{"id":55,"date":"2009-08-27T11:45:14","date_gmt":"2009-08-27T16:45:14","guid":{"rendered":"http:\/\/blogs.wp.stage.cpanel.net\/2009\/08\/whm_plugins\/"},"modified":"2009-08-27T11:45:14","modified_gmt":"2009-08-27T16:45:14","slug":"whm_plugins","status":"publish","type":"post","link":"https:\/\/devel.www.cpanel.net\/blog\/products\/whm_plugins\/","title":{"rendered":"WHM Plugins"},"content":{"rendered":"
We really have no information available on how to write WHM Plugins.\u00a0 I have had 3 people ask me in the past 48 hours on how to write them, so I thought I might want to consolidate and post this knowledge.\u00a0 A WHM plugin is merely a simple CGI application that has a couple of special comments in it to handle how it is displayed.\u00a0 Any CGI language can be used here, however only perl will allow you access to some special functions that make permission handling much easier.<\/p>\n
All WHM plugins must be placed at \/usr\/local\/cpanel\/whostmgr\/docroot\/cgi<\/em> and must be prefixed with addon_ <\/em>and end with .cgi<\/em>.\u00a0 These must be owned by root:root<\/em> and be globally readable\/executable (755<\/em>), so don\u2019t store any access credentials in these scripts – have them load from other files that are root-readable only.<\/p>\n As I mentioned earlier, there are a couple of special comments that need to be placed inside of WHM Addons.\u00a0 The first one of these is the WHMADDON comment which sets how the plugin will be displayed in WHM: Where it says appname it should be replaced with the actual file name of the application excluding addon_ and .cgi, so if you have addon_test.cgi<\/em>, this would contain \u201ctest\u201d.\u00a0 Display Name refers to what will be displayed under the \u201cPlugins\u201d header of WHM.\u00a0 An example of how a #WHMADDON<\/em> should look for an application named \u201cSample Test App\u201d would be: ACLs<\/strong> Using the ACLS comment is pretty straightforward.\u00a0 You simply add #ACLS:<acl name>; this only controls which users will see the plugin in the WHM Plugins<\/em> section.\u00a0 If this is not set it will be viewable by ALL resellers. 
With this ACL in place, only reseller accounts that have access to the list-accts ACL will be able to view this plugin.<\/p>\n The other type of ACL actually enforces permissions.\u00a0 When this is not set, any reseller can visit cgi\/addon_APPNAME.cgi and execute the application with root permissions, so this is a very critical step in WHM Plugin development.<\/p>\n Inside of our product, we provide a module for performing this type of check called Whostmgr::ACLS<\/em>.\u00a0 This module has various functions relating to how ACLs work, but the only function we are concerned with is the checkacl()<\/em> function.\u00a0 This operates by being passed an ACL name and returning 1 or 0 depending on whether the user has access to this ACL or not.\u00a0 So if passed the \u201call\u201d ACL (which is indicative of \u201croot\u201d access) and a reseller without root access tried to access the addon script, it would return 0.\u00a0 This module requires some setup: since it is located outside of perl\u2019s normal include path, \/usr\/local\/cpanel<\/em> has to be added to the include path using \u201cuse lib\u201d.\u00a0 Also, this module has a constructor called \u201cinit_acls()<\/em>\u201d that has to be called.\u00a0 As an example, here\u2019s a chunk of code that will check for the \u201call\u201d (root) ACL and print \u201caccess denied\u201d if the reseller accessing the script does not have permission to do so. 
use Whostmgr::ACLS ();<\/p>\n Whostmgr::ACLS::init_acls();<\/p>\n if ( !Whostmgr::ACLS::checkacl( 'list-accts' ) ) {<\/p>\n print 'Access Denied';<\/p>\n exit;<\/p>\n }<\/p>\n Of course, this will only work when this is run inside of a perl script.\u00a0 Inside of a PHP script \/var\/cpanel\/resellers will have to be parsed manually.\u00a0 If someone asks nicely, I may write this for you.<\/p>\n That should cover the basics of writing WHM plugins. There are of course other finer aspects of WHM plugins that can be gone into; however, this covers the entire concept.<\/p>\n","protected":false},"excerpt":{"rendered":" We really have no information available on how to write WHM Plugins.\u00a0 I have had 3 people ask me in the past 48 hours on how to write them, so I thought I might want to consolidate and post this knowledge.\u00a0 A WHM plugin is merely a simple CGI application that has a couple of […]<\/p>\n","protected":false},"author":77,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[49],"tags":[337,201],"class_list":["post-55","post","type-post","status-publish","format-standard","hentry","category-products","tag-plugins","tag-whm"],"acf":[],"yoast_head":"\n
\n#WHMADDON:appname:Display Name<\/code><\/p>\n
\n#WHMADDON:test:Sample Test App<\/code><\/p>\n
\nThere are two parts to ACLs with WHM Plugins: one controls who can see the plugin and the other controls who can access it.\u00a0 The ACLS comment controls who will see the plugin in the Plugins section of WHM.\u00a0 Then there is actually enforcing the ACL, which is done via the Whostmgr::ACLS <\/em>perl module.\u00a0 If you are not familiar with what ACLs mean in the context of WHM, these refer to the permissions that the reseller has to various aspects in WHM such as the ability to create accounts or edit DNS zones.\u00a0 These are indicated by a string like \u201clist-accts\u201d or \u201call\u201d; you can view a list of these ACLs in \/usr\/local\/cpanel\/Whostmgr\/ACLS.pm<\/em>.\u00a0 You can see what permissions a reseller has by looking at the \/var\/cpanel\/resellers file.<\/p>\n
\n#ACLS:list-accts<\/code><\/p>\n
\nuse lib '\/usr\/local\/cpanel\/';<\/code><\/p>\n