1#@!#!123s

: / opt / cloudlinux / venv / lib / python3.11 / site-packages / clcagefslib / webisolation / crontab /
Filename : utils.py
back
# -*- coding: utf-8 -*-
#
# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2025 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENCE.TXT
#
"""Utility functions for crontab operations."""

import os
import pwd

from clcommon.cpapi import userdomains

from .constants import DOCUMENT_ROOT_ENV


def get_document_root() -> str | None:
    """
    Get the document root from environment variable.

    When PROXYEXEC_DOCUMENT_ROOT is set, validate that it is one of the
    calling user's real document roots — defence in depth against a user
    invoking the wrapper directly with a forged value.

    Returns:
        Optional[str]: The document root path if PROXYEXEC_DOCUMENT_ROOT is set,
                       None otherwise.

    Raises:
        ValueError: If PROXYEXEC_DOCUMENT_ROOT is set but does not appear in
                    the calling user's docroot list.
    """
    document_root = os.environ.get(DOCUMENT_ROOT_ENV)
    if document_root is None:
        return None
    
    # normally this logic is called under user
    uid = os.getuid()
    if uid == 0:
        return document_root

    username = pwd.getpwuid(uid).pw_name
    user_docroots = {docroot for _, docroot in userdomains(username)}

    if document_root not in user_docroots:
        raise ValueError(
            f"Document root path {document_root!r} is not found for user"
        )

    return document_root