
privilege escalation in hook

Discussion in 'cPanel Developers' started by gnusys, Feb 13, 2016.

  1. gnusys

    gnusys Active Member

    I have a hook in the http domain log parse and I followed the same example used in the doc

    Guide to Standardized Hooks - Privilege Escalation - Software Development Kit - cPanel Documentation

    Exact command used to register the hook:

    /usr/local/cpanel/bin/manage_hooks add script /var/cpanel/myapp/do_extra.php --manual --category Stats --event RunUser --stage pre --exectype script --escalateprivs



    [~]# cat /usr/local/cpanel/3rdparty/bin/reload_nginx.sh
    #!/bin/bash
    /usr/sbin/nginx -s reload
    echo '1 nginX::reloaded'


    But on running runweblogs I get the following error


    info [cpanellogd] A script hook attempted to escalate privileges when escalation was not permitted in Stats::RunUser with the script /usr/local/cpanel/3rdparty/bin/reload_nginx.sh

    What am I doing wrong?
     
  2. gnusys

    gnusys Active Member

    Sorry, the exact command to register the hook was:

    [~]# /usr/local/cpanel/bin/manage_hooks add script /usr/local/cpanel/3rdparty/bin/reload_nginx.sh --manual --category Stats --event RunUser --stage post --exectype script --escalateprivs
     
  3. gnusys

    gnusys Active Member

    I think the example you people have given in Guide to Standardized Hooks - Privilege Escalation - Software Development Kit - cPanel Documentation is itself wrong

    Examples
    HTTP domain logs are parsed as the cPanel account that owns the domain. In this example, the /var/cpanel/myapp/do_extra.pl script will run as the root user immediately before the HTTP domain logs parse

    Because in Guide to Standardized Hooks - Stats Functions - Software Development Kit - cPanel Documentation

    The Escalate Privileges Attribute
    is set with a red X mark. This means privilege escalation won't work for RunUser

    Which the example contradicts.


    Please confirm
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  5. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Hello,

    I filed case DOC-6832 to get the documentation clarified.

    Thank you.
     