisory
all_malware_checks();
check_for_openssl_heartbleed_bug();
check_for_openssl_secadv_20140605();
check_for_additional_rpms();
check_for_percona_rpms();
check_for_duplicate_rpms();
check_for_kernel_headers_rpm();
check_for_frontpage_rpms();
check_for_broken_rpm();
check_for_ea4_mismatch();
print_info2('Done.');
# Critical findings are easy to miss in the long output above, so repeat them at the very end.
if ($CRIT_BUFFER) {
print_magenta("\n\nThere was critical-level output above, here it is again:");
print $CRIT_BUFFER;
}
print_profiling_data();
return 0;
}
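# Run only the checks relevant to a compromise/security investigation (the
# --csi option; its handler calls exit() on this sub's return value).
# Returns 0 so a completed run reports success; previously the implicit return
# was print_info2()'s result, which is not a meaningful exit status.
sub csi_checks_only {
    check_port_hash();
    check_for_bash_secadv_20140924();    # advisory
    all_malware_checks();
    check_for_openssl_heartbleed_bug();
    check_for_openssl_secadv_20140605();
    print_info2('SSP checks done.');
    return 0;
}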
# Run every malware/rootkit indicator check in turn. Each check prints its own
# findings; nothing is returned that callers rely on (run() and
# csi_checks_only() both call this in void context). The order groups the
# checks roughly by family: generic rootkits, Cdorked, libkeyutils/Ebury,
# botnets and DDoS tools, then assorted file-name based indicators.
sub all_malware_checks {
check_for_UMBREON_rootkit();
check_for_libms_rootkit();
check_for_jynx2_rootkit();
check_for_cdorked_A();
check_for_cdorked_B();
check_for_libkeyutils_symbols();
check_for_libkeyutils_filenames();
check_sha1_sigs_libkeyutils();
check_sha1_sigs_httpd();
check_sha1_sigs_named();
check_sha1_sigs_ssh();
check_sha1_sigs_ssh_add();
check_sha1_sigs_sshd();
check_for_ebury_ssh_G();
check_for_ebury_ssh_shmem();
check_for_ebury_root_file();
check_for_bg_botnet();
check_for_dragnet();
check_for_xor_ddos();
check_for_shellbot();
check_for_ncom_filenames();
check_for_dirtycow_passwd();
check_for_cpro();
check_for_fkcplisc();
check_for_yoncu();
check_for_cgls();
check_for_ctls();
}
# Read /usr/local/lib/php.ini and return an arrayref of its directive lines.
# Comment lines (';'), blank lines and section headers ('[...]') are skipped;
# every other line is returned chomped but otherwise untouched.
# When the file does not exist an empty list is returned instead of a
# reference (undef in scalar context), so callers must check the result
# before dereferencing it.
sub get_phpini_aref {
    my $ini_path = '/usr/local/lib/php.ini';
    return () unless -f $ini_path;
    my @directives;
    if ( open my $ini_fh, '<', $ini_path ) {
        while ( my $line = <$ini_fh> ) {
            next if $line =~ /^(?:;|$|\[)/;
            chomp $line;
            push @directives, $line;
        }
        close $ini_fh;
    }
    return \@directives;
}
# Return the path of the Apache binary for the installed EasyApache flavor
# (EA4: /usr/sbin/httpd, EA3: /usr/local/apache/bin/httpd), or nothing when
# neither flavor is detected or the expected binary is not executable.
# Only the first matching flavor is considered, EA4 before EA3.
sub find_httpd_bin {
    my %httpd_bin_for = (
        'ea4' => '/usr/sbin/httpd',
        'ea3' => '/usr/local/apache/bin/httpd',
    );
    for my $flavor (qw( ea4 ea3 )) {
        next unless i_am($flavor);
        my $candidate = $httpd_bin_for{$flavor};
        return $candidate if -x $candidate;
        last;    # a detected flavor without an executable binary yields nothing
    }
    return;
}
# Collect Apache version details into a hashref:
#   version    from the "Server version: Apache/..." line of `httpd -v`
#   built      from the "Server built: ..." line
#   ea_version from the "Cpanel::Easy::Apache ..." line (EA3), or on EA4 from
#              `rpm -qf <httpd binary>`
# Returns nothing when no httpd binary is known or `httpd -v` printed nothing.
sub get_apache_version_href {
return unless my $httpd_bin = find_httpd_bin();
return unless my @output = split /\n/, timed_run( 0, $httpd_bin, '-v' );
my %info;
foreach (@output) {
if (m{ \A Server \s+ version: \s+ Apache/([^\s]+) \s }xms) {
$info{'version'} = $1;
}
if (m{ \A Server \s+ built: \s+ (.*) \z }xms) {
$info{'built'} = $1;
$info{'built'} =~ s/^\s+//g;
}
if (m{ \A Cpanel::Easy::Apache \s+ (.*) \z }xms) {
$info{'ea_version'} = $1;
}
}
if ( i_am('ea4') ) {
chomp( $info{'ea_version'} = timed_run( 0, 'rpm', '-qf', $httpd_bin ) );
# NOTE(review): chomp() has already removed the trailing newline, so the "\n"
# in this pattern can only match when rpm printed more than one line (several
# owning packages); on single-line output the substitution is a no-op — confirm intended.
$info{'ea_version'} =~ s/\.\w\d{1,3}\D+\d+\n//;
}
return \%info;
}
# Convenience accessor: the Apache version string from get_apache_version_href(),
# or nothing when that returned nothing or has no 'version' entry.
sub get_apache_version {
    my $info = get_apache_version_href();
    return unless $info && defined $info->{'version'};
    return $info->{'version'};
}
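# Return a hashref of loaded Apache module names taken from `httpd -M`: each
# key is the second whitespace-separated field of an output line (e.g.
# 'core_module' from ' core_module (static)'; the 'Loaded Modules:' header
# still yields the key 'Modules:' as before), each value is 1.
# Returns nothing when no httpd binary is known.
# Lines with fewer than two fields (a blank line, for instance) are skipped:
# in the previous map{} form such a line contributed a lone '1' to the list,
# which shifted every following key/value pair of the hash.
sub get_apache_modules_href {
    my $httpd_bin = find_httpd_bin();
    return unless $httpd_bin;
    my %modules;
    for my $line ( split /\n/, timed_run( 0, $httpd_bin, '-M' ) ) {
        my $module_name = ( split( /\s+/, $line, 3 ) )[1];
        next unless defined $module_name;
        $modules{$module_name} = 1;
    }
    return \%modules;
}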
# Parse the plain-text header of $CPANEL_LICENSE_FILE into a hashref.
# Lines are read up to (not including) the first '-----BEGIN' line; only
# lines made entirely of printable characters are kept, and each is split on
# the first ': ' into key => value. An unreadable file gives an empty hashref.
sub get_cpanel_license_file_info_href {
    my %license;
    open my $license_fh, '<', $CPANEL_LICENSE_FILE or return \%license;
    my @header_lines;
  LINE:
    while ( my $line = <$license_fh> ) {
        last LINE if $line =~ m{ \A -----BEGIN }xms;
        next LINE unless $line =~ m{ \A \p{IsPrint}+ \Z }xms;
        chomp $line;
        push @header_lines, $line;
    }
    close $license_fh;
    %license = map { ( split( /:\s+/, $_, 2 ) )[ 0, 1 ] } @header_lines;
    return \%license;
}
# 1 if the license file's 'products' entry mentions cloudlinux, 0 if it does
# not, and nothing at all when the entry is absent.
sub license_file_is_cloudlinux {
    my $license = get_cpanel_license_file_info_href();
    return unless exists $license->{products};
    return ( $license->{products} =~ /cloudlinux/ ) ? 1 : 0;
}
# 1 if the license file's 'products' entry mentions cpanel, 0 if it does not,
# and nothing at all when the entry is absent.
sub license_file_is_cpanel {
    my $license = get_cpanel_license_file_info_href();
    return unless exists $license->{products};
    return ( $license->{products} =~ /cpanel/ ) ? 1 : 0;
}
# 1 if the license file's 'products' entry mentions dnsonly, 0 if it does not,
# and nothing at all when the entry is absent.
sub license_file_is_dnsonly {
    my $license = get_cpanel_license_file_info_href();
    return unless exists $license->{products};
    return ( $license->{products} =~ /dnsonly/ ) ? 1 : 0;
}
# A Solo license is a cpanel product with maxusers == 1.
# Returns 1/0 accordingly, or nothing when either entry is missing from the
# license file header.
sub license_file_is_solo {
    my $license = get_cpanel_license_file_info_href();
    return unless exists $license->{products} and exists $license->{maxusers};
    my $is_solo = $license->{products} =~ /cpanel/ && $license->{maxusers} == 1;
    return $is_solo ? 1 : 0;
}
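# Parse $CPANEL_CONFIG_FILE (one key=value per line) and return the pairs as
# a flat list suitable for hash assignment (init() does %CPCONF = get_cpanel_conf()).
# Values are split on the first '='; a line without '=' yields an undef value.
# When the file cannot be opened a critical message is printed and an empty
# list is returned, so %CPCONF ends up empty. Previously the failure branch
# fell through and returned print_critical()'s result, which assigned a
# single odd element into %CPCONF.
sub get_cpanel_conf {
    my %cpconf;
    if ( open( my $cpconf_fh, '<', $CPANEL_CONFIG_FILE ) ) {
        local $/ = undef;
        %cpconf = map { ( split( /=/, $_, 2 ) )[ 0, 1 ] } split( /\n/, readline($cpconf_fh) );
        close $cpconf_fh;
        return %cpconf;
    }
    print_crit('cpanel.config: ');
    print_critical("$CPANEL_CONFIG_FILE could not be opened.\n");
    return ();
}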
# Return ( numeric_version, original_version ) from $CPANEL_VERSION_FILE.
# The file's first line is accepted either as 1.2.3.4 or as 1.2.3-THING_4,
# both normalised to 1.2.3.4. The numeric form becomes 'UNKNOWN' when it does
# not end up as four dot-separated numbers; both values are 'UNKNOWN' when the
# file cannot be read.
sub get_cpanel_version {
    my $raw_version;
    if ( open my $version_fh, '<', $CPANEL_VERSION_FILE ) {
        $raw_version = readline($version_fh);
        close $version_fh;
    }
    return ( 'UNKNOWN', 'UNKNOWN' ) unless defined $raw_version;
    chomp $raw_version;
    my @components = split /\.|-[a-zA-Z]+_/, $raw_version;
    my $numeric_version = join '.', @components;
    $numeric_version = 'UNKNOWN' if $numeric_version !~ /^\d+\.\d+\.\d+\.\d+$/;
    return ( $numeric_version, $raw_version );
}
# Numerically compare two version strings of up to four components separated
# by '.' or '_', component by component (missing components count as 0).
# Returns -1, 0 or 1 like <=>. Callers are expected to validate the input
# (see version_compare()); extra components beyond the fourth are ignored.
sub _version_cmp {
    my ( $first, $second ) = @_;
    my @lhs = split /[\._]/, $first;
    my @rhs = split /[\._]/, $second;
    for my $idx ( 0 .. 3 ) {
        $lhs[$idx] = 0 unless defined $lhs[$idx];
        $rhs[$idx] = 0 unless defined $rhs[$idx];
        my $cmp = $lhs[$idx] <=> $rhs[$idx];
        return $cmp if $cmp;
    }
    return 0;
}
# Compare two version strings with one of the operators > < == != >= <=.
# example: return if version_compare($ver_string, qw( >= 1.2.3.3 ));
# Versions must consist only of digits, '.' and '_' (no more than four
# components are significant, see _version_cmp). Returns nothing when either
# version is undefined/malformed or the operator is unknown; otherwise a true
# or false value for the comparison. Identical strings short-circuit the
# numeric comparison, matching Cpanel::Version::Compare's behaviour ('>' and
# '<' return nothing rather than 0 for identical strings).
sub version_compare {
    my ( $ver1, $mode, $ver2 ) = @_;
    for my $ver ( $ver1, $ver2 ) {
        return if !defined $ver || $ver =~ /[^\._0-9]/;
    }
    my %is_known_mode = map { $_ => 1 } qw( > < == != >= <= );
    return unless exists $is_known_mode{$mode};
    my $identical = $ver1 eq $ver2;
    if ( $mode eq '>' ) {
        return if $identical;
        return _version_cmp( $ver1, $ver2 ) > 0;
    }
    if ( $mode eq '<' ) {
        return if $identical;
        return _version_cmp( $ver1, $ver2 ) < 0;
    }
    if ( $mode eq '==' ) {
        return $identical || _version_cmp( $ver1, $ver2 ) == 0;
    }
    if ( $mode eq '!=' ) {
        return !$identical && _version_cmp( $ver1, $ver2 ) != 0;
    }
    if ( $mode eq '>=' ) {
        return 1 if $identical;
        return _version_cmp( $ver1, $ver2 ) >= 0;
    }
    # '<='
    return 1 if $identical;
    return _version_cmp( $ver1, $ver2 ) <= 0;
}
# Run an external command under a wall-clock limit and return its STDOUT as a
# string, never undef (an empty string on timeout, fork failure or no output).
#   $timer            seconds before the child is killed; 0 selects the default of 25,
#                     and --timeout ($OPT_TIMEOUT) overrides the caller's value entirely
#   $stderr_to_stdout true: merge the child's STDERR into the captured output;
#                     false: discard it to /dev/null
#   @PROGA            command and arguments, started with list-form exec so no shell
#                     is involved when more than one element is given (Perl hands a
#                     lone element containing shell metacharacters to /bin/sh, so
#                     callers should always pass the arguments separately)
sub _timedsaferun { # Borrowed from WHM 66 Cpanel::SafeRun::Timed and modified
# We need to be sure to never return undef, return an empty string instead.
my ( $timer, $stderr_to_stdout, @PROGA ) = @_;
# An absolute path that is not executable is skipped without forking at all.
return '' if ( substr( $PROGA[0], 0, 1 ) eq '/' && !-x $PROGA[0] );
$timer = $timer ? $timer : 25; # A timer value of 0 means use the default, currently 25.
$timer = $OPT_TIMEOUT ? $OPT_TIMEOUT : $timer; # --timeout wins over the per-call value
my $output;
my $complete = 0;
my $pid;
my $fh; # FB-63723: must declare $fh before eval block in order to avoid unwanted implicit waitpid on die
eval {
local $SIG{'__DIE__'} = 'DEFAULT';
# On timeout: drop whatever was read so far, report, and unwind through die.
local $SIG{'ALRM'} = sub { $output = ''; print RED ON_BLACK 'Timeout while executing: ' . join( ' ', @PROGA ) . "\n"; die; };
alarm($timer);
if ( $pid = open( $fh, '-|' ) ) { ## no critic (BriefOpen)
# Parent: slurp the child's STDOUT through the pipe.
local $/;
$output = readline($fh);
close($fh);
}
elsif ( defined $pid ) {
# Child: detach STDIN, route STDERR as requested, then replace ourselves with the command.
open( STDIN, '<', '/dev/null' ); ## no critic (BriefOpen)
if ($stderr_to_stdout) {
open( STDERR, '>&', 'STDOUT' ); ## no critic (BriefOpen)
}
else {
open( STDERR, '>', '/dev/null' ); ## no critic (BriefOpen)
}
exec(@PROGA) or exit 1;
}
else {
# fork failed
print RED ON_BLACK 'Error while executing: [ ' . join( ' ', @PROGA ) . ' ]: ' . $! . "\n";
alarm 0;
die;
}
$complete = 1;
alarm 0;
};
alarm 0;
# $complete stays 0 when the eval was unwound by the ALRM handler (or fork failure);
# escalate TERM -> KILL on the child. Nothing checks whether TERM already worked,
# and the child is presumably reaped when $fh goes out of scope at return (see FB-63723 above).
if ( !$complete && $pid && $pid > 0 ) {
kill( 15, $pid ); #TERM
sleep(2); # Give the process a chance to die 'nicely'
kill( 9, $pid ); #KILL
}
return defined $output ? $output : '';
}
# Run a command with a timeout, discarding its STDERR. See _timedsaferun().
sub timed_run {
    my $timer = shift;
    return _timedsaferun( $timer, 0, @_ );
}
# Run a command with a timeout, merging its STDERR into the returned output.
# See _timedsaferun().
sub timed_run_trap_stderr {
    my $timer = shift;
    return _timedsaferun( $timer, 1, @_ );
}
# Return an arrayref of dotted-quad strings found in `ip addr` output, falling
# back to `ifconfig -a` when `ip addr` printed nothing. Only the first
# dotted quad on each line is taken, and no validation beyond the \d+ pattern
# is done, so the list may contain non-address values such as netmasks.
sub get_local_ipaddrs_aref {
    my @lines = split /\n/, timed_run( 0, 'ip', 'addr' );
    @lines = split /\n/, timed_run( 0, 'ifconfig', '-a' ) unless @lines;
    my @ipaddrs = map { m{ (\d+\.\d+\.\d+\.\d+) }xms ? ($1) : () } @lines;
    return \@ipaddrs;
}
# Print the SSP version banner (bold yellow on black, then a blank line).
sub print_version {
print BOLD YELLOW ON_BLACK "\tSSP $VERSION\n\n";
}
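# Print one randomly chosen support tip from the list below.
# The index is drawn with rand(scalar @tips), i.e. uniformly from [0, count),
# so every tip can come up; the previous bound of $#tips (the last index)
# made the final entry unreachable.
sub print_tip {
    my @tips = (
'[FB-86549] (Fixed in 11.42.1.1) cPHulk may report root logins to Pure-FTPd despite no evidence being found',
'[FB-78617] (By design) sysup always installs bind',
'[FB-75793] (By design) Proxy subdomains are not created for addon domains',
'[FB-73369] Can\'t log into SquirrelMail, but Horde and Roundcube work? Check if webmail pass contains "odd" characters',
'[FB-72801] (By design) File Manager creates new files with 0600 perms, even when saving an existing file as a new one',
'[FB-72733] (By design) File Manager\'s "Compress" feature has a hard coded timeout due to using cPanel\'s form upload logic',
'[FB-63530] When setting up a remote MySQL server, that server must have the openssh-clients package installed',
'[FB-63193] File Manager showing "Out of memory" in cPanel error_log? Try renaming $HOME/$USER/.cpanel/datastore/SYSTEMMIME',
'[FB-62819] "License File Expired: LTD: 1334782495 NOW: 1246416504 FUT!" likely just means the server clock is wrong',
'[FB-62054] (By design) The "Dedicated IP" box can only be modified when creating a package - not when editing',
'[FB-61735] (By design) "/u/l/c/whostmgr/bin/whostmgr2 --updatetweaksettings" destroys custom proxy subdomain records. Use WHM >> Tweak Settings instead.',
'[FB-59450] (By design) Email quotas cannot exceed 2048MB, but they can be unlimited',
'[FB-58625] Apache 2.0.x links to the wrong PCRE libs. This can cause preg_match*() errors, and "PCRE is not compiled with UTF-8 support"',
'[FB-57237] (By design) Per ISO 3166-1, the country code for the UK is GB (not UK). Look for this in WHM >> Generate an SSL Certificate [...]',
'[FB-50745] (By design) The cPanel UI displays differently (more columns than rows) when changing your locale',
'[FB-46853] Customer complaining that they can\'t log into cPanel as root? Update FB-46853',
'[FB-44884] upcp resets Mailman lists\' hostnames. pre/postupcp hooks workaround in ticket 3541643',
'[FB-42027] "Recently Uploaded Cgi Script Mail" scans and sends email alerts about downloaded files too',
'[FB-21774] Pure-FTPd is not linked against libwrap. As such, Host Access Control does nothing for it',
'The cpanel-postgresql* packages are for phpPgAdmin. The postgresql-* packages are for PostgreSQL',
'For a list of obscure issues, see the RareIssues wiki article',
'11.35+: Use /scripts/check_cpanel_rpms to fix problems in /usr/local/cpanel/3rdparty/ - not checkperlmodules',
'php.ini for phpMyAdmin, phpPgAdmin, Horde, and RoundCube can be found in /usr/local/cpanel/3rdparty/etc/',
'If Dovecot/POP/IMAP dies every day around the same time, the server\'s clock could be skewed. Check /var/log/maillog for "moved backwards"',
'"Allowed memory size of x bytes exhausted" when uploading a db via phpMyAdmin may be resolved by increasing max_allowed_packet',
'Need to edit php.ini for Horde, RoundCube, phpMyAdmin, or phpPgAdmin? Edit /u/l/c/3rdparty/etc/php.ini, then run /u/l/c/b/install_php_inis',
'Seeing "domainadmin" errors (e.g. "domainadmin-domainexistsglobal")? Check the Domainadmin-Errors wiki article',
'Transfers showing "sshcmdpermissiondeny"? Check for modified openssh-clients package (see ticket 3664533)',
'Learn how cPanel 11.36+ handles rpms: http://go.cpanel.net/rpmversions',
'Use "rlog <file>" to see a file\'s revision history, and "co -p1.1 <file>" (for example) to see that revision',
'Files under revision control: fstab, localdomains, named.conf, passwd, shadow, trueuserowners, httpd.conf, php.ini (system and cPanel)',
'Imagick install issues on PHP 5.4? You may need to run \'pear config-set preferred_state beta\' (see ticket 3754991)',
'Need to enable ZTS support for PHP? Try \'--enable-maintainer-zts\' (see ticket 3769493)',
'WHM\'s "Apache mod_userdir Tweak" can be toggled via /scripts/userdirctl',
'Issues with MySQL for a single user? Check for /home/${USER}/.my.cnf',
'Services reported as failing while backups are running? chksrvd may be simply timing out due to excessive disk I/O',
'Blank page in File Manager\'s HTML Editor and iconv "illegal input sequence" in cPanel error_log? Try windows-1251 encoding (see ticket 4088633)',
'Older CentOS 5.x and CloudLinux 5.x do not support SNI. See the "SNI" wiki article for more info',
'domlogs are created 0644 by default. cpanellogd changes permissions on them to 0640 a few minutes later',
'cPanel >> Error Log only searches "recent" logs in Apache\'s error_log . Showing as blank? Maybe there are no recent errors',
'Horde showing "server configuration did not allow file to be uploaded"? Check disk/inode usage on /tmp',
'IMAP/webmail showing no email? The cPanel account may have been over its quota. Try renaming dovecot-uidlist, send account an email (see ticket 4314723)',
'ClamAV not scanning emails? Check if /var/clamd is missing. This will be reflected in Exim\'s logs as well',
'Use custom_vhost_template_ap(1|2) in userdata files to make changes for an individual vhost',
'File Manager upload size limits can be adjusted at WHM >> Tweak Settings >> Max HTTP submission size',
'/var/cpanel/conf/apache/local can potentially cause issues. See ticket 3915299 for an example',
'System backups are not uploaded via FTP by default, requires manual config. See http://documentation.cpanel.net/display/1144Docs/System+Backups#SystemBackups-Manualconfigurationmethod',
'$PATH may differ when executing something via cron rather than the command line. See ticket 4419531',
'"failed to open scan directory /var/spool/exim/scan/[...]: Too many links" could mean a directory has reached limit of 32,000 files/dirs',
'If innodb_force_recovery is enabled in the MySQL configuration, this can sometimes prevent mysqldump from working (see ticket 5193581).',
'"Spawned \'ossec-dbd\' with \'/sbin/service restart ossec-hids\'" is from ASL (Atomic Secured Linux). Have customer contact ASL Support if necessary.',
'You can run SSP with the --bugreport option to print a pre-filled template for submitting a WHM/cPanel bug report.',
'The path for the modsec_audit.log changes with Mod Ruid2 or MPM ITK installed to /usr/local/apache/conf/modsec_audit/[user]/YYYYMMDD/YYYYMMDD-HHmm/YYYYMMDD-HHmmSS-[unique-id]',
'LiteSpeed (lsws) does NOT support the Apache web status page - see: http://www.litespeedtech.com/support/forum/threads/solved-cpanel-after-litespeed-installation-whm-server-status-gives-a-404-error.5536/',
'You can submit new ideas or bug reports for SSP by emailing ssp-requests(at)cpanel.net',
'You can format json files for more readability: python -m tool.json < file.json | less',
    );
    # rand(N) is in [0, N); int() gives a valid index for every element, including the last.
    my $num = int rand @tips;
    print BOLD WHITE ON_BLACK "\tDid you know? $tips[$num]" . RESET . "\n\n";
}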
# Fetch the cPanel TIERS file from httpupdate.cpanel.net over HTTP via _http_get().
# TODO: Get rid of this in favor of get_tiers_json_href if it works out.
sub get_tiers_file {
    my %request = (
        Host => 'httpupdate.cpanel.net',
        Path => '/cpanelsync/TIERS',
    );
    return _http_get(%request);
}
# Snapshot the process table via `ps -eo` into a hashref keyed by PID:
#   PPID, USER, ETIME, NICE, COMM, ARGS  as printed by ps ('' / '0' when missing)
#   ETIMES                               elapsed seconds derived from ETIME
# Tested on CentOS 5 through 7.
# 'ps' is horrible at providing reliably-parseable output. This is probably as close as we can get.
# etimes field doesn't exist until CentOS 7 but can be derived from etime.
sub get_process_pid_href {
my $field_separator = '#^#'; # Any sequence unlikely to occur in normal ps output. ps will also pad everything with spaces.
my $ps_format_opt = join( $field_separator, qw( %p %P %U %t %n %c %a ) ); # like 'pid#^#ppid#^#user#^#etime#^#nice#^#comm#^#args'
my %hash = map {
# The separator is quotemeta'd (\Q...\E) because it contains regex metacharacters.
my ( $pid, $ppid, $user, $etime, $nice, $comm, $args ) = split /\s*\Q$field_separator\E\s*/, $_;
$pid =~ s/^\s+//;
$args =~ s/\s+$//;
# etime looks like [[dd-]hh:]mm:ss; reversing the split leaves the leading
# (possibly absent) day/hour fields as undef, which the += 0 below turns into 0.
my ( $sec, $min, $hou, $day ) = reverse split( /[:-]/, $etime );
$day += 0;
$hou += 0;
$min += 0;
$sec += $day * 86400 + $hou * 3600 + $min * 60;
$pid => {
'PPID' => defined $ppid ? $ppid : '',
'USER' => defined $user ? $user : '',
'ETIME' => defined $etime ? $etime : '',
'NICE' => defined $nice ? $nice : '0',
'COMM' => defined $comm ? $comm : '',
'ARGS' => defined $args ? $args : '',
'ETIMES' => $sec,
}
} split /\n/, timed_run( 0, 'ps', '--no-headers', '--width=1000', '-eo', $ps_format_opt );
return \%hash;
}
# Return a hash ( pid => process info ) of the processes whose short (COMM)
# or long (ARGS) command column matches $pattern, optionally restricted to
# those owned by $user. $pattern is interpolated into a regex as-is, so
# callers must pass a pattern they control (quotemeta a literal).
sub grep_process_cmd {
    my ( $pattern, $user ) = @_;
    my $procs = get_process_pid_href();
    my %matches;
    for my $pid ( keys %{$procs} ) {
        my $proc = $procs->{$pid};
        next if defined $user && $proc->{'USER'} ne $user;
        my @cmd_columns = @{$proc}{ 'COMM', 'ARGS' };
        $matches{$pid} = $proc if grep { /$pattern/ } @cmd_columns;
    }
    return %matches;
}
# 1 if at least one process matches $pattern (and $user, when given), else 0.
# See grep_process_cmd() for the matching rules.
sub exists_process_cmd {
    my ( $pattern, $user ) = @_;
    my %matches = grep_process_cmd( $pattern, $user );
    return (%matches) ? 1 : 0;
}
# Parse `lsof -i` for listening sockets into a hashref keyed by port number.
# Each value is a list of { CMD, PID, USER, IPV, PROTO, IP } hashes, one per
# LISTEN row on that port (several processes or addresses may share a port).
# The variable-width SIZE/OFF column is dropped before the fields are read.
sub get_lsof_port_href {
my %hash;
for ( split /\n/, timed_run( 0, 'lsof', '+c15', '-n', '-P', '-i' ) ) {
# cmd will be max 15 characaters due to lsof limitation
# Example from CentOS 6:
# spamd 1781 root 5u IPv4 10887 0t0 TCP 127.0.0.1:783 (LISTEN)
# nc 9468 root 3u IPv6 84415 0t0 TCP [::1]:25 (LISTEN)
# Example from an older CentOS 5 system (note empty SIZE column):
# exim 3066 mailnull 3u IPv6 2566011 TCP *:smtp (LISTEN)
my @lsof = split( /\s+/, $_, 10 );
if ( defined( $lsof[9] ) && $lsof[9] =~ /LISTEN/ ) {
splice( @lsof, 6, 1 ); # Drop the SIZE/OFF column which can sometimes be blank and throw everything off
}
if ( defined( $lsof[8] ) && $lsof[8] =~ /LISTEN/ ) { # SIZE/OFF column is blank, or has been dropped
# NAME column is host:port; the port must be numeric (-P), so rows such as '*:smtp' are skipped.
if ( $lsof[7] =~ /^(.*):(\d+)$/ ) {
my ( $ip, $port ) = ( $1, $2 );
push @{ $hash{$port} },
{
'CMD' => $lsof[0],
'PID' => $lsof[1],
'USER' => $lsof[2],
'IPV' => $lsof[4],
'PROTO' => $lsof[6],
'IP' => $ip
};
}
}
}
return \%hash;
}
# Parse `ipcs -m -p` (shared memory creator/last-op table) into a hashref
# keyed by segment owner; under each owner the 'mp' key holds a list of
# { shmid, cpid, lpid } hashes. Everything up to and including the
# "shmid owner cpid lpid" header line is ignored.
# For now, all we need is shared memory segment owner and creator-pid, but the data structure is extensible.
# ipcs -m -p
#
#------ Shared Memory Creator/Last-op --------
#shmid owner cpid lpid
#2228224 root 992 992
#2588673 root 1309 1315
#2195458 root 985 985
#2621443 root 1309 1315
sub get_ipcs_href {
    my %by_owner;
    my $seen_header = 0;
  ROW:
    for my $row ( split /\n/, timed_run( 0, 'ipcs', '-m', '-p' ) ) {
        unless ($seen_header) {
            $seen_header = 1 if $row =~ m/^ shmid \s+ owner \s+ cpid \s+ lpid \s* $/ix;
            next ROW;
        }
        my ( $shmid, $owner, $cpid, $lpid ) = split( /\s+/, $row, 5 );
        push @{ $by_owner{$owner}{mp} },    # Key by owner, type 'mp' (-m -p output)
          {
            'shmid' => $shmid,
            'cpid'  => $cpid,
            'lpid'  => $lpid
          };
    }
    return \%by_owner;
}
# Parse $MYSQL_CONF_FILE (my.cnf layout) into
#   { section => { normalised_key => [ original_key, value ] } }.
# Keys are lower-cased with '_' and '-' removed so spelling variants of the
# same option share a slot; the original spelling is kept as element 0.
# Surrounding quotes are stripped from values; a bare option name (no '=')
# gets the value 'enabled'.  Options before any [section] go under 'unknown'.
# Returns undef when the file cannot be opened or contains no settings.
sub get_mysql_conf_href {
    open( my $cnf_fh, '<', $MYSQL_CONF_FILE ) or return;
    my %settings;
    my $section = 'unknown';
    LINE: while ( my $line = <$cnf_fh> ) {
        chomp $line;
        next LINE if $line =~ /^(#|$)/;
        if ( $line =~ m{ \A \s* \[([^\]]+)] }x ) {
            $section = lc($1);
            $section =~ s/^\s*//g;
            $section =~ s/\s*$//g;
            next LINE;
        }
        if ( $line =~ m{ \A \s* ([^=]+?) \s* = \s* (?:["']?) ([^"']*?) (?:["']?) \s* \Z }x ) {
            my ( $name, $value ) = ( $1, $2 );
            $settings{$section}{ _normalise_mysql_option($name) } = [ $name, $value ];
            next LINE;
        }
        if ( $line =~ m{ \A \s* ([^\s]+) \s* \Z }x ) {
            my $name = $1;
            $settings{$section}{ _normalise_mysql_option($name) } = [ $name, 'enabled' ];
        }
    }
    close $cnf_fh;
    return unless scalar keys(%settings);
    return \%settings;
}

# Lower-case an option name and drop '_' / '-' so spelling variants collide.
sub _normalise_mysql_option {
    my ($name) = @_;
    my $key = lc $name;
    $key =~ tr/_-//d;
    return $key;
}
# Parse $PURE_FTPD_CONF_FILE ("Directive value" per line) into
#   { lc(directive) => { name => directive, value => rest_of_line } }.
# Comment and blank lines are skipped; a missing/unreadable file yields {}.
sub get_pureftpd_conf_href {
    my %directives;
    open( my $fh, '<', $PURE_FTPD_CONF_FILE ) or return \%directives;
    while ( my $line = <$fh> ) {
        next if $line =~ /^(#|$)/;
        next unless $line =~ m{ \A \s* ([^\s]+?) \s+ (.*) \Z }x;
        my ( $directive, $value ) = ( $1, $2 );
        $directives{ lc $directive } = { name => $directive, value => $value };
    }
    close $fh;
    return \%directives;
}
# Parse /etc/proftpd.conf ("Directive value" per line) into
#   { lc(directive) => { name => directive, value => rest_of_line } }.
# Comment and blank lines are skipped; a missing/unreadable file yields {}.
sub get_proftpd_conf_href {
    my %directives;
    open( my $fh, '<', '/etc/proftpd.conf' ) or return \%directives;
    while ( my $line = <$fh> ) {
        next if $line =~ /^(#|$)/;
        next unless $line =~ m{ \A \s* ([^\s]+?) \s+ (.*) \Z }x;
        my ( $directive, $value ) = ( $1, $2 );
        $directives{ lc $directive } = { name => $directive, value => $value };
    }
    close $fh;
    return \%directives;
}
# Read /etc/exim.conf.localopts (key=value per line) into a hash ref.
# A line without '=' becomes key => undef; blank lines are ignored.
# A missing/unreadable file yields {}.
sub get_exim_localopts_href {
    my %opts;
    if ( open( my $fh, '<', '/etc/exim.conf.localopts' ) ) {
        local $/ = undef;    # slurp
        my $content = readline($fh);
        close $fh;
        for my $line ( split( /\n/, $content ) ) {
            my @pair = ( split( /=/, $line, 2 ) )[ 0, 1 ];
            next unless @pair;    # empty line: nothing to record
            $opts{ $pair[0] } = $pair[1];
        }
    }
    return \%opts;
}
# Collect basic host facts: envtype (see get_environment), `uname -i`
# hardware, `uname -r` kernel and, when get_rpm_href() reports a
# 'basesystem' package with an installtime, that time as epoch and as a
# localtime string.  Every call re-runs uname and get_rpm_href().
sub get_hostinfo_href {
    my $hostinfo = {
        'environment'       => get_environment(),
        'hardware'          => timed_run( 0, 'uname', '-i' ),
        'kernel'            => timed_run( 0, 'uname', '-r' ),
        'installtime'       => undef,
        'installtime_epoch' => undef,
    };
    for my $field (qw(hardware kernel)) {
        chomp $hostinfo->{$field};
    }
    # The basesystem RPM's install time stands in for the OS install time
    my $rpm_name = 'basesystem';
    my $rpms     = get_rpm_href();
    if ( $rpms and exists $rpms->{$rpm_name}->[0]->{'installtime'} ) {
        my $epoch = $rpms->{$rpm_name}->[0]->{'installtime'};
        $hostinfo->{'installtime_epoch'} = $epoch;
        $hostinfo->{'installtime'}       = scalar localtime($epoch);
    }
    return $hostinfo;
}
# Return the environment type: the first line of /var/cpanel/envtype if that
# file is readable, otherwise the output of /usr/local/cpanel/bin/envtype.
# Returns 'unknown-envtype' when neither source yields a non-empty value.
sub get_environment {
    my $envtype;
    if ( open my $envtype_fh, '<', '/var/cpanel/envtype' ) {
        $envtype = readline($envtype_fh);
        close $envtype_fh;
    }
    else {
        $envtype = timed_run( 0, '/usr/local/cpanel/bin/envtype' );
    }
    chomp $envtype if defined $envtype;
    return $envtype ? $envtype : 'unknown-envtype';
}
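# Summarise /proc/cpuinfo: 'model' (the cleaned-up "model name" string),
# 'numcores' (count of "model name" lines) and 'mhz' (the last "cpu MHz"
# value seen).  Returns a hash ref; it is empty when /proc/cpuinfo cannot
# be read, instead of spraying "unopened filehandle" warnings.
sub get_cpuinfo_href {
    my %cpuinfo;
    open my $cpuinfo_fh, '<', '/proc/cpuinfo' or return \%cpuinfo;
    while ( my $line = <$cpuinfo_fh> ) {
        chomp $line;
        if ( $line =~ /^model name/m ) {
            $line =~ s/^model name\s+:\s+//;
            # Drop trademark noise and squeeze the spacing around "@"
            $line =~ s/\(R\)//g;
            $line =~ s/\(tm\)//g;
            $line =~ s/\s{2,}/ /;
            $line =~ s/\s*\@/ \@/;
            $cpuinfo{'model'} = $line;
            $cpuinfo{'numcores'}++;
        }
        if ( $line =~ /^cpu MHz/m ) {
            $line =~ s/^cpu MHz\s+:\s+//;
            $cpuinfo{'mhz'} = $line;
        }
    }
    close $cpuinfo_fh;
    return \%cpuinfo;
}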
# Gather memory figures (KiB) under four common keys: installed, used,
# available and swapinstalled.  The source depends on the environment:
#  - virtuozzo: /proc/user_beancounters, whose numbers are 4-KiB pages (x4);
#  - anything else: /proc/meminfo, copied wholesale (keys lower-cased) and
#    then summarised into the four keys above.
# When neither file can be read the returned hash is empty.
# General logic from WHM 56 Cpanel::Sys::Hardware::Memory
sub get_meminfo {
    my $proc_meminfo      = '/proc/meminfo';
    my $proc_beancounters = '/proc/user_beancounters';
    my %meminfo;
    my $hostinfo = get_hostinfo_href();
    if ( defined( $hostinfo->{'environment'} ) && $hostinfo->{'environment'} eq 'virtuozzo' ) {
        # https://wiki.openvz.org/UBC_primary_parameters#vmguarpages
        # https://wiki.openvz.org/UBC_secondary_parameters#privvmpages
        if ( open( my $proc_beancounters_fh, '<', $proc_beancounters ) ) {
            while (<$proc_beancounters_fh>) {
                # Resource rows: "<name> held maxheld barrier limit failcnt"
                if (m/^\s*(\S+)\s+(.*)/) {
                    my $type = $1;
                    my $parm = $2;
                    chomp($parm);
                    my ( $held, $maxheld, $barrier, $limit, $failcnt ) = split( /\s+/, $parm );
                    next if $held eq '-';    # row carries no numbers
                    # NOTE: VZ uses the # of 4-KiB pages, convert to KiB.
                    # installed value is the lowest of privvmpages, physpages, or vmguarpages barrier (ignoring 0)
                    if ( $type =~ /^(privvmpages|physpages|vmguarpages)$/ ) {
                        unless ( $barrier eq "0" || ( defined( $meminfo{'installed'} ) && $meminfo{'installed'} <= ( $barrier * 4 ) ) ) {
                            $meminfo{'installed'} = $barrier * 4;
                        }
                    }
                    elsif ( $type eq 'oomguarpages' ) {
                        $meminfo{'used'} = $held * 4;
                    }
                    elsif ( $type eq 'swappages' ) {
                        $meminfo{'swapinstalled'} = $limit * 4;
                    }
                }
            }
            close($proc_beancounters_fh);
            # NOTE(review): assumes both 'installed' and 'used' were set above;
            # a beancounters file without those rows would warn here — confirm.
            $meminfo{'available'} = $meminfo{'installed'} - $meminfo{'used'};
        }
    }
    elsif ( open my $proc_meminfo_fh, '<', $proc_meminfo ) {
        # Every "Key: <n> kB" line becomes $meminfo{lc key} = n
        while (<$proc_meminfo_fh>) {
            if (/^\s*([^\:]+):\s+(\d+)/) {
                $meminfo{ lc($1) } = $2;
            }
        }
        close $proc_meminfo_fh;
        # 'available' is derived from free + buffers + cached, not from MemAvailable
        $meminfo{'available'} = $meminfo{'memfree'} + $meminfo{'buffers'} + $meminfo{'cached'};
        $meminfo{'installed'} = $meminfo{'memtotal'};
        # %u keeps 'used' an unsigned integer string
        $meminfo{'used'} = sprintf( '%u', $meminfo{'memtotal'} - $meminfo{'memfree'} );
        $meminfo{'swapinstalled'} = $meminfo{'swaptotal'};
    }
    chomp %meminfo;
    return \%meminfo;
}
# Read /etc/cpupdate.conf (KEY=value per line) into a hash ref.
# A line without '=' becomes key => undef; blank lines are ignored.
# A missing/unreadable file yields {}.
sub get_cpupdate_conf {
    my %settings;
    if ( open( my $fh, '<', '/etc/cpupdate.conf' ) ) {
        local $/ = undef;    # slurp
        my $content = readline($fh);
        close $fh;
        for my $line ( split( /\n/, $content ) ) {
            my @pair = ( split( /=/, $line, 2 ) )[ 0, 1 ];
            next unless @pair;    # empty line: nothing to record
            $settings{ $pair[0] } = $pair[1];
        }
    }
    return \%settings;
}
# Render a KiB figure as whole megabytes ("1024MB").  undef becomes
# 'none or unknown'; on Virtuozzo the sentinel "no limit" values
# (9223372036854775807 pages on 64-bit, 2147483647 pages on i386, both
# already multiplied by 4 KiB) are rendered as 'unlimited'.
sub format_meminfo {
    my ($num) = @_;
    return 'none or unknown' unless defined $num;
    my $hostinfo = get_hostinfo_href();
    my $env      = $hostinfo->{'environment'};
    if ( defined $env && $env eq 'virtuozzo' ) {
        return 'unlimited' if $num == '36893488147419103228' + 0;    # KiB, 64-bit sentinel
        my $hardware = $hostinfo->{'hardware'};
        if ( defined $hardware && $hardware eq 'i386' ) {
            return 'unlimited' if $num == '8589934588' + 0;          # KiB, 32-bit sentinel
        }
    }
    return int( $num / 1024 ) . "MB";
}
# Recover WHM install/update facts:
#   installtime / installtime_epoch  - mtime of /var/log/cpanel-install.log,
#        with installtime replaced by the timestamp on the "Target version set
#        to" log line when one is found in the first 20,000 lines;
#   installversion                   - the version from that same log line;
#   lastupdatetime / _epoch          - mtime of $CPANEL_VERSION_FILE.
# Every key is present; values stay undef when the source is unavailable.
sub get_whm_install_info {
    my %info = (
        'installtime'          => undef,
        'installtime_epoch'    => undef,
        'installversion'       => undef,
        'lastupdatetime'       => undef,
        'lastupdatetime_epoch' => undef,
    );
    my $install_log = '/var/log/cpanel-install.log';
    if ( -f $install_log ) {
        my $log_mtime = ( stat($install_log) )[9];
        $info{'installtime'}       = scalar localtime($log_mtime);
        $info{'installtime_epoch'} = $log_mtime;
        if ( open( my $log_fh, '<', $install_log ) ) {
            LOG_LINE: while ( my $line = readline($log_fh) ) {
                if ( $line =~ m{Target \s version \s set \s to \s '(\d+\.\d+[^']+)'}xms ) {
                    $info{'installversion'} = $1;
                    if ( $line =~ m{(\d+-\d+-\d+ \s+ \d+:\d+:\d+ (?:\s \-\d+)?)}xms ) {
                        $info{'installtime'} = $1;
                    }
                    last LOG_LINE;
                }
                # The version line sits near the top; don't scan a huge log
                last LOG_LINE if $. >= 20_000;
            }
            close $log_fh;
        }
    }
    if ( my $version_mtime = ( stat($CPANEL_VERSION_FILE) )[9] ) {
        $info{'lastupdatetime'}       = scalar localtime($version_mtime);
        $info{'lastupdatetime_epoch'} = $version_mtime;
    }
    return \%info;
}
# Print a bold yellow "[INFO] * " label; $text is printed as given (no newline added).
sub print_info {
    my ($text) = @_;
    my $line = "[INFO] * $text";
    print BOLD YELLOW ON_BLACK $line;
}
# Print a bold red "[WARN] * " label; $text is printed as given (no newline added).
sub print_warn {
    my ($text) = @_;
    my $line = "[WARN] * $text";
    print BOLD RED ON_BLACK $line;
}
# Print a bold magenta "[CRIT] * " label and append the same coloured text to
# $CRIT_BUFFER so critical findings can be replayed later.  No newline added.
sub print_crit {
    my ($text) = @_;
    my $coloured = BOLD MAGENTA ON_BLACK '[CRIT] * ' . $text;
    $CRIT_BUFFER .= $coloured;
    print $coloured;
}
# Print a bold magenta line (text plus newline) and append it to $CRIT_BUFFER.
# Called with no argument (or a false one) it prints a bare newline, which the
# callers use as a separator around a [CRIT] block.
sub print_critical {
    my ($text) = @_;
    $text = '' unless $text;
    my $coloured = BOLD MAGENTA ON_BLACK $text . "\n";
    $CRIT_BUFFER .= $coloured;
    print $coloured;
}
# Print a bold green "[3RDP] * " label for third-party software notes; no newline added.
sub print_3rdp {
    my ($text) = @_;
    my $line = "[3RDP] * $text";
    print BOLD GREEN ON_BLACK $line;
}
# Print $text in bold green followed by a newline (the value half of a [3RDP] line).
sub print_3rdp2 {
    my ($text) = @_;
    my $line = $text . "\n";
    print BOLD GREEN ON_BLACK $line;
}
## precedes informational items (e.g., "Hostname:")
# Print $text in bold yellow exactly as given (no prefix, no newline).
sub print_start {
    my ($text) = @_;
    print BOLD YELLOW ON_BLACK $text;
}
## for informational items (e.g., the server's hostname)
# Print $text in bold cyan followed by a newline (the value half of an [INFO] line).
sub print_normal {
    my ($text) = @_;
    my $line = $text . "\n";
    print BOLD CYAN ON_BLACK $line;
}
## for important things (e.g., "Hostname is not a FQDN")
# Print $text in bold red followed by a newline (the value half of a [WARN] line).
sub print_warning {
    my ($text) = @_;
    my $line = $text . "\n";
    print BOLD RED ON_BLACK $line;
}
## for other important things (e.g., "You are in an LVE, do not restart services")
# Print $text bold and underlined followed by a newline (no colour, no prefix).
sub print_warning_underline {
    my ($text) = @_;
    my $line = $text . "\n";
    print BOLD UNDERLINE $line;
}
# Print $text in bold green followed by a newline.
sub print_info2 {
    my ($text) = @_;
    my $line = $text . "\n";
    print BOLD GREEN ON_BLACK $line;
}
# Print $text in bold magenta followed by a newline.
sub print_magenta {
    my ($text) = @_;
    my $line = $text . "\n";
    print BOLD MAGENTA ON_BLACK $line;
}
# Print $text in bold red followed by a newline.
sub print_red {
    my ($text) = @_;
    my $line = $text . "\n";
    print BOLD RED ON_BLACK $line;
}
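# Report (cPanel techs only) any ".cp.<tech>.<YYYY-MM-DD>_<ip>_<ticket>"
# touchfile under /usr/share/doc, which marks the server as previously
# reported compromised.  Also notes when the recorded IP is not one of the
# server's own addresses.  Prints nothing when no touchfile exists.
sub check_for_hacked_server_touchfile {
    return unless i_am('cptech');
    my $docdir = '/usr/share/doc';
    return unless -d $docdir;
    opendir( my $doc_dh, $docdir ) or return;
    # e.g. .cp.jeff.2014-04-09_10.5.40.209_1234567
    my $touchfile_re = qr/^\.cp\.([^\d]+)\.(\d{4}-\d{2}-\d{2})_([^_]+)_(\d+)$/;
    my @touchfiles = grep { /$touchfile_re/ } readdir $doc_dh;
    closedir $doc_dh;
    return unless @touchfiles;
    print_generic_hack_predef('HACKED SERVER');
    my $local_ips = get_local_ipaddrs_aref();
    for my $touchfile (@touchfiles) {
        next unless $touchfile =~ $touchfile_re;
        my ( $cptech, $date, $ipaddr, $ticket ) = ( $1, $2, $3, $4 );
        $date =~ s#-#/#g;
        $cptech = ucfirst $cptech;
        print_critical("\tL3: $cptech reported this server at $ipaddr as compromised on $date local server time in ticket $ticket");
        # Exact string comparison: the IP comes from a filename, so it must not
        # be interpolated into a regex (an unescaped '.' would match anything).
        if ( !grep { $_ eq $ipaddr } @{$local_ips} ) {
            print_critical("\t \\_ NOTE: IP address $ipaddr not found on the server!");
        }
    }
    print_critical();
}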
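# Report (cPanel techs only) when more than one SSH session from a known
# support origin (cPanel/CloudLinux/LiteSpeed hostnames or address ranges)
# is active, so techs do not step on each other.  Uses `who -H`; the FROM
# column of `w` is too short for full hostnames.
sub check_for_multiple_tech_logins {
    return unless i_am('cptech');
    # who -H
    #NAME LINE TIME COMMENT
    #root pts/0 2014-07-29 07:24 (192.168.130.1)
    # we can sometimes get additional text after the IP or hostname
    #root pts/2 2014-08-07 07:17 (208.74.121.102:S.0)
    my $who = '/usr/bin/who';
    return if !-x $who;
    my @tech_logins;
    my $header = "";
    for my $line ( split /\n/, timed_run( 0, $who, '-H' ) ) {
        if ( $line =~ m{ \A NAME\s+ }xms ) {
            $header = $line;
            next;
        }
        next unless $line =~ m{ \((.+)\)\Z }xms;
        # Copy the capture before running further matches against it
        my $origin = $1;
        my $from_tech_host = $origin =~ m{ \A (.*\.)?(cptxoffice\.net|cloudlinux\.com|litespeedtech\.com)(:|$) }xms;
        my $from_tech_ip   = $origin =~ m{ \A (208\.74\.12[0-7]\.\d+|69\.175\.92\.(4[89]|5[0-9]|6[0-4])|69\.10\.42\.69)(:|$) }xms;
        push @tech_logins, $line if $from_tech_host || $from_tech_ip;
    }
    return if @tech_logins <= 1;
    print_critical();
    print_crit('Multiple tech SSH sessions are active (run "ls /var/cpanel/users/ |grep cptkt" for a complete list of ticket users):');
    print_critical("\n");
    print_critical($header) if $header;
    print_critical( join( "\n", @tech_logins ) );
    print_critical();
}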
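# On a CloudLinux kernel, warn when this very process is running inside an
# LVE (the tech's su/sudo session was confined), because restarting services
# from inside an LVE destabilises the box.  Detection: our PID appears in
# `lveps -p` output.
sub check_for_lve_environment {
    my $hostinfo = get_hostinfo_href();
    # pam_lve 0.2 prints this after su or sudo:
    #
    # # /bin/su -
    # Password:
    # ***************************************************************************
    # * *
    # * !!!! WARNING: YOU ARE INSIDE LVE !!!! *
    # *IF YOU RESTART ANY SERVICES STABILITY OF YOUR SYSTEM WILL BE COMPROMIZED *
    # * CHANGE UID OF THE USER YOU ARE USING TO SU/SUDO *
    # * MORE INFO: *
    # *http://www.cloudlinux.com/blog/clnews/read-this-if-you-use-su-or-sudo.php*
    # * *
    # ***************************************************************************
    # pam_lve 0.3 won't put wheel users in an LVE after su or sudo:
    # http://cloudlinux.com/blog/clnews/read-this-if-you-use-su-or-sudo.php
    my $kernel = $hostinfo->{'kernel'};
    return unless defined $kernel && $kernel =~ /\.lve/ && -x '/usr/sbin/lveps';
    # Run lveps directly through timed_run (no shell pipeline) and look for
    # " <our pid> " in its output, as the former `lveps -p | grep " $$ "` did.
    my @lveps_lines = split /\n/, timed_run( 0, '/usr/sbin/lveps', '-p' );
    return unless grep { index( $_, " $$ " ) >= 0 } @lveps_lines;
    print_critical();
    print_crit(" You are inside a CloudLinux LVE - DO *NOT* RESTART ANY SERVICES!\n");
    print_critical(" \\_ The pam_lve configuration may not be excluding the wheel group, or your ssh login user was not in the wheel group.");
    print_critical(" \\_ http://docs.cloudlinux.com/index.html?lve_pam_module.html");
    print_critical();
}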
# Return [ full_version_line, numeric_version ] from `lshttpd -v`, e.g.
# [ 'LiteSpeed/5.2.1 Enterprise', '5.2.1' ].  Either element is "unknown"
# when not found; [] when lshttpd produced no output at all.
sub get_lsws_version_aref {
    my $lshttpd = '/usr/local/lsws/bin/lshttpd';
    my @version_lines = split /\n/, timed_run( 0, $lshttpd, '-v' );
    return [] unless @version_lines;
    my ( $full, $numeric );
    # The last matching line wins
    for my $line (@version_lines) {
        next unless $line =~ m{ \A (LiteSpeed/(\d+(?:\.\d+){1,2}).*) }xms;
        ( $full, $numeric ) = ( $1, $2 );
    }
    $full    = "unknown" unless $full;
    $numeric = "unknown" unless $numeric;
    return [ $full, $numeric ];
}
# On systemd hosts, remind the tech that /etc/init.d scripts must not be used
# to restart services.  Both the systemctl binary and the systemd daemon must
# exist; each is looked for under /usr and under / because /bin and /lib are
# not guaranteed to be symlinks into /usr.
sub check_for_systemd {
    my $has_systemctl = -e '/usr/bin/systemctl' || -e '/bin/systemctl';
    my $has_systemd   = -e '/usr/lib/systemd/systemd' || -e '/lib/systemd/systemd';
    return unless $has_systemctl && $has_systemd;
    print_crit('Systemd: ');
    print_critical('Use /scripts/restartsrv_* (preferred) or systemctl to restart services -- never use /etc/init.d scripts.');
}
# Flag OS major version 5 or older as unsupported by WHM 58+ and point the
# tech at the migration premade.
sub check_for_os_release_5 {
    my $is_old_release = os_version_is(qw( < 6 ));
    return unless $is_old_release;
    print_crit('CentOS/RHEL/CL 5 (or older): ');
    print_critical('This operating system is not supported in WHM 58 and later (OS version 6+ only).');
    print_critical(' \_ Send customer this premade: "MIGRATION - CentOS/RHEL/CL 5 EOL"');
}
# Flag a 32-bit (i386) install of OS version 6+ as unsupported by WHM 58+.
# Version 5 and older are reported by check_for_os_release_5 instead.
sub check_for_os_release_32bit {
    my $hostinfo = get_hostinfo_href();
    my $hardware = $hostinfo->{'hardware'};
    return unless defined($hardware) && $hardware eq 'i386';
    return unless os_version_is(qw( >= 6 ));    # There is an unofficial CentOS 7 i386 build.
    print_crit('CentOS/RHEL/CL i386 (32-bit): ');
    print_critical('This operating system is not supported in WHM 58 and later (x86_64 only).');
    print_critical(' \_ Send customer this premade: "MIGRATION - 32-bit CentOS/RHEL/CL EOL"');
}
# Flag EasyApache 3 (support ending in 2018) on 64-bit hosts; 32-bit hosts
# already get the OS migration notice, so EA3 is not reported there.
sub check_for_ea3 {
    return unless i_am('ea3');
    my $hostinfo = get_hostinfo_href();
    my $hardware = $hostinfo->{'hardware'};
    return if defined($hardware) && $hardware eq 'i386';    # Do not report on 32-bit systems.
    print_crit('EasyApache 3: ');
    print_critical('Support is ending in 2018.');
    print_critical(' \_ Send customer this premade: "MIGRATION - EA3 EOL"');
}
##############################
# BEGIN [INFO] CHECKS
##############################
# Print the hostname, warning when it does not look like a fully qualified
# domain name (at least three dot-separated labels).
sub print_hostname {
    my $hostname = get_hostname();
    print_info('Hostname: ');
    my $looks_like_fqdn = $hostname =~ /([\w-]+)\.([\w-]+)\.(\w+)/;
    if ($looks_like_fqdn) {
        print_normal($hostname);
    }
    else {
        print_warning("$hostname may not be a FQDN ( en.wikipedia.org/wiki/Fully_qualified_domain_name )");
    }
}
# Print the OS release, the environment type and, when known, the install time.
sub print_os {
    my $hostinfo = get_hostinfo_href() or return;
    my $install_info = defined $hostinfo->{'installtime'} ? ' [ Installed: ' . $hostinfo->{'installtime'} . ' ]' : '';
    print_info('OS: ');
    print_normal( _get_run_var('os_release') . ' [ ' . $hostinfo->{'environment'} . ' ]' . $install_info );
}
# Print kernel, architecture, environment, CPU model and core count; flag
# the one Virtuozzo kernel known to have broken quota support.
sub print_kernel_and_cpu {
    my $hostinfo = get_hostinfo_href() or return;
    my $cpuinfo  = get_cpuinfo_href()  or return;
    print_info('Kernel/CPU: ');
    print_normal("$hostinfo->{'kernel'} $hostinfo->{'hardware'} $hostinfo->{'environment'} $cpuinfo->{'model'} w/ $cpuinfo->{'numcores'} core(s)");
    my $is_broken_vz_kernel = $hostinfo->{'environment'} eq 'virtuozzo' && $hostinfo->{'kernel'} eq '2.6.32-042stab113.11';
    if ($is_broken_vz_kernel) {
        print_warning(' \\_ This kernel has broken quota support [ https://bugs.openvz.org/browse/OVZ-6661 ]');
    }
}
# Print KernelCare status: installed, whether kcarectl reports a valid
# license, and the effective (patched) kernel version from `kcarectl --uname`
# when it is a single well-formed version string.
sub print_kernelcare_info {
    return unless i_am('kernelcare');
    my $kcarectl = '/usr/bin/kcarectl';
    my @details  = ('Installed');
    if ( -x $kcarectl ) {
        my $license_output = timed_run( 0, $kcarectl, '--license-info' );
        chomp $license_output;
        push @details, ( $license_output =~ /Valid license found/ ) ? ' and licensed' : ' (license not detected)';
        my $uname_output = timed_run( 0, $kcarectl, '--uname' );
        chomp $uname_output;
        # Only trust a single-line "x.y.z..." answer
        if ( $uname_output =~ /^\d+\.\d+\.\d+/ && $uname_output !~ /\n/ ) {
            push @details, ' [ ' . $uname_output . ' ]';
        }
    }
    print_info('KernelCare: ');
    print_normal( join( '', @details ) );
}
# Print the cPanel version line (version, update tier, days since the last
# update, install version/date) and, when the installed major version is past
# its support date, a [CRIT] block pointing the tech at the EOL premade.
sub print_cpanel_info {
    return unless i_am_one_of( 'cpanel', 'dnsonly' );
    my $cpupdate_conf = get_cpupdate_conf();
    my $whm_info      = get_whm_install_info();
    my $cpanel_tier   = defined $cpupdate_conf->{CPANEL} ? $cpupdate_conf->{CPANEL} : 'Unknown (could not open/read /etc/cpupdate.conf ?)';
    # Age of the version file in days, one decimal place
    my $last_update = defined $whm_info->{'lastupdatetime_epoch'} ? sprintf '%.1f', ( time() - $whm_info->{'lastupdatetime_epoch'} ) / 86400 : 'UNKNOWN';
    my $birthday = defined $whm_info->{'installversion'} ? $whm_info->{'installversion'} . ' on ' : '';
    $birthday .= defined $whm_info->{'installtime'} ? $whm_info->{'installtime'} : '';
    my $output = _get_run_var('cpanel_original_version') . ' (' . uc($cpanel_tier) . ' tier)' . " Last update: $last_update days ago";
    $output .= " [ Installed: $birthday ]" if length $birthday;
    print_info('cPanel Info: ');
    print_normal($output);
    # End-of-life dates by (even) major version.  'expires' is 0 on every
    # entry, so the "expires <= time()" test below is always true: the table
    # is in effect a list of versions already past their support date.
    my %eol = (
        '56' => { expires => 0, text => 'October 31, 2017' },
        '58' => { expires => 0, text => 'July 31, 2017' },
        '60' => { expires => 0, text => 'October 31, 2017' },
        '62' => { expires => 0, text => 'June 30, 2018' },
        '64' => { expires => 0, text => 'September 21, 2017' },
        '66' => { expires => 0, text => 'December 4, 2017' },
        '68' => { expires => 0, text => 'June 6, 2018' },
        '72' => { expires => 0, text => 'September 4, 2018' },
    );
    # cpanel_numeric_version is "<parent>.<major>.<rest>"; only the first two matter here
    my ( $parent_ver, $major_ver ) = split( /\./, _get_run_var('cpanel_numeric_version'), 3 );
    my $expire_info;
    if ( defined $parent_ver and defined $major_ver ) {
        $major_ver++ if $major_ver % 2;    # Bump odd dev versions
        # Each later assignment overrides the earlier one, so a %eol date
        # wins over the TIERS.json check, which wins over the "<= 54" rule.
        $expire_info = 'has expired.' if $major_ver <= 54;
        my $found_tiers_aref = get_tiers_for_version_aref( $parent_ver . '.' . $major_ver );
        if ( defined $found_tiers_aref and scalar @{$found_tiers_aref} == 0 ) {
            $expire_info = 'has expired (version is not a named or LTS tier in TIERS.json)';
        }
        $expire_info = 'ended on ' . $eol{$major_ver}->{'text'} . '.' if exists $eol{$major_ver} && $eol{$major_ver}->{'expires'} <= time();
    }
    if ($expire_info) {
        print_crit('cPanel Info: ');
        print_critical( "Support for this version of WHM/cPanel " . $expire_info );
        print_critical(' \_ Send customer this premade: "EOL version of cPanel"');
        print_critical(' \_ Some SSP output may be irrelevant, incomplete, or inaccurate for EOL versions!');
    }
}
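# Compare the installed cPanel version with the version published for the
# update tier configured in /etc/cpupdate.conf (CPANEL=...).  Warns when the
# local version is unknown, the tier is not in the TIERS file, or an update
# is available.  Silent when up to date.
sub check_for_cpanel_update {
    return unless i_am_one_of( 'cpanel', 'dnsonly' );
    return unless my $cpupdate_conf = get_cpupdate_conf();
    return unless defined $cpupdate_conf->{CPANEL};
    my $local_tier = $cpupdate_conf->{CPANEL};
    if ( _get_run_var('cpanel_numeric_version') eq 'UNKNOWN' ) {
        print_info('cPanel update check: ');
        print_warning("unknown or old cPanel version, check $CPANEL_VERSION_FILE");
        return;
    }
    my $tiers = get_tiers_file();
    return unless $tiers;
    # TIERS lines look like "<tier>:<a.b.c.d>"; pick the version for our tier.
    my $available_tier_version;
    for my $line ( split /\n/, $tiers ) {
        next unless $line =~ m{ \A (.*) : (\d+\.\d+\.\d+\.\d+) \z }xms;
        my ( $tier, $version ) = ( $1, $2 );
        # \Q..\E: the tier name is config-file text and must match literally,
        # not as a regex (a stray metacharacter would otherwise break the match).
        if ( $tier =~ /^\Q$local_tier\E$/i ) {
            $available_tier_version = $version;
            last;
        }
    }
    if ( !defined $available_tier_version ) {
        print_info('cPanel update check: ');
        print_warning("server is configured to use an unknown tier ($cpupdate_conf->{CPANEL})");
        return;
    }
    if ( cpanel_version_is( '<', $available_tier_version ) ) {
        print_info('cPanel update check: ');
        print_warning( "UPDATE AVAILABLE (" . _get_run_var('cpanel_original_version') . " -> $available_tier_version)" );
    }
}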
# Warn when the Perl running SSP is older than 5.8.8, and (separately) when it
# is older than 5.14, since the resolver checks work better on 5.14+.
sub check_perl_version_less_than_588 {
    my $perl_version = $^V;
    $perl_version = $1 if $perl_version =~ /^v(.+)$/;    # strip the leading "v"
    return unless $perl_version;
    my @thresholds = (
        [ '5.8.8',  "less than 5.8.8: [ $perl_version ]" ],
        [ '5.14.0', 'better resolver results can be obtained when running SSP with Perl 5.14 or later' ],
    );
    for my $threshold (@thresholds) {
        my ( $minimum, $message ) = @{$threshold};
        next unless version_compare( $perl_version, '<', $minimum );
        print_warn('Perl Version: ');
        print_warning($message);
    }
}
# Print the output of `uptime`, or UNKNOWN when the command produced nothing.
sub print_uptime {
    my $uptime = timed_run( 0, 'uptime' );
    if ($uptime) {
        chomp $uptime;
    }
    print_info('Uptime: ');
    print_normal( $uptime ? $uptime : 'UNKNOWN' );
}
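# Report DNS clustering and list the active cluster members, sorted, as
# "<host> <member> [<role>]".  A member is active when a "<member>-dnsrole"
# file exists in the cluster config directory; its host comes from the
# "<member>" file (key=value) and its role from the last line of the
# -dnsrole file.  Known hosted providers (vps.net, softlayer) get no hostname.
sub check_for_clustering {
    return unless i_am_one_of( 'cpanel', 'dnsonly' );
    return unless -e '/var/cpanel/useclusteringdns';
    print_info('DNS Clustering: ');
    print_normal('is enabled');
    my $cluster_dir = '/var/cpanel/cluster/root/config';
    return unless -d $cluster_dir;
    opendir( my $dir_fh, $cluster_dir ) or return;
    my @dir_contents = grep { !/^\.\.?$/ } readdir $dir_fh;
    closedir $dir_fh;
    my @cluster_members;
    for my $dirent (@dir_contents) {
        # only active cluster members have -dnsrole files
        next unless $dirent =~ m{ \A (.+)-dnsrole \z }xms;
        my $cluster_member = $1;
        # Absolute paths are used rather than chdir()ing into $cluster_dir,
        # so the process cwd is left untouched for the checks that follow.
        my %cluster_conf;
        if ( open my $conf_fh, '<', "$cluster_dir/$cluster_member" ) {
            local $/;
            %cluster_conf = map { ( split( /=/, $_, 2 ) )[ 0, 1 ] } split( /\n/, readline($conf_fh) );
            close $conf_fh;
        }
        my $member_hostname = defined $cluster_conf{host} ? $cluster_conf{host} : '?';
        if ( $cluster_member =~ m{ \A (vps\.net|softlayer) \z}xmsi ) {
            $member_hostname = '';
        }
        my $member_role;
        if ( open my $role_fh, '<', "$cluster_dir/${cluster_member}-dnsrole" ) {
            # last line wins
            while ( my $line = <$role_fh> ) {
                chomp $line;
                $member_role = $line;
            }
            close $role_fh;
        }
        $member_role = '?' unless defined $member_role;
        push @cluster_members, $member_hostname . ' ' . $cluster_member . ' ' . "[" . $member_role . "]";
    }
    return unless @cluster_members;
    for my $member ( sort @cluster_members ) {
        print_magenta( "\t \\_ " . $member );
    }
}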
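# Print the Apache summary: version/build line, uptime and generation count
# from /whm-server-status (only when networking checks are allowed), the
# ports root httpd processes listen on, and a warning when several root httpd
# parents older than 60 seconds exist.
sub print_apache_info {
    return unless i_am_one_of( 'cpanel', 'ea4', 'ea3' );
    my $apache_version = get_apache_version_href();
    my $output = '';
    $output .= "[ EA4 ] " if i_am('ea4');
    if (   not defined $apache_version->{'version'}
        or not defined $apache_version->{'built'}
        or not defined $apache_version->{'ea_version'} ) {
        $output .= 'could not determine Apache info!';
    }
    else {
        $output .= "[ $apache_version->{'version'} ] [ $apache_version->{'built'} w/ $apache_version->{'ea_version'} ]";
    }
    # cpanel.config stores apache_port as "ip:port"; default to 80
    my $apache_configured_port = 80;
    my $attempted_port = defined $CPCONF{'apache_port'} ? ( split( ':', $CPCONF{'apache_port'} ) )[1] : undef;
    $apache_configured_port = $attempted_port if $attempted_port;
    # lsof runs once; both the "nothing listening" warning and the per-port
    # summary below read from this
    my $ports = get_lsof_port_href();
    if ( not $OPT_SKIP_NETWORKING ) {
        # The server-status request is only attempted when networking checks
        # are enabled, so --skip-networking really skips the HTTP call.
        my $apache_status = _http_get( Host => '127.0.0.1', Port => $apache_configured_port, Path => '/whm-server-status', MultiHomed => 0, Timeout => 5 );
        if ($apache_status) {
            my ( $apache_uptime, $apache_generations );
            for my $line ( split /\n/, $apache_status ) {
                if ( $line =~ m{ Server \s uptime: \s+ (.*) </dt> }xms ) {
                    $apache_uptime = 'Up ' . $1;
                }
                if ( $line =~ m{ Parent \s Server \s Generation: (.*) </dt> }xms ) {
                    $apache_generations = $1 . ' generation(s)';
                }
            }
            $output .= ' [ ' . $apache_uptime . ' ]'      if defined $apache_uptime;
            $output .= ' [ ' . $apache_generations . ' ]' if defined $apache_generations;
        }
        else {
            my $status_url = $apache_configured_port == 80 ? 'http://127.0.0.1/whm-server-status' : 'http://127.0.0.1:' . $apache_configured_port . '/whm-server-status';
            my $warning = "Is Apache up/slow to respond? (failed: $status_url). ";
            $warning .= exists $ports->{'80'} ? 'Something is listening on port 80.' : 'Nothing is listening on port 80';
            print_info('Apache: ');
            print_warning($warning);
        }
    }
    if ($output) {
        print_info('Apache: ');
        print_normal($output);
    }
    my %apache_ports;
    my %root_httpd;
    my $procs = get_process_pid_href();
    while ( my ( $portnum, $listeners ) = each( %{$ports} ) ) {
        for my $listener ( @{$listeners} ) {
            next unless $listener->{USER} eq "root";
            next unless $listener->{CMD} eq "httpd";
            my $pid = $listener->{PID};
            if ( defined $procs->{$pid} and $procs->{$pid}->{ETIMES} > 60 ) {
                next if $procs->{$pid}->{ARGS} =~ m{ \A /apache/bin/httpd }xms;    # Ignore these - see TECH-334
                $root_httpd{$pid} = 1;
            }
            $apache_ports{$portnum} = 1;
        }
    }
    if ( scalar keys(%apache_ports) ) {
        print_info('Apache: ');
        print_normal( 'is listening on ports [ ' . join( " ", sort( keys(%apache_ports) ) ) . ' ]' );
    }
    if ( scalar keys(%root_httpd) > 1 ) {
        my $pids = scalar keys(%root_httpd) > 4 ? 'More than 4!' : join( ' ', sort( keys(%root_httpd) ) );
        print_warn('Apache: ');
        print_warning( 'multiple root httpd processes (more than 60 seconds old) found [ ' . $pids . ' ] -- See TECH-314.' );
    }
}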
# Describe the EA3 PHP setup: phpversion, php4handler, php5handler and suexec
# from /usr/local/apache/conf/php.conf.yaml (php_conf_yaml_missing => 1 when
# that file cannot be opened), plus php5version/php4version as reported by
# the respective binaries with a *_valid flag saying whether parsing worked.
# Returns undef when not running under EA3.
sub get_ea3_php_conf_href {
    return unless i_am('ea3');
    my $phpconf = '/usr/local/apache/conf/php.conf.yaml';
    my %conf;
    if ( open( my $phpconf_fh, '<', $phpconf ) ) {
        my %key_for = (
            phpversion => qr/^phpversion: (\d)/,
            php4handler => qr/^php4:[ \t]+['"]?([^'"]+)/,
            php5handler => qr/^php5:[ \t]+['"]?([^'"]+)/,
            suexec      => qr/^suexec:[ \t]+['"]?([^'"]+)/,
        );
        while ( my $line = <$phpconf_fh> ) {
            chomp $line;
            for my $key ( sort keys %key_for ) {
                $conf{$key} = $1 if $line =~ $key_for{$key};
            }
        }
        close $phpconf_fh;
    }
    else {
        $conf{'php_conf_yaml_missing'} = 1;
    }
    @conf{ 'php5version', 'php5version_valid' } = _ea3_php_binary_version( '/usr/bin/php', '-n', '-v' );
    @conf{ 'php4version', 'php4version_valid' } = _ea3_php_binary_version( '/usr/local/php4/bin/php', '-v' );
    return \%conf;
}

# Run a PHP binary (command plus args) and return ( version, 1 ) when its
# first output line is "PHP <version> <sapi>...", else ( '(version unknown)', 0 ).
sub _ea3_php_binary_version {
    my (@command) = @_;
    my ($first_line) = split /\n/, timed_run( 0, @command );
    if ( defined $first_line && $first_line =~ /^PHP\s(\S+)\s(\S+)/ ) {
        return ( $1, 1 );
    }
    return ( '(version unknown)', 0 );
}
# Print the EA3 default and secondary PHP (version, handler, suexec) based on
# get_ea3_php_conf_href().  Which of PHP 4/5 is "Default" follows phpversion
# in php.conf.yaml; the other is "Secondary" unless its handler is 'none'.
# A missing or incomplete php.conf.yaml is reported first, then whatever
# could still be determined is printed.
sub print_ea3_php_configuration {
    return unless i_am('ea3');
    my $conf = get_ea3_php_conf_href();
    unless ( defined $conf && !exists $conf->{'php_conf_yaml_missing'} && exists $conf->{'phpversion'} ) {
        print_info('PHP: ');
        print_warning('/usr/local/apache/conf/php.conf.yaml missing or incomplete. Some PHP checks may be skipped.');
    }
    my $has_ea3_suexec = $conf->{'suexec'} ? 'with suexec' : 'without suexec';
    # phpversion 5: PHP 5 is the default, PHP 4 (if any) is secondary
    if ( defined $conf->{'phpversion'} and $conf->{'phpversion'} == 5 ) {
        if ( defined $conf->{'php5version'} and defined $conf->{'php5handler'} ) {
            print_info('PHP Default: ');
            print_normal("PHP $conf->{'php5version'} $conf->{'php5handler'} $has_ea3_suexec");
        }
        if ( defined $conf->{'php4version'} and defined $conf->{'php4handler'} and $conf->{'php4handler'} ne 'none' ) {
            print_info('PHP Secondary: ');
            print_normal("PHP $conf->{'php4version'} $conf->{'php4handler'} $has_ea3_suexec");
        }
    }
    # phpversion 4: PHP 4 is the default (warned when its handler is fcgi), PHP 5 is secondary
    if ( defined $conf->{'phpversion'} and $conf->{'phpversion'} == 4 ) {
        if ( defined $conf->{'php4version'} and defined $conf->{'php4handler'} ) {
            if ( $conf->{'php4handler'} eq 'fcgi' ) {
                print_info('PHP Default: ');
                print_warning("PHP $conf->{'php4version'} $conf->{'php4handler'} $has_ea3_suexec (mod_userdir style URLs don't work with fcgi!)");
            }
            else {
                print_info('PHP Default: ');
                print_normal("PHP $conf->{'php4version'} $conf->{'php4handler'} $has_ea3_suexec");
            }
        }
        if ( defined $conf->{'php5version'} and defined $conf->{'php5handler'} and $conf->{'php5handler'} ne 'none' ) {
            print_info('PHP Secondary: ');
            print_normal("PHP $conf->{'php5version'} $conf->{'php5handler'} $has_ea3_suexec");
        }
    }
}
# Print the EA4 default PHP (release version, package, handler) and, when the
# apachefpmjail feature toggle exists, a PHP-FPM jail note plus a warning if
# mod_ruid2 or the "Jail Apache Virtual Hosts" tweak (jailapache) is not
# enabled alongside it.
sub print_ea4_php_configuration {
    return unless i_am('ea4');
    my $fpm_jail_toggle = '/var/cpanel/feature_toggles/apachefpmjail';
    my $ea4_php = get_installed_ea4_php_href();
    my $modules = get_apache_modules_href();
    print_info('PHP Default: ');
    my $default_pkg  = defined($ea4_php) ? $ea4_php->{default} : undef;
    my $default_info = defined($default_pkg) ? $ea4_php->{$default_pkg} : undef;
    my $info = 'UNKNOWN';
    if ( defined($default_info) && defined( $default_info->{release_version} ) && defined( $default_info->{handler} ) ) {
        $info = "[ EA4 ] [ $default_info->{release_version} ( $default_pkg ) ] [ $default_info->{handler} ]";
    }
    print_normal($info);
    return unless -e $fpm_jail_toggle;
    print_info('PHP-FPM: ');
    print_normal( $fpm_jail_toggle . ' exists, PHP-FPM will jail PHP scripts for users that have Jailed or Disabled shells.' );
    if ( defined $modules ) {
        my $jail_prereqs_met = defined $modules->{'ruid2_module'} && defined $CPCONF{'jailapache'} && $CPCONF{'jailapache'} == 1;
        unless ($jail_prereqs_met) {
            print_warn('PHP-FPM: ');
            print_warning('Jail is enabled without mod_ruid2 and/or Jail Apache Virtual Hosts tweak setting enabled, these MUST also be enabled for proper functioning unless EA-5524 is resolved.');
        }
    }
}
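# Discover the EA4 PHP packages reported by `rebuild_phpconf --current`.
# Returns a hash ref: { default => pkg, pkg => { default_php, handler,
# release_version, build_time, zend } } where per-package keys are present
# only when parsed.  Only supports WHM 54+.  Returns undef unless EA4.
sub get_installed_ea4_php_href {
    return unless i_am('ea4');
    my $php = {};
    my @current_php = split( /\n/, timed_run( 0, '/usr/local/cpanel/bin/rebuild_phpconf', '--current' ) );
    for my $line (@current_php) {
        if ( $line =~ m{ DEFAULT \s PHP: \s (\S+) }xms ) {
            my $pkg = $1;
            $php->{$pkg}->{default_php} = 1;
            $php->{default} = $pkg;
            next;
        }
        next unless $line =~ m{ (\S+) \s SAPI: \s (\S+) }xms;
        my $pkg = $1;
        $php->{$pkg}->{handler} = $2;
        # Ask the SCL-packaged binary itself for version and build details
        for my $version_line ( split( /\n/, timed_run( 0, 'scl', 'enable', $pkg, 'php -v' ) ) ) {
            if ( $version_line =~ m{ PHP \s (\d+\.\S+) \s \(cli\) \s \(built: \s (\w+\s+\d+\s\d+\s\d+:\d+:\d+) }xms ) {    # Must accept release version like 7.1.11 or 7.2.0RC5
                $php->{$pkg}->{release_version} = $1;
                $php->{$pkg}->{build_time}      = $2;
                # NOTE(review): as written this substitution is a no-op (space -> space);
                # it may have been meant to collapse the double space in dates like "Nov  2" — confirm
                $php->{$pkg}->{build_time} =~ s/ / /;
            }
            if ( $version_line =~ /Zend\sEngine\sv(\d+\.\d+\.\d+)/ ) {
                $php->{$pkg}->{zend} = $1;
            }
        }
        # Gather a list of modules for this given PHP Binary - not used currently, enable when needed.
        # @{ $php->{$pkg}->{module_list} } = grep { !/\[PHP\sModules\]/ && /\w/ && !/Zend/ } split( /\n/, timed_run( 0, 'scl', 'enable', $pkg, 'php -m' ) );
    }
    return $php;
}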
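# Verify /var/cpanel/sysinfo.config against the live host: rpm_arch must
# match `uname -i`, release the detected OS version and ises the detected
# ises flag.  A missing file or any mismatch is reported as [CRIT] with the
# instruction to run /scripts/gensysinfo.
sub check_sysinfo {
    return unless i_am_one_of( 'cpanel', 'dnsonly' );
    return unless my $hostinfo = get_hostinfo_href();
    my $sysinfo_config = '/var/cpanel/sysinfo.config';
    if ( !-e $sysinfo_config ) {
        print_crit('sysinfo: ');
        print_critical('does not exist, run /scripts/gensysinfo to fix');
        return;
    }
    # Exists but unreadable: nothing can be compared, so nothing is reported
    open my $sysinfo_fh, '<', $sysinfo_config or return;
    my $rebuild = 0;
    while ( my $line = <$sysinfo_fh> ) {
        chomp $line;
        if ( $line =~ m{ \A rpm_arch=(.*) }xms ) {
            $rebuild = 1 if $hostinfo->{'hardware'} ne $1;
        }
        if ( $line =~ m{ \A release=(.*) }xms ) {
            $rebuild = 1 if _get_run_var('os_version') ne $1;
        }
        if ( $line =~ m{ \A ises=(.*) }xms ) {
            $rebuild = 1 if _get_run_var('os_ises') ne $1;
        }
    }
    close $sysinfo_fh;
    if ( $rebuild == 1 ) {
        print_crit('sysinfo: ');
        print_critical('/var/cpanel/sysinfo.config contains errors -- run /scripts/gensysinfo to fix');
    }
}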
# Warn when /root/.my.cnf points MySQL at a host that is not this server.
# Only the "host=" line is read from the file.  A host is local when it is
# 127.0.0.1, 'localhost', this server's hostname, or one of its own IPs.
sub check_for_remote_mysql {
    my $my_cnf = '/root/.my.cnf';
    my $mysql_host;
    if ( open my $my_cnf_fh, '<', $my_cnf ) {
        while ( my $line = <$my_cnf_fh> ) {
            chomp $line;
            # last host= line wins
            $mysql_host = $1 if $line =~ m{ \A host \s* = \s* (?:["']?) ([^"']+) }xms;
        }
        close $my_cnf_fh;
    }
    return unless $mysql_host;
    return if $mysql_host eq '127.0.0.1';
    my $is_local = 0;
    if ( $mysql_host =~ m{ ( \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} ) }xms ) {
        $is_local = 1 if grep { $_ eq $mysql_host } @{ get_local_ipaddrs_aref() };
    }
    elsif ( $mysql_host eq 'localhost' or $mysql_host eq get_hostname() ) {
        $is_local = 1;
    }
    return if $is_local;
    print_info('Remote MySQL Host: ');
    print_warning($mysql_host);
}
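# Report which alternative DNS server is selected via its touchfile (NSD,
# MyDNS, PowerDNS) and warn when more than one touchfile exists.  The
# touchfile list is sorted so the output order is stable run to run.
sub print_if_using_other_dns {
    return unless i_am_one_of( 'cpanel', 'dnsonly' );
    my %service = (
        '/var/cpanel/usensd'      => 'NSD',
        '/var/cpanel/usemydns'    => 'MyDNS',
        '/var/cpanel/usepowerdns' => 'PowerDNS',
    );
    my @found = sort grep { -e $_ } keys(%service);
    return unless scalar @found;
    if ( scalar @found > 1 ) {
        print_warn('DNS Service: ');
        print_warning( 'multiple service touchfiles found! [ ' . join( ' ', @found ) . ' ]' );
    }
    for my $touchfile (@found) {
        print_info('DNS Service: ');
        print_normal( $service{$touchfile} );
    }
}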
# Print the installed MySQL version and warn when cpanel.config's
# mysql-version is not a prefix of the installed numeric version.
sub print_mysql_version {
    my $mysql_full_version = get_mysql_full_version() or return;
    print_info('MySQL Version: ');
    print_normal($mysql_full_version);
    my $mysql_numeric_version = get_mysql_numeric_version() or return;
    return unless defined $CPCONF{'mysql-version'};
    my $expected_prefix = $CPCONF{'mysql-version'} . '.';
    my $matches = index( $mysql_numeric_version, $expected_prefix ) == 0;
    unless ($matches) {
        print_warning( "\t \\_ mysql-version=" . $CPCONF{'mysql-version'} . ' in cpanel.config does not match installed version!' );
    }
}
# Read the new-style backup config /var/cpanel/backups/config ("KEY: value"
# per line) into a hash ref.  Returns undef when the file is absent or
# cannot be opened.
sub get_new_backup_conf_href {
    my $new_backup_config = '/var/cpanel/backups/config';
    return unless -f $new_backup_config;
    open( my $backupconf_fh, '<', $new_backup_config ) or return;
    local $/ = undef;    # slurp
    my @lines = split( /\n/, readline($backupconf_fh) );
    close $backupconf_fh;
    my %settings = map { ( split( /:\s/, $_, 2 ) )[ 0, 1 ] } @lines;
    return \%settings;
}
# Read the legacy backup config /etc/cpbackup.conf ("KEY value" per line)
# into a hash ref.  Returns undef when the file is absent or cannot be opened.
sub get_old_backup_conf_href {
    my $old_backup_config = '/etc/cpbackup.conf';
    return unless -f $old_backup_config;
    open( my $backupconf_fh, '<', $old_backup_config ) or return;
    local $/ = undef;    # slurp
    my @lines = split( /\n/, readline($backupconf_fh) );
    close $backupconf_fh;
    my %settings = map { ( split( /\s/, $_, 2 ) )[ 0, 1 ] } @lines;
    return \%settings;
}
# Note when cpanel.config has Roundcube on a MySQL backend (roundcube_db=mysql).
sub print_roundcube_db {
    my $roundcube_db = $CPCONF{'roundcube_db'};
    return unless defined $roundcube_db && $roundcube_db eq 'mysql';
    print_info('Roundcube: ');
    print_normal('using mysql database');
}
sub print_backups_info {
    # Summarize the backup configuration on a cPanel server: the state of the
    # current backup system (/var/cpanel/backups/config) and of the legacy
    # one (/etc/cpbackup.conf), whether root's crontab carries the matching
    # job, and each configured remote destination.  Only non-secret fields of
    # a destination (type, disabled, name, timeout) are printed; credentials
    # such as the passphrase are tested for presence but never output.
    return unless i_am('cpanel');
    my $old_backup_conf = get_old_backup_conf_href();
    my $new_backup_conf = get_new_backup_conf_href();
    my %new_dest = ();    # destination filename => parsed "key: value" settings
    # The cron flags start at 0 and the status strings at 'No Config' so a
    # missing config file is reported as such rather than as "Disabled".
    my ( $new_backups_cron, $new_backups_status ) = ( 0, 'No Config' );
    my ( $old_backups_cron, $old_backups_status ) = ( 0, 'No Config' );
    my $warning = 0;    # set when a cron entry is missing; switches the summary line to print_warning
    my $new_backup_dir = '/var/cpanel/backups/';
    # Load every *.backup_destination file when the new system is enabled.
    # Note that /yes/ is unanchored, so any value containing "yes" qualifies.
    if ( defined $new_backup_conf and defined $new_backup_conf->{'BACKUPENABLE'} and $new_backup_conf->{'BACKUPENABLE'} =~ /yes/ ) {
        my @dir_contents = ();
        if ( opendir( my $dir_fh, $new_backup_dir ) ) {
            @dir_contents = readdir $dir_fh;
            closedir $dir_fh;
        }
        for my $dest (@dir_contents) {
            if ( $dest =~ m{ \.backup_destination \z }xms ) {
                if ( open( my $destconf_fh, '<', $new_backup_dir . $dest ) ) {
                    local $/ = undef;
                    # "KEY: value" per line; only the first ": " separates key from value.
                    %{ $new_dest{$dest} } = map { ( split( /:\s/, $_, 2 ) )[ 0, 1 ] } split( /\n/, readline($destconf_fh) );
                    close $destconf_fh;
                }
            }
        }
    }
    # Look for either system's job in root's crontab.  [^#] as the first
    # character skips commented-out entries.
    if ( ( defined $old_backup_conf and defined $old_backup_conf->{'BACKUPENABLE'} and $old_backup_conf->{'BACKUPENABLE'} eq 'yes' ) or ( defined $new_backup_conf and defined $new_backup_conf->{'BACKUPENABLE'} and $new_backup_conf->{'BACKUPENABLE'} =~ /yes/ ) ) {
        if ( open my $file_fh, '<', '/var/spool/cron/root' ) {
            while (<$file_fh>) {
                if (m{ \A [^#] .+ /usr/local/cpanel/scripts/cpbackup }xms) {
                    $old_backups_cron = 1;
                }
                if (m{ \A [^#] .+ /usr/local/cpanel/bin/backup }xms) {
                    $new_backups_cron = 1;
                }
            }
            close $file_fh;
        }
    }
    # New system: Enabled/Disabled, then account and compression suffixes,
    # then a cron warning.
    if ( defined $new_backup_conf and defined $new_backup_conf->{'BACKUPENABLE'} ) {
        if ( $new_backup_conf->{'BACKUPENABLE'} =~ /yes/ ) {
            $new_backups_status = 'Enabled';
            if ( defined( $new_backup_conf->{'BACKUPACCTS'} ) && $new_backup_conf->{'BACKUPACCTS'} =~ /yes/ ) {
                $new_backups_status .= '/WithAccounts';
            }
            elsif ( defined( $new_backup_conf->{'BACKUPACCTS'} ) && $new_backup_conf->{'BACKUPACCTS'} =~ /no/ ) {
                $new_backups_status .= '/NoAccounts';
            }
            # Order matters: /compressed/ also matches "uncompressed", so the
            # uncompressed test has to come first.
            if ( defined( $new_backup_conf->{'BACKUPTYPE'} ) && $new_backup_conf->{'BACKUPTYPE'} =~ /uncompressed/ ) {
                $new_backups_status .= '/Uncompressed';
            }
            elsif ( defined( $new_backup_conf->{'BACKUPTYPE'} ) && $new_backup_conf->{'BACKUPTYPE'} =~ /compressed/ ) {
                $new_backups_status .= '/Compressed';
            }
            elsif ( defined( $new_backup_conf->{'BACKUPTYPE'} ) && $new_backup_conf->{'BACKUPTYPE'} =~ /incremental/ ) {
                $new_backups_status .= '/Incremental';
            }
            else {
                $new_backups_status .= '/Unknown';
            }
            if ( $new_backups_cron != 1 ) {
                $new_backups_status .= ' (MISSING CRON!)';
                $warning = 1;
            }
        }
        elsif ( $new_backup_conf->{'BACKUPENABLE'} =~ /no/ ) {
            $new_backups_status = 'Disabled';
        }
    }
    # Legacy system: same shape, but with exact string comparisons and the
    # BACKUPINC / COMPRESSACCTS keys instead of BACKUPTYPE.
    if ( defined $old_backup_conf and defined $old_backup_conf->{'BACKUPENABLE'} ) {
        if ( $old_backup_conf->{'BACKUPENABLE'} eq 'restoreonly' ) {
            $old_backups_status = 'RestoreOnly';
        }
        elsif ( $old_backup_conf->{'BACKUPENABLE'} eq 'yes' ) {
            $old_backups_status = 'Enabled';
            if ( defined( $old_backup_conf->{'BACKUPACCTS'} ) && $old_backup_conf->{'BACKUPACCTS'} eq 'yes' ) {
                $old_backups_status .= '/WithAccounts';
            }
            elsif ( defined( $old_backup_conf->{'BACKUPACCTS'} ) && $old_backup_conf->{'BACKUPACCTS'} eq 'no' ) {
                $old_backups_status .= '/NoAccounts';
            }
            # Incremental takes precedence over the compression setting.
            if ( defined( $old_backup_conf->{'BACKUPINC'} ) && $old_backup_conf->{'BACKUPINC'} eq 'yes' ) {
                $old_backups_status .= '/Incremental';
            }
            elsif ( defined( $old_backup_conf->{'COMPRESSACCTS'} ) && $old_backup_conf->{'COMPRESSACCTS'} eq 'yes' ) {
                $old_backups_status .= '/Compressed';
            }
            elsif ( defined( $old_backup_conf->{'COMPRESSACCTS'} ) && $old_backup_conf->{'COMPRESSACCTS'} eq 'no' ) {
                $old_backups_status .= '/Uncompressed';
            }
            else {
                $old_backups_status .= '/Unknown';
            }
            if ( $old_backups_cron != 1 ) {
                $old_backups_status .= ' (MISSING CRON!)';
                $warning = 1;
            }
        }
        elsif ( $old_backup_conf->{'BACKUPENABLE'} eq 'no' ) {
            $old_backups_status = 'Disabled';
        }
    }
    # KEEPLOCAL is only meaningful when at least one remote destination exists.
    if ( keys(%new_dest) ) {
        if ( defined $new_backup_conf and defined $new_backup_conf->{'KEEPLOCAL'} and $new_backup_conf->{'KEEPLOCAL'} =~ /1/ ) {
            $new_backups_status .= '/RetainLocal';
        }
        else {
            $new_backups_status .= '/NoRetainLocal';
        }
    }
    print_info('Backups: ');
    if ($warning) {
        print_warning("[New: $new_backups_status] [Legacy: $old_backups_status]");
    }
    else {
        print_normal("[New: $new_backups_status] [Legacy: $old_backups_status]");
    }
    # One line per remote destination, with 'UNKNOWN' for any missing field.
    for my $dest ( keys(%new_dest) ) {
        my $type = exists $new_dest{$dest}->{'type'} ? $new_dest{$dest}{'type'} : 'UNKNOWN';
        my $disabled = exists $new_dest{$dest}{'disabled'} ? ( $new_dest{$dest}{'disabled'} ? "Yes" : "No" ) : 'UNKNOWN';
        my $name = exists $new_dest{$dest}{'name'} ? $new_dest{$dest}{'name'} : 'UNKNOWN';
        my $timeoutdest = exists $new_dest{$dest}->{'timeout'} ? $new_dest{$dest}{'timeout'} : 'UNKNOWN';
        print_normal( "\t\t\\_ Remote dest: [Type: " . $type . "] [Disabled: " . $disabled . "] [Name: " . $name . "] [Timeout: " . $timeoutdest . "]" );
        # An SFTP destination that stores a passphrase should be using an
        # encrypted private key.  The key file named in the destination config
        # is scanned for a line containing "ENCRYPTED" (the header that a
        # traditional passphrase-protected PEM key carries).
        # NOTE(review): keys in the newer OpenSSH private-key format do not
        # carry that header, so such a key would be reported as unencrypted
        # even when it is -- confirm before acting on this warning.
        if ( $type eq "SFTP" && exists $new_dest{$dest}{'privatekey'} && exists $new_dest{$dest}{'passphrase'} ) {
            my $key_is_encrypted = 0;
            if ( open my $privatekey_fh, '<', $new_dest{$dest}->{'privatekey'} ) {
                while (<$privatekey_fh>) {
                    if (/ENCRYPTED/) {
                        $key_is_encrypted = 1;
                        last;
                    }
                }
                close $privatekey_fh;
            }
            if ( !$key_is_encrypted ) {
                print_warning("\t\t \\_ The SFTP private key is not encrypted but the transport config contains a passphrase. See FB-152341 and FB-152337.");
            }
        }
    }
}
sub print_mailserver_info {
    # Print the configured mailserver on cPanel servers older than 11.53;
    # 54+ only supports Dovecot, so the setting carries no information there.
    return unless i_am('cpanel');
    my $mailserver = $CPCONF{'mailserver'};
    return unless defined $mailserver;
    return unless cpanel_version_is(qw( < 11.53.0.0 ));
    print_info('Mailserver: ');
    print_normal($mailserver);
}
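sub print_ftpserver_info {
    # Report the configured FTP server, its passive port range (and whether
    # an iptables ACCEPT rule mentions that range), and whether the forced
    # passive / masquerade address matches the license IP.
    return unless i_am('cpanel');
    my $external_ip_address = get_external_ip();
    my $pureftpd_conf       = get_pureftpd_conf_href();
    my $proftpd_conf        = get_proftpd_conf_href();
    print_info('FTP Server: ');

    my $ftpserver    = $CPCONF{'ftpserver'};
    my $passiveports = "";
    my $passiveip    = "";
    if ( defined $ftpserver ) {
        # The two daemons spell the same two settings differently.
        my ( $conf, $ports_key, $ip_key ) =
            $ftpserver eq 'pure-ftpd' ? ( $pureftpd_conf, 'passiveportrange', 'forcepassiveip' )
          : $ftpserver eq 'proftpd'   ? ( $proftpd_conf,  'passiveports',     'masqueradeaddress' )
          :                             ();
        if ($conf) {
            $passiveports = $conf->{$ports_key}->{value} if defined $conf->{$ports_key} && defined $conf->{$ports_key}->{value};
            $passiveip    = $conf->{$ip_key}->{value}    if defined $conf->{$ip_key}    && defined $conf->{$ip_key}->{value};
        }
    }

    my $fwppactive = 0;
    if ($passiveports) {
        # The daemon config gives "MIN MAX"; iptables -nL prints a port range
        # as "MIN:MAX", so rewrite the first whitespace run to a colon.
        $passiveports =~ s/\s+/:/;
        # The range is read from a config file, so match it literally with
        # \Q...\E: a stray metacharacter must not change or break the pattern.
        my $ports_re  = qr/\Q$passiveports\E/;
        my @fwcommand = timed_run( 10, '/sbin/iptables', '-nL' );
        for my $fwline (@fwcommand) {
            chomp($fwline);
            next unless $fwline =~ $ports_re and $fwline =~ /ACCEPT/;
            $fwppactive = 1;
            last;
        }
    }

    my $passivetext =
        $passiveports
      ? "enabled - " . ( $fwppactive ? "allowed in iptables" : "not found in iptables" )
      : "not enabled";
    if ( $passiveip ne "" && defined($external_ip_address) && $passiveip ne $external_ip_address && defined($ftpserver) ) {
        if ( $ftpserver eq 'proftpd' ) {
            $passivetext .= " - MasqueradeAddress ( $passiveip ) doesn't match license IP";
        }
        elsif ( $ftpserver eq 'pure-ftpd' ) {
            $passivetext .= " - ForcePassiveIP ( $passiveip ) doesn't match license IP";
        }
    }

    if ( defined $ftpserver ) {
        print_normal("$ftpserver ( Passive ports $passivetext )");
    }
    else {
        print_warning('missing ftpserver setting in cpanel.config');
    }
    return;
}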
sub print_exim_info {
    # Describe Exim's SMTP delay for unknown hosts (acl_delay_unknown_hosts)
    # and list the greylisting exemptions that switch it off.
    return unless i_am_one_of( 'cpanel', 'dnsonly' );
    my $opts = get_exim_localopts_href();
    return unless $opts;
    return unless defined $opts->{acl_delay_unknown_hosts} && $opts->{acl_delay_unknown_hosts};

    my @exempt;
    push @exempt, '[Greylisting Trusted Hosts]'
      if defined $opts->{acl_dont_delay_greylisting_trusted_hosts} && $opts->{acl_dont_delay_greylisting_trusted_hosts};
    push @exempt, '[Greylisting Common Mail Providers]'
      if defined $opts->{acl_dont_delay_greylisting_common_mail_providers} && $opts->{acl_dont_delay_greylisting_common_mail_providers};

    my $info = '20 second SMTP delay active (by default) for unknown hosts and spam, see DOC-6092.';
    $info .= ' Disabled for:' . join( '', map { " $_" } @exempt ) if @exempt;
    print_info('Exim: ');
    print_normal($info);
}
sub check_for_custom_webtemplates {
    # Note the presence of custom Web Template Editor templates (*.tmpl)
    # anywhere under /var/cpanel/webtemplates.
    return unless i_am('cpanel');
    my $template_dir = '/var/cpanel/webtemplates';
    return unless -d $template_dir;
    my $tmpl_count = 0;
    # File::Find offers no early exit, so the callback simply counts matches.
    find( sub { $tmpl_count++ if /\.tmpl$/s }, $template_dir );
    return unless $tmpl_count;
    print_info('Web templates: ');
    print_normal("found in ${template_dir} -- https://documentation.cpanel.net/display/ALD/Web+Template+Editor");
}
sub check_for_custom_restoremodules {
    # Note custom transfer/restore modules (*.pm) under
    # /var/cpanel/perl/Whostmgr/Transfers/Systems, which can interfere with
    # account restores.
    return unless i_am('cpanel');
    my $restoremodule_dir = '/var/cpanel/perl/Whostmgr/Transfers/Systems';
    return unless -d $restoremodule_dir;
    my $pm_count = 0;
    # File::Find offers no early exit, so the callback simply counts matches.
    find( sub { $pm_count++ if /\.pm$/s }, $restoremodule_dir );
    return unless $pm_count;
    print_info('Custom Restore Modules: ');
    print_normal("found in ${restoremodule_dir} -- can cause issues with restoration process -- check ticket #9858879");
}
sub check_for_custom_zonetemplates {
    # Report custom DNS zone templates in /var/cpanel/zonetemplates and flag
    # the directory in red when any entry is a zero-length file.
    return unless i_am('cpanel');
    my $template_dir = '/var/cpanel/zonetemplates';
    return unless -d $template_dir;
    opendir( my $dir_fh, $template_dir ) or return;
    # Note: the pattern is not anchored at the end, so this skips every entry
    # whose name starts with a dot, not only "." and "..".
    my @entries = grep { !/^\.\.?/ } readdir $dir_fh;
    closedir $dir_fh;
    return unless @entries;
    my @empty = grep { -z "${template_dir}/$_" } @entries;
    print_info('Zone templates: ');
    if (@empty) {
        print_red("found in $template_dir - some may be empty! See ticket 4897373");
    }
    else {
        print_normal("found in $template_dir");
    }
}
sub print_lsws_info {
    # Print the LiteSpeed version, the ports a root-owned "litespeed" process
    # listens on (from the lsof port map), and the support caveats for the
    # installed edition.
    return unless i_am('cpanel');
    my @version = @{ get_lsws_version_aref() };
    return unless @version;
    my ( $full_version, $numeric_version ) = @version;
    print_info('LiteSpeed Web Server: ');
    print_normal("version [ $full_version ]");

    # get_lsof_port_href() maps port => [ { USER => ..., CMD => ..., ... }, ... ]
    my $ports = get_lsof_port_href();
    my %listening;
    for my $portnum ( keys %$ports ) {
        for my $entry ( @{ $ports->{$portnum} } ) {
            next unless $entry->{USER} eq "root" and $entry->{CMD} eq "litespeed";
            $listening{$portnum} = 1;
        }
    }
    if (%listening) {
        print_info('LiteSpeed Web Server: ');
        # Lexical sort: port numbers are compared as strings here.
        print_normal( 'is listening on ports [ ' . join( " ", sort keys %listening ) . ' ]' );
    }

    print_info('LiteSpeed Web Server: ');
    if ( $full_version =~ /Enterprise/ ) {
        print_normal('is supported, see http://cpanel.wiki/display/LS/LiteSpeed');
    }
    else {
        print_warning('non-Enterprise editions of LiteSpeed are NOT directly supported');
    }
    print_info('LiteSpeed Web Server: ');
    print_warning('whm-server-status is incompatible with LiteSpeed');
}
sub check_for_lsws_update {
    # Compare the installed LiteSpeed Enterprise version with the latest one
    # advertised by update.litespeedtech.com and warn when an update exists.
    return unless i_am('cpanel');
    my @version = @{ get_lsws_version_aref() };
    return unless @version;
    my ( $full_version, $numeric_version ) = @version;
    return if $numeric_version eq "unknown";
    return unless $full_version =~ /Enterprise/;

    my $reply = _http_get( Host => 'update.litespeedtech.com', Path => '/ws/latest.php', MultiHomed => 0, Timeout => 5 );
    return unless defined $reply;
    # The reply is untrusted network data: only a line that is exactly
    # "LSWS=<digits>.<digits>.<digits>" is accepted, and only the captured
    # digits are used further.  The first such line wins.
    my ($available) = map { m{ \A LSWS=(\d+\.\d+\.\d+) \z }xms ? $1 : () } split /\n/, $reply;
    return unless $available;

    if ( version_compare( $numeric_version, '<', $available ) ) {
        print_info('LiteSpeed Web Server: ');
        print_warning("UPDATE AVAILABLE ($numeric_version -> $available)");
    }
}
##############################
# END [INFO] CHECKS
##############################
##############################
# BEGIN [WARN] CHECKS
##############################
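sub check_for_license_error {
    # Classify the last license error recorded in license_error.display:
    # hostname-related messages get troubleshooting advice, a fixed set of
    # server-side failures is escalated as critical, and anything else is a
    # plain warning.  Nothing is printed when the file is absent or empty.
    my $license_error_file = '/usr/local/cpanel/logs/license_error.display';
    stat($license_error_file);
    return unless -f _;
    return unless -s _;
    my $license_error;
    if ( open( my $license_error_fh, '<', $license_error_file ) ) {
        while (<$license_error_fh>) {
            if (m{\AThe exact message was: (.+)\Z}ms) {
                $license_error = $1;
                chomp $license_error;
                last;
            }
        }
        close $license_error_fh;
    }
    return unless defined $license_error;
    if ( cpanel_version_is(qw( < 11.32.0.0 )) ) {
        print_warn('License Error: ');
        print_warning( '[ ' . $license_error . ' ]' );
        print_warning(' \_ Try updating to WHM 11.32 or later to resolve any license-related problems.');
        return;
    }
    # The alternatives are wrapped in (?: ... ) so that \A and \Z apply to
    # every one of them.  Without the group, alternation binds loosest: \A
    # anchored only the first message and \Z only the last, so a middle
    # alternative such as "Return without Gosub." matched anywhere inside an
    # unrelated, longer message.
    if (
        $license_error =~ m{ \A (?:
            \QThe hostname must be a Fully Qualified Domain Name! (\E.+\)
          | \QAbort, Retry, Fail?\E
        ) \Z }xms
    ) {
        print_warn('License Error: ');
        print_warning( '[ ' . $license_error . ' ]' );
        print_warning(' \_ If this license error is not resolved after correctly setting the hostname AND ensuring that the hostname can be pinged from the local host ( ping `hostname` ), then fork ticket for license issue if not related to current issue, send "ESCALATE - License issue to Dev" response, and escalate ticket to "QA/Development".');
        return;
    }
    if (
        $license_error =~ m{ \A (?:
            \QDoes not compute!\E
          | \QReturn without Gosub.\E
          | \QPrinting is not supported on this printer.\E
          | \QCannot issue a license to \E[^ ]+\Q without a \E(DISTRO|OSVER)\.
        ) \Z }xms
    ) {
        print_crit('License Error: ');
        print_critical( '[ ' . $license_error . ' ]' );
        print_critical(' \_ Fork ticket for license issue if not related to current issue, send "ESCALATE - License issue to Dev" response, and escalate ticket to "QA/Development".');
        return;
    }
    # Not any of the above
    print_warn('License Error: ');
    print_warning( '[ ' . $license_error . ' ]' );
}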
sub check_port_hash {
    # Warn when lsof produced no listening TCP ports, because the later
    # port-based checks quietly depend on that list.
    my $ports      = get_lsof_port_href();
    my $port_count = scalar keys %$ports;
    return if $port_count;
    print_warn('lsof: ');
    print_warning('Did not return a list of TCP ports in LISTEN state. Either lsof is broken or there are zero listening services. Some port-based checks will be skipped!');
}
sub check_selinux_status {
    # Summarize sestatus output: silent when sestatus prints nothing or
    # SELinux is disabled, informational when permissive, a warning for any
    # other mode (i.e. enforcing).
    my @lines = split /\n/, timed_run( 0, 'sestatus' );
    return unless @lines;
    for my $line (@lines) {
        if ( $line =~ m{ \A SELinux \s status: \s+ ([^\s\n]+) }xms ) {
            return if $1 eq "disabled";
            next;
        }
        next unless $line =~ m{ \A Current \s mode: \s+ ([^\s\n]+) }xms;
        if ( $1 eq "permissive" ) {
            print_info('SELinux: ');
            print_normal('Permissive');
        }
        else {
            print_warn('SELinux: ');
            print_warning('is ENFORCING!');
        }
        return;
    }
}
sub check_runlevel {
    # Warn when the SysV runlevel reported by `who -r` is anything but 3.
    my $who_r = timed_run( 0, 'who', '-r' );
    # CentOS 5.7, 5.8:
    # run-level 3 2012-01-25 10:38 last=S
    return unless $who_r =~ m{ \A \s* run-level \s (\S+) }xms;
    my $runlevel = $1;
    return if $runlevel eq "3";
    print_warn('Runlevel: ');
    print_warning("runlevel is not 3 (current runlevel: $runlevel)");
}
sub check_for_missing_root_cron {
    # Warn when root has no crontab file at all (this is where cPanel's
    # backup jobs, among others, are scheduled).
    return unless i_am_one_of( 'cpanel', 'dnsonly' );
    my $cron = '/var/spool/cron/root';
    return if -f $cron;
    print_warn('Missing cron: ');
    print_warning("root's cron file $cron is missing!");
}
sub check_for_missing_usr_bin_crontab {
    # Warn when the crontab binary is gone; jail_safe_crontab errors in the
    # cPanel logs are a typical symptom.
    return unless i_am_one_of( 'cpanel', 'dnsonly' );
    my $crontab = '/usr/bin/crontab';
    return if -f $crontab;
    print_warn('Missing crontab binary: ');
    print_warning( 'file ' . $crontab . ' is missing! Seeing "warn [jail_safe_crontab] Cpanel::Wrap::send_cpwrapd_request error"? This may be why.' );
}
sub check_if_upcp_is_running {
    # Report a running upcp, or a leftover upgrade_in_progress.txt when no
    # upcp process can be found (a sign the last run did not finish).
    return unless i_am_one_of( 'cpanel', 'dnsonly' );
    my $label = 'upcp check: ';
    if ( exists_process_cmd( qr{ cPanel \s Update \s \(upcp\) }xms, 'root' ) ) {
        print_warn($label);
        print_warning('upcp is currently running');
        return;
    }
    return unless -e '/usr/local/cpanel/upgrade_in_progress.txt';
    print_warn($label);
    print_warning('/usr/local/cpanel/upgrade_in_progress.txt found, but upcp doesn\'t appear to be running. Last run failed? If Tweak Settings is not loading, this may be why.');
}
sub check_valid_upcp {
    # Sanity-check /scripts/updatenow.static: it has to exist as a regular
    # file and contain the "our $VERSION_BUILD" marker.
    return unless i_am_one_of( 'cpanel', 'dnsonly' );
    my $updatenow_static = '/scripts/updatenow.static';
    my $label            = 'Valid updatenow.static: ';
    unless ( -f $updatenow_static ) {
        print_warn($label);
        print_warning("$updatenow_static does not exist as a file!");
        return;
    }
    my $text = '';
    if ( open( my $updatenow_fh, '<', $updatenow_static ) ) {
        $text = do { local $/ = undef; readline($updatenow_fh) };
        close $updatenow_fh;
    }
    return if $text =~ m/our \$VERSION_BUILD/s;
    print_warn($label);
    print_warning("No VERSION_BUILD info found in $updatenow_static, could be broken!");
}
sub check_cpupdate_conf {
    # Warn for each /etc/cpupdate.conf setting that blocks automatic updates
    # (a value of "never" or "manual"): UPDATES, RPMUP and SARULESUP.
    my $cpupdate_conf = get_cpupdate_conf();
    return unless $cpupdate_conf;
    my %blocks_updates = ( never => 1, manual => 1 );
    my %explanation_for = (
        UPDATES   => 'UPDATES set to never or manual -- do not run /scripts/upcp without customer approval. Recommend enabling automatic updates if the issue would be resolved by an update.',
        RPMUP     => 'RPMUP set to never or manual -- prevents automatic updates to EA4 and other yum-managed packages. Recommend enabling automatic updates if the issue would be resolved by an update.',
        SARULESUP => 'SARULESUP set to never or manual -- prevents automatic updates of SpamAssassin rules. Recommend enabling automatic updates if the issue would be resolved by an update.',
    );
    for my $setting (qw( UPDATES RPMUP SARULESUP )) {
        my $value = $cpupdate_conf->{$setting};
        next unless defined $value and $blocks_updates{$value};
        print_warn('/etc/cpupdate.conf: ');
        print_warning( $explanation_for{$setting} );
    }
}
sub check_interface_lo {
    # Confirm the loopback interface is up (via `ip addr`, falling back to
    # `ifconfig`), then hand off to check_loopback_connection().
    my $output = timed_run( 0, 'ip', 'addr', 'show', 'dev', 'lo' ) || timed_run( 0, 'ifconfig', 'lo' );
    # ip addr and ifconfig swap the LOOPBACK and UP keywords, hence both orders.
    if ( $output =~ /UP.LOOPBACK|LOOPBACK.UP/ ) {
        return check_loopback_connection();
    }
    print_warn('Loopback Interface: ');
    print_warning('loopback interface is not up!');
}
sub check_loopback_connection {
    # Try a TCP connect to 127.0.0.1 on ports 25, 80 and 2086 (1 second
    # timeout each) and warn only when none of them accepts the connection.
    return if $OPT_SKIP_NETWORKING;
    return unless i_am_one_of( 'cpanel', 'dnsonly' );
    for my $port (qw( 25 80 2086 )) {
        my $sock = IO::Socket::INET->new(
            PeerAddr => '127.0.0.1',
            PeerPort => $port,
            Proto    => 'tcp',
            Timeout  => '1',
        );
        next unless $sock;
        close $sock;
        return;    # one successful connect is enough
    }
    print_warn('Loopback connectivity: ');
    print_warning('could not connect to 127.0.0.1 on port 25, 80, or 2086');
}
sub check_cpanelconfig_filetype {
    # Warn when file(1) does not classify cpanel.config as plain ASCII text
    # (optionally "with very long lines").
    return unless -e $CPANEL_CONFIG_FILE;
    my $file_output = timed_run( 0, 'file', $CPANEL_CONFIG_FILE );
    chomp $file_output;
    # \Q...\E: the path is matched literally, not interpreted as a pattern.
    my $is_ascii_text = $file_output =~ m{ \A \Q$CPANEL_CONFIG_FILE\E: \s ASCII \s text (, \s with \s very \s long \s lines)? \z }xms;
    return if $is_ascii_text;
    print_warn("$CPANEL_CONFIG_FILE: ");
    print_warning("filetype is something other than 'ASCII text'! ($file_output)");
}
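sub check_cpanelsync_exclude {
    # Warn when /etc/cpanelsync.exclude is non-empty (entries there are
    # presumably excluded from cpanelsync updates), and warn again when
    # rpm.versions itself is listed.
    my $cpanelsync_exclude = '/etc/cpanelsync.exclude';
    return unless -f $cpanelsync_exclude;
    return unless -s $cpanelsync_exclude;
    my $rpmversions_file = '/usr/local/cpanel/etc/rpm.versions';
    print_warn('cpanelsync exclude: ');
    print_warning("$cpanelsync_exclude is not empty!");
    open my $file_fh, '<', $cpanelsync_exclude or return;
    while ( my $line = <$file_fh> ) {
        chomp $line;
        # \Q...\E matches the path literally; without it the "." in
        # rpm.versions would match any character.
        next unless $line =~ m{ \A \s* \Q$rpmversions_file\E \s* \z }xms;
        print_warn('cpanelsync exclude: ');
        print_warning("$rpmversions_file found! This should NEVER be done!");
        last;
    }
    close $file_fh;
}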
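sub check_for_rawopts {
    # Warn when the EasyApache 3 rawopts directory contains any entries.
    # Only relevant on EA3, or where a downgrade to EA3 is still possible.
    return unless i_am('ea3') or ea3_downgrade_is_possible();
    my $rawopts_dir = '/var/cpanel/easy/apache/rawopts';
    return unless -d $rawopts_dir;
    # -d above does not guarantee opendir succeeds (permissions, race);
    # unchecked, a failed opendir made readdir warn on an invalid handle.
    opendir( my $dir_fh, $rawopts_dir ) or return;
    my @dir_contents = grep { !/^\.\.?$/ } readdir $dir_fh;
    closedir $dir_fh;
    return unless @dir_contents;
    print_warn('EA3 Rawopts Detected: ');
    print_warning('check /var/cpanel/easy/apache/rawopts !');
}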
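sub check_for_rawenv {
    # Warn when the EasyApache 3 rawenv directory contains any entries.
    # Only relevant on EA3, or where a downgrade to EA3 is still possible.
    return unless i_am('ea3') or ea3_downgrade_is_possible();
    my $rawenv_dir = '/var/cpanel/easy/apache/rawenv';
    return unless -d $rawenv_dir;
    # -d above does not guarantee opendir succeeds (permissions, race);
    # unchecked, a failed opendir made readdir warn on an invalid handle.
    opendir( my $dir_fh, $rawenv_dir ) or return;
    my @dir_contents = grep { !/^\.\.?$/ } readdir $dir_fh;
    closedir $dir_fh;
    return unless @dir_contents;
    print_warn('EA3 Rawenv detected: ');
    print_warning('check /var/cpanel/easy/apache/rawenv !');
}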
sub check_for_custom_opt_mods {
    # List the custom EasyApache 3 opt mods found under
    # /var/cpanel/easy/apache/custom_opt_mods (as paths relative to that
    # directory), or just say "many" when more than ten are present.
    return unless i_am('ea3') or ea3_downgrade_is_possible();
    my $dir = '/var/cpanel/easy/apache/custom_opt_mods';
    return unless -d $dir;
    my @custom_opt_mods;    # items in /var/cpanel/easy/apache/custom_opt_mods/
    find(
        sub {
            # ignore these, Attracta:
            # /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/ModFastInclude.pm
            # /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/ModFastInclude.pm.tar.gz
            my $path = $File::Find::name;
            return unless -f $path;
            return if $path =~ m{ /ModFastInclude\.pm(.*) }xms;
            $path =~ s#/var/cpanel/easy/apache/custom_opt_mods/##;
            push @custom_opt_mods, $path;
        },
        $dir
    );
    return unless @custom_opt_mods;
    print_warn("EA3 $dir: ");
    if ( @custom_opt_mods > 10 ) {
        print_warning('many custom opt mods exist, check manually');
    }
    else {
        # every entry is followed by a single space, including the last one
        print_warning( join( ' ', @custom_opt_mods ) . ' ' );
    }
}
sub check_for_local_templates {
    # Warn about customized (*.local) service templates in the cPanel Apache
    # and Dovecot template directories.
    return unless i_am('cpanel');
    my @templatedirs = qw(
      /var/cpanel/templates/apache2_4
      /var/cpanel/templates/apache2_2
      /var/cpanel/templates/apache2_0
      /var/cpanel/templates/apache2
      /var/cpanel/templates/apache1_3
      /var/cpanel/templates/apache1
      /var/cpanel/templates/dovecot2.2
      /var/cpanel/templates/dovecotSNI
    );    # Order is somewhat important above for cosmetic reasons, due to symlinks
    # Canonicalize symlinks so we only check a real path once, but store
    # original name for printing (a later directory resolving to the same
    # real path replaces the stored name).
    my %name_of;    # real path => directory name to print
    for my $templatedir (@templatedirs) {
        next unless -d $templatedir;
        $name_of{ abs_path($templatedir) } = $templatedir;
    }
    for my $real_dir ( sort keys %name_of ) {
        my @entries;
        if ( opendir( my $dir_fh, $real_dir ) ) {
            @entries = readdir $dir_fh;
            closedir $dir_fh;
        }
        my @local_templates = grep { m{ \.local \z }xms } @entries;
        next unless @local_templates;
        print_warn( 'Custom templates (' . $name_of{$real_dir} . '): ' );
        print_warning( join( '', map { " $_" } @local_templates ) );
    }
}
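sub check_for_missing_account_suspensions_conf {
    # When account_suspensions.conf exists, make sure every customized Apache
    # main template (*.local) still carries an Include line for it; a
    # template without it presumably drops the include from the generated
    # httpd.conf.  The predefined "WEBSERVER - Suspensions Template Update"
    # reply covers the fix.
    return unless i_am('cpanel');
    my @templates;
    if ( i_am('ea4') ) {
        return unless -f '/etc/apache2/conf.d/includes/account_suspensions.conf';
        @templates = qw(
          /var/cpanel/templates/apache2_4/ea4_main.local
        );
    }
    elsif ( i_am('ea3') ) {
        return unless -f '/usr/local/apache/conf/includes/account_suspensions.conf';
        @templates = qw(
          /var/cpanel/templates/apache2_4/main.local
          /var/cpanel/templates/apache2_2/main.local
          /var/cpanel/templates/apache2_0/main.local
          /var/cpanel/templates/apache2/main.local
          /var/cpanel/templates/apache1_3/main.local
          /var/cpanel/templates/apache1/main.local
        );    # Order is somewhat important above for cosmetic reasons, due to symlinks
    }
    else {
        return;
    }
    # Canonicalize symlinks so we only check a real path once, but store
    # original name for printing (a later template resolving to the same
    # real path replaces the stored name).
    my %name_of;    # real path => template name to print
    for my $template (@templates) {
        next unless -f $template;
        $name_of{ abs_path($template) } = $template;
    }
    # Iterate in sorted order so the report is deterministic from run to run
    # (a bare keys() walk would print the templates in hash order).
    for my $real_path ( sort keys %name_of ) {
        my $has_include = 0;
        if ( open my $template_fh, '<', $real_path ) {
            while ( my $line = <$template_fh> ) {
                # Only an uncommented Include line counts (\A \s* Include).
                # The dot is escaped so "account_suspensions.conf" is matched
                # literally rather than with "." as a wildcard.
                if ( $line =~ m{ \A \s* Include .+ account_suspensions\.conf }x ) {
                    $has_include = 1;
                    last;
                }
            }
            close $template_fh;
        }
        next if $has_include;
        print_warn("Custom templates: ");
        print_warning( $name_of{$real_path} . " is missing include for account_suspensions.conf!\n\t\\_ Use predefined \"WEBSERVER - Suspensions Template Update\"" );
    }
}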
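sub check_for_custom_apache_includes {
    # List the non-empty custom Apache include files in the EA3/EA4 includes
    # directory.  pre_virtualhost_global.conf is skipped when its md5sum
    # matches the known default content, so only a modified copy is reported.
    return unless i_am('cpanel');
    my $include_dir = i_am('ea4') ? '/etc/apache2/conf.d/includes' : '/usr/local/apache/conf/includes';
    return unless -d $include_dir;
    my @includes = qw(
      post_virtualhost_1.conf
      post_virtualhost_2.conf
      post_virtualhost_global.conf
      pre_main_1.conf
      pre_main_2.conf
      pre_main_global.conf
      pre_virtualhost_1.conf
      pre_virtualhost_2.conf
      pre_virtualhost_global.conf
    );
    # md5sum of pre_virtualhost_global.conf as shipped (presumably the
    # unmodified default); a file with this checksum is not "custom".
    my $default_pre_vhost_global_md5 = '1693b9075fa54ede224bfeb8ad42a182';
    my @custom;
    for my $include (@includes) {
        my $path = "${include_dir}/${include}";
        next unless -s $path;
        if ( $include eq 'pre_virtualhost_global.conf' ) {
            # Use the same separator-joined path as the -s test above:
            # "$include_dir . $include" (no slash) points md5sum at a
            # non-existent file, so the default copy would always be reported.
            my $md5 = timed_run( 0, 'md5sum', $path );
            next if $md5 && $md5 =~ m{ \A \Q$default_pre_vhost_global_md5\E \s }xms;
        }
        push @custom, "[$include]";
    }
    return unless @custom;
    print_warn( 'Apache Includes [' . $include_dir . ']:' );
    print_warning( join( '', map { " $_" } @custom ) );
}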
sub check_for_tomcatoptions {
    # Warn when /var/cpanel/tomcat.options exists with content other than the
    # known "-Xss2m" default (recognized by its md5sum).
    return unless i_am('cpanel');
    my $tomcat_options = '/var/cpanel/tomcat.options';
    return unless -f $tomcat_options;
    return if -z $tomcat_options;
    my $md5 = timed_run( 0, 'md5sum', $tomcat_options );
    return if $md5 && $md5 =~ m{ \A 0cb9b170cbb81795c2669f8ebf08d0dd \s }xms;    ## -Xss2m
    print_warn('Tomcat options: ');
    print_warning("$tomcat_options exists");
}
sub check_for_sneaky_htaccess {
    # Look for non-empty .htaccess files in / and the usual /home* parents.
    # An .htaccess above the document roots is inherited by every site below
    # it (where AllowOverride permits), so one here affects all accounts.
    return unless i_am('cpanel');
    ## this is lazy checking. ideally we'd check HOMEMATCH from wwwacct.conf and go from there.
    ## but then, nothing guarantees the current HOMEMATCH has always been the same, either.
    my @dirs  = qw( / /home/ /home2/ /home3/ /home4/ /home5/ /home6/ /home7/ /home8/ /home9/ );
    my @found = grep { -f $_ and not -z $_ } map { $_ . '.htaccess' } @dirs;
    return unless @found;
    print_warn('Sneaky .htaccess file(s) found: ');
    print_warning( join( '', map { "$_ " } @found ) );
}
sub check_ea4_paths_conf {
    # Validate /etc/cpanel/ea4/paths.conf: it has to be a regular, non-empty
    # text file, and each setting is compared against the defaults shipped by
    # ea-apache24-config-runtime.  Non-default values, missing defaults and
    # unknown keys are each reported separately.
    return unless i_am('ea4');
    my $paths_conf = '/etc/cpanel/ea4/paths.conf';
    lstat($paths_conf);    # Can now use _ for file tests.
    # lstat does not follow symlinks, so a symlinked paths.conf fails the -f
    # test below and is reported as "not a normal file".
    if ( !-e _ ) {
        print_warn('EA4: ');
        print_warning('/etc/cpanel/ea4/paths.conf is missing!');
        return;
    }
    if ( !-f _ ) {
        print_warn('EA4: ');
        print_warning('/etc/cpanel/ea4/paths.conf is not a normal file!');
        return;
    }
    if ( -z _ ) {
        print_warn('EA4: ');
        print_warning('/etc/cpanel/ea4/paths.conf is empty!');
        return;
    }
    if ( !-T _ ) {
        print_warn('EA4: ');
        print_warning('/etc/cpanel/ea4/paths.conf does not appear to be an ASCII text file!');
        return;
    }
    my $unknown_count;    # keys present in paths.conf that have no default
    my %conf;             # key => value as parsed from paths.conf
    my %default_conf = (    # From ea-apache24-config-runtime-1.0-81.81.4.cpanel.noarch
        'bin_apachectl'        => '/usr/sbin/apachectl',
        'bin_httpd'            => '/usr/sbin/httpd',
        'bin_suexec'           => '/usr/sbin/suexec',
        'dir_base'             => '/etc/apache2',
        'dir_conf'             => '/etc/apache2/conf.d',
        'dir_conf_includes'    => '/etc/apache2/conf.d/includes',
        'dir_conf_userdata'    => '/etc/apache2/conf.d/userdata',
        'dir_docroot'          => '/var/www/html',
        'dir_domlogs'          => '/etc/apache2/logs/domlogs',
        'dir_logs'             => '/etc/apache2/logs',
        'dir_modules'          => '/etc/apache2/modules',
        'dir_run'              => '/run/apache2',
        'file_access_log'      => '/etc/apache2/logs/access_log',
        'file_conf'            => '/etc/apache2/conf/httpd.conf',
        'file_conf_mime_types' => '/etc/apache2/conf/mime.types',
        'file_conf_php_conf'   => '/etc/apache2/conf.d/php.conf',
        'file_conf_srm_conf'   => '/etc/apache2/conf.d/srm.conf',
        'file_error_log'       => '/etc/apache2/logs/error_log',
    );
    # OS releases before 7.0 and Amazon Linux use /var/run for the run directory.
    if ( os_version_is(qw( < 7.0 )) or i_am('amazon') ) {
        $default_conf{'dir_run'} = '/var/run/apache2';
    }
    if ( open my $conf_fh, '<', $paths_conf ) {
        while (<$conf_fh>) {
            next if /^(#|$)/;    # skip comments and blank lines
            # "key = value" with optional surrounding whitespace; the value may
            # not contain '$'.  Mirrors the cPanel loader referenced below.
            if (m{ \A \s* ([^=]+?) \s* = \s* ([^\$]*?) \Z }x) {    # Cpanel::Config::LoadConfig::loadConfig( $path, $conf, '\s*=\s*', undef, '^\s*' );
                $conf{$1} = $2;
            }
        }
        close $conf_fh;
        if ( !scalar keys %conf ) {
            print_warn('EA4: ');
            print_warning('/etc/cpanel/ea4/paths.conf does not appear to contain any valid configuration!');
            return;
        }
        # Pass 1: settings present in the file -- count unknown keys, report
        # values that differ from the default.
        foreach my $key ( sort keys %conf ) {
            if ( !exists $default_conf{$key} ) {    # EA4 appears to ignore any unknown options, but count them.
                $unknown_count++;
                next;
            }
            if ( $default_conf{$key} ne $conf{$key} ) {
                print_warn('EA4: ');
                print_warning( '/etc/cpanel/ea4/paths.conf non-default setting: [ ' . $key . '=' . $conf{$key} . ' ]' );
            }
        }
        # Pass 2: defaults with no entry in the file at all.
        foreach my $key ( sort keys %default_conf ) {
            next if exists $conf{$key};
            print_warn('EA4: ');
            print_warning( '/etc/cpanel/ea4/paths.conf missing default setting: [ ' . $key . ' ]' );
        }
        if ($unknown_count) {
            print_warn('EA4: ');
            print_warning( '/etc/cpanel/ea4/paths.conf contains ' . $unknown_count . ' unknown configuration setting(s)!' );
        }
    }
}
sub check_apache_modules {
    # Report loaded Apache modules that are known to cause trouble -- and the
    # one module (headers_module) whose *absence* is the problem -- with a
    # note per module explaining the concern.  Several notes are only added
    # when the environment makes them relevant: Apache version, other loaded
    # modules, EA4 and its default PHP handler, ModSecurity, the Jail Apache
    # tweak, CloudLinux and LiteSpeed.
    return unless i_am('cpanel');
    my $installed_modules = get_apache_modules_href();
    return unless scalar keys %{$installed_modules};
    my $apache_version = get_apache_version();
    my ( $lsws_full_version, $lsws_numeric_version ) = @{ get_lsws_version_aref() };
    # Example: 'foo_module' => { help => [ 'Some help text.' ], check_missing => 1 }
    # or: push @{ $check{'foo_module'}{'help'} }, 'More help text.';
    # Set check_missing => 1 to report missing instead of installed module
    my %check = (
        'evasive20_module' => { help => ['Can result in random 403s. Check /var/log/apache2/mod_evasive/ if relevant.'] },
        'evasive24_module' => { help => ['Can result in random 403s. Check /var/log/apache2/mod_evasive/ if relevant.'] },
        'headers_module'   => { help => ['May cause proxy subdomains to redirect infinitely, see CPANEL-12707.'], check_missing => 1 },
        'hive_module'      => { help => ['Third-party - 1H Hive. Not supported.'] },
        'lua_module'       => { help => ['Experimental. Potential security issues in shared hosting environments.'] },
        'rpaf_module'      => { help => ['May prevent mod_http2 from working -- see 8772327. May prevent .htaccess from denying access -- see 4422297.'] },
        'spdy_module'      => { help => ['May break proxy subdomains. See 4973361.'] },
    );
    # Append a note for $mod, creating its %check entry on first use; a true
    # third argument switches the module into check_missing mode.
    my $add = sub {
        my ( $mod, $text, $check_missing ) = @_;
        push @{ $check{$mod}{'help'} }, $text;
        $check{$mod}{'check_missing'} = 1 if $check_missing;
    };
    # Conditional notes, in order: exact Apache version, module conflicts
    # with userdir_module, LiteSpeed coexistence, EA4-only concerns.
    $add->( 'http2_module',   'Causes segfaults in Apache 2.4.25, see EAL-3153.' ) if version_compare( $apache_version, qw ( == 2.4.25 ) );
    $add->( 'userdir_module', 'Does not work with passenger_module.' )             if defined $installed_modules->{'passenger_module'};
    $add->( 'userdir_module', 'Does not work with ruid2_module.' )                 if defined $installed_modules->{'ruid2_module'};
    $add->( 'userdir_module', 'Does not work with mpm_itk_module.' )               if defined $installed_modules->{'mpm_itk_module'};
    $add->( 'ruid2_module',   'Can cause file permission problems when using LiteSpeed Web Server (see ticket 5154193)' ) if $lsws_full_version;
    if ( i_am('ea4') ) {
        $add->( 'fcgid_module',   'Has many caveats, see https://documentation.cpanel.net/display/EA4/Apache+Module%3A+FCGId' );
        $add->( 'userdir_module', 'Will not execute PHP scripts via PHP-FPM.' );
        # The default EA4 PHP version's handler decides whether the CGI note applies.
        my $ea4_php = get_installed_ea4_php_href();
        if ( defined($ea4_php) && defined( $ea4_php->{default} ) && defined( $ea4_php->{ $ea4_php->{default} }->{handler} ) && $ea4_php->{ $ea4_php->{default} }->{handler} eq "cgi" ) {
            $add->( 'userdir_module', 'Will not execute PHP scripts via CGI handler.' );
        }
    }
    # ModSecurity (either generation) conflicts with the per-user MPM/ruid2 setups.
    if ( defined $installed_modules->{'security_module'} or defined $installed_modules->{'security2_module'} ) {
        $add->( 'mpm_itk_module', 'Incompatible with ModSecurity SecDataDir (collections) until EA-4093 is resolved.' );
        $add->( 'ruid2_module',   'Incompatible with ModSecurity SecDataDir (collections) until EA-4093 is resolved.' );
    }
    # Jail Apache Virtual Hosts tweak (cpanel.config jailapache=1).
    if ( defined $CPCONF{'jailapache'} && $CPCONF{'jailapache'} == 1 ) {
        $add->( 'ruid2_module', 'Enabled with Jail Apache Virtual Hosts tweak. This can break some Mailman URLs. See CPANEL-9501 and CPANEL-18127.' );
        my $ea3_php = get_ea3_php_conf_href();
        if ( defined $ea3_php and defined $ea3_php->{'php5handler'} and $ea3_php->{'php5handler'} eq 'suphp' ) {
            $add->( 'ruid2_module', 'Enabled with Jail Apache Virtual Hosts tweak and suPHP handler, these are NOT COMPATIBLE, see FB-70561, FB-105901.' );
        }
    }
    if ( i_am('cloudlinux') ) {
        $add->( 'mpm_itk_module', 'CloudLinux LVE memory limits not imposed on Apache processes, and not compatible with PHP Selector - https://docs.cloudlinux.com/index.html?compatiblity_matrix.html' );
        $add->( 'ruid2_module',   'CloudLinux LVE memory limits not imposed on Apache processes, and not compatible with PHP Selector - https://docs.cloudlinux.com/index.html?compatiblity_matrix.html' );
    }
    # Report.  When a module has several notes, each continuation line is
    # indented by 23 + length(module) columns; presumably this aligns it
    # under the first note after the 'Apache: ' label -- TODO confirm
    # against print_warn's prefix width.
    for my $module ( sort keys %check ) {
        my $help_text = join( "\n" . ' ' x ( length($module) + 23 ) . '\_ - ', @{ $check{$module}{'help'} } );
        if ( defined $check{$module}{'check_missing'} and not defined $installed_modules->{$module} ) {
            print_warn('Apache: ');
            print_warning( 'Missing ' . $module . ' - ' . $help_text );
        }
        if ( not defined $check{$module}{'check_missing'} and defined $installed_modules->{$module} ) {
            print_warn('Apache: ');
            print_warning( ' Loaded ' . $module . ' - ' . $help_text );
        }
    }
}
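sub check_apache_niceness {
    # Warn when the root "httpd -k ..." process has a non-zero nice value or
    # an ionice class/priority outside the accepted defaults, and point at
    # CPANEL-20037 when the values are the ones that issue leaves behind.
    my $httpd_bin = find_httpd_bin();
    return unless $httpd_bin;
    # \Q...\E: the binary path is matched literally, not as a pattern.
    my %procs = grep_process_cmd( qr{ \Q$httpd_bin\E \s+ \-k }xms, 'root' );
    return unless %procs;
    # Only the first matching process (in string-sorted pid order) is inspected.
    my ($pid) = sort keys %procs;
    my $apache_nice   = $procs{$pid}->{'NICE'};
    my $apache_ionice = timed_run( 0, 'ionice', '-p', $pid );
    chomp $apache_ionice;

    my $cp20037_nice       = '18';
    my $cp20037_bw_ionice  = defined $CPCONF{'ionice_bandwidth_processing'} ? $CPCONF{'ionice_bandwidth_processing'} : '6';
    my $cp20037_log_ionice = defined $CPCONF{'ionice_log_processing'}       ? $CPCONF{'ionice_log_processing'}       : '7';
    # The two priorities come from cpanel.config, so they are quoted with
    # \Q...\E rather than interpolated raw into the pattern.
    my $cp20037_ionice_regex = qr{ \A best-effort: \s prio \s (?: \Q$cp20037_bw_ionice\E | \Q$cp20037_log_ionice\E ) \Z }xms;
    my $cp20037info = ' - See CPANEL-20037 for a possible cause.';    # Make the text conditional on build version after CPANEL-20037 is published

    if ($apache_nice) {    # Anything other than 0
        print_warn('Apache: ');
        print_warning( 'has unexpected nice value [ ' . $apache_nice . ' ] - May result in Apache performance issues' . ( $apache_nice eq $cp20037_nice ? $cp20037info : '' ) );
    }
    # "none: prio 0", "unknown: prio 0", "none: prio 4", "unknown: prio 4" all acceptable
    if ( $apache_ionice and not $apache_ionice =~ m{ \A (?:none|unknown): \s prio \s [04] \Z }xms ) {
        print_warn('Apache: ');
        print_warning( 'has unexpected ionice value [ ' . $apache_ionice . ' ] - May result in Apache performance issues' . ( $apache_ionice =~ $cp20037_ionice_regex ? $cp20037info : '' ) );
    }
}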
sub check_perl_sanity {
    # Sanity-check the two perl locations a cPanel server relies on:
    # /usr/bin/perl must exist, the two paths should not both be symlinks
    # (to symlinks) nor both be real binaries, and any real binary must be
    # mode 755 - anything else (including setuid/setgid/sticky bits, which
    # the 7777 mask keeps) is warned about. Only runs when i_am('cpanel').
    # Reports via print_warn()/print_warning() and returns nothing.
    return unless i_am('cpanel');

    my @perl_paths = ( '/usr/bin/perl', '/usr/local/bin/perl' );
    my ( $system_perl, $local_perl ) = @perl_paths;

    if ( not -e $system_perl ) {
        print_warn('perl: ');
        print_warning("$system_perl does not exist!");
    }

    if ( -l $system_perl && -l $local_perl ) {
        my $system_target = readlink $system_perl;
        my $local_target  = readlink $local_perl;
        # NOTE(review): this tests the link *targets* for being symlinks, so the
        # warning only fires for a symlink-to-symlink chain; a relative target
        # is also tested relative to the current directory rather than the
        # link's directory. Behavior kept as-is - confirm the intent before changing.
        if ( -l $system_target && -l $local_target ) {
            print_warn('perl: ');
            print_warning("$system_perl and $local_perl are both symlinks!");
        }
    }

    ## a symlink will test true for both -x AND -l, so exclude links explicitly
    my @real_binaries = grep { -x $_ && !-l $_ } @perl_paths;

    if ( @real_binaries == 2 ) {
        print_warn('perl: ');
        print_warning("$system_perl and $local_perl are both binaries!");
    }

    # Permission bits of each real binary, rendered in octal (no leading zero).
    for my $binary (@real_binaries) {
        my $perm_bits = ( stat($binary) )[2] & oct(7777);
        my $mode      = sprintf '%lo', $perm_bits;
        if ( $mode ne '755' ) {
            print_warn('Perl Permissions: ');
            print_warning("$binary is $mode");
        }
    }
    return;
}
sub check_for_non_default_permissions {
my $timeout = $OPT_TIMEOUT ? $OPT_TIMEOUT : 10; # This only applies to the recursive loop.
my $hostinfo = get_hostinfo_href();
# Example: '/path' => { mode => ['0755','0555',...], user => 'root', group => 'root', perms_help => 'Additional info if mode/user/group incorrect', attr_check => [ 'IMMUTABLE' ], attr_recursive => 1, attr_help => 'Additional info if immutable/append-only/etc', symlink => '/path', symlink_no_absolute => 1, check_missing => 1 },
# Attributes are always checked, mode is only checked if specified.
# User is always checked if mode is specified, which defaults to 'root'.
# A '*' can be used to specify any user or group is allowed.
# Only symlink ownership can be verified, not its mode.
# attr_recursive only works on directories, default is 0 (do not recurse).
# attr_check is optional, default is to check all of IMMUTABLE, APPEND-ONLY, UNDELETABLE.
# symlink_no_absolute defines whether the absolute target path of a symlink will be computed before comparing. Default behavior is to resolve the absolute target path. Enabling this option allows you to compare a symlink at face-value.
# check_missing causes a missing object to be reported
# tidyoff
my %check = (
'/' => { mode => [ '0755', '0555' ], perms_help => '.ftpquota issues? see ticket 4429843', attr_help => 'This can break EA. See ticket 4929961' },
'/bin/bash' => { mode => ['0755'] },
'/bin/gtar' => { symlink => 'tar', symlink_no_absolute => 1, perms_help => 'May prevent creating backups via cPanel UI if users can not use this.' },
'/bin/gzip' => { mode => ['755'], perms_help => 'May prevent creating backups via cPanel UI if users can not use this.' },
'/bin/ln' => { mode => [ '0755', '0555' ] },
'/bin/rm' => { mode => [ '0755', '0555' ], perms_help => 'File Manager unable to delete files? This may be why.' },
'/bin/tar' => { mode => ['755'], perms_help => 'May prevent creating backups via cPanel UI if users can not use this.' },
'/dev' => { mode => ['0755'], perms_help => 'Breaks many things if non-root users can\'t access this.' },
'/dev/log' => { mode => ['0666'], perms_help => 'CSF RESTRICT_SYSLOG can change this. See ticket 4875833. Non-root users may not be able to log to syslog, including user cron jobs to /var/log/cron.' },
'/dev/null' => { mode => ['0666'], perms_help => 'Breaks many things if non-root users can\'t write to this.' },
'/dev/random' => { mode => [ '0666', '0664', '0644', '0444' ], perms_help => 'Breaks many things if non-root users can\'t read this.' },
'/dev/stderr' => { symlink => '/proc/self/fd/2', symlink_no_absolute => 1, check_missing => 1 },
'/dev/stdin' => { symlink => '/proc/self/fd/0', symlink_no_absolute => 1, check_missing => 1 },
'/dev/stdout' => { symlink => '/proc/self/fd/1', symlink_no_absolute => 1, check_missing => 1 },
'/dev/urandom' => { mode => [ '0666', '0664', '0644', '0444' ], perms_help => 'Breaks many things if non-root users can\'t read this.' },
'/etc' => { mode => ['0755'] },
'/etc/aliases' => { mode => ['0644'] },
'/etc/fstab' => { mode => ['0644'], check_missing => 1, perms_help => 'Missing fstab can break /scripts/fixquotas (CPANEL-6082), and bad perms can break cPanel UI (CPANEL-11201).' },
'/etc/group' => { mode => ['0644'] },
'/etc/hosts' => { mode => ['0644'] },
'/etc/localaliases' => { mode => ['0644'] },
'/etc/nsswitch.conf' => { mode => ['0644'] },
'/etc/passwd' => { mode => ['0644'] },
'/etc/shadow' => { mode => [ '0600', '0400', '0200', '0000' ] },
'/opt' => { mode => ['0755'] },
'/proc' => { mode => ['0555'], perms_help => 'If users cannot read /proc/mounts it can break cPanel quota reporting.' },
'/sbin/ifconfig' => { mode => [ '0755', '0555' ] },
'/tmp' => { mode => ['1777'] },
'/usr' => { mode => ['0755'] },
'/usr/bin' => { mode => [ '0755', '0711', '0555' ] },
'/usr/bin/crontab' => { mode => [ '6755', '4755', '4711', '4555', '4511' ] },
'/usr/bin/passwd' => { mode => [ '6755', '4755', '4711', '4555', '4511' ] },
'/usr/bin/screen' => { mode => ['2755'], group => 'screen', perms_help => 'Screen doesn\'t work? Run "rpm --setugids screen && rpm --setperms screen" to fix.' },
'/usr/local' => { mode => ['0755'] },
'/usr/local/bin' => { mode => [ '0755', '0711', '0555' ] },
'/usr/local/sbin' => { mode => [ '0755', '0711', '0555' ] },
'/usr/sbin' => { mode => [ '0755', '0711', '0555' ] },
'/usr/sbin/exim' => { mode => ['4755'] },
'/usr/share' => { mode => ['0755'] },
'/usr/share/zoneinfo' => { mode => ['0755'] },
'/var' => { mode => ['0755'] },
'/var/lib' => { mode => ['0755'] },
'/var/lib/mysql' => { mode => ['0751'], user => 'mysql', group => 'mysql' },
'/var/lib/mysql/mysql.sock' => { mode => ['0777'], user => 'mysql', group => 'mysql' },
'/var/log' => { mode => [ '0755', '0751', '0711' ], perms_help => 'If non-root users cannot write to log files it can cause service failure' },
);
if ( i_am_one_of( 'cpanel', 'dnsonly' ) ) {
%check = (
%check,
'/scripts' => { symlink => '/usr/local/cpanel/scripts', check_missing => 1 },
'/usr/local/cpanel' => { mode => ['0711'] },
$CPANEL_LICENSE_FILE => { mode => ['0644'] },
'/usr/local/cpanel/cpsanitycheck.so' => { mode => ['0754'] },
'/usr/local/cpanel/logs/cphulkd.log' => { attr_check => [ 'IMMUTABLE', 'UNDELETABLE' ] },
'/usr/local/cpanel/logs/cphulkd_errors.log' => { attr_check => [ 'IMMUTABLE', 'UNDELETABLE' ] },
'/usr/local/cpanel/logs/dnsadmin_log' => { attr_check => [ 'IMMUTABLE', 'UNDELETABLE' ] },
'/usr/local/cpanel/logs/error_log' => { attr_check => [ 'IMMUTABLE', 'UNDELETABLE' ] },
'/usr/local/cpanel/logs/queueprocd.log' => { attr_check => [ 'IMMUTABLE', 'UNDELETABLE' ] },
'/usr/local/cpanel/logs/tailwatchd_log' => { attr_check => [ 'IMMUTABLE', 'UNDELETABLE' ] },
'/var/cpanel/analytics/system_id' => { attr_check => [ 'APPEND-ONLY', 'UNDELETABLE' ] },
'/var/cpanel/config' => { mode => ['0755'] },
$CPANEL_CONFIG_FILE => { mode => ['0644'] },
'/var/cpanel/datastore' => { mode => ['0755'], perms_help => 'Users must be able to read some of the datastore contents for cPanel UI usage stats.' },
);
}
if ( i_am('cpanel') ) {
%check = (
%check,
'/bin/passwd' => { symlink => '/usr/local/cpanel/bin/jail_safe_passwd' },
'/etc/backupmxhosts' => { mode => ['0640'], group => 'mail' },
'/etc/cpbackup.conf' => { mode => ['0644'] },
'/etc/dbowners' => { mode => ['0640'], group => 'mail' },
'/etc/demodomains' => { mode => ['0640'], group => 'mail' },
'/etc/demouids' => { mode => ['0640'], group