Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

appconfig user and Cpanel::Config::LoadConfig permission warnings

Discussion in 'cPanel Developers' started by rustyhex2, Dec 12, 2013.

  1. rustyhex2

    rustyhex2 Member

    Joined:
    Dec 12, 2013
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I created a plugin with acls=all and user=limitedUser.
    Everything works fine, but plugin generates lots of warnings in the error log:
    Code:
    [2013-12-12 18:48:34 +0400] warn [Cpanel::Config::LoadConfig] Unable to open /var/cpanel/cpanel.config: Permission denied at /usr/local/cpanel/Cpanel/Config/LoadConfig.pm line 210
            Cpanel::Config::LoadConfig::loadConfig('/var/cpanel/cpanel.config', HASH(0x1b16e948), undef, undef, undef, 1, HASH(0x1b16eb28)) called at /usr/local/cpanel/Cpanel/Config/LoadCpConf.pm line 160
            Cpanel::Config::LoadCpConf::loadcpconf(HASH(0x1a0b5708)) called at /usr/local/cpanel/Cpanel/Config/LoadCpConf.pm line 51
            Cpanel::Config::LoadCpConf::_load_locked(HASH(0x1b16e3d8)) called at /usr/local/cpanel/Cpanel/Config/CpConfGuard.pm line 28
            Cpanel::Config::CpConfGuard::new('Cpanel::Config::CpConfGuard') called at /usr/local/cpanel/Cpanel/Config/ConfigObj/Driver/Attracta.pm line 253
            Cpanel::Config::ConfigObj::Driver::Attracta::_check(Cpanel::Config::ConfigObj::Driver::Attracta=HASH(0x1b16e498), 'cpanel_config_enabled') called at /usr/local/cpanel/Cpanel/Config/ConfigObj/Driver/Attracta.pm line 243
            Cpanel::Config::ConfigObj::Driver::Attracta::check(Cpanel::Config::ConfigObj::Driver::Attracta=HASH(0x1b16e498)) called at /usr/local/cpanel/Cpanel/LicenseComponent.pm line 410
            Cpanel::LicenseComponent::check_component(Cpanel::LicenseComponent=HASH(0x1af1b030), 'attracta') called at /usr/local/cpanel/Cpanel/LicenseComponent.pm line 150
            Cpanel::LicenseComponent::get_component_configured_status(Cpanel::LicenseComponent=HASH(0x1af1b030), 'attracta') called at /usr/local/cpanel/Whostmgr/ACLS.pm line 219
            Whostmgr::ACLS::get_dynamic_acl_lists() called at /usr/local/cpanel/Whostmgr/ACLS.pm line 243
            Whostmgr::ACLS::dynamic_acl_update() called at /usr/local/cpanel/Whostmgr/ACLS.pm line 150
            Whostmgr::ACLS::init_acls() called at /usr/local/cpanel/whostmgr/docroot/myPlugin/index.cgi line 17
    
    index.cgi, line 17:
    Code:
    Whostmgr::ACLS::init_acls();
    if (!Whostmgr::ACLS::hasroot())
    {
       print 'Access denied';
       exit;
    } 
    
    As i understand, plugin is running under my limited user and has no rights to read cPanel config file and to check ACLS. Any hints how to fix this?
    Thanks.

    p.s. L've got a developer license.
     
  2. KostonConsulting

    KostonConsulting Well-Known Member

    Joined:
    Jun 17, 2010
    Messages:
    255
    Likes Received:
    1
    Trophy Points:
    68
    Location:
    San Francisco, CA
    cPanel Access Level:
    Root Administrator
    /var/cpanel/cpanel.config is 644 so it should be able to be read by any user:

    Code:
    # ls -la /var/cpanel/cpanel.config
    -rw-r--r-- 1 root wheel 6131 Nov  7 13:35 /var/cpanel/cpanel.config
    
    The error points to /usr/local/cpanel/Cpanel/Config/LoadConfig.pm line 210.

    In that module, you'll see that the code is trying to open the file as either 'rw' or 'r' depending on whether or not $arg_ref->{'rw'} is set:

    Code:
    my $conflock = Cpanel::SafeFile::safeopen( $conf_fh, ( $arg_ref->{'rw'} ? '+<' : '<' ), $file ) or do {
        require Cpanel::Logger;
        Cpanel::Logger::cplog( "Unable to open $file: $!", 'warn', __PACK        AGE__ );
        return;
    };
    
    Unfortunately, we don't see the hash values passed to loadConfig in this error:

    Cpanel::Config::LoadConfig::loadConfig('/var/cpanel/cpanel.config', HASH(0x1b16e948), undef, undef, undef, 1, HASH(0x1b16eb28)) called at /usr/local/cpanel/Cpanel/Config/LoadCpConf.pm line 160

    We do know that the last HASH is $arg_ref from the function's definition:

    Code:
    sub loadConfig {
         my ( $file, $conf_ref, $delimiter, $comment, $regexp_to_preprune, $allow_undef_values, $arg_ref ) = @_;
    

    So, we have to look at /usr/local/cpanel/Cpanel/Config/LoadCpConf.pm line 160 which gives us:

    Code:
    my ( $ref, $fh, $conflock ) = Cpanel::Config::LoadConfig::loadConfig(
        $cpanel_config_file, \%defaults,
        undef, undef, undef, 1, { 'nocache' => 1, 'keep_locked_open' => 1, 'rw' => $load_opts_ref->{'rw'} },
    );
    
    In this case, whether or not to load the file 'rw' is controlled by $load_opts_ref->{'rw'}; $load_opts_ref is passed to loadcpconf():

    Code:
    sub loadcpconf {
        my ($load_opts_ref) = @_;
    
    Then going to the next call, we see it is for _load_locked() in vi /usr/local/cpanel/Cpanel/Config/LoadCpConf.pm.

    Code:
    sub _load_locked {
        my ($load_opts_ref) = @_;
    
        my %opts = $load_opts_ref ? %$load_opts_ref : ();
        $opts{'keep_locked_open'} = 1;
        $opts{'rw'}               = 1;
    
        my ( $fh, $lock_fh, $cpconf ) = loadcpconf( \%opts );
    

    So, in every case, _load_locked() is going to try to open the file 'rw' but only root has 'rw' permissions so this appears to be 2 bugs. First, $opts{'rw'} is not configurable in _load_locked() but resellers don't have 'rw' access to /var/cpanel/cpanel.config. Second, the plugin driver will need to be extended to pass options to CpConfGuard when creating the object:

    /usr/local/cpanel/Cpanel/Config/ConfigObj/Driver/Attracta.pm line 253:

    Code:
    my $cpconf = Cpanel::Config::CpConfGuard->new();
    
    Furthermore, it's unclear as to why your plugin would use the driver for Attracta.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. rustyhex2

    rustyhex2 Member

    Joined:
    Dec 12, 2013
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thank you very much for your detailed answer. It seems strange, but i never installed nor used Attracta and i even don't know how to use such driver in my code.
     
  4. KostonConsulting

    KostonConsulting Well-Known Member

    Joined:
    Jun 17, 2010
    Messages:
    255
    Likes Received:
    1
    Trophy Points:
    68
    Location:
    San Francisco, CA
    cPanel Access Level:
    Root Administrator
    I'd imagine that cPanel wrote the first AppConfig driver for the Attracta integration and then it got hard-coded into the system before they decided to make it a public system for all 3rd party integrations. You may want to email the integration team about this and/or submit a ticket so they can get some cases opened about all these issues.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. rustyhex2

    rustyhex2 Member

    Joined:
    Dec 12, 2013
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Ticket system registration is broken, so i dropped a letter to integration@. Let's see what they say.
     
    #5 rustyhex2, Dec 17, 2013
    Last edited by a moderator: Dec 17, 2013
  6. cPanelJared

    cPanelJared Technical Analyst

    Joined:
    Feb 25, 2010
    Messages:
    1,835
    Likes Received:
    21
    Trophy Points:
    143
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    We are not currently aware of any problem with registering in the ticket system, but if there is a problem, we need to fix it. What error message did you get when you tried to register to submit a ticket?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. rustyhex2

    rustyhex2 Member

    Joined:
    Dec 12, 2013
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I reported every bug i found via email. Now it's working.
     
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice