The Community Forums


Restorepkg on perl api?

Discussion in 'cPanel Developers' started by horyfilipe, Jul 2, 2007.

  1. horyfilipe

    horyfilipe Active Member

    Joined:
    Oct 24, 2005
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    Is there anything like restorepkg available in the Perl API? I am trying to make an addon for resellers so that they can restore their migration backup files. Using /scripts/restorepkg won't work because somehow it will only allow root to proceed.
     
  2. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
  3. horyfilipe

    horyfilipe Active Member

    Joined:
    Oct 24, 2005
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    Oh nice, I will check. Thanks!
     
  4. horyfilipe

    horyfilipe Active Member

    Joined:
    Oct 24, 2005
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    Still no luck. I can't find a way to use restorepkg via WHM/Perl. Any ideas from anyone?
     
  5. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    You could write a setuid script if you know how to manage the security. Be careful with this because, unless done carefully, it can be a major security liability.

    Another alternative is to write something that simulates a browser submitting to WHM, i.e. acts like you are inside WHM and sends the correct passwords etc. This is something a lot of us have done.
     
  6. horyfilipe

    horyfilipe Active Member

    Joined:
    Oct 24, 2005
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    You know, I had tried the setuid approach and I don't know why, but it didn't work. That's why I opened this thread :/
     
  7. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    Never restore a package file from an untrusted source. Period.
     
  8. horyfilipe

    horyfilipe Active Member

    Joined:
    Oct 24, 2005
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    I appreciate your input, but I was wondering if you could tell me why this is so risky?

    If cPanel itself checks for existing domains/users, why should resellers be kept from restoring backups?
     
  9. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    Since it contains all the information on the account and all its privileges, you could easily modify the backup and give a restored account access to anything.
     
  10. horyfilipe

    horyfilipe Active Member

    Joined:
    Oct 24, 2005
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    Sorry, but let me try to get this straight.

    You are saying that a cPanel backup file can be modified to give the account certain privileges.

    But suppose you have a hosting company and you sell reseller plans. Then you get a new reseller and he wants to restore 100 backups. He sends them to his FTP and you go and restore them. Isn't it the same? Or are we supposed to check each file? And look for what?
     
  11. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    It's exactly the same. If you don't trust the reseller, you should check every file in the backup before restoring it. The same wisdom goes for running any commands on the server, or opening attachments in email. You can minimize the risk by not restoring reseller privs, as this is the easiest way someone could modify a backup.
     
  12. horyfilipe

    horyfilipe Active Member

    Joined:
    Oct 24, 2005
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    So, some backup can be restored as a reseller and even get root privileges? I didn't know that would be possible.

    But anyway, if what I just said above is true, it wouldn't be much of a problem if, after each backup restore, the script removes all reseller privileges, if any. Then I think it would be OK, right?
     
  13. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    You can't restore full backups as a reseller; only root can restore full backups. When restoring the backup you have the option of not restoring the reseller privs.

    Under NO circumstances should you ever restore backups from someone you cannot reasonably trust.
     
  14. horyfilipe

    horyfilipe Active Member

    Joined:
    Oct 24, 2005
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    Yes, but I mean, suppose I get a new reseller with 100 backups to restore, and suppose I get many resellers per day (let's say I invest a lot in ads). I will have to check for reseller/root privileges on each account restored, right? Every single time I need to restore, I will have to check this. Seems strange.
     
  15. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    If you don't restore the reseller privs, you should be pretty safe, but they could still sneak a log file or extra database in there and overwrite someone else's data.
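A pre-restore inspection along the lines cPanelNick describes, as an added example that is not from this thread or from cPanel: it lists archive members that carry reseller privileges, database dumps not prefixed with the account name, and paths that would extract outside the target directory. The `<account>/` top-level prefix and the `resellerconfig/` and `mysql/` directory names are assumptions about the archive layout, and the sample archive is constructed in memory.

```python
import io
import posixpath
import tarfile

# Assumed cpmove layout (not cPanel documentation): members live under "<account>/",
# reseller ACLs under resellerconfig/, database dumps as mysql/<dbname>.sql.
RESELLER_PREFIX = "resellerconfig/"
MYSQL_PREFIX = "mysql/"


def _escapes_root(path):
    """True when extracting this path could land outside the extraction directory."""
    return path.startswith("/") or ".." in posixpath.normpath(path).split("/")


def audit_cpmove(tar_bytes, account):
    """Return (kind, member_name) findings a reviewer should look at before restoring."""
    findings = []
    prefix = account + "/"
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            rel = m.name[len(prefix):] if m.name.startswith(prefix) else m.name
            link_escapes = (m.issym() or m.islnk()) and _escapes_root(m.linkname)
            if _escapes_root(m.name) or link_escapes:
                findings.append(("path-traversal", m.name))
            elif rel.startswith(RESELLER_PREFIX):
                findings.append(("reseller-privs", m.name))
            elif rel.startswith(MYSQL_PREFIX) and rel.endswith(".sql"):
                # cPanel databases carry the owning account as a prefix; any other
                # name could overwrite another customer's data on restore.
                dbname = posixpath.basename(rel)[:-4]
                if not dbname.startswith(account + "_"):
                    findings.append(("foreign-database", m.name))
    return findings


def build_sample(account):
    """Constructed sample archive: two benign members plus three that should be flagged."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in [
            (f"{account}/homedir/public_html/index.html", b"<h1>constructed</h1>\n"),
            (f"{account}/mysql/{account}_blog.sql", b"-- constructed, owned by account\n"),
            (f"{account}/resellerconfig/resellers", b"constructed reseller ACL file\n"),
            (f"{account}/mysql/otheracct_shop.sql", b"-- constructed, not this account's\n"),
            ("../../tmp/escaped.txt", b"constructed: would land outside extraction dir\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Running `audit_cpmove(build_sample("hory"), "hory")` flags the reseller file, the foreign database and the traversal member while leaving the account's own files alone.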
     
  16. horyfilipe

    horyfilipe Active Member

    Joined:
    Oct 24, 2005
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    I think the risk is the same, especially for those companies who get many new clients per day. They are supposed to check each backup, but none do it. Many use /scripts/restorepkg and, as far as I know, there is no option to "not restore" reseller privileges using this script. I can only think of making an addon to /scripts/restorepkg to remove any reseller privilege after restoring an account.

    I was wondering if there is any way to use /scripts/restorepkg from a non-root account. I tried setuid but for some reason it doesn't work.

    About the file or database overwrite risk, I also think it's still the same, even when restored by root. They can do it and we will only notice when someone complains, and that's why I don't really get the point. I made some tests: I signed up with some companies and sent the backup with root privileges and woot. Fortunately it looks like nobody has attempted it yet; maybe some will after reading this thread, unfortunately :/

    My suggestion is that cPanel make some fix and improve /scripts/restorepkg to really ask about restoring reseller privileges, or even auto-remove any after restoring a backup. Then they could be added manually if needed.
     
  17. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Setuid would work, but you have to know how to drive it. If you don't know how to drive it already, you are probably creating a serious security liability for yourself! Catch-22, I know, but that's life.

    I don't think this is going to happen because of the security implications.

    Perhaps another business model might serve you well? Just a thought, hope you don't mind me suggesting it.
     