
Minimal permissions for managing CSF through API token

Comments

18 comments

  • cPanelMichael
    If I give full permissions it works fine, but if I try to edit permissions and use minimal permissions just to access CSF and not other commands, I get an error.

    Hello, Could you elaborate on how you are attempting to utilize the API token? Keep in mind that per our
    1
  • Miguel G
    Not sure I understand what you mean. I am trying to unblock an IP in CSF. As I said with full permissions I am able to do that.
    0
  • cPanelMichael
    Hello, For instance, how are you authenticating with the API token? Are you using a web browser? What error message do you receive? Thank you.
    0
  • Miguel G
    I have already explained above how I access, through URL:
    0
  • cPanelMichael
    You do not have access to ConfigServer Firewall.

    If you are logging in as a reseller to access CSF, you must first authorize the reseller user via the following option as "root" in "WHM >> ConfigServer Security & Firewall": CSF >> cPanel Resellers >> Edit Reseller Privs Thank you.
    0
  • Miguel G
    I'm not giving permissions to any reseller. I just create an API token in "Manage API tokens" and use it with root, as in PHP:

        $api = curl_init();
        // Certificate and hostname verification are turned off for this request
        curl_setopt($api, CURLOPT_SSL_VERIFYPEER, 0);
        curl_setopt($api, CURLOPT_SSL_VERIFYHOST, 0);
        curl_setopt($api, CURLOPT_HEADER, 0);
        curl_setopt($api, CURLOPT_RETURNTRANSFER, 1);
        // API token sent in the Authorization header as user root
        $auth[0] = "Authorization: WHM root:$token";
        curl_setopt($api, CURLOPT_HTTPHEADER, $auth);

    Thanks!
    0
  • cPanelMichael
    Hello, I believe this is a limitation of the CSF application itself. For instance, I was able to get it working by authorizing "root" via the following option in "WHM >> ConfigServer Security & Firewall": CSF >> cPanel Resellers >> Edit Reseller Privs EX: root:1:USE,UNBLOCK
    I recommend reporting this to ConfigServer directly: Report Bugs (csf) - ConfigServer Community Forum Thank you.
    0
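
A least-privilege check over reseller privilege entries in the `user:flag:PRIVILEGES` form shown above (`root:1:USE,UNBLOCK`), as an added example that is not part of the original thread or of CSF. The privilege names other than USE and UNBLOCK, the `#` comment handling and the sample lines are assumptions constructed for illustration.

```python
# Added example: audit CSF reseller privilege entries against a minimal policy.
# Assumed entry format, taken from the thread's "root:1:USE,UNBLOCK":
#   user:0|1:PRIV,PRIV,...
KNOWN_PRIVS = {"USE", "ALLOW", "DENY", "UNBLOCK"}  # assumed privilege names
MINIMAL = {"USE", "UNBLOCK"}                       # all an unblock script needs

# Constructed sample entries (not taken from a real server).
SAMPLE = """\
# constructed sample
root:1:USE,UNBLOCK
unblocker:1:USE,UNBLOCK
helpdesk:0:USE,ALLOW,DENY,UNBLOCK
broken-line
ops:1:USE,RESTART
"""

def parse_entry(line):
    """Return (user, flag, privs), or None for a blank or comment line."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split(":")
    if len(parts) != 3 or not parts[0] or parts[1] not in ("0", "1"):
        raise ValueError(f"malformed entry: {line!r}")
    privs = {p.strip().upper() for p in parts[2].split(",") if p.strip()}
    return parts[0], parts[1] == "1", privs

def audit(text, allowed=MINIMAL):
    """Return (line_no, user, finding) tuples for entries that break policy."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        try:
            entry = parse_entry(raw)
        except ValueError as exc:
            findings.append((no, None, str(exc)))
            continue
        if entry is None:
            continue
        user, _flag, privs = entry
        unknown = privs - KNOWN_PRIVS
        extra = (privs & KNOWN_PRIVS) - allowed
        if unknown:
            findings.append((no, user, "unknown privilege: " + ",".join(sorted(unknown))))
        if extra:
            findings.append((no, user, "exceeds minimal set: " + ",".join(sorted(extra))))
        if user == "root":
            findings.append((no, user, "entry is for root; prefer a restricted reseller"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```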
  • Miguel G
    Thanks! I am going to report it as a bug, but I still don't get the same message reporting the IP has been unblocked. I get no message!
    0
  • Miguel G
    Is there any way to create an API token for a simple account? I am thinking of creating a separate user for unblocking IPs
    0
  • cPanelMichael
    Is there any way to create an API token for a simple account? I am thinking of creating a separate user for unblocking IPs

    You could create a new cPanel user and make it a reseller. You'd then access WHM as the reseller user and browse to "WHM Home » Development » Manage API Tokens" to create a separate API token for the reseller. There's a feature request here you may also want to vote for: root to be able to manage all user's tokens with api_token functions. Thank you.
    0
  • Miguel G
    Thanks for your reply! But if that account's credentials are taken, new accounts could be created by the bad guys, couldn't they? Is it possible to create a reseller account with minimum permissions?
    0
  • cPanelMichael
    Is it possible to create a reseller account with minimum permissions?

    Yes, you can limit access to what the reseller can do at: Edit Reseller Nameservers and Privileges - Version 70 Documentation - cPanel Documentation Thank you.
    0
  • Miguel G
    I haven't upgraded to version 70 yet, I'm at 68 right now. Can I still do this?
    0
  • cPanelMichael
    Hello, Yes, the same feature is available in cPanel version 68. Thank you.
    0
  • Miguel G
    The CSF support has answered here: Can't create CSF only permissions for API token used by root - ConfigServer Community Forum. They blame the API, maybe you want to look into it or answer them. I have successfully created a reseller account with only CSF permissions.
    0
  • cPanelMichael
    Hello Miguel, Please keep in mind that we currently only support the use of API tokens with the following features:
    • WHM API functions.
    • DNS Clusters.
    • Configuration Clusters
    This is documented at: Manage API Tokens - Version 70 Documentation - cPanel Documentation The URL you are using in your custom script is not a cPanel or WHM API function. For instance, notice in the example script the URL is: https://127.0.0.1:2087/json-api/listaccts?api.version=1
    In particular, note the use of "json-api/listaccts?api.version=1", as that's indicating the use of a WHM API 1 function. In your custom script, you use the following: https://127.0.0.1:2087/cgi/configserver/csf.cgi?action=kill&ip=XXX.XXX.XXX.XXX
    Notice how your link is just a direct link that you would use in a web browser as opposed to an actual WHM API 1 function. While this is technically possible with CGI scripts when the application is registered as a plugin with the
    0
  • Miguel G
    So, as a WHM API function, is there any way to accomplish this?
    0
  • cPanelMichael
    So, as a WHM API function, is there any way to accomplish this?

    Hello, No, we don't provide any direct WHM API 1 functions to manage CSF because CSF is not a feature of cPanel & WHM. It's a third-party application and thus would require its own separate API. Additionally, note the following quote from CSF on
    0
