Minimal permissions for managing CSF through API token

Discussion in 'cPanel Developers' started by Miguel G, Mar 2, 2018.

  1. Miguel G

    Miguel G Well-Known Member

    Joined:
    Jun 4, 2015
    Messages:
    73
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Twitter:
    I am setting up an API token for accessing CSF and running this command:

    https://server:2087/cgi/configserver/csf.cgi?action=kill&ip=XXX.XXX.XXX.XXX

    If I give full permissions it works fine, but if I try to edit permissions and use minimal permissions just to access CSF and not other commands, I get an error.

    I have set up the following:

    [x] Third Party Services Additional Software
    [x] ConfigServer Security & Firewall (Reseller UI) software-ConfigServer-csf

    But it doesn't work. I have tried to enable/disable other permissions but no luck.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,870
    Likes Received:
    1,811
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you elaborate on how you are attempting to utilize the API token? Keep in mind that per our documentation, you can currently only use API tokens with the following features:
    • WHM API functions.
    • DNS Clusters.
    • Configuration Clusters.
    Thank you.
     
  3. Miguel G

    Not sure I understand what you mean.

    I am trying to unblock an IP in CSF. As I said, with full permissions I am able to do that.
     
  4. cPanelMichael

    Hello,

    For instance, how are you authenticating with the API token? Are you using a web browser? What error message do you receive?

    Thank you.
     
  5. Miguel G

  6. cPanelMichael

    If you are logging in as a reseller to access CSF, you must first authorize the reseller user via the following option as "root" in "WHM >> ConfigServer Security & Firewall":

    CSF >> cPanel Resellers >> Edit Reseller Privs

    Thank you.
     
  7. Miguel G

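    I'm not giving permissions to any reseller. I just create an API token in "Manage API tokens" and use it with root, as in PHP:

    // Set up the cURL handle for the request.
    $api = curl_init();
    // Certificate and hostname verification are both switched off here.
    curl_setopt($api, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($api, CURLOPT_SSL_VERIFYHOST, 0);
    // Return the response body as a string, without the response headers.
    curl_setopt($api, CURLOPT_HEADER, 0);
    curl_setopt($api, CURLOPT_RETURNTRANSFER, 1);
    // Authenticate as root with the API token.
    $auth[0] = "Authorization: WHM root:$token";
    curl_setopt($api, CURLOPT_HTTPHEADER, $auth);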

    Thanks!
     
  8. cPanelMichael

    Hello,

    I believe this is a limitation of the CSF application itself. For instance, I was able to get it working by authorizing "root" via the following option in "WHM >> ConfigServer Security & Firewall":

    CSF >> cPanel Resellers >> Edit Reseller Privs

    EX:

    Code:
    root:1:USE,UNBLOCK


    I recommend reporting this to ConfigServer directly:

    Report Bugs (csf) - ConfigServer Community Forum

    Thank you.
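
Added example, not part of the thread and not ConfigServer's or cPanel's code: a small Python audit for reseller privilege lines in the format shown in the post above (`root:1:USE,UNBLOCK`), flagging any entry that holds more or less than the two privileges that post used. The meaning of the middle field is not stated in the thread, so the script carries it through untouched; every sample line except the `root` one is constructed, and `ALLOW`/`DENY` appear there only as assumed names for extra privileges.

```python
# Privileges the unblock automation in this thread needs (from the post).
NEEDED = frozenset({"USE", "UNBLOCK"})

# Constructed sample; only the "root" line appears in the thread.
SAMPLE = """\
# constructed reseller privilege entries
root:1:USE,UNBLOCK
unblockbot:0:USE,UNBLOCK,ALLOW,DENY
helpdesk:1:UNBLOCK
broken line without fields
"""

def parse_line(line):
    """Return (user, flag, privs) or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) != 3 or not parts[0]:
        raise ValueError(f"malformed entry: {line!r}")
    user, flag, privs = parts
    return user, flag, {p.strip().upper() for p in privs.split(",") if p.strip()}

def audit(text, needed=NEEDED):
    """Return (line_no, user, finding) for every entry that is not exactly `needed`."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(raw)
        except ValueError as exc:
            findings.append((n, None, f"unparseable: {exc}"))
            continue
        if entry is None:
            continue
        user, _flag, privs = entry
        excess, missing = sorted(privs - needed), sorted(needed - privs)
        if excess:
            findings.append((n, user, "excess: " + ",".join(excess)))
        if missing:
            findings.append((n, user, "missing: " + ",".join(missing)))
    return findings

if __name__ == "__main__":
    for line_no, user, finding in audit(SAMPLE):
        print(f"line {line_no}: {user or '?'}: {finding}")
```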
     
  9. Miguel G

    Thanks! I am going to report it as a bug, but I still don't get the same message reporting that the IP has been unblocked. I get no message!
     
  10. Miguel G

    Is there any way to create an API token for a simple account? I am thinking of creating a separate user for unblocking IPs.
     
  11. cPanelMichael

    You could create a new cPanel user and make it a reseller. You'd then access WHM as the reseller user and browse to "WHM Home » Development » Manage API Tokens" to create a separate API token for the reseller. There's a feature request here you may also want to vote for:

    root to be able to manage all user's tokens with api_token functions

    Thank you.
     
  12. Miguel G

    Thanks for your reply! But if that account's credentials are taken, new accounts could be created by the bad guys, couldn't they?

    Is it possible to create a reseller account with minimum permissions?
     
  13. cPanelMichael

  14. Miguel G

    I haven't upgraded to version 70 yet; I'm at 68 right now. Can I still do this?
     
  15. cPanelMichael

    Hello,

    Yes, the same feature is available in cPanel version 68.

    Thank you.
     
  16. Miguel G

  17. cPanelMichael

    Hello Miguel,

    Please keep in mind that we currently only support the use of API tokens with the following features:
    • WHM API functions.
    • DNS Clusters.
    • Configuration Clusters
    This is documented at:

    Manage API Tokens - Version 70 Documentation - cPanel Documentation

    The URL you are using in your custom script is not a cPanel or WHM API function. For instance, notice in the example script the URL is:

    Code:
    https://127.0.0.1:2087/json-api/listaccts?api.version=1
    In particular, note the use of "json-api/listaccts?api.version=1", as that's indicating the use of a WHM API 1 function. In your custom script, you use the following:

    Code:
    https://127.0.0.1:2087/cgi/configserver/csf.cgi?action=kill&ip=XXX.XXX.XXX.XXX
    Notice how your link is just a direct link that you would use in a web browser as opposed to an actual WHM API 1 function. While this is technically possible with CGI scripts when the application is registered as a plugin with the AppConfig system, it's up to the third-party developer to verify their specific application supports usage in this manner. As I understand, CSF is only guaranteed to work via the normal access to Web Host Manager in a browser per their quote in that thread:

    Thank you.
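
Added example, not code from the thread or from cPanel: a pre-flight check in Python that an automation script could run before attaching an API token, reflecting the distinction drawn in the post above between a WHM API 1 URL and a direct CGI link. The function names and the refusal policy are assumptions of this example; the `Authorization` header format is the one posted earlier in the thread, and `send()` keeps certificate and hostname verification on.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit, parse_qs

def classify(url):
    """Return 'whm-api1', 'cgi' or 'other' for a WHM URL."""
    u = urlsplit(url)
    segs = [s for s in u.path.split("/") if s]
    version = parse_qs(u.query).get("api.version")
    if len(segs) == 2 and segs[0] == "json-api" and version == ["1"]:
        return "whm-api1"
    if segs and segs[0] == "cgi":
        return "cgi"
    return "other"

def preflight(url):
    """List reasons not to attach an API token to this URL."""
    problems = []
    if urlsplit(url).scheme != "https":
        problems.append("not https: the token would cross the network in clear text")
    kind = classify(url)
    if kind == "cgi":
        problems.append("direct CGI link: token support depends on the third-party plugin")
    elif kind == "other":
        problems.append("not a /json-api/<function>?api.version=1 URL")
    return problems

def build_request(url, user, token):
    """Build the request only if preflight() finds nothing wrong."""
    problems = preflight(url)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(url)
    # Header format as posted in the thread's PHP snippet.
    req.add_header("Authorization", f"WHM {user}:{token}")
    return req

def send(req, cafile=None):
    """Send with certificate and hostname verification left on.
    cafile: optional CA bundle for a server using a private or self-signed CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status, resp.read()

# URLs quoted in the thread, kept here for reference and testing.
API_URL = "https://127.0.0.1:2087/json-api/listaccts?api.version=1"
CGI_URL = "https://127.0.0.1:2087/cgi/configserver/csf.cgi?action=kill&ip=XXX.XXX.XXX.XXX"
```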
     