The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

ALL (root-owned) DNS zones available to all resellers

Discussion in 'Security' started by flexin, Dec 2, 2012.

  1. flexin

    flexin Member

    Joined:
    Jan 11, 2012
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi,

    This discussion is going on with cPanel since 2010.
    If someone at cPanel reads this: please refer to ticket 805674, opened August 3, 2010.

    In that ticket, it was confirmed by cPanel this is a bug that was supposed to be fixed in 11.28. At this time, it is still not fixed, and now cPanel says it won't fix it, as it is "expected behaviour". I strongly disagree, and hope that through the forums, we can get some support to get this ball rolling again.

    Let's move on and let me describe our setup.

    All our servers are put in a cluster for DNS publishing.
    We have resellers that also lease dedicated servers; for DNS redundancy, they like to be plugged into our DNS cluster so they can make use of it.

    So, consider the following setup.

    1. We add a reseller on SERVER A.
    2. We add server B to the cluster using the reseller access key on server A.

    This means that when server B communicates with server A, from server A's point of view, this is the reseller user (and NOT root).

    3. When you log in on server B, go to edit or delete DNS zones, we expect only DNS zones that the user known to the cluster (being the reseller) has access to should be shown. Unfortunately, the server has access to ALL DNS zones in the cluster.

    Without any doubt, this is a bug, as confirmed by cPanel in the above mentionned ticket, and for which a fix was introduced in 11.28. Much to our surprise, the fix was undone, and when we spoke to cPanel again after that, they now claim that it is "normal behaviour".

    How can it be normal that a user that is authenticated using a reseller key, has access to ALL the DNS zones, even when it's not owned by the reseller.

    Our issue is that we can not rollback, and we currently have a dedicated server customer that has access to ALL the DNS zones. Luckily, we have a good relation with him, and this is more like a friend to us, so we can rely on him not to alter any of these DNS zones, but this is obviously not how I believe this should work.

    I'm very disappointed in cPanel because they confirm they'll fix it, they actually fix it, some change made the fix undone, and they are now refusing to look into re-fixing this issue, so we can move on.

    We've been discussing this in lengthy tickets for over 2 years now, and I hate to make things like this public as it only increases the potential security risk, but we REALLY REALLY REALLY need this fixed again.

    I'm sure other people on this forum will have a similar setup: if you sell dedicated servers, you want the customer to have root on his server, and you want the ability for him to plugin to our redundant set of nameservers so he doesn't need to add a redundant array of servers himself.

    I very much hope some people on this forum will support this thread, and we can get the ball rolling again on this topic.


    thank you very much!
    David.
     
  2. texo

    texo Well-Known Member

    Joined:
    Mar 28, 2007
    Messages:
    143
    Likes Received:
    0
    Trophy Points:
    16
    I agree with you. It's ridiculous that this is considered "expected behaviour" and needs to be fixed.
     
  3. hgrg

    hgrg Well-Known Member

    Joined:
    Oct 4, 2010
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    This is clearly a security flaw and should be fixed asap. What is the reason why cpanel 'undid' this fix? Privilege separation is really important..
    [off]
    I'd also welcome additional options for multi-user levels but thats a totally different question.
    [/off]
     
  4. Joriz

    Joriz Active Member

    Joined:
    Aug 11, 2004
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    the Netherlands
    cPanel Access Level:
    DataCenter Provider
    @flexin: Did you reopen the ticket and receive any response from cPanel?
     
  5. bioanarchism

    bioanarchism Registered

    Joined:
    Nov 30, 2008
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Here is a tip - why not try setting up 2 sets of DNS cluster. One set belongs to your core customers, and the other set belongs to Dedicated Servers with root access. Ideally, people with root access can do a great deal of damage and if the DNS zones doesn't belong to them - they shouldn't be tampering with it at all.

    Assuming that they are curious, they could use the Synchronize DNS Records function to pull all available DNS records down to their own server. Do take great care in assigning customer servers into your DNS cluster. Bring up another DNS cluster and let them use that instead. It won't cost you much - just probably another 2 virtual containers to get this going.

    Don't wait for cPanel to fix it - try to fix it on your own.

    Have a nice day.
     
  6. monarobase

    monarobase Well-Known Member

    Joined:
    Jan 26, 2010
    Messages:
    503
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    France
    cPanel Access Level:
    Root Administrator
    My answer to this would be that your customers can't use the DNS cluster feature, you should set up DNS servers on their servers until cPanel provides a solution to prevent this problem.
     
  7. flexin

    flexin Member

    Joined:
    Jan 11, 2012
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi,

    "until cpanel provides a solution"?
    That's such a strange phrase.

    They DID fix this in 11.28 following my earlier report.
    I confirmed this back then, and hoped that I was able to "trust" a company that takes a LOT of money from me on a monthly basis (we have over 100 cPanel licenses!)

    The thing is that they rolled back the fix, AFTER I enabled the feature for my customer.

    When I reopened the ticket, I was confronted with blocking behaviour from cPanel analysts that all of a sudden started claiming that this is "normal".

    I really don't think that I'm wrong here. When a user is authenticating using a RESELLER authentication key, he should be treated just like that: a RESELLER.

    A reseller that is authenticated in WHM doesn't have access to all zones either, does he? It's the exact same behaviour.
    I'm a bit disappointed that I also don't get any more updates from Eric either when I mail him (even though he instructed me to do so to inquire regarding updates...)

    I'm just very concerned because if this is how cpanel acts when they re-introduce such important security holes, I'm VERY concerned as to what they would do if a reseller all of a sudden has access to - let's say - all email accounts, or all MySQL database, or why just to escalate him to root?

    I'm sorry if I sound harsh, but I've been going forth and back, and if it was impossible to fix, I would probably be able to show some more understanding, but this WAS fixed, confirmed by my testing, and it was simply rolled back.

    This, combined with the everlasting wait on IPv6 support, and the growing waiting times when submitting tickets, really does concern me.

    Basically, we needed a fix or this 2 years back.
     

Share This Page