unsecure Plugin LiveApi PHP Script shows source and PASSWORD

Mrg

Member
Feb 8, 2012
18
1
51
cPanel Access Level
Root Administrator
I wrote a plugin to connect to a remote MySQL host and read some data.

/usr/local/cpanel/base/frontend/x3/remtool/remtool.live.php

Works great, but e.g. all users with PHP or all cron jobs can read this file and SEE THE PASSWORD of the MySQL connection.
The file must be readable by world, otherwise the cPanel frontend displays "access denied".

How can I solve this?
I want to run a PHP plugin whose source is not readable by other cPanel users.

Thanks,
hope I explained enough.
 

cPanelDavidN

Well-Known Member
Staff member
Dec 17, 2009
571
3
68
Houston, TX
cPanel Access Level
Root Administrator
You should not place the password in plain text in your LiveAPI plugin.

Because plugins are normally run as the cPanel user, the source must be readable by the user. The only way to avoid that is to have a standalone application that runs as a specific user, which is not possible using LiveAPI (but you could do it if you have a std PHP application and use AppConfig which allows you to specify the system user to serve the application with as well as specify a custom php.ini).

The most direct path available to you that I can think of, if you wish to use LiveAPI, would be to have your database operations live in a separate codebase, and have your LiveAPI code request data or database actions via execution of a privilege escalation script (whether it's from a direct system call or through a custom cPanel Perl module). However, this pattern is very important to perform correctly: if you have a script that will escalate to root, so that it can read a private file to get remote credentials and perform arbitrary actions, it's the same as just giving them the password. You have to have proper sanity checks in your escalation script!

As long as you have user-served code accessing a shared database (remote or local), you're going to have problems if you try to have all the logic in a LiveAPI script. You need to have a clean API for your application's logic and only use the cPanel LiveAPI as a frontend...its purpose should be making requests on the user's behalf to your secure codebase. These "API requests" should go through a privilege escalation script, which verifies that the calling user is only requesting operations against data they own, and then performs the operation and returns the result.

If you don't need access to cPanel's API1 or API2 functions, then you can just have a normal PHP app that lives in /usr/local/cpanel/base/3rdparty/* and use AppConfig to serve the application as a system user you create when you deploy your plugin. This allows you to set the password file to read-only for that system user. This is the most straightforward approach, but it means that you don't have local cPanel API1 and API2 access; you'd have to use the Remote API (pointing to the loopback IP) to trigger those API calls.

Regards,
-DavidN
 

Mrg

Thanks a lot,
helps much.

The privilege escalation script is nice; now we run special PHP scripts with root privs.
Of course we secure the wrapper (only exec PHP scripts from a special directory, escaping args and so on).

Regards
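
The escalation pattern DavidN describes, with the kind of wrapper checks Mrg mentions, sketched as an added example; it is not code from the thread or from cPanel. It assumes the escalation wrapper preserves the caller's real UID, and the credentials path, table, column and action names are hypothetical.

```php
<?php
// Added example: broker run by the escalation wrapper, never by the user directly.
// CRED_FILE, the table/column names and the action names are hypothetical.
declare(strict_types=1);

const CRED_FILE = '/root/.remtool.ini';   // expected root:root, mode 0600
const ACTIONS = [                         // allowlist: fixed SQL, always scoped by owner
    'list_items' => 'SELECT id, label FROM remtool_data WHERE owner = :owner',
    'get_item'   => 'SELECT id, label, body FROM remtool_data WHERE owner = :owner AND id = :id',
];

function deny(string $why): void {
    fwrite(STDERR, "denied: $why\n");
    exit(1);
}

// Caller identity comes from the kernel, never from arguments or environment.
$pw = posix_getpwuid(posix_getuid());
if ($pw === false || $pw['uid'] === 0) { deny('unknown or root caller'); }

$action = $argv[1] ?? '';
if (!array_key_exists($action, ACTIONS)) { deny('unknown action'); }

$params = [':owner' => $pw['name']];
if ($action === 'get_item') {
    $id = $argv[2] ?? '';
    if (!ctype_digit($id) || strlen($id) > 10) { deny('bad id'); }
    $params[':id'] = (int)$id;
}

// Refuse to run if the credentials file is accessible to anyone but root.
$st = @stat(CRED_FILE);
if ($st === false || $st['uid'] !== 0 || ($st['mode'] & 0077) !== 0) {
    deny('unsafe credentials file');
}
try {
    $cfg = parse_ini_file(CRED_FILE);
    if ($cfg === false) { deny('unreadable credentials file'); }
    $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $stmt = $pdo->prepare(ACTIONS[$action]);
    $stmt->execute($params);
    echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC)), "\n";
} catch (Throwable $e) {
    deny('backend error');   // generic message: no DSN or password in output
}
```

The LiveAPI frontend passes only an action name and an id; the user never supplies SQL, a script path or an owner name, so the broker cannot be steered to another account's rows.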