  1. #1
    Member
    Join Date
    Apr 2011
    Posts
    8

    Default uid 0 whitelist?

    We recently migrated to cPanel. Our provider has a special uid 0 account that uses key authentication. I want to whitelist this account so that upcp and hackcheck do not report it as a bad account.

    I have read all the posts that state there should not be any accounts other than root with uid 0. However I believe that is not necessarily true. We have csf installed and have whitelisted the account there along with rkhunter.

    If we know an account is legit and password authentication is disabled and only key authentication is permitted, there is no reason not to configure the server this way.

  2. #2
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,304
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: uid 0 whitelist?

    Isn't hackcheck a script report by LFD? If the service has been whitelisted in CSF, why would it be reporting in hackcheck still at that point? Can you please provide the email alert you are receiving to confirm it is LFD reporting this on the server?
    cPResources: Support Options | More Support Options | Forums Search | cPanel.net Site Search | Mailing Lists(Alt) | Docs
    -- Tristan, Forums Technical Analyst, cPanel Tech Support

    Submit a ticket | Check an existing ticket

  3. #3
    Member
    Join Date
    Apr 2011
    Posts
    8

    Default Re: uid 0 whitelist?

    /scripts/hackcheck
    is copyrighted by cPanel so is not part of lfd.

    It states that the account in question: xxxroot is a superuser with uid 0

    upcp reports:

    Running Sanity Checks & Notifications...Locking password for user xxxroot.
    passwd: Success
    uid 0 account (xxxroot) - BAD!
    [hackcheck] xxxroot has a uid 0 account

    Since password authentication is disabled and key authentication is in effect, they are not locked out, but the messages are annoying.

  4. #4
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,304
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: uid 0 whitelist?

    In /scripts/hackcheck, this line (line 154 in my copy of hackcheck on 11.29.1.5) handles checking the user for UID 0:

    Code:
    if ( $uid == 0 && $user ne "root" && $user ne "toor" ) {

    You could add the user to this line to have that user bypassed when the script runs.
    -- Tristan, Forums Technical Analyst, cPanel Tech Support

  5. #5
    Member
    Join Date
    Apr 2011
    Posts
    8

    Default Re: uid 0 whitelist?

    Yes, I can alter the script (and I will), but what happens when cPanel does an upgrade?

    Also what about upcp which continually resets the password and reports the problem?

  6. #6
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,304
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: uid 0 whitelist?

    You could add /scripts/hackcheck and /usr/local/cpanel/scripts/hackcheck to the cPanel exclusion file:

    Code:
    echo "/scripts/hackcheck" >> /etc/cpanelsync.exclude
    echo "/usr/local/cpanel/scripts/hackcheck" >> /etc/cpanelsync.exclude

    After I added that script to the exclusion file, then I ran "/scripts/upcp --force", the hackcheck script revision I made was no longer overwritten on a forced cPanel update (prior to adding to the exclude file, it was being overwritten on forced cPanel updates). Additionally, since upcp was calling hackcheck during the run which prompted that user to be changed, it was no longer detecting any issue with the user I had created with uid 0.

    Here is the line change I made to /scripts/hackcheck to bypass the uid 0 user I had created:

    Code:
    if ( $uid == 0 && $user ne "root" && $user ne "toor" && $user ne "cpuser0" ) {

    Prior to that change and adding hackcheck to the exclude file, cpuser0 was prompting the following when I ran "/scripts/upcp --force"

    Code:
    [20110503.111647]      [29794] Locking password for user cpuser0.
    [20110503.111647]      [29794] passwd: Success
    [20110503.111647]      [29794] uid 0 account (cpuser0) - BAD!
    [20110503.111647]      [29794] [hackcheck] cpuser0 has a uid 0 account
    [20110503.111648]      [29794] Notification => myemail@gmail.com via EMAIL [level => 1]

    Of note, the reason why I've also excluded the /usr/local/cpanel/scripts/hackcheck file rather than only /scripts/hackcheck is that, in 11.29/11.30, the /scripts directory will be moved to /usr/local/cpanel/scripts location and /scripts symlinked to that location. If both are not excluded, then "/scripts/upcp --force" will not honor excluding only /scripts and will still replace hackcheck at /usr/local/cpanel/scripts location.
    -- Tristan, Forums Technical Analyst, cPanel Tech Support

  7. #7
    cPanel Staff cPanelJared's Avatar
    Join Date
    Feb 2010
    Location
    Houston, TX
    Posts
    1,066

    Default Re: uid 0 whitelist?

    The only user with UID 0 on a cPanel server should be root. cPanel is not coded with the concept of having an additional "admin" user with UID 0. Besides reporting the additional user with UID 0 as a security issue, it is also possible to not be able to log into the WebHost Manager at all in this situation. The only user with UID 0 on a cPanel server should be root, because cPanel is not designed with any "awareness" of any user other than root having that UID.

    -- Jared Ryan, Technical Analyst, cPanel Technical Support

  8. #8
    Member
    Join Date
    Apr 2011
    Posts
    8

    Default Re: uid 0 whitelist?

    Jared - the original point is that the service provider account is via key authentication only and password login is disabled for all accounts so ssh is protected. Any brute force attempt to cPanel should be blocked. Also since toor is ignored as part of the cpanel hackcheck, that would seem to contradict your assertion.

    So since it is possible to have more than one account with UID 0 and since it can be a valid reason (I know from reading the forums that other users have this issue), I would rather have a separate user than give the root password for su to a bunch of third parties.

    Having a whitelist mechanism is preferable to hacking your scripts. Something that warrants re-consideration on the part of cPanel.

  9. #9
    Member
    Join Date
    Apr 2011
    Posts
    8

    Default Re: uid 0 whitelist?

    Also once the password has been changed with the addition of !!, it would seem pointless to continue reporting it.

  10. #10
    cPanel, Inc. Staff
    Join Date
    Apr 2011
    Posts
    34

    Default Re: uid 0 whitelist?

    Hello,

    I am unsure as to how to help you with your issue.

    However, I am curious. Is there a particular reason you chose to create a second UID 0 account rather than simply adding an SSH key to the root account?
    Thank you,

    Jerry Smith
    Technical Analyst I
    cPanel Inc.

  11. #11
    Member
    Join Date
    Apr 2011
    Posts
    8

    Default Re: uid 0 whitelist?

    Quote Originally Posted by cPanelJerrySmith View Post
    Hello,

    I am unsure as to how to help you with your issue.

    However, I am curious. Is there a particular reason you chose to create a second UID 0 account rather than simply adding an SSH key to the root account?
    Obviously you have not read the thread. The second UID 0 account is the service provider's account with its own SSH key. All password authentication is disabled. All their servers - many thousands - share this key and all their support staff use it. It would require them distributing my SSH key to all their support staff located in several cities in Canada and the USA. This is impractical. I have my own SSH key for root, they have theirs for their account.

    What I am asking is why not provide a whitelist option for known valid UID 0 accounts. With SSH key authentication enabled and password authentication disabled, this is a perfectly reasonable approach. Being able to track their activity separate from mine is very handy.
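
The allowlist approach requested in this thread, as an added example that is not from any poster and is not cPanel code: a shell audit that reports UID 0 accounts outside an explicit allowlist and shows the state of each one's password field (the "!!" lock prefix mentioned above counts as locked). The allowlist file `uid0.allow`, the function names, the `oldadmin` account and the sample passwd/shadow entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not cPanel code): audit UID 0 accounts against an allowlist.

# Print every account name in the passwd file ($1) whose UID field is 0.
list_uid0() {
    awk -F: '$3 ~ /^0+$/ { print $1 }' "$1"
}

# Print UID 0 accounts from passwd file $1 that are not named in allowlist $2
# (one name per line; blank lines and '#' comment lines are ignored).
unexpected_uid0() {
    list_uid0 "$1" | while IFS= read -r user; do
        grep -v '^[[:space:]]*#' "$2" | grep -qxF -- "$user" || printf '%s\n' "$user"
    done
}

# Print locked, empty, set or missing for user $2's password field in shadow
# file $1. A field starting with '!' or '*' (such as "!!hash") is locked.
password_state() {
    awk -F: -v u="$2" '
        $1 == u { found = 1
                  if ($2 == "") print "empty"
                  else if ($2 ~ /^[!*]/) print "locked"
                  else print "set" }
        END { if (!found) print "missing" }' "$1"
}

# Constructed sample data, so the example runs without reading /etc.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
xxxroot:x:0:0:provider support:/home/xxxroot:/bin/bash
oldadmin:x:0:0::/tmp:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash
EOF
cat > "$work/shadow" <<'EOF'
root:$6$constructed$hash:15000:0:99999:7:::
xxxroot:!!$6$constructed$hash:15000:0:99999:7:::
oldadmin::15000:0:99999:7:::
EOF
cat > "$work/uid0.allow" <<'EOF'
# accounts approved to hold UID 0 (hypothetical allowlist file)
root
xxxroot
EOF
for u in $(unexpected_uid0 "$work/passwd" "$work/uid0.allow"); do
    echo "unexpected uid 0 account: $u (password: $(password_state "$work/shadow" "$u"))"
done
```

Pointed at the real /etc/passwd and /etc/shadow as root, the same functions give a report that does not depend on editing hackcheck, so it survives cPanel updates.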
