Disabling webmail per email account, contribution

elbruj0

Registered
Feb 9, 2009
2
0
51
I finished the modifications to cPanel to allow the cpanel user to disable/enable access to webmail to specific email accounts.
You get a new option "Webmail Permissions" under "Email accounts".

All you need is to have curl and ssl enabled for the internal PHP, this is a requriment of xmlapi-php.
Files are attached: - file removed- .
 
Last edited by a moderator:

cPanelDavidN

Well-Known Member
Staff member
Dec 17, 2009
571
3
68
Houston, TX
cPanel Access Level
Root Administrator
elbruj0,

Interesting...but I think there's some things that you should consider.

1) you're using the environment variable REMOTE_DBOWNER as the reference to the cPanel username (who would have the nvdata access list). While this will be equal to the cPanel username in almost every instance, there's no technical guarantee that it is the same...I would suspect that until cPanel makes further refinements to the DBOWNER paradigm, you should be able to use it safely...again, no guarantees

2) Your proxying the cPanel API call as root. This is not a problem in itself, only the fact that many extra precautions need to be taken; there's likely a better solution (generally speaking). So, you're authenticating your call based on a remote access hash. If you hardcode the access hash (as seems to be implied by check_webmail.php), then anyone with shell access on the system will be able to read it from the file...and thus are capable of making any API call they wish...a fatally dangerous situation. Alternative, if you were to add a call to read the file contents of root's access hash, that too would not work. The file read would fail because webmail applications are served as an under-privileged user (either cPanel user or a special system user like cpanelroundcube) and won't have adequate permissions to read the root owned file.

3) Anytime cPanel updates Horde, Roundcube, etc, your custom files (index.php and friends) will likely be removed. You'd need to hook into the `upcp` process (in the post stage of a script hook or a standardized hook) so that you files always overwrite (or apply a patch to) any updated files after maintenance has occurred.


A better, although more sophisticated, approach to getting/storing this info might be something like the following:

1) Custom cPanel Module that allows cPanel users to write to a datastore
- this would provide a custom cPanel API call that you could use for managing the data from within the cPanel UI
- the write operation would actually be a call to a privilege escalation binary

2) Private, central datastore
- have it only accessible by root
- use a privilege escalation binary for accessing it

3) Privilege escalation for access to datastore
- the special system webmail users would only be able to get a yes/no reply based on a email; the webmail apps can make a proc_open() or other system() type of call [not ideal, but doable if you're very very cautious]
- the CRUD calls necessary to manage the datastore would enforce that the requesting user only operates on domains they own.

Something like that still has some caveats but at least would be secure. It *might* be a little faster too than the network call involved with xmlapi-php, but I think that's really of little concern when compared to the secure implication.

Regards,
-DavidN
 

elbruj0

Registered
Feb 9, 2009
2
0
51
Thank you for your answer David, some thougths:

1 ) The other option i can think of, besides REMOTE_DBOWNER, is to get the account name using the email and calling an API function but i couldnt find one, any pointers?

2) Nobody has shell access to the server that im using but im sure its not true for everybody, a security scalation process would be perfect for this but too much work for only this feature. If in the future i have another request that involves something like this i will for sure write one.

3) The changes to cPanles files are really simple, with a patch every update should do it, thanks for the pointers on the hooks to upcp!

To fix the security issues how about :
A) Using the Data Store given by NVData
B) Write a daemon that runs under root, authentificates by the unix user ID that connects
C) Answers directly from files under /home/user_connecting/.cpanel/nvdata ?

If i understand correctly, the internal PHP changes his user ID to the account of the person loging in to the services.

On second thougth why write a deamon at all and not just read the variables directly from /home/user_connecting/.cpanel/nvdata from the webmail PHP ?
 
Last edited:

cPanelDavidN

Well-Known Member
Staff member
Dec 17, 2009
571
3
68
Houston, TX
cPanel Access Level
Root Administrator
Both Horde and Roundcube are served under special users, cpanelhorde and cpanelroundcube respectively

you can test with something like the following at the top of horde or round cube index.php:
PHP:
var_dump(posix_getpwuid(posix_getuid()));

As for getting a definitive cPanel username account, it won't be possible without a custom escalation binary that cpanelhorde or cpanelroundcube can use. This is because the webmail runtime process/environment was designed for the email user, not the cPanel user.

REMOTE_DBOWNER will likely work in most situations; I was merely pointing it out because when you do hit that edge-case there will be no 'work-around' other than the aforementioned escalation binary.

cPanel provides the C code for an escalation binary here (as well, a variant is shipped with cPanel)

As for your last thought, this might actually work given the following:
a) the webmail runtime process has $_ENV["HOME"] which points to the cPanel user's home directory
b) you use your own file and not .cpanel/nvdata/*…something that is readable by cpanelhorde and cpanelroundcube…depending on how you accomplish this, I'm not sure if it's a good idea…that's to say if you simply made your data file world readable, it would expose email/domain info of the users if a vector to the file system becomes available...but it probably could be done such that's not the case.

You mentioned that no one has ssh access, so that helps…but there can be other vectors too. A good mantra is to never but anything of value ( or that could be leveraged in other ways) in a world readable file.
 
Last edited: