Changing permissions on WHM addon modules

internetfab

Hi!

Tried changing permissions on the munin addon, so that the reseller (managed server, where the owner has reseller privs and we have root) may be able to see stats.

Code:
#!/usr/bin/perl
# cpanel - addon_munin.cgi                        Copyright(c) 2011 cPanel, Inc.
#                                                           All rights Reserved.
# [email protected]                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited
#WHMADDON:munin:Munin Service Monitor

BEGIN { unshift @INC, '/usr/local/cpanel'; }

my $security_token = $ENV{'cp_security_token'} || '';

print "Location: $security_token/munin/index.html\r\n\r\n";
Shouldn't this work out of the box? What am I missing?

Getting "Sorry, only root may view munin stats." when visiting /munin/index.html as a reseller.
 

cPanelDavidN

Staff member
Hi internetfab,

You're not missing anything. If you remove
Code:
#ACLS:all
the plugin link will appear in the left sidebar

and remove
Code:
if ( !Whostmgr::ACLS::hasroot() ) {
    print "Content-type: text/html\r\n\r\n";
    print "Access Denied: You do not have permission to view Munin stats.\n";
    exit;
}
the plugin CGI script will continue and load the munin/index.html.

...However, after some research, it would appear that there is a hardcoded check for munin-served pages in the binaries. A reseller must have the "all root" privilege in order to clear the check. I imagine the check is done simply, if not specifically, to stop information disclosure.

The only way around the issue would be (I presume) if you mutated the munin plugin files/dir such that all references to munin were removed from the file/dir names; i.e. `mv docroot/munin docroot/moonin` or something like that. I cannot recommend doing this, but if you HAD to, that would be the first thing to try.

Best Regards,
-DavidN