In Progress CPANEL-42578 - API or Doc bug with setacls (possible security repercussion)

[malex]

Hi,

I was developing something where I needed to use the setacls function and I came across a bug in the API or something that is not clear on the documentation, with possible security repercussion.

In my development process, I wasn't sure if the setacls function was resetting old permissions when settings new one.
So I had the idea to set the acl-all=0 to force disabling everything and then setting what I wanted.
That is how I discovered that when calling the API with acl-all=0 it was acting like acl-all=1. The value seems ignored, it's just the existence of acl-all that seems relevant.

Long story short, I think it's a problem. Either a bug in the API, or something that's not clear enough on the documentation, I wasn't expecting that.

Step to reproduce : Just create a reseller user and trying calling the API with something like this :

https://your.cpanel.server:2087/json-api/setacls?api.version=1&reseller=RESELLER_USER&acl-all=0&acl-acct-summary=1

You will see that it act as if acl-all=1

Another thing, please speed up to documentation website, it's slow most of the time, and it's a nightmare to work with it.
I keep referring to the old doc (which is also slow) but at least I find what I want quicker. I'm not a super fan of the new doc. A newcomer will be lost.

 

[cPRex]

Hey there! I'm not able to reproduce any slowness on the cPanel API site (cPanel & WHM Developer Portal) so I can't offer much for that issue on my end.

As far as the API call, I can confirm the command you provided gives the following output:

{"metadata":{"version":1,"result":1,"reason":"OK","command":"setacls"},"data":{"acl":["all","acct-summary"]}}

but when I check WHM >> Reseller Center and examine the permissions on that account, I don't see that additional permissions have been applied.

Since that is the case, it looks like this is just an issue with the output of that command. I went ahead and created CPANEL-42578 so our developers can look into this issue, and I'll be sure to post any updates I receive about that case here.

 

[malex]

Hi,

I tried again and I was able to reproduce it with the CLI version. Maybe my server is fucked (it's my dev server) but I did a clean install not a long time ago so it's unlikely.

I created a new user using the createacct and set it to reseller directly. It was done in PHP using something like this :

$acctResp = $whm
    ->setServer('cheeseburger.XXXXX.eu')
    ->setCredentials([
        'username' => 'root',
        'token' => 'XXXXXXXXX',
    ])
    ->call('createacct', [
        'username' => $username,
        'domain' => $techUrl,
        'plan' => 'xxxxxxxxx',
        'password' => $password,
        'max_defer_fail_percentage' => 10,
        'max_email_per_hour' => 180,
        'dkim' => 1,
        'spf' => 1,
        'contactemail' => '[email protected]',
        'hasshell' => 1,
        'language' => 'fr',
        'reseller' => 1,
        //'reseller_without_domain' => 1,
    ]);

Then I logged in to the account, take a screenshot of the WHM interface with the limited options.

Then I executed the following command :

[[email protected] ~]# whmapi1 --output=jsonpretty setacls reseller='t11d1db4a' acl-all=0 acl-acct-summary=1
{
   "data" : {
      "acl" : [
         "acct-summary",
         "all"
      ]
   },
   "metadata" : {
      "result" : 1,
      "version" : 1,
      "reason" : "OK",
      "command" : "setacls"
   }
}

Then logged-in again and I have all the feature to WHM.

EDIT: See the video file enclosed, It demonstrates the whole thing : cpanel-bug

 

[cPRex]

Thanks for that video - that isn't something I checked on my end and explains the issue more clearly. I've updated the case with these details.