chposter

Active Member
May 9, 2011
39
1
58
Hello

While using PasswdStrength we receive this error if we use root user

Could not setuid to root at /usr/local/cpanel/Whostmgr/XMLUI/cPanel.pm

So we need an existing user to check the password Strength .

Is there a way to check this without an user? For example when creating accounts. Sometimes there are no users in the box, for example.

Thanks
 

CharlesBoyd

Member
May 29, 2012
10
0
51
cPanel Access Level
Root Administrator
The passwdstrength API calls are expected to be run as cPanel user, though it is possible to check passwdstrength as root user with the privilege escalation mechanism provided by the cPanel API.

Note: I should mention that I think this would not be a good idea and is not an advisable thing to do. Escalating privileges to root for checking password strength of cPanel users provides no advantage, and I would not recommend using API to set/check strength of root password. If you do choose to do this anyway, do *not* use it on a production system until you have thoroughly tested it on a staging server.

Privilege Escalation with cPanel API Calls

The reason I recommend against this is simply that when privileges are escalated to root before checking password strength, if your implementation is not very careful and has any security vulnerabilities, then an attacker could use it to leverage a root exploit as an unprivileged local user.

Programs that setuid() from an unprivileged user to root can be very dangerous.

Even though your program would only accept a single string (the prospective password) as input, it might be surprising what a malicious user could do with just a string:

"An innocent looking omission can provide an attacker with just enough leverage to ruin your day."

http://seclists.org/bugtraq/2000/Sep/214