Security question ( API )

elmo · August 22, 2022, 9:12am

is it safe to enable api access for all users ? What are the repercussions for doing so?

jlguerrero · August 22, 2022, 9:26am

What happens if a user gets hacked? A hacker may use the API aswell.

The least permissions you give, the better.

eris · August 22, 2022, 9:32am

Yes it is save to enable the current settings for all users

The only have limited functions available.

github.com

hestiacp/hestiacp/blob/main/install/common/api/mail-accounts

ROLE='user'
COMMANDS='v-list-mail-domains,v-list-mail-domain,v-list-mail-account,v-list-mail-accounts,v-list-mail-account-autoreply,v-delete-mail-account,v-delete-mail-account-alias,v-delete-mail-account-autoreply,v-delete-mail-account-forward,v-delete-mail-account-fwd-only,v-add-mail-account,v-add-mail-account-alias,v-add-mail-account-autoreply,v-add-mail-account-forward,v-add-mail-account-fwd-only,v-change-mail-account-password,v-change-mail-account-quota,v-suspend-mail-account,v-suspend-mail-accounts,v-unsuspend-mail-account,v-unsuspend-mail-accounts'

and

github.com

hestiacp/hestiacp/blob/main/install/common/api/purge-nginx-cache

ROLE='user'
COMMANDS='v-purge-nginx-cache,v-list-web-domains,v-list-web-domain'

And only listed to their own account.

eris · August 22, 2022, 9:34am

API access the users get are extremely limited and almost “needed” for optimal run of fastcgi cache

Even if I give you my Access/Key combination for a user you can’t do a lot: For example:

purge-nginx-cache permissions only give you to list the users web domains and purge the cache

The old api only remains for admin user only or with the generated api key (root user only)

elmo · August 22, 2022, 9:48am

Thank you for clarifying. Keep up the good work

system · September 21, 2022, 9:48am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.