File: //opt/cloudlinux/venv/lib/python3.11/site-packages/clcagefslib/webisolation/crontab/utils.py
# -*- coding: utf-8 -*-
#
# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2025 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENCE.TXT
#
"""Utility functions for crontab operations."""

import os
import pwd

from clcommon.cpapi import userdomains

from .constants import DOCUMENT_ROOT_ENV


def get_document_root() -> str | None:
    """
    Return the caller-supplied document root after checking it is theirs.

    The value is read from the environment variable named by
    DOCUMENT_ROOT_ENV (PROXYEXEC_DOCUMENT_ROOT). The environment is
    controlled by whoever starts the process, so for a non-root caller the
    value is accepted only if it is one of the docroots that
    ``userdomains()`` reports for that account. This is defence in depth
    against a user invoking the wrapper directly with a forged value.

    The membership test is an exact string comparison: no normalisation
    (trailing slash, ``..``, symlink resolution) is applied, so any
    spelling that differs from the stored docroot is rejected.

    Returns:
        str | None: The document root if the variable is set and accepted,
                    None if the variable is not set.

    Raises:
        ValueError: If the variable is set but its value is not among the
                    calling user's docroots.
        KeyError: Propagated from ``pwd.getpwuid`` when the calling uid has
                  no passwd entry.
    """
    document_root = os.environ.get(DOCUMENT_ROOT_ENV)
    if document_root is None:
        return None

    caller_uid = os.getuid()
    # Validation applies to unprivileged callers only; the value is
    # returned unchecked when running as root (uid 0), which is not the
    # normal way this code is invoked.
    if caller_uid != 0:
        account = pwd.getpwuid(caller_uid).pw_name
        # userdomains() yields pairs; only the second element (the docroot)
        # is used here — presumably the first is the domain name.
        owned_roots = set(root for _domain, root in userdomains(account))
        if document_root not in owned_roots:
            raise ValueError(
                f"Document root path {document_root!r} is not found for user"
            )

    return document_root