bole

Registered
Apr 23, 2013
cPanel Access Level
DataCenter Provider
Hi all!

I need to create a way of "light" account suspend, meaning that users shouldn't be able to log in to cPanel but their websites would be accessible. Based on /usr/local/cpanel/scripts/suspendacct I created another script where I commented out .htaccess creation, and if called from the CLI it works. But I need to be able to call it remotely via some API calls.

I created /usr/local/cpanel/Cpanel/TestModule.pm in which I call my new script by:
Cpanel::SafeRun::Simple::saferun('/usr/local/cpanel/scripts/lightsuspendacct', $user);

The only problem I have is that I'm unable to call my API2 function with root privileges. Whenever I call it with cpanel_xmlapi_user=root I get: PHP Fatal error: Uncaught exception 'Exception' with message 'curl_exec threw error "SSL read: errno -12273"

I'm using cPanel XMLAPI Client Class v1.0.13 and have no problems in calling XMLAPI calls (createacct, suspendacct, etc) or API2 calls (Park, AddonDomain, etc).

So, my question is how I can call my "lightsuspendacct" script from the outside world with root privileges, or maybe there is a more suitable way of achieving the same thing? (*)

* - I could add my function in Accounting* files in Cpanel/ dir, but I don't see this as an appropriate way.

Thanks!
 

KostonConsulting

Well-Known Member
Verified Vendor
Jun 17, 2010
San Francisco, CA
cPanel Access Level
Root Administrator
cpanel_xmlapi_user=root is not valid as far as I know as the API1/API2 APIs are executed under cPanel and root doesn't have a cPanel account.

You should use strace to see exactly what's causing the SSL read error though, just to confirm.



I'm not aware of a way to create custom XML/JSON API calls so you'll need to use privilege escalation to accomplish this if you want to do this via XML/JSON APIs:

Privilege Escalation with cPanel API Calls

Note: If this API can be called by a user, they could call an "unsuspend" API if you create that, so you'll need some way to protect against them calling the unsuspend API.

However, I'm not sure that the above really makes sense. Why not execute the command remotely via SSH so you don't have to deal with privilege escalation?

Here's a sample PHP SSH command execution class:

Code:
class ExecuteRemote
{
    private static $host;
    private static $username;
    private static $password; // stored by setup() but never used: ssh authenticates with keys here
    private static $error;
    private static $output;

    public static function setup($host, $username=NULL, $password=NULL)
    {
        self::$host = $host;
        self::$username = $username;
        self::$password = $password;
    }

    public static function executeScriptSSH($script)
    {
        // Setup connection string
        $connectionString = self::$host;
        $connectionString = (empty(self::$username) ? $connectionString : self::$username.'@'.$connectionString);

        // Execute script. Both values are quoted for the local shell so they
        // cannot inject extra local commands; the remote shell still parses $script.
        $cmd = 'ssh '.escapeshellarg($connectionString).' '.escapeshellarg($script).' 2>&1';
        self::$output = array('command' => $cmd); // reset output left over from a previous call
        exec($cmd, self::$output, self::$error);

        if (self::$error) {
            throw new Exception ("\nError sshing: ".print_r(self::$output, true));
        }

        return self::$output;
    }
}
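
Added example (not part of either post and not cPanel code): a forced-command gate for the SSH route suggested above, so the key used by the remote caller can only trigger the light suspend and never an "unsuspend" or an arbitrary command. The wrapper path, the `lightsuspend <user>` request format, the username rule and the authorized_keys line are assumptions; the script path is the one from the thread.

```sh
#!/bin/sh
# Forced-command gate for the SSH route (added example, hypothetical names).
# Assumed authorized_keys line for root on the cPanel server (one line):
#   command="/usr/local/sbin/lightsuspend-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <public-key> billing-host
LC_ALL=C; export LC_ALL        # make [a-z] mean ASCII only
SCRIPT=/usr/local/cpanel/scripts/lightsuspendacct   # script path from the thread

# parse_request REQUEST: print the account name if REQUEST is exactly
# "lightsuspend <user>", otherwise return 1 and print nothing.
parse_request() {
    # Allow only [a-z0-9 ] so the unquoted split below cannot glob and no
    # shell metacharacter ever reaches the privileged script.
    case $1 in
        ''|*[!a-z0-9\ ]*) return 1 ;;
    esac
    set -- $1
    [ $# -eq 2 ] || return 1
    [ "$1" = "lightsuspend" ] || return 1    # no "unsuspend" or other action
    # Assumed username rule: starts with a letter, at most 16 characters.
    case $2 in
        [a-z]*) ;;
        *) return 1 ;;
    esac
    [ ${#2} -le 16 ] || return 1
    [ "$2" != "root" ] || return 1
    printf '%s\n' "$2"
}

# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if user=$(parse_request "$SSH_ORIGINAL_COMMAND"); then
        logger -t lightsuspend-gate "light suspend requested for $user"
        exec "$SCRIPT" "$user"
    fi
    logger -t lightsuspend-gate "rejected request"
    exit 1
fi
```

With this in place the caller runs `ssh root@host lightsuspend bole`; whatever command string the client sends, sshd runs only the gate, and the gate runs only the one script with a validated account name.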