
automatic backups security

Discussion in 'cPanel Developers' started by Potato, Mar 9, 2011.

  1. Potato

    Potato Active Member

    I am developing a script that will basically run through a cron job to run backups on my cPanel accounts. The only problem is: how could I store the passwords in an encrypted method such as md5 in my database and have it post through to log in and run the backup successfully?

    For example, I'll have in my database the password "21232f297a57a5a743894a0e4a801fc3", which is admin. That will then get sent over my PHP script to log in to cPanel to run the backup without ever being displayed in plain text to be viewed by someone.
     
  2. cPanelDavidN

    cPanelDavidN Integration Developer
    Staff Member

    Hi Potato,

    Because the cPanel API can't take credentials and run them through a "decrypt" operation, and if it could you'd still be a target of a single point of failure (the database), I'll propose an alternate solution.

    I don't know your entire setup, but I'd probably just change the password schema. That is, I'd store part of the password in one place and the other half in another. The combined values, run through a hash algorithm (md5 should do it), would be the valid cPanel password. This will protect your cPanel password from being "lifted" from any one database that might get compromised. You could even set up a series of "accumulative knowledge" retrieval scripts which, when queried, only return their part of the password when passed a token (which is generated based on a previous part and a salt). The only vulnerability is the PHP script itself. It would not only show how to compute the password but probably the credentials/locations for the various password-parts.

    With that sort of schema, if your PHP script is secure and you communicate over SSL then you'll be quite a bit more secure from random acts of credential theft.

    Best Regards,
    -DavidN
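
The split-secret scheme described in the post above, as an added example that is not part of the original thread or cPanel's own code. The function names, the two in-process arrays standing in for the separate stores, and the random sample values are all assumptions for illustration; SHA-256 is used where the post suggests md5.

```php
<?php
declare(strict_types=1);

// Provisioning (run once per account): create both parts. Store B gets only
// the token it should expect, never part one itself.
function provision(): array
{
    $partA = bin2hex(random_bytes(16));   // constructed sample value
    $salt  = bin2hex(random_bytes(16));   // constructed sample value
    $partB = bin2hex(random_bytes(16));   // constructed sample value
    $storeA = ['part' => $partA, 'salt' => $salt];   // e.g. the script's database
    $storeB = ['part' => $partB,                      // e.g. a second location
               'token' => hash_hmac('sha256', $partA, $salt)];
    return [$storeA, $storeB];
}

// Store B's retrieval script: release its part only for the right token.
function fetchPartB(array $storeB, string $token): ?string
{
    // hash_equals() compares in constant time.
    return hash_equals($storeB['token'], $token) ? $storeB['part'] : null;
}

// Cron-side script: walk the chain and derive the account password.
function derivePassword(array $storeA, array $storeB): ?string
{
    $token = hash_hmac('sha256', $storeA['part'], $storeA['salt']);
    $partB = fetchPartB($storeB, $token);
    if ($partB === null) {
        return null;   // chain broken: part one is wrong or missing
    }
    // The hash of the combined parts is the value set as the cPanel password.
    return hash('sha256', $storeA['part'] . $partB);
}

[$storeA, $storeB] = provision();
$password = derivePassword($storeA, $storeB);
echo 'derived password length: ', strlen($password), PHP_EOL;

// A caller without part one cannot produce the token, so B releases nothing.
var_dump(fetchPartB($storeB, hash_hmac('sha256', 'guess', $storeA['salt'])));
```

Neither store holds the derived password or enough to compute it alone; as the post notes, the script that knows both locations remains the piece to protect.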
     
  3. Potato

    Potato Active Member

    Thanks, that's a good idea. I wouldn't have ever thought about that.

    Another question I have: is there a way to detect the date of the backup and, if it's older than x days, remove it? Perhaps a cron can do it, but I'm just not sure exactly how to accomplish that. Should I try to write something to read the backup name with the date and try to parse it from that?
     
  4. cPanelDavidN

    cPanelDavidN Integration Developer
    Staff Member

    Hi Potato,

    Are you talking about backups generated by cPanel under WHM >> Backup? Those backups can be set to a certain retention policy to help manage backup bloat. However, you're still looking to manually move those files: by default they're kept in /backup/cpbackup/[daily|weekly|monthly]/$cpuser.tar.gz. I'd do a stat, or whatever you're coding with, to get the ctime/mtime for the file. (ctime is created time, whereas mtime is the last modified time; it may be more advantageous to use one over the other, depending on your strategy). You can also look at the contents of /backup/cpbackup/[daily|weekly|monthly]/cpbackupstatus.cfg to get a last run for that particular frequency (it's epoch).

    As I recall, backups generated from within the user's cPanel interface (and residing within the user's home directory) do have the time in the filename (again, epoch). That could make it easy.

    Otherwise, whatever the backup schema, you should be able to look at the file's mtime and that will give you a good indication of the last time the file was modified ("modified" excludes things like the `mv`...moving a file will affect the ctime, not the mtime).

    Regards,
    -DavidN
     