  1. #1
    Member darren.nolan's Avatar
    Join Date
    Oct 2007
    Posts
    259

    cPanel/WHM Root & Reseller passwords

    Howdy,

    I've tried to do some research in the documentation of cPanel/WHM but I can't find anything in regards to this, so if you can point me in the right direction that'd be awesome.

    To my understanding, when logging into cPanel I can put any username and the root password - and log in (as root of course, so phpmyadmin etc. is not available).

    A reseller may do the same thing, put in any of their account's username and their reseller password - and log in as a reseller.

    So the problem arises when a Reseller uses the same password as their accounts they own - they will always log in as the reseller, and not the user themselves. Most people on my server are web developers, so they tend to keep the same password for both their WHM account and cPanel accounts - which of course causes a problem when they try to use phpMyAdmin and the like - "You are logged in with the root or reseller password".

    Now this in itself is not much of a worry, but say someone were to have a 1 in 10 billion chance of using the same password as the root account - they are told so when they log into cPanel?

    Am I getting this right thus far?

    While I don't believe anyone is going to pick my root password any time soon being 10+ characters and completely random, I do have a reseller that has a rather - plain - password. I don't normally get told what passwords my resellers are using, so I can't know them all - but isn't this a security risk?

    Is there a way of changing the default behaviour for logging in with the root/reseller password? And if so, what problems will then occur (for example when I log into someone's cPanel via List Accounts).

    Cheers,
    Dazz

  2. #2
    Member
    Join Date
    Feb 2003
    Posts
    165

    You are right, it should read the account password before checking for the reseller password or root password.

    You should post a bugfix in bugzilla.
    Thomas Tremain
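
The check order suggested in the reply above, sketched as an added example; this is not cPanel's code and not part of the original thread. The account names, passwords, record layout and the `resolve_login` helper are all constructed for illustration, and PBKDF2 stands in for whatever password hashing the real system uses.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # Assumption: PBKDF2-HMAC-SHA256 as a stand-in password hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_record(password, owner=None):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "owner": owner}

def _matches(record, password):
    # Constant-time comparison of the derived hashes.
    return hmac.compare_digest(_hash(password, record["salt"]), record["hash"])

def resolve_login(users, username, password):
    """Return the identity a cPanel-style login runs as, or None.

    The account's own password is tried first, so a user who shares a
    password with their reseller (or root) is still logged in as the user.
    The override identities are only consulted when that check fails.
    """
    account = users.get(username)
    if account is None or username == "root":
        return None  # this model only covers logins to user accounts
    candidates = [
        ("user", account),
        ("reseller", users.get(account["owner"])),
        ("root", users.get("root")),
    ]
    for role, record in candidates:
        if record is not None and _matches(record, password):
            return role
    return None

# Constructed sample accounts: site1 reuses its reseller's password.
USERS = {
    "root": make_record("constructed-root-pw"),
    "reseller1": make_record("shared-pw", owner="root"),
    "site1": make_record("shared-pw", owner="reseller1"),
    "site2": make_record("site2-own-pw", owner="reseller1"),
}

if __name__ == "__main__":
    for name, pw in [("site1", "shared-pw"), ("site2", "shared-pw"),
                     ("site2", "constructed-root-pw"), ("site2", "wrong")]:
        print(name, "->", resolve_login(USERS, name, pw))
```

Recording the returned role in the session and in the login log makes override logins (reseller or root entering a user's cPanel) distinguishable from ordinary user logins during review.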

  3. #3
    Member darren.nolan's Avatar
    Join Date
    Oct 2007
    Posts
    259

    Oh good I'm not going mad.


    EDIT:
    Bug 6156 Submitted
    ------------------------
    Similar bug reported, but cPanel states they couldn't reproduce the error/feature/thing.
    http://bugzilla.cpanel.net/show_bug.cgi?id=261+

    Cheers,
    Last edited by darren.nolan; 12-05-2007 at 07:09 AM. Reason: Bugzilla update.

  4. #4
    Member darren.nolan's Avatar
    Join Date
    Oct 2007
    Posts
    259

    ttremain - Can I trouble you to take a look at this? I'm really stumped now, as I followed exactly what Ken did and I can't reproduce the same result now :| I had changed the password of the user-account so I had to first change the password back.

    http://bugzilla.cpanel.net/show_bug.cgi?id=6156

    It's not in my best interests to disable this feature for logging in with root/reseller passwords as it does remove the link from WHM to a user's cPanel account.

    Now I think I have gone mad and forgot the password for the user account, while thinking it was the same as the reseller account - in fact it was something completely different.

    I believe my reseller may have done the same thing........

  5. #5
    cPanel Development cpanelkenneth's Avatar
    Join Date
    Apr 2006
    Posts
    3,788
    cPanel/Enkompass Access Level

    Root Administrator

    Originally posted by darren.nolan:
    ttremain - Can I trouble you to take a look at this? I'm really stumped now, as I followed exactly what Ken did and I can't reproduce the same result now :| I had changed the password of the user-account so I had to first change the password back.

    http://bugzilla.cpanel.net/show_bug.cgi?id=6156

    It's not in my best interests to disable this feature for logging in with root/reseller passwords as it does remove the link from WHM to a user's cPanel account.

    Now I think I have gone mad and forgot the password for the user account, while thinking it was the same as the reseller account - in fact it was something completely different.

    I believe my reseller may have done the same thing........

    You might also try upgrading to the latest build (18335) as the one you are running is quite a bit older than the one I tested with.

  6. #6
    Member darren.nolan's Avatar
    Join Date
    Oct 2007
    Posts
    259

    Thanks Ken, I'm doing this now. If there are any other troubles I'll post here/reopen the bug.

    I hate updating cPanel... I dislike things breaking (namely my spamassassin setup and custom entries in httpd.conf).

    Edit: Updated to latest build - (18335). Only spamassassin sockets broke. YAY. Will let you know if anything happens re: passwords.
    Last edited by darren.nolan; 12-05-2007 at 09:34 AM.

  7. #7
    Member
    Join Date
    Feb 2003
    Posts
    165

    I had not tested it when I saw your original post, but I did have a "feeling" I had seen this before. (Please note I never substantiated your claim.)

    I did just partly test this.

    I set a root password and an account password to be the same. Logged into cPanel for the account, and it did not come up logged in as root.

    As far as you're going mad... There are tests for that too...
    Thomas Tremain

  8. #8
    Member darren.nolan's Avatar
    Join Date
    Oct 2007
    Posts
    259

    Originally posted by ttremain:
    As far as you're going mad... There are tests for that too...

    URL me.

    One thing I will note out of all my tests last night;

    Root password = x
    User password = x
    Log into cPanel with User account, using password x
    Change password for user to y
    Cookie kept old info about password and THEN I saw "you are logged in either as root/reseller".

    Something like that however I believe to be very trivial.
