  1. #1
    Member
    Join Date
    Oct 2002
    Posts
    67

    Security question re wheel group

    I have in the past restricted the wheel group pretty tightly, but on a recent sign in found that all the users had been added to wheel. Is this a "feature" in cPanel now, or can I safely remove them?

    Rick
    Rick Sutcliffe
    http://www.webnamehost.net
    a.k.a. The Northern Spy http://www.thenorthernspy.com

  2. #2
    Member
    Join Date
    Jun 2003
    Posts
    27

    Default

    You should only have root and the user name you log in to shell as. All users would be bad I would think.

  3. #3
    Member
    Join Date
    Oct 2002
    Posts
    67

    Default

    Originally posted by StingRay2k01:
    > You should only have root and the user name you log in to shell as. All users would be bad I would think.

    Well, that's my first reaction too. But the more important issue is at least implied by my question. How did the system go from having only three ids in the wheel group to having all the users in it?

    Has cPanel changed something?
    Is this suggestive of a hack?
    Does anyone else have this problem?

    Maybe a few people who are on the latest RELEASE level as I am could look see and report here on the state of their wheel group before I start making big changes.

    Rick
    Rick Sutcliffe
    http://www.webnamehost.net
    a.k.a. The Northern Spy http://www.thenorthernspy.com

  4. #4
    Member
    Join Date
    Jun 2003
    Posts
    27

    Default

    It might be an obvious question but is the list you are looking at under "Add a user to the wheel group"? That list has all possible users.

    Above that is the "Users currently in the wheel group".

    That should only have root and maybe one other account that you use to login to shell with.

    I run two servers with version 11.24.*, and nothing has changed on the wheel groups in an update or anything like that.

  5. #5
    Member
    Join Date
    Oct 2002
    Posts
    67

    Default

    Originally posted by StingRay2k01:
    > It might be an obvious question but is the list you are looking at under "Add a user to the wheel group"? That list has all possible users.
    >
    > Above that is the "Users currently in the wheel group".
    >
    > That should only have root and maybe one other account that you use to login to shell with.

    Fair enough question, but I did read this page carefully. "Users currently in the wheel group" lists all the users except the "system" accounts such as apache, bin, cpanel, etc--which are in the add-a-user group. This was not so the last time I checked, and I certainly didn't add them. I don't even know a way to mass add all the users like that.

    Rick
    Rick Sutcliffe
    http://www.webnamehost.net
    a.k.a. The Northern Spy http://www.thenorthernspy.com

  6. #6
    Technical Product Specialist cPanelDavidG
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Originally posted by rsutc:
    > I have in the past restricted the wheel group pretty tightly, but on a recent sign in found that all the users had been added to wheel. Is this a "feature" in cPanel now, or can I safely remove them?
    >
    > Rick

    The spontaneous adding of all cPanel users to the wheel group is not a feature of cPanel and WHM. You may wish to have a security expert take a look at your server.

  7. #7
    cPanel Development cpanelkenneth
    Join Date
    Apr 2006
    Posts
    3,788
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Originally posted by rsutc:
    > Fair enough question, but I did read this page carefully. "Users currently in the wheel group" lists all the users except the "system" accounts such as apache, bin, cpanel, etc--which are in the add-a-user group. This was not so the last time I checked, and I certainly didn't add them. I don't even know a way to mass add all the users like that.
    >
    > Rick

    To isolate the issue some more, check the contents of /etc/group. If all users are listed in the wheel entry, then indeed all users were added. Then, as David G mentioned, you should have your system examined for potential compromise.
    Kenneth
    Product Manager
    cPanel, Inc.

  8. #8
    Member
    Join Date
    Oct 2002
    Posts
    67

    Default

    Originally posted by cpanelkenneth:
    > To isolate the issue some more, check the contents of /etc/group. If all users are listed in the wheel entry, then indeed all users were added. Then, as David G mentioned, you should have your system examined for potential compromise.

    I certainly will do this. However, as a new note on this subject, I checked the wheel group and the users were indeed all there. So, I edited them out. Lo and behold, they all got added back in sometime in the last 12 hours. A new user did come on in that time, and I'm wondering if there could be an error in the new user script.

    Rick
    Rick Sutcliffe
    http://www.webnamehost.net
    a.k.a. The Northern Spy http://www.thenorthernspy.com

  9. #9
    Technical Product Specialist cPanelDavidG
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Originally posted by rsutc:
    > I certainly will do this. However, as a new note on this subject, I checked the wheel group and the users were indeed all there. So, I edited them out. Lo and behold, they all got added back in sometime in the last 12 hours. A new user did come on in that time, and I'm wondering if there could be an error in the new user script.
    >
    > Rick

    I am unable to reproduce this issue, even on the latest EDGE builds.

    If your system has been compromised (rooted), this situation would best be handled by security experts.
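
Added example (not posted by anyone in the thread, and not cPanel code): a shell check for the /etc/group inspection suggested in post #7, which also catches the re-adding described in post #8 when run on a schedule. The allow-list `root admin`, the sample user names and the script name `wheel_audit.sh` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare the wheel entry of a group(5) file with an
# allow-list of the accounts that are supposed to be in it.

# Print the members of wheel, one per line.
# group(5) line format: name:password:GID:member1,member2,...
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1" | sort -u
}

# Print wheel members that are not in the space-separated allow-list $2.
unexpected_wheel() {
    wheel_members "$1" | while IFS= read -r user; do
        case " $2 " in
            *" $user "*) ;;                 # expected member
            *) printf '%s\n' "$user" ;;     # not on the allow-list
        esac
    done
}

# Constructed sample mirroring the thread: hosting users listed in wheel.
write_sample() {
    cat > "$1" <<'EOF'
root:x:0:
wheel:x:10:root,admin,alice,bob,carol
apache:x:48:
alice:x:501:
EOF
}

# With no argument, run against the constructed sample; on a server use
#   sh wheel_audit.sh /etc/group "root admin"
group_file=${1:-}
allowed=${2:-"root admin"}   # assumption: the only accounts meant to use su
if [ -z "$group_file" ]; then
    group_file=$(mktemp) && write_sample "$group_file"
fi
extra=$(unexpected_wheel "$group_file" "$allowed")
if [ -n "$extra" ]; then
    echo "unexpected wheel members:" $extra
else
    echo "wheel matches the allow-list"
fi
```

Run from cron, this reports the next time the entry is repopulated. On systems with auditd, a watch such as `auditctl -w /etc/group -p wa -k wheel-change` records which process rewrote the file.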
