Minimal permissions for managing CSF through API token

[Miguel G]

I am setting up an API token for accessing CSF and run this command:

https://server:2087/cgi/configserver/csf.cgi?action=kill&ip=XXX.XXX.XXX.XXX

If I give full permissions it works fine, but If I try to edit permissions and use minimal permissions just to access CSF and not other commands I get an error.

I have set up the following:

[x] Third Party ServicesAdditional Software
[x] ConfigServer Security & Firewall (Reseller UI) software-ConfigServer-csf

But It doesn´t work. I have tried to enable/disable other permissions but no luck.

 

[cPanelMichael]

If I give full permissions it works fine, but If I try to edit permissions and use minimal permissions just to access CSF and not other commands I get an error.

Hello,

Could you elaborate on how you are attempting to utilize the API token? Keep in mind that per our documentation, you can currently only use API tokens with the following features:

• WHM API functions.
• DNS Clusters.
• Configuration Clusters.

Thank you.

 

[Miguel G]

Not sure I understand what you mean.

I am trying to unblock an IP in CSF. As I said with full permissions I am able to do that.

 

[cPanelMichael]

Hello,

For instance, how are you authenticating with the API token? Are you using a web browser? What error message do you receive?

Thank you.

 

[Miguel G]

I have already explained above how I access, through URL:

https://server:2087/cgi/configserver/csf.cgi?action=kill&ip=XXX.XXX.XXX.XXX

I get:

You do not have access to ConfigServer Firewall.

 

[cPanelMichael]

You do not have access to ConfigServer Firewall.

If you are logging in as a reseller to access CSF, you must first authorize the reseller user via the following option as "root" in "WHM >> ConfigServer Security & Firewall":

CSF >> cPanel Resellers >> Edit Reseller Privs

Thank you.

 

[Miguel G]

I´m not giving permissions to any reseller. I just create an API token in "Manage API tokens" and use with root as in PHP

$api = curl_init();
curl_setopt($api, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($api, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($api, CURLOPT_HEADER, 0);
curl_setopt($api, CURLOPT_RETURNTRANSFER, 1);
$auth[0] = "Authorization: WHM root:$token";
curl_setopt($api, CURLOPT_HTTPHEADER, $auth);

Thanks!

 

[cPanelMichael]

Hello,

I believe this is a limitation of the CSF application itself. For instance, I was able to get it working by authorizing "root" via the following option in "WHM >> ConfigServer Security & Firewall":

CSF >> cPanel Resellers >> Edit Reseller Privs

EX:

root:1:USE,UNBLOCK

I recommend reporting this to ConfigServer directly:

Report Bugs (csf) - ConfigServer Community Forum

Thank you.

 

[Miguel G]

Thanks! I am going to report it as a bug, but I still I don´t get the same message reporting the IP has been unblocked. I get no message!

 

[Miguel G]

Is there any way to create an API token for a simple account? I am thinking of creating a separate user for unblocking IPs

 

[cPanelMichael]

Is there any way to create an API token for a simple account? I am thinking of creating a separate user for unblocking IPs

You could create a new cPanel user and make it a reseller. You'd then access WHM as the reseller user and browse to "WHM Home » Development » Manage API Tokens" to create a separate API token for the reseller. There's a feature request here you may also want to vote for:

root to be able to manage all user's tokens with api_token functions

Thank you.

 

[Miguel G]

Thanks for your reply! But if that account credentials are taken, new accounts could be created by the bad guys, couldn´t they?

Is it possible to create a reseller account with minimum permissions?

 

[cPanelMichael]

Is it possible to create a reseller account with minimum permissions?

Yes, you can limit access to what the reseller can do at:

Edit Reseller Nameservers and Privileges - Version 70 Documentation - cPanel Documentation

Thank you.

 

[Miguel G]

I haven´t upgraded to version 70 yet, I´m at 68 right now. Can I still do this?

 

[cPanelMichael]

Hello,

Yes, the same feature is available in cPanel version 68.

Thank you.

 

[Miguel G]

The CSF support has answered here:

Can´t create CSF only permissions for API token used by root - ConfigServer Community Forum

They blame the API, maybe you want to look into it or answer them.

I have successfully created a reseller account with only CSF permissions

 

[cPanelMichael]

Hello Miguel,

Please keep in mind that we currently only support the use of API tokens with the following features:

• WHM API functions.
• DNS Clusters.
• Configuration Clusters

This is documented at:

Manage API Tokens - Version 70 Documentation - cPanel Documentation

The URL you are using in your custom script is not a cPanel or WHM API function. For instance, notice in the example script the URL is:

https://127.0.0.1:2087/json-api/listaccts?api.version=1

In particular, note the use of "json-api/listaccts?api.version=1", as that's indicating the use of a WHM API 1 function. In your custom script, you use the following:

https://127.0.0.1:2087/cgi/configserver/csf.cgi?action=kill&ip=XXX.XXX.XXX.XXX

Notice how your link is just a direct link that you would use in a web browser as opposed to an actual WHM API 1 function. While this is technically possible with CGI scripts when the application is registered as a plugin with the AppConfig system, it's up to the third-party developer to verify their specific application supports usage in this manner. As I understand, CSF is only guaranteed to work via the normal access to Web Host Manager in a browser per their quote in that thread:

Using a method of access to the csf UI other that via the normal WHM login is at your own risk as it is only guaranteed to work via that normal WHM login method so far as the script is concerned.

Thank you.

 

[Miguel G]

So, as a WHM API function, is there any way to accomplish this?

 

[cPanelMichael]

So, as a WHM API function, is there any way to accomplish this?

Hello,

No, we don't provide any direct WHM API 1 functions to manage CSF because CSF is not a feature of cPanel & WHM. It's a third-party application and thus would require it's own separate API. Additionally, note the following quote from CSF on this forum post:

Using a method of access to the csf UI other that via the normal WHM login is at your own risk as it is only guaranteed to work via that normal WHM login method so far as the script is concerned.

Thank you.