The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Changes to Privilege Escalation in 11.38

Discussion in 'cPanel Developers' started by higherlogic, Jun 27, 2013.

  1. higherlogic

    higherlogic Member

    Joined:
    Mar 5, 2009
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    The documentation makes no mention of any changes for this, as it still lists examples for 11.36:

    Privilege Escalation with cPanel API Calls

    My custom module makes calls to an admin script, but now I'm getting errors I've never seen before (I've renamed any instance of the module or admin script name to Foo or foo):

    Code:
    warn [Foo::get_domains] Encountered error in Foo::get_domains: Cpanel::AdminBin::Server: Received syntax ok from adminbin without data: Cpanel/foo/DOMAINS
    Ok, so we have the module here (the call is made from cPanel to the get_domains function, which calls the DOMAINS command in the admin script):

    Code:
    /usr/local/cpanel/Cpanel/Foo.pm
    And then admin script here:

    Code:
    /usr/local/cpanel/bin/fooadmin
    Both worked fine in 11.36, as I updated the code to use YAML as suggested. These errors follow the one above:

    Code:
    cpwrapd: falling back to using legacy adminbin: /usr/local/cpanel/bin/fooadmin
    cpwrapd: adminbin config file: /usr/local/cpanel/bin/fooadmin.conf missing mode value: will use 'simple'.
    No mention of what legacy mode is or anything about a configuration file for admin scripts in the documentation.

    Then we get these two errors, which seem the most relevant:

    Code:
    warn [cpanel] Cpanel::Wrap::send_cpwrapd_request error: namespace=[Cpanel] module=[foo] function=[DOMAINS]: set error in context foo: statusmsg=[Cpanel::AdminBin::Server: Received syntax ok from adminbin without data: Cpanel/foo/DOMAINS] at /usr/local/cpanel/Cpanel/Wrap.pm line 128
    Code:
    Cpanel::Wrap::send_cpwrapd_request('namespace', 'Cpanel', 'module', 'foo', 'function', 'DOMAINS', 'data', 'cpuser 1', 'action', 'fetch', 'env', HASH(0x43d0970)) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 214
    Followed by these errors:

    Code:
    Cpanel::AdminBin::_adminfetch('module', 'foo', 'function', 'DOMAINS', 'format', '', 'cache_check_files', '', 'cache', 0, 'args', ARRAY(0x2090c30)) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 139
    
    Cpanel::AdminBin::adminfetchnocache('foo', '', 'DOMAINS', '', 'cpuser', 1) called at /usr/local/cpanel/Cpanel/Foo.pm line 261
    
    Cpanel::Foo::Foo_get_domains('add_www', 1) called at /usr/local/cpanel/Cpanel/Api2/Exec.pm line 110
    
    eval {...} called at /usr/local/cpanel/Cpanel/Api2/Exec.pm line 110
    
    Cpanel::Api2::Exec::api2_exec('Foo', 'get_domains', HASH(0x7faf176a86c0), HASH(0x210d550)) called at cpanel line 979
    
    main::real_cpexectag('<?cp Foo::get_domains([option]%[/option], hostname) add_www=1 ?>') called at cpanel line 4138
    To summarize, module and admin script worked fine in 11.36 and no longer work now. It's not just this function, but all functions (commands) in the admin script that fail.
     
  2. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    Please use Cpanel::AdminBin::Serializer instead of Cpanel::YAML. We are in the process of generating additional documentation for these changes. In the mean time, integrations@cpanel.net should be able to help out with the specifics.
     
  3. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
  4. higherlogic

    higherlogic Member

    Joined:
    Mar 5, 2009
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Ah, thank you for that CloudFlare example. I never would have gotten it without that. No more errors, only a notice that I'm using the legacy adminbin, which is perfect:

    Code:
    cpwrapd: falling back to using legacy adminbin: /usr/local/cpanel/bin/fooadmin
    Looking forward to the new docs as well. Thanks again!
     
  5. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider

    Also if you have ULC/bin/foowrap, you should be able to delete it under 11.38.
     
  6. higherlogic

    higherlogic Member

    Joined:
    Mar 5, 2009
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Yup, removed it from the bin directory and everything works. Good to know, thanks again, Nick.
     
  7. cPanelRuth

    cPanelRuth Registered
    Staff Member

    Joined:
    Mar 21, 2013
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    The new docs on privilege escalation are now available! We've posted them at Privilege Escalation with cPanel API Calls.

    Do let us know if you have any questions or feedback on it!

    -Ruth Bavousett
    Integration Developer
    cPanel, Inc.
     
  8. tizoo

    tizoo Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    66
    Likes Received:
    0
    Trophy Points:
    6
    Hi Ruth,

    We have a wrapper that was working with cPanel 11.36. We have rewritten it for cPanel 11.38. As we understant, it was a big simplification as we now just have 2 files :

    Code:
    /usr/local/cpanel/bin/admin/TZBM/tzbmadmin
    /usr/local/cpanel/bin/admin/TZBM/tzbmadmin.conf
    And we have removed the both files that was in */usr/local/cpanel/admin* before.

    What is the right way to call it from PHP ?

    If we do the same call as before :

    Code:
    $param['server'] = 'elara.tizoo.com';
    $res = $this->cpanel->api2('TZBM', 'getserverparam', $param);
    We got the following error in the logs :


    Code:
    [2013-10-21 19:17:31 +0200] warn [cpanel] Cpanel::Wrap::send_cpwrapd_request error: namespace=[Cpanel] module=[tzbm] function=[GETSERVERPARAM]: set error in context tzbm: statusmsg=[No adminbin found for cpanel_root=[/usr/local/cpanel] namespace=[Cpanel] module=[tzbm] function=[GETSERVERPARAM]] at /usr/local/cpanel/Cpanel/Wrap.pm line 128
    	Cpanel::Wrap::send_cpwrapd_request('namespace', 'Cpanel', 'module', 'tzbm', 'function', 'GETSERVERPARAM', 'data', 'elara.tizoo.com', 'action', 'fetch', 'env', HASH(0x2dd5e80)) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 214
    	Cpanel::AdminBin::_adminfetch('module', 'tzbm', 'function', 'GETSERVERPARAM', 'format', 'storable', 'cache_check_files', '', 'cache', 0, 'args', ARRAY(0x209be80)) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 139
    	Cpanel::AdminBin::adminfetchnocache('tzbm', '', 'GETSERVERPARAM', 'storable', 'elara.tizoo.com') called at /usr/local/cpanel/Cpanel/TZBM.pm line 7
    	Cpanel::TZBM::api2_getserverparam('server', 'elara.tizoo.com') called at /usr/local/cpanel/Cpanel/Api2/Exec.pm line 110
    	eval {...} called at /usr/local/cpanel/Cpanel/Api2/Exec.pm line 110
    	Cpanel::Api2::Exec::api2_exec('TZBM', 'getserverparam', HASH(0x2dd49e0), HASH(0x2ddc450)) called at cpanel line 1302
    	main::docpanelaction('<cpanelaction>\x0A{"module":"TZBM","reqtype":"exec","func":"getserverparam","apiversion":"2","args":{"server":"elara.tizoo.com"}}\x0A</cpanelaction>') called at cpanel line 4167
    	main::dotag_finished_headers(0) called at cpanel line 3901
    	main::cpanel_parseblock('<cpanelaction>\x0A{"module":"TZBM","reqtype":"exec","func":"getserverparam","apiversion":"2","args":{"server":"elara.tizoo.com"}}\x0A</cpanelaction>') called at cpanel line 5211
    	main::run_standard_mode() called at cpanel line 767
    [2013-10-21 19:17:31 +0200] warn [TZBM::getserverparam] Encountered error in TZBM::getserverparam: No adminbin found for cpanel_root=[/usr/local/cpanel] namespace=[Cpanel] module=[tzbm] function=[GETSERVERPARAM]

    It seems that we are making our request in the *Cpanel* namespace instead of the *TZBM*.

    Do you have some tips on what could be buggy in our call ?

    Thanks a lot in adv
     
  9. tizoo

    tizoo Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    66
    Likes Received:
    0
    Trophy Points:
    6
    Hi again,

    We saw in the log that our call try to access the old module */usr/local/cpanel/Cpanel/TZBM.pm*. And we removed it but this just make more errors like :

    Code:
    [2013-10-21 20:20:41 +0200] warn [cpanel] Error loading module TZBM - Can't locate Cpanel/TZBM.pm in @INC ([...]
    We also tried to call it this way :

    Code:
    $param['namespace'] = 'TZBM';
    $param['module'] = 'tzbmadmin';
    $param['function'] = 'getserverparam';
    $param['data'] = 'elara.tizoo.com';
    $res = $this->cpanel->api2('Wrap', 'send_cpwrapd_request', $param);
    And the response is something like :

    Code:
    Could not find function 'send_cpwrapd_request' in module 'Wrap'
    But nothing more is written in the log file.

    Could you have some additionnal information or links where we can find how to use the wrap framework and call it from PHP ?

    Thanks in avance for any tips.

    Sincerely yours,

    Philippe
     
  10. tizoo

    tizoo Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    66
    Likes Received:
    0
    Trophy Points:
    6
    Hi all,

    In fact it seems that it is not possible to make the same call with PHP as the documentation tell how to make it with Perl.

    We finally stay with the old way that generate the following error for each call :

    Code:
    error_log:cpwrapd: falling back to using legacy adminbin: /usr/local/cpanel/bin/tzbmadmin
    Cheers,
    Philippe
     
Loading...

Share This Page