In Progress CPANEL-42578 - API or Doc bug with setacls (possible security repercussion)

cPanel & WHM Version: 108

malex
Member
cPanel Access Level: Root Administrator
Hi,

I was developing something where I needed to use the setacls function and I came across a bug in the API, or something that is not clear in the documentation, with a possible security repercussion.

In my development process, I wasn't sure whether the setacls function was resetting old permissions when setting new ones.
So I had the idea to set acl-all=0 to force disabling everything and then set what I wanted.
That is how I discovered that when calling the API with acl-all=0 it was acting like acl-all=1. The value seems to be ignored; it's just the existence of acl-all that seems relevant.

Long story short, I think it's a problem. Either a bug in the API, or something that's not clear enough in the documentation; I wasn't expecting that.

Steps to reproduce: just create a reseller user and try calling the API with something like this:

https://your.cpanel.server:2087/json-api/setacls?api.version=1&reseller=RESELLER_USER&acl-all=0&acl-acct-summary=1

You will see that it acts as if acl-all=1.

Another thing: please speed up the documentation website. It's slow most of the time, and it's a nightmare to work with.
I keep referring to the old doc (which is also slow), but at least I find what I want quicker. I'm not a big fan of the new doc. A newcomer will be lost.

cPRex
Jurassic Moderator, Staff member
cPanel Access Level: Root Administrator
Hey there! I'm not able to reproduce any slowness on the cPanel API site (cPanel & WHM Developer Portal) so I can't offer much for that issue on my end.

As far as the API call, I can confirm the command you provided gives the following output:

Code:
{"metadata":{"version":1,"result":1,"reason":"OK","command":"setacls"},"data":{"acl":["all","acct-summary"]}}
but when I check WHM >> Reseller Center and examine the permissions on that account, I don't see that any additional permissions have been applied.

Since that is the case, it looks like this is just an issue with the output of that command. I went ahead and created CPANEL-42578 so our developers can look into this issue, and I'll be sure to post any updates I receive about that case here.
malex
Hi,

I tried again and I was able to reproduce it with the CLI version. Maybe my server is fucked (it's my dev server), but I did a clean install not long ago, so it's unlikely.

I created a new user using createacct and set it to reseller directly. It was done in PHP using something like this:

Code:
<?php
// $whm is an instance of the WHM API client used by the poster; the client
// library itself is not shown in the post. Host and token are redacted.
$acctResp = $whm
    ->setServer('cheeseburger.XXXXX.eu')
    ->setCredentials([
        'username' => 'root',
        'token' => 'XXXXXXXXX',
    ])
    // createacct with reseller=1 creates the account and makes it a reseller
    // in one call; $username, $techUrl and $password are set earlier.
    ->call('createacct', [
        'username' => $username,
        'domain' => $techUrl,
        'plan' => 'xxxxxxxxx',
        'password' => $password,
        'max_defer_fail_percentage' => 10,
        'max_email_per_hour' => 180,
        'dkim' => 1,
        'spf' => 1,
        'contactemail' => '[email protected]',
        'hasshell' => 1,
        'language' => 'fr',
        'reseller' => 1,
        //'reseller_without_domain' => 1,
    ]);
Then I logged in to the account and took a screenshot of the WHM interface with the limited options.

Then I executed the following command:

Code:
[root@cheeseburger ~]# whmapi1 --output=jsonpretty setacls reseller='t11d1db4a' acl-all=0 acl-acct-summary=1
{
   "data" : {
      "acl" : [
         "acct-summary",
         "all"
      ]
   },
   "metadata" : {
      "result" : 1,
      "version" : 1,
      "reason" : "OK",
      "command" : "setacls"
   }
}
Then I logged in again and I had all the features in WHM.

EDIT: See the enclosed video file; it demonstrates the whole thing: cpanel-bug
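The thread's core observation is that setacls appears to treat the presence of the acl-all key as a grant, regardless of its value, and that the API's reported ACL list and the WHM Reseller Center disagree. The following is an added example (not cPanel's code and not from either poster) of how a practitioner can build the setacls request so that disabled ACLs are omitted rather than sent as 0, and then cross-check the response against what was requested. The JSON response is the one quoted in the thread; the host name "your.cpanel.server", the reseller name "t11d1db4a" and the sample /var/cpanel/resellers line are constructed, and the assumed file format "user:acl-a,acl-b" is this example's assumption, not something the thread shows.

```python
"""Build a WHM setacls request that never sends acl-<name>=0, and verify the
API's reported ACL list against the request and an on-disk reseller record.
Added example; not cPanel's code. Host, reseller name and the resellers-file
sample are constructed."""
import json
from urllib.parse import urlencode

# Response quoted in the thread for setacls?...&acl-all=0&acl-acct-summary=1.
THREAD_RESPONSE = (
    '{"metadata":{"version":1,"result":1,"reason":"OK","command":"setacls"},'
    '"data":{"acl":["all","acct-summary"]}}'
)

# Constructed line in the assumed format of /var/cpanel/resellers
# (user:acl-a,acl-b,...). The format is an assumption of this example.
SAMPLE_RESELLERS_FILE = "t11d1db4a:acl-acct-summary,acl-all\n"


def build_setacls_params(reseller, acls):
    """Return query parameters for setacls.

    acls maps an ACL name (without the 'acl-' prefix) to True/False. Only
    enabled ACLs are emitted as acl-<name>=1; disabled ones are left out
    entirely, because the thread reports acl-all=0 behaving like acl-all=1
    (the presence of the key is what seems to count).
    """
    params = {"api.version": 1, "reseller": reseller}
    for name in sorted(acls):
        if acls[name]:
            params[f"acl-{name}"] = 1
    return params


def build_setacls_url(host, reseller, acls):
    """WHM JSON API endpoint on port 2087, as in the thread's example URL."""
    return f"https://{host}:2087/json-api/setacls?" + urlencode(
        build_setacls_params(reseller, acls)
    )


def parse_resellers_file(text):
    """Parse 'user:acl-a,acl-b' lines into {user: {'a', 'b'}} (prefix stripped)."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, acl_field = line.partition(":")
        acls = set()
        for entry in acl_field.split(","):
            entry = entry.strip()
            if entry.startswith("acl-"):
                entry = entry[4:]
            if entry:
                acls.add(entry)
        result[user] = acls
    return result


def verify_setacls(raw_json, requested, resellers_text=None, reseller=None):
    """Compare the ACLs the API says it set with what was requested.

    Returns the names granted but not requested ('unexpected'), requested but
    not granted ('missing'), whether 'all' was granted without being asked for
    ('all_granted', the failure mode discussed in the thread) and, if a
    resellers-file text is given, the ACLs recorded on disk ('on_disk').
    """
    resp = json.loads(raw_json)
    meta = resp.get("metadata", {})
    if meta.get("result") != 1:
        raise RuntimeError(f"setacls failed: {meta.get('reason')}")
    granted = set(resp.get("data", {}).get("acl", []))
    expected = {name for name, enabled in requested.items() if enabled}
    report = {
        "unexpected": sorted(granted - expected),
        "missing": sorted(expected - granted),
        "all_granted": "all" in granted and not requested.get("all", False),
    }
    if resellers_text is not None and reseller is not None:
        on_disk = parse_resellers_file(resellers_text).get(reseller, set())
        report["on_disk"] = sorted(on_disk)
    return report


if __name__ == "__main__":
    wanted = {"all": False, "acct-summary": True}
    print(build_setacls_url("your.cpanel.server", "t11d1db4a", wanted))
    print(verify_setacls(THREAD_RESPONSE, wanted, SAMPLE_RESELLERS_FILE, "t11d1db4a"))
```

Run against the thread's response, the report flags "all" as unexpected, which is exactly the discrepancy the poster hit; omitting acl-all from the request altogether avoids relying on how the API interprets a 0 value. Whether the on-disk record or the WHM interface is the authoritative view is what CPANEL-42578 is meant to settle, so both are worth checking until then.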