appconfig user and Cpanel::Config::LoadConfig permission warnings

rustyhex2

Member
Dec 12, 2013
8
0
1
cPanel Access Level
Root Administrator
I created a plugin with acls=all and user=limitedUser.
Everything works fine, but the plugin generates lots of warnings in the error log:
Code:
[2013-12-12 18:48:34 +0400] warn [Cpanel::Config::LoadConfig] Unable to open /var/cpanel/cpanel.config: Permission denied at /usr/local/cpanel/Cpanel/Config/LoadConfig.pm line 210
        Cpanel::Config::LoadConfig::loadConfig('/var/cpanel/cpanel.config', HASH(0x1b16e948), undef, undef, undef, 1, HASH(0x1b16eb28)) called at /usr/local/cpanel/Cpanel/Config/LoadCpConf.pm line 160
        Cpanel::Config::LoadCpConf::loadcpconf(HASH(0x1a0b5708)) called at /usr/local/cpanel/Cpanel/Config/LoadCpConf.pm line 51
        Cpanel::Config::LoadCpConf::_load_locked(HASH(0x1b16e3d8)) called at /usr/local/cpanel/Cpanel/Config/CpConfGuard.pm line 28
        Cpanel::Config::CpConfGuard::new('Cpanel::Config::CpConfGuard') called at /usr/local/cpanel/Cpanel/Config/ConfigObj/Driver/Attracta.pm line 253
        Cpanel::Config::ConfigObj::Driver::Attracta::_check(Cpanel::Config::ConfigObj::Driver::Attracta=HASH(0x1b16e498), 'cpanel_config_enabled') called at /usr/local/cpanel/Cpanel/Config/ConfigObj/Driver/Attracta.pm line 243
        Cpanel::Config::ConfigObj::Driver::Attracta::check(Cpanel::Config::ConfigObj::Driver::Attracta=HASH(0x1b16e498)) called at /usr/local/cpanel/Cpanel/LicenseComponent.pm line 410
        Cpanel::LicenseComponent::check_component(Cpanel::LicenseComponent=HASH(0x1af1b030), 'attracta') called at /usr/local/cpanel/Cpanel/LicenseComponent.pm line 150
        Cpanel::LicenseComponent::get_component_configured_status(Cpanel::LicenseComponent=HASH(0x1af1b030), 'attracta') called at /usr/local/cpanel/Whostmgr/ACLS.pm line 219
        Whostmgr::ACLS::get_dynamic_acl_lists() called at /usr/local/cpanel/Whostmgr/ACLS.pm line 243
        Whostmgr::ACLS::dynamic_acl_update() called at /usr/local/cpanel/Whostmgr/ACLS.pm line 150
        Whostmgr::ACLS::init_acls() called at /usr/local/cpanel/whostmgr/docroot/myPlugin/index.cgi line 17
index.cgi, line 17:
Code:
Whostmgr::ACLS::init_acls();
if (!Whostmgr::ACLS::hasroot())
{
   print 'Access denied';
   exit;
}
As I understand it, the plugin is running under my limited user and has no rights to read the cPanel config file and to check ACLS. Any hints on how to fix this?
Thanks.

P.S. I've got a developer license.
 

KostonConsulting

Well-Known Member
Verified Vendor
Jun 17, 2010
255
1
68
San Francisco, CA
cPanel Access Level
Root Administrator
/var/cpanel/cpanel.config is 644 so it should be able to be read by any user:

Code:
# ls -la /var/cpanel/cpanel.config
-rw-r--r-- 1 root wheel 6131 Nov  7 13:35 /var/cpanel/cpanel.config
The error points to /usr/local/cpanel/Cpanel/Config/LoadConfig.pm line 210.

In that module, you'll see that the code is trying to open the file as either 'rw' or 'r' depending on whether or not $arg_ref->{'rw'} is set:

Code:
my $conflock = Cpanel::SafeFile::safeopen( $conf_fh, ( $arg_ref->{'rw'} ? '+<' : '<' ), $file ) or do {
    require Cpanel::Logger;
    Cpanel::Logger::cplog( "Unable to open $file: $!", 'warn', __PACKAGE__ );
    return;
};
Unfortunately, we don't see the hash values passed to loadConfig in this error:

Cpanel::Config::LoadConfig::loadConfig('/var/cpanel/cpanel.config', HASH(0x1b16e948), undef, undef, undef, 1, HASH(0x1b16eb28)) called at /usr/local/cpanel/Cpanel/Config/LoadCpConf.pm line 160

We do know that the last HASH is $arg_ref from the function's definition:

Code:
sub loadConfig {
     my ( $file, $conf_ref, $delimiter, $comment, $regexp_to_preprune, $allow_undef_values, $arg_ref ) = @_;

So, we have to look at /usr/local/cpanel/Cpanel/Config/LoadCpConf.pm line 160 which gives us:

Code:
my ( $ref, $fh, $conflock ) = Cpanel::Config::LoadConfig::loadConfig(
    $cpanel_config_file, \%defaults,
    undef, undef, undef, 1, { 'nocache' => 1, 'keep_locked_open' => 1, 'rw' => $load_opts_ref->{'rw'} },
);
In this case, whether or not to load the file 'rw' is controlled by $load_opts_ref->{'rw'}; $load_opts_ref is passed to loadcpconf():

Code:
sub loadcpconf {
    my ($load_opts_ref) = @_;
Then going to the next call, we see it is for _load_locked() in vi /usr/local/cpanel/Cpanel/Config/LoadCpConf.pm.

Code:
sub _load_locked {
    my ($load_opts_ref) = @_;

    my %opts = $load_opts_ref ? %$load_opts_ref : ();
    $opts{'keep_locked_open'} = 1;
    $opts{'rw'}               = 1;

    my ( $fh, $lock_fh, $cpconf ) = loadcpconf( \%opts );

So, in every case, _load_locked() is going to try to open the file 'rw' but only root has 'rw' permissions so this appears to be 2 bugs. First, $opts{'rw'} is not configurable in _load_locked() but resellers don't have 'rw' access to /var/cpanel/cpanel.config. Second, the plugin driver will need to be extended to pass options to CpConfGuard when creating the object:

/usr/local/cpanel/Cpanel/Config/ConfigObj/Driver/Attracta.pm line 253:

Code:
my $cpconf = Cpanel::Config::CpConfGuard->new();
Furthermore, it's unclear as to why your plugin would use the driver for Attracta.
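
The read versus read-write behaviour described in the answer above can be reproduced outside cPanel. The script below is an added example, not part of the original post and not cPanel code; `probe_open` and the temporary test file are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not cPanel code: a file that is readable by everyone still
# fails with "Permission denied" when the caller opens it with '+<'.
use strict;
use warnings;
use Errno ();
use File::Temp qw(tempfile);

# Try the two open modes from the thread and report how each one ends.
sub probe_open {
    my ($file) = @_;
    my %result;
    for my $mode ( '<', '+<' ) {
        if ( open my $fh, $mode, $file ) {
            $result{$mode} = 'ok';
            close $fh;
        }
        else {
            $result{$mode} = $!{EACCES} ? 'permission denied' : "error: $!";
        }
    }
    return \%result;
}

# Constructed stand-in for the config file as a non-root user sees it:
# readable but not writable. Mode 0444 is used because this test file is
# owned by whoever runs the script, and 0644 would let the owner write.
my ( $tmp_fh, $tmp_path ) = tempfile( UNLINK => 1 );
print {$tmp_fh} "sample_key=1\n";
close $tmp_fh;
chmod 0444, $tmp_path or die "chmod $tmp_path: $!";

# Pass a real path as the first argument to probe it as the current user.
my $file = @ARGV ? $ARGV[0] : $tmp_path;
my @st = stat $file or die "stat $file: $!";
my $res = probe_open($file);

printf "%s (mode %04o, euid %d)\n", $file, $st[2] & 07777, $>;
printf "  read-only  '<'  : %s\n", $res->{'<'};
printf "  read-write '+<' : %s\n", $res->{'+<'};
print "  euid 0 ignores the mode bits, so both opens succeed as root\n"
  if $> == 0;
print "  readable, but any caller that requests 'rw' will log the warning\n"
  if $res->{'<'} eq 'ok' && $res->{'+<'} eq 'permission denied';
```

Run it as the same user the plugin runs under, with the config file path as the argument, to confirm which open mode is being refused.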
 

rustyhex2

Thank you very much for your detailed answer. It seems strange, but I never installed nor used Attracta and I don't even know how to use such a driver in my code.
 

KostonConsulting

I'd imagine that cPanel wrote the first AppConfig driver for the Attracta integration and then it got hard-coded into the system before they decided to make it a public system for all 3rd party integrations. You may want to email the integration team about this and/or submit a ticket so they can get some cases opened about all these issues.
 

rustyhex2

Ticket system registration is broken, so I dropped a letter to [email protected]. Let's see what they say.
 