You should not place the password in plain text in you LiveAPI plugin.
Because plugins are normally run as the cPanel user, the source must be readable by the user. The only way to avoid that is to have a standalone application that runs as a specific user, which is not possible using LiveAPI (but you could do it if you have a std PHP application and use AppConfig
which allows you to specify the system user to serve the application with as well as specify a custom php.ini).
The most direct path available to you that I can think of, if you wish to use LiveAPI, would be to have your database operations live in a separate codebase, and have your LiveAPI code request data or database actions via execution of a privilege escalation script
(whether it's from a direct system call or through a custom cPanel Perl module). However, this pattern is very important to perform correctly: if you have a script that will escalate to root, so that it can read a private file to get remote credentials and perform arbitrary actions, it's the same as just giving them the password. You have to have proper sanity checks in your escalation script!
As long as you have user-served code accessing a shared database (remote or local), you're going to have problems if you try to have all the logic in a LiveAPI script. You need to have a clean API for you application's logic and only use the cPanel LiveAPI as a frontend...it purpose should be making requests on the user's behalf to your secure codebase. These "API requests" should go through a privilege escalation script, which verifies that the calling user is only requesting operations against data they own, and then perform the operation and return the result
If you don't need access to cPanel's API1 or API2 functions, then you can just have a normal PHP app that lives in /usr/local/cpanel/base/3rdparty/* and use AppConfig
to server the application as a system user you create when you deploy your plugin. This allows you to set the password file to read-only for that system user. This is the most straight forward approach, but it means that you don't have local cPanel API1 and API2 access; you'd have to use the Remote API (pointing to the loopback IP) to trigger those API calls.