In Progress [CPANEL-26332] API Tokens and WHM Function list-zones

bellwood

Active Member
This is incomplete - I have to allow "Everything - All Features `all`" to get a list of every zone on the server.

Seems horribly insecure to need a "god" token to simply get a list of zones.
 

cPanelMichael

Technical Support Community Manager
Staff member
This is incomplete - I have to allow "Everything - All Features `all`" to get a list of every domain on the server.
Hi @bellwood,

I've reproduced this behavior and opened case CPANEL-26332 to report the issue. I'll monitor this case and update this thread with more information as it becomes available. Note that an additional case (CPANEL-24676) is open to correct this behavior for the listaccts WHM API 1 function. That case is planned for publication with cPanel & WHM version 80.

Thank you.

Post Edit History:
1. Corrected the first case ID to reflect CPANEL-26332.
 

bellwood

Active Member
@cPanelMichael I see CPANEL-24676 was remediated 03-21-2019 however as of v80.0.11 I'm still unable to see all zones on a server with just the list-zones token permission.

Interesting as well, the resolution for the case mentions listaccts, not listzones:

  • Fixed case CPANEL-24676: API Tokens: Ensure that the listaccts API call respects the 'list-accts' priv.

Could you clarify?
 

cPanelMichael

Technical Support Community Manager
Staff member
Hello @bellwood,

It looks like CPANEL-26332 was utilized in this thread's title, but incorrectly entered as "CPANEL-24676" in my previous response. Apologies for the confusion. I've edited my previous response to correct this. I'll continue to monitor CPANEL-26332 internally and report back here with more information on its status as it becomes available.

In summary, there are two cases associated with this thread, CPANEL-24676 and CPANEL-26332.

CPANEL-24676 is fixed in version 80: Fixed case CPANEL-24676: API Tokens: Ensure that the listaccts API call respects the 'list-accts' priv.

CPANEL-26332 was opened on March 18th, 2019 to request that the listzones WHM API 1 call returns all DNS zones on the system instead of just the zones owned by the "root" user when the 'manage-dns-records' API token privilege is enabled.

Thank you.
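The practical question behind this thread is what a scoped API token can actually see: the reporter expected a token with only the list-zones / manage-dns-records privilege to return every zone, and instead got only the root-owned ones. Below is an added example (not cPanel's code and not from either poster) that calls WHM API 1 `listzones` with a token and diffs the result against the zones you expect the token to cover, so you can confirm a fix like CPANEL-26332 on your own server. Assumptions, none of which come from the thread: WHM API 1 is reached at `https://HOST:2087/json-api/listzones?api.version=1` with the header `Authorization: whm USER:TOKEN`, and the JSON reply lists zones under `data.zone` with a `domain` key per entry. `SAMPLE_SCOPED_RESPONSE` and `EXPECTED_ZONES` are constructed test data in that assumed shape, so the parsing and comparison run offline; `fetch_zones` is the only part that touches the network.

```python
"""Verify what a scoped WHM API token returns from WHM API 1 `listzones`.

Added example, not cPanel's own code. Assumed (not taken from the thread):
  * endpoint  https://HOST:2087/json-api/listzones?api.version=1
  * header    Authorization: whm USER:TOKEN
  * reply     {"metadata": {"result": 1, ...}, "data": {"zone": [{"domain": ...}, ...]}}
"""
import json
import ssl
import urllib.request

WHM_PORT = 2087


def build_request(host: str, user: str, token: str) -> urllib.request.Request:
    """Build the listzones request authenticated with a WHM API token."""
    url = f"https://{host}:{WHM_PORT}/json-api/listzones?api.version=1"
    req = urllib.request.Request(url)
    # Token auth for WHM API 1: "whm <whm user>:<token>" (assumed header format)
    req.add_header("Authorization", f"whm {user}:{token}")
    return req


def parse_zones(body: str) -> list[str]:
    """Extract the zone names from an API 1 listzones reply; raise on API failure."""
    doc = json.loads(body)
    meta = doc.get("metadata", {})
    if meta.get("result") != 1:
        # A token lacking the privilege entirely shows up here, not as an empty list
        raise RuntimeError(f"listzones failed: {meta.get('reason', 'no reason given')}")
    return sorted(z["domain"] for z in doc.get("data", {}).get("zone", []))


def fetch_zones(host: str, user: str, token: str, verify_tls: bool = True) -> list[str]:
    """Call the live API and return the zone names it exposes to this token."""
    # Keep TLS verification on against a real server; the opt-out is for self-signed lab boxes only
    ctx = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(build_request(host, user, token), context=ctx, timeout=30) as resp:
        return parse_zones(resp.read().decode("utf-8"))


def missing_zones(expected: list[str], seen: list[str]) -> list[str]:
    """Zones the token was expected to cover but did not return (empty list = scope is complete)."""
    return sorted(set(expected) - set(seen))


# Constructed sample: a scoped token that only sees root-owned zones, in the assumed reply shape.
SAMPLE_SCOPED_RESPONSE = json.dumps({
    "metadata": {"result": 1, "reason": "OK", "version": 1, "command": "listzones"},
    "data": {"zone": [
        {"domain": "root-site.example", "zonefile": "/var/named/root-site.example.db"},
        {"domain": "root-mail.example", "zonefile": "/var/named/root-mail.example.db"},
    ]},
})

# Constructed: every zone on the box, including ones owned by a reseller's accounts.
EXPECTED_ZONES = [
    "root-site.example",
    "root-mail.example",
    "reseller-client1.example",
    "reseller-client2.example",
]

# Constructed: what an API failure looks like, e.g. a token without the privilege at all.
SAMPLE_DENIED_RESPONSE = json.dumps({
    "metadata": {"result": 0, "reason": "Access denied", "version": 1, "command": "listzones"},
})


if __name__ == "__main__":
    seen = parse_zones(SAMPLE_SCOPED_RESPONSE)
    hidden = missing_zones(EXPECTED_ZONES, seen)
    print("zones visible to scoped token:", seen)
    print("zones hidden from scoped token:", hidden or "none (scope is complete)")
    # Against a real server, replace the sample with:
    #   seen = fetch_zones("whm.example.net", "root", "<API token>")
```

Run it against a live host by swapping the sample for `fetch_zones(...)`; a non-empty `missing_zones` result is the symptom the thread describes, and an `Access denied` reply rather than a short list means the token lacks the privilege outright.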