Changes to Privilege Escalation in 11.38

higherlogic

Member
Mar 5, 2009
14
0
51
The documentation makes no mention of any changes for this, as it still lists examples for 11.36:

Privilege Escalation with cPanel API Calls

My custom module makes calls to an admin script, but now I'm getting errors I've never seen before (I've renamed any instance of the module or admin script name to Foo or foo):

Code:
warn [Foo::get_domains] Encountered error in Foo::get_domains: Cpanel::AdminBin::Server: Received syntax ok from adminbin without data: Cpanel/foo/DOMAINS
Ok, so we have the module here (the call is made from cPanel to the get_domains function, which calls the DOMAINS command in the admin script):

Code:
/usr/local/cpanel/Cpanel/Foo.pm
And then admin script here:

Code:
/usr/local/cpanel/bin/fooadmin
Both worked fine in 11.36, as I updated the code to use YAML as suggested. These errors follow the one above:

Code:
cpwrapd: falling back to using legacy adminbin: /usr/local/cpanel/bin/fooadmin
cpwrapd: adminbin config file: /usr/local/cpanel/bin/fooadmin.conf missing mode value: will use 'simple'.
No mention of what legacy mode is or anything about a configuration file for admin scripts in the documentation.

Then we get these two errors, which seem the most relevant:

Code:
warn [cpanel] Cpanel::Wrap::send_cpwrapd_request error: namespace=[Cpanel] module=[foo] function=[DOMAINS]: set error in context foo: statusmsg=[Cpanel::AdminBin::Server: Received syntax ok from adminbin without data: Cpanel/foo/DOMAINS] at /usr/local/cpanel/Cpanel/Wrap.pm line 128
Code:
Cpanel::Wrap::send_cpwrapd_request('namespace', 'Cpanel', 'module', 'foo', 'function', 'DOMAINS', 'data', 'cpuser 1', 'action', 'fetch', 'env', HASH(0x43d0970)) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 214
Followed by these errors:

Code:
Cpanel::AdminBin::_adminfetch('module', 'foo', 'function', 'DOMAINS', 'format', '', 'cache_check_files', '', 'cache', 0, 'args', ARRAY(0x2090c30)) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 139

Cpanel::AdminBin::adminfetchnocache('foo', '', 'DOMAINS', '', 'cpuser', 1) called at /usr/local/cpanel/Cpanel/Foo.pm line 261

Cpanel::Foo::Foo_get_domains('add_www', 1) called at /usr/local/cpanel/Cpanel/Api2/Exec.pm line 110

eval {...} called at /usr/local/cpanel/Cpanel/Api2/Exec.pm line 110

Cpanel::Api2::Exec::api2_exec('Foo', 'get_domains', HASH(0x7faf176a86c0), HASH(0x210d550)) called at cpanel line 979

main::real_cpexectag('<?cp Foo::get_domains([option]%[/option], hostname) add_www=1 ?>') called at cpanel line 4138
To summarize, module and admin script worked fine in 11.36 and no longer work now. It's not just this function, but all functions (commands) in the admin script that fail.
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,488
35
158
cPanel Access Level
DataCenter Provider
Please use Cpanel::AdminBin::Serializer instead of Cpanel::YAML. We are in the process of generating additional documentation for these changes. In the mean time, [email protected] should be able to help out with the specifics.
 

higherlogic

Member
Mar 5, 2009
14
0
51
Ah, thank you for that CloudFlare example. I never would have gotten it without that. No more errors, only a notice that I'm using the legacy adminbin, which is perfect:

Code:
cpwrapd: falling back to using legacy adminbin: /usr/local/cpanel/bin/fooadmin
Looking forward to the new docs as well. Thanks again!
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,488
35
158
cPanel Access Level
DataCenter Provider
Ah, thank you for that CloudFlare example. I never would have gotten it without that. No more errors, only a notice that I'm using the legacy adminbin, which is perfect:

Code:
cpwrapd: falling back to using legacy adminbin: /usr/local/cpanel/bin/fooadmin
Looking forward to the new docs as well. Thanks again!

Also if you have ULC/bin/foowrap, you should be able to delete it under 11.38.
 

tizoo

Well-Known Member
Jan 6, 2004
75
3
158
cPanel Access Level
DataCenter Provider
Hi Ruth,

We have a wrapper that was working with cPanel 11.36. We have rewritten it for cPanel 11.38. As we understant, it was a big simplification as we now just have 2 files :

Code:
/usr/local/cpanel/bin/admin/TZBM/tzbmadmin
/usr/local/cpanel/bin/admin/TZBM/tzbmadmin.conf
And we have removed the both files that was in */usr/local/cpanel/admin* before.

What is the right way to call it from PHP ?

If we do the same call as before :

Code:
$param['server'] = 'elara.tizoo.com';
$res = $this->cpanel->api2('TZBM', 'getserverparam', $param);
We got the following error in the logs :


Code:
[2013-10-21 19:17:31 +0200] warn [cpanel] Cpanel::Wrap::send_cpwrapd_request error: namespace=[Cpanel] module=[tzbm] function=[GETSERVERPARAM]: set error in context tzbm: statusmsg=[No adminbin found for cpanel_root=[/usr/local/cpanel] namespace=[Cpanel] module=[tzbm] function=[GETSERVERPARAM]] at /usr/local/cpanel/Cpanel/Wrap.pm line 128
	Cpanel::Wrap::send_cpwrapd_request('namespace', 'Cpanel', 'module', 'tzbm', 'function', 'GETSERVERPARAM', 'data', 'elara.tizoo.com', 'action', 'fetch', 'env', HASH(0x2dd5e80)) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 214
	Cpanel::AdminBin::_adminfetch('module', 'tzbm', 'function', 'GETSERVERPARAM', 'format', 'storable', 'cache_check_files', '', 'cache', 0, 'args', ARRAY(0x209be80)) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 139
	Cpanel::AdminBin::adminfetchnocache('tzbm', '', 'GETSERVERPARAM', 'storable', 'elara.tizoo.com') called at /usr/local/cpanel/Cpanel/TZBM.pm line 7
	Cpanel::TZBM::api2_getserverparam('server', 'elara.tizoo.com') called at /usr/local/cpanel/Cpanel/Api2/Exec.pm line 110
	eval {...} called at /usr/local/cpanel/Cpanel/Api2/Exec.pm line 110
	Cpanel::Api2::Exec::api2_exec('TZBM', 'getserverparam', HASH(0x2dd49e0), HASH(0x2ddc450)) called at cpanel line 1302
	main::docpanelaction('<cpanelaction>\x0A{"module":"TZBM","reqtype":"exec","func":"getserverparam","apiversion":"2","args":{"server":"elara.tizoo.com"}}\x0A</cpanelaction>') called at cpanel line 4167
	main::dotag_finished_headers(0) called at cpanel line 3901
	main::cpanel_parseblock('<cpanelaction>\x0A{"module":"TZBM","reqtype":"exec","func":"getserverparam","apiversion":"2","args":{"server":"elara.tizoo.com"}}\x0A</cpanelaction>') called at cpanel line 5211
	main::run_standard_mode() called at cpanel line 767
[2013-10-21 19:17:31 +0200] warn [TZBM::getserverparam] Encountered error in TZBM::getserverparam: No adminbin found for cpanel_root=[/usr/local/cpanel] namespace=[Cpanel] module=[tzbm] function=[GETSERVERPARAM]

It seems that we are making our request in the *Cpanel* namespace instead of the *TZBM*.

Do you have some tips on what could be buggy in our call ?

Thanks a lot in adv
 

tizoo

Well-Known Member
Jan 6, 2004
75
3
158
cPanel Access Level
DataCenter Provider
Hi again,

We saw in the log that our call try to access the old module */usr/local/cpanel/Cpanel/TZBM.pm*. And we removed it but this just make more errors like :

Code:
[2013-10-21 20:20:41 +0200] warn [cpanel] Error loading module TZBM - Can't locate Cpanel/TZBM.pm in @INC ([...]
We also tried to call it this way :

Code:
$param['namespace'] = 'TZBM';
$param['module'] = 'tzbmadmin';
$param['function'] = 'getserverparam';
$param['data'] = 'elara.tizoo.com';
$res = $this->cpanel->api2('Wrap', 'send_cpwrapd_request', $param);
And the response is something like :

Code:
Could not find function 'send_cpwrapd_request' in module 'Wrap'
But nothing more is written in the log file.

Could you have some additionnal information or links where we can find how to use the wrap framework and call it from PHP ?

Thanks in avance for any tips.

Sincerely yours,

Philippe
 

tizoo

Well-Known Member
Jan 6, 2004
75
3
158
cPanel Access Level
DataCenter Provider
Hi all,

In fact it seems that it is not possible to make the same call with PHP as the documentation tell how to make it with Perl.

We finally stay with the old way that generate the following error for each call :

Code:
error_log:cpwrapd: falling back to using legacy adminbin: /usr/local/cpanel/bin/tzbmadmin
Cheers,
Philippe