In Progress [CPANEL-26332] API Tokens and WHM Function list-zones

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,218
463
Hello @bellwood,

listzones is controlled with the Manage DNS Records privilege. It's found under the "Initial Privileges" section in WHM >> Manage API Tokens.

Thank you.
 
  • Like
Reactions: bellwood

bellwood

Well-Known Member
PartnerNOC
Sep 25, 2012
46
9
133
New York
cPanel Access Level
DataCenter Provider
This is incomplete - I have to allow "Everything - All Features `all`" to get a list of every zone on the server.

Seems horribly insecure to need a "god" token to simply get a list of zones.
 
Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,218
463
This is incomplete - I have to allow "Everything - All Features `all`" to get a list of every domain on the server.
Hi @bellwood,

I've reproduced this behavior and opened case CPANEL-26332 to report the issue. I'll monitor this case and update this thread with more information as it becomes available. Note that an additional case (CPANEL-24676) is open to correct this behavior for the listaccts WHM API 1 function. That case is planned for publication with cPanel & WHM version 80.

Thank you.

Post Edit History:
1. Corrected the first case ID to reflect CPANEL-26332.
 
Last edited:

bellwood

Well-Known Member
PartnerNOC
Sep 25, 2012
46
9
133
New York
cPanel Access Level
DataCenter Provider
@cPanelMichael I see CPANEL-24676 was remediated 03-21-2019 however as of v80.0.11 I'm still unable to see all zones on a server with just the list-zones token permission.

Interesting as well, the resolution for the case mentions listaccts, not listzones:

  • Fixed case CPANEL-24676: API Tokens: Ensure that the listaccts API call respects the 'list-accts' priv.

Could you clarify?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,218
463
Hello @bellwood,

It looks like CPANEL-26332 was utilized in this thread's title, but incorrectly entered as "CPANEL-24676" in my previous response. Apologies for the confusion. I've edited my previous response to correct this. I'll continue to monitor CPANEL-26332 internally and report back here more information on it's status as it becomes available.

In summary, there are two cases associated with this thread, CPANEL-24676 and CPANEL-26332.

CPANEL-24676 is fixed in version 80: Fixed case CPANEL-24676: API Tokens: Ensure that the listaccts API call respects the 'list-accts' priv.

CPANEL-26332 was opened on March 18th, 2019 to request that the listzones WHM API 1 call returns all DNS zones on the system instead of just the zones owned by the "root" user when the 'manage-dns-records' API token privilege is enabled.

Thank you.
 

philb

Well-Known Member
Jan 28, 2004
118
4
168
Having just tried to switch from using the root credential to API keys (so that password changes don't clobber our script) I have discovered that this appears to still be broken in 11.84; if you authenticate using the root password, you get all zones.

If on the other hand you use an API key issued by root with "Manage DNS Zones" privilege, you only get zones owned by root.

Seems particularly odd that the behaviour differs between the two.