Backing up your cPanel accounts, without compromising security
I was a bit upset to discover that the hosting provider for which I am a reseller, StableHost, don't provide me with an easy means to systematically backup a full set of client cPanel accounts from my server. The WHM interface was missing the relevant backup options, as I think you have to be logged in as root. I could traverse my client accounts' cPanel interfaces, backing them up manually one by one, but that wasn't good enough, especially since I wanted the backup to be offsite.
Help was at hand using the cPanel xml-based api; using it, and a script I found on the cPanel forum, I was able to remotely log in to the server using my reseller credentials, get a list of all client accounts, and then back them up one by one. the script needed to be modified, as it assumed the user logging was root, but that wasn't a real problem.
The remote backup aspect was awkward, however, as having a user with SCP access to my box seemed to provide a fairly gaping security hole, especially when, in order to initiate an SCP transfer of a backup, the username and password of that user had to be sent to cPanel as plain text. Enter jailkit, a set of tools for *nix to limit the rights of a subset of users to just the commands you choose. I had to build the jailkit tools, which does not have a handy-dandy package file for Debian / Ubuntu, but that wasn't too much grief. I then followed this useful guide to set up an inbound backup user, jail them and then use a bind mount to allow the user access to the correct dir on my RAID volume, without them leaving their jail home directory.
I was able to test it initially by doing some remote backups from within cPanel. I also manually tweaked the cPanel backup exclusions to keep the backups to a manageable size.
All up it works very nicely, run periodically from a crontab.