Guide to WHM Plugins - Access Control Lists

Introduction

Access Control Lists (ACLs) limit the features that WHM users can access. Each ACL represents permissions that the rootuser can grant to other WHM accounts (resellers).

  • Server administrators can define ACLs in WHM's  Edit Reseller Nameservers and Privileges  interface (Home >> Resellers >> Edit Reseller Nameservers and Privileges).
  • The system stores ACL information in the /var/cpanel/resellers file.

Warning:

WHM plugins must check the authenticated user's ACLs.

  • By default, WHM plugins execute as the root user. Without appropriate ACL checks, unsafe plugins present a serious security threat.
  • ACL checks are necessary regardless of whether the plugin displays in the WHM Home interface.

ACL checks

PERL

The following code uses the Whostmgr::ACLS module to parse ACL information:

use lib '/usr/local/cpanel/';
use Whostmgr::ACLS ();
Whostmgr::ACLS::init_acls();
if (!Whostmgr::ACLS::checkacl( 'all' ) ) {
        print 'Access Denied.';
        exit;
} 

  • Line 1 uses the lib pragma to add the contents of the /usr/local/cpanel directory and its subdirectories to @INC.
  • Line 2 instantiates the Whostmgr::ACLS object.
  • Line 3 loads the server's available ACLs.

Warning:

You must use the init_acls() function to load the server's ACLs in all code that uses the Whostmgr::ACLSmodule. 

  • Lines 4 through 7 check whether the authenticated user has the all ACL. 
    • The all ACL indicates that the user has root-level privileges on the server.
    • If the user does not have the all ACL, the system prints an error message and exits, which denies the user access to the plugin.

PHP

The following code checks the authenticated user's ACLs:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
function checkacl ($acl) {
    $user $_ENV['REMOTE_USER'];
  
    if ($user == "root") {
        return 1;
    }
  
    $reseller file_get_contents("/var/cpanel/resellers");
    foreach ( split( "\n"$reseller as $line ) {
        if ( preg_match( "/^$user:/"$line) ) {
            $line = preg_replace( "/^$user:/"""$line);
            foreach ( split(","$line )  as $perm ) {
                if $perm == "all" || $perm == $acl ) {
                    return 1;
                }
            }
        }
    }
    return 0;
}
  • Lines 1 through 6 check whether the user is the root user. If the user is the root user, the system returns true and grants the user access to the plugin.
  • Line 8 loads the contents of the /var/cpanel/resellers file, which contains ACL list information for the server.
  • Lines 9 through 20 check whether the authenticated user has the all ACL. 
    • If the user has the all ACL, the system returns true and grants the user access to the plugin.
    • If the user does not have the all ACL, the system returns false and denies the user access to the plugin.

 

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

The cPanel Interface

For  cPanel  &  WHM  version  58 Overview The cPanel interface is...

User Preferences

For cPanel & WHM version 58 Overview This document outlines how to access your cPanel...

Manage External Authentications

For cPanel & WHM version 58 Overview Manage credentials Additional documentation...

What is cPanelID?

In This Article:  Overview ServicesHow to get a cPanelID cPanelID External...

Guide to cPanel Interface Customization - cPanel Style Development

Introduction You can develop custom styles that modify the appearance of the cPanel interface....