Minimal permissions for managing CSF through API token

Miguel G

Well-Known Member
Jun 4, 2015
86
0
6
Spain
cPanel Access Level
Root Administrator
Twitter
I am setting up an API token for accessing CSF and run this command:

https://server:2087/cgi/configserver/csf.cgi?action=kill&ip=XXX.XXX.XXX.XXX

If I give full permissions it works fine, but if I try to edit permissions and use minimal permissions just to access CSF and not other commands I get an error.

I have set up the following:

[x] Third Party ServicesAdditional Software
[x] ConfigServer Security & Firewall (Reseller UI) software-ConfigServer-csf

But it doesn't work. I have tried to enable/disable other permissions but no luck.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
If I give full permissions it works fine, but if I try to edit permissions and use minimal permissions just to access CSF and not other commands I get an error.
Hello,

Could you elaborate on how you are attempting to utilize the API token? Keep in mind that per our documentation, you can currently only use API tokens with the following features:
  • WHM API functions.
  • DNS Clusters.
  • Configuration Clusters.
Thank you.
 

cPanelMichael

Hello,

For instance, how are you authenticating with the API token? Are you using a web browser? What error message do you receive?

Thank you.
 

cPanelMichael

You do not have access to ConfigServer Firewall.
If you are logging in as a reseller to access CSF, you must first authorize the reseller user via the following option as "root" in "WHM >> ConfigServer Security & Firewall":

CSF >> cPanel Resellers >> Edit Reseller Privs

Thank you.
 

Miguel G

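I'm not giving permissions to any reseller. I just create an API token in "Manage API tokens" and use it with root, as in this PHP:

// $token holds the API token created in "Manage API tokens".
$api = curl_init();
// Keep certificate and host name verification on: the header below carries a root API token.
curl_setopt($api, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($api, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($api, CURLOPT_HEADER, 0);          // leave response headers out of the returned body
curl_setopt($api, CURLOPT_RETURNTRANSFER, 1);  // return the body from curl_exec() instead of printing it
// Token authentication header: "WHM <user>:<token>"
$auth = ["Authorization: WHM root:$token"];
curl_setopt($api, CURLOPT_HTTPHEADER, $auth);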

Thanks!
 

cPanelMichael

Hello,

I believe this is a limitation of the CSF application itself. For instance, I was able to get it working by authorizing "root" via the following option in "WHM >> ConfigServer Security & Firewall":

CSF >> cPanel Resellers >> Edit Reseller Privs

EX:

Code:
root:1:USE,UNBLOCK


I recommend reporting this to ConfigServer directly:

Report Bugs (csf) - ConfigServer Community Forum

Thank you.
 

cPanelMichael

Is there any way to create an API token for a simple account? I am thinking of creating a separate user for unblocking IPs
You could create a new cPanel user and make it a reseller. You'd then access WHM as the reseller user and browse to "WHM Home » Development » Manage API Tokens" to create a separate API token for the reseller. There's a feature request here you may also want to vote for:

root to be able to manage all user's tokens with api_token functions

Thank you.
 

cPanelMichael

Hello,

Yes, the same feature is available in cPanel version 68.

Thank you.
 

cPanelMichael

Hello Miguel,

Please keep in mind that we currently only support the use of API tokens with the following features:
  • WHM API functions.
  • DNS Clusters.
  • Configuration Clusters.
This is documented at:

Manage API Tokens - Version 70 Documentation - cPanel Documentation

The URL you are using in your custom script is not a cPanel or WHM API function. For instance, notice in the example script the URL is:

Code:
https://127.0.0.1:2087/json-api/listaccts?api.version=1
In particular, note the use of "json-api/listaccts?api.version=1", as that's indicating the use of a WHM API 1 function. In your custom script, you use the following:

Code:
https://127.0.0.1:2087/cgi/configserver/csf.cgi?action=kill&ip=XXX.XXX.XXX.XXX
Notice how your link is just a direct link that you would use in a web browser as opposed to an actual WHM API 1 function. While this is technically possible with CGI scripts when the application is registered as a plugin with the AppConfig system, it's up to the third-party developer to verify their specific application supports usage in this manner. As I understand, CSF is only guaranteed to work via the normal access to Web Host Manager in a browser per their quote in that thread:

Using a method of access to the csf UI other than via the normal WHM login is at your own risk as it is only guaranteed to work via that normal WHM login method so far as the script is concerned.
Thank you.
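
The distinction drawn above between a WHM API 1 function URL and a direct CGI link, as an added PHP example (not part of the thread, and not cPanel's or ConfigServer's code): it only ever builds `json-api/<function>?api.version=1` URLs, so the token is never sent to a link such as `/cgi/configserver/csf.cgi`, and it leaves TLS verification on. The function names and the `WHM_HOST` and `WHM_API_TOKEN` environment variables are assumptions made for the example.

```php
<?php
// Added example; function names and environment variable names are assumptions.

// Build a WHM API 1 URL. Only a bare function name is accepted, so a path such
// as "../cgi/configserver/csf.cgi" can never end up in the request.
function whm_api1_url(string $host, string $function, array $params = []): string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $function)) {
        throw new InvalidArgumentException("not a WHM API 1 function name: $function");
    }
    $query = http_build_query(['api.version' => 1] + $params);
    return "https://$host:2087/json-api/$function?$query";
}

// Call the function with token authentication and return the "data" member.
function whm_api1_call(string $host, string $user, string $token, string $function, array $params = []): array
{
    $ch = curl_init(whm_api1_url($host, $function, $params));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // the header below carries the token,
        CURLOPT_SSL_VERIFYHOST => 2,    // so certificate checks stay on
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_HTTPHEADER     => ["Authorization: WHM $user:$token"],
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("WHM request failed (HTTP $status)");
    }
    $json = json_decode($body, true);
    if ((int) ($json['metadata']['result'] ?? 0) !== 1) {
        throw new RuntimeException('WHM API error: ' . ($json['metadata']['reason'] ?? 'unknown'));
    }
    return $json['data'] ?? [];
}

// The direct CGI link from the thread is refused before any request is made.
try {
    whm_api1_url('server', '../cgi/configserver/csf.cgi');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
// Live call only when both variables are set; nothing is hard-coded.
$host = getenv('WHM_HOST'); $token = getenv('WHM_API_TOKEN');
if ($host !== false && $token !== false) {
    $data = whm_api1_call($host, 'root', $token, 'listaccts');
    printf("%d accounts\n", count($data['acct'] ?? []));
}
```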
 

cPanelMichael

So, as a WHM API function, is there any way to accomplish this?
Hello,

No, we don't provide any direct WHM API 1 functions to manage CSF because CSF is not a feature of cPanel & WHM. It's a third-party application and thus would require its own separate API. Additionally, note the following quote from CSF on this forum post:

Using a method of access to the csf UI other than via the normal WHM login is at your own risk as it is only guaranteed to work via that normal WHM login method so far as the script is concerned.
Thank you.