# -*- coding: utf-8 -*-
#
# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2025 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENCE.TXT
#
"""Library functions for executing commands inside CageFS for a site."""
import os
import pwd
import subprocess
from pathlib import Path
from typing import List
from clcommon import cpapi
from .jail_utils import get_website_id, get_user_var_cagefs_path
def enter_site(site: str, command: List[str]) -> int:
"""
Execute a command inside CageFS for a site (document root or domain).
User only! Inside cagefs only!
:site:
Document root or domain name
:command:
Command and arguments to execute
Returns:
int: Exit code from the executed command
Raises:
ValueError: If site cannot be resolved or isolation is not configured
"""
# Resolve site to document root
document_root = site
if not document_root.startswith("/"):
try:
document_root = cpapi.docroot(site)[0]
except cpapi.cpapiexceptions.NoDomain:
raise ValueError(f"Domain {site} not found")
if not os.path.exists(document_root):
raise ValueError(f"Document root {document_root} does not exist")
docroot_md5 = get_website_id(document_root)
inside_cagefs_path = Path("/var/.cagefs/")
if inside_cagefs_path.exists():
# we are inside cagefs -> call proxyexec wrapper
website_token_path = inside_cagefs_path / f"website/{docroot_md5}/.cagefs.token"
if not website_token_path.exists():
raise ValueError(f"Website {site} not found or isolation is not enabled")
return subprocess.call(
["/bin/cagefs_enter.proxied", *command],
env={**os.environ, "WEBSITE_TOKEN_PATH": website_token_path},
)
else:
# we are outside cagefs -> a bit different path to token
jail_path = Path(get_user_var_cagefs_path(pwd.getpwuid(os.getuid()).pw_name))
website_token_path = jail_path / f".cagefs/website/{docroot_md5}/.cagefs.token"
return subprocess.call(
["/bin/cagefs_enter", *command],
env={**os.environ, "WEBSITE_TOKEN_PATH": website_token_path},
)
|