[Case 56408] On 11.30, eximstats@localhost has no password set

Discussion in 'Security' started by aww, Jan 7, 2012.

  1. aww

    aww Well-Known Member

    Joined:
    Feb 10, 2005
    Messages:
    152
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    What is the best approach to harden this?

    "eximstats@localhost has no password set"

    Obviously if I force a password I'd have to configure eximstats to be able to use that password.

    Where can this be done? Thank you.
     
  2. JeffP.

    JeffP. Well-Known Member

    Joined:
    Sep 28, 2010
    Messages:
    164
    Likes Received:
    9
    Trophy Points:
    18
    Hi aww,

    Where are you seeing that message? Are you in fact able to run this command to access MySQL with no password?

    Code:
    # mysql -u eximstats
    When I try that on my server I am not allowed to connect (which is expected, as the eximstats mysql user should always have a password): (EDIT: my fault, since I didn't specify "-p" with no password, the password from ~/.my.cnf was attempted to be used. Thus, my test below is, of course, invalid).

    Code:
    [root@cpj ~]# mysql -u eximstats
    ERROR 1045 (28000): Access denied for user 'eximstats'@'localhost' (using password: YES)
    
    The password for eximstats can be found here:
    /var/cpanel/eximstatspass

    Do you see anything when you access MySQL as the root user and run this?

    Code:
    mysql> show grants for eximstats@localhost;
    (If you do, and if there is a password hash in the output, be sure not to post it here unsanitized).

    Finally, if it helps, this is how the grants for the eximstats mysql user look on my box running 11.30.5.3 (with the password sanitized of course):

    Code:
    mysql> show grants for eximstats@localhost;
    +------------------------------------------------------------------------------------------------------------------+
    | Grants for eximstats@localhost                                                                                   |
    +------------------------------------------------------------------------------------------------------------------+
    | GRANT USAGE ON *.* TO 'eximstats'@'localhost' IDENTIFIED BY PASSWORD '*__PASSWORD_HASH_HERE__' |
    | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON `eximstats`.* TO 'eximstats'@'localhost'                   |
    +------------------------------------------------------------------------------------------------------------------+
    2 rows in set (0.00 sec)
    
     
  3. aww

    aww Well-Known Member

    Got the message from mysqltuner
    Never seen it before on any of my several cpanel installs. But it could be a false positive.
    Looking through the code now to see how it determines that.

    WHM 11.30.5 (build 3)
    CENTOS 6.2 x86_64 xenpv

    Code:
    ls /var/cpanel/eximstatspass   
    /bin/ls: cannot access /var/cpanel/eximstatspass: No such file or directory
    
    ls /var/cpanel/exim* 
    /var/cpanel/exim_service_auth_enable
    
    mysql -u eximstats
    ERROR 1045 (28000): Access denied for user 'eximstats'@'localhost' (using password: YES)
    
    mysql> show grants for eximstats@localhost;
    +------------------------------------------------------------------+
    | Grants for eximstats@localhost                                   |
    +------------------------------------------------------------------+
    | GRANT USAGE ON *.* TO 'eximstats'@'localhost'                    |
    | GRANT ALL PRIVILEGES ON `eximstats`.* TO 'eximstats'@'localhost' |
    
     
    #3 aww, Jan 8, 2012
    Last edited: Jan 8, 2012
  4. aww

    aww Well-Known Member

    It uses
    Code:
    mysql> SELECT CONCAT(user, '\@', host) FROM mysql.user WHERE password = '' OR password IS NULL; 
    +--------------------------+
    | CONCAT(user, '\@', host) |
    +--------------------------+
    | eximstats@localhost      |
    +--------------------------+
    
    Actually if I just hit enter on the password line - instant access:
    Code:
    mysql -u eximstats -p 
    Enter password: [enter]
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 31478
    Server version: 5.1.56-log MySQL Community Server (GPL)
    
    So I guess I could manually fix this by inserting a password into the table for eximstats and then writing the same password to /var/cpanel/eximstatspass ?
     
    #4 aww, Jan 8, 2012
    Last edited: Jan 8, 2012
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    You should be able to fix it by doing those steps, since eximstats should require a password.

    Here's what happens on my machine if I enter a blank password at the prompt for that user:

    Code:
    root@host [/]# mysql -u eximstats -p
    Enter password: 
    ERROR 1045 (28000): Access denied for user 'eximstats'@'localhost' (using password: NO)
     
  6. Astral God

    Astral God Well-Known Member

    Joined:
    Sep 27, 2010
    Messages:
    180
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    127.0.0.1
    cPanel Access Level:
    Root Administrator
    I'm having the same problem here.

    Code:
    root@host [~]# mysql -u eximstats
    ERROR 1045 (28000): Access denied for user 'eximstats'@'localhost' (using password: YES)
    
    If I add the '-p':

    Code:
    root@host [/]# mysql -u eximstats -p
    Enter password: [Hit Enter]
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 31478
    Server version: 5.1.56-log MySQL Community Server (GPL)
    
    Showing grants:

    Code:
    mysql> show grants for eximstats@localhost;
    +------------------------------------------------------------------+
    | Grants for eximstats@localhost                                   |
    +------------------------------------------------------------------+
    | GRANT USAGE ON *.* TO 'eximstats'@'localhost'                    |
    | GRANT ALL PRIVILEGES ON `eximstats`.* TO 'eximstats'@'localhost' |
    +------------------------------------------------------------------+
    2 rows in set (0.00 sec)
    
    1 - How to correctly set this password?
    2 - Is it normal to have "GRANT ALL PRIVILEGES"?

    Thanks.
     
  7. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Run the following to generate a new password:

    Code:
    /usr/local/cpanel/bin/generate_eximstats_pass
    At that point, check if you now have /var/cpanel/eximstatspass file. You can check a password has been set as well using this command:

    Code:
    /usr/local/cpanel/bin/eximstatspass
    It will output the current eximstats password.
     
  8. Astral God

    Astral God Well-Known Member

    When I try to run the first command, I have this:

    Code:
    root@alpha [~]# /usr/local/cpanel/bin/generate_eximstats_pass
    -bash: /usr/local/cpanel/bin/generate_eximstats_pass: No such file or directory
    The second one:

    Code:
    root@alpha [~]# /usr/local/cpanel/bin/eximstatspass
    root@alpha [~]#
    
    :(
     
  9. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Apparently that script is only used on our 11.31/11.32 branch for the initial one I noted. That's unfortunate as it would be a lot easier to use it to get a new password instead.

    Otherwise, you'll have to create the /var/cpanel/eximstatspass file with a password, then change the eximstats user's password in MySQL.
     
  10. Astral God

    Astral God Well-Known Member

    Ok thanks, and what about GRANTS to that user ?
     
  11. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    I show the same grants as you do for my eximstats user. I cannot say if that is or is not expected behavior, although I can say all machines I checked showed the GRANT ALL PRIVILEGES ON for that user. Here is the return on my machine:

    Code:
    mysql> show grants for eximstats@localhost;
    +--------------------------------------------------------------------------------+
    | Grants for eximstats@localhost                     
    +--------------------------------------------------------------------------------+
    | GRANT USAGE ON *.* TO 'eximstats'@'localhost' IDENTIFIED BY PASSWORD '*somepass'  
    | GRANT ALL PRIVILEGES ON `eximstats`.* TO 'eximstats'@'localhost'     
    +--------------------------------------------------------------------------------+
    2 rows in set (0.00 sec)
     
  12. aww

    aww Well-Known Member

    Oh interesting. I doubt it but I wonder if this is related to the other grant errors I get during backups.
    Code:
    mysql> show grants for eximstats@localhost;
    ERROR 1141 (42000): There is no such grant defined for user 'eximstats' on host 'localhost'
    
    So how exactly is my eximstats working at all in the first place?

    I did manually set the password, worked fine.

    Waiting patiently for 11.31 to make it to current. Unless only the even numbers go to current, cannot remember anymore.
     
  13. bitpt

    bitpt Registered

    Joined:
    Sep 28, 2006
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    There's something I don't understand.... Are you talking about cPanel 11.30.... I don't think so....
    The eximstats password is here:
    Code:
     /usr/local/cpanel/etc/eximstats.sql
    It's empty by default......

    Insert your password:

    PHP:
    REPLACE INTO user (host, user, password)
        VALUES (
            'localhost',
            'eximstats',
            -- IMPORTANT: Change this password!
            password('')
        );
    Change the password to whatever you want in the line:
    PHP:
    REPLACE INTO user (host, user, password)
        VALUES (
            'localhost',
            'eximstats',
            -- IMPORTANT: Change this password!
            password('NEWPASSWORD')
        );
    Login to mysql:

    PHP:
    mysql> update mysql.user set password=password("NEWPASSWORD") where user="eximstats";
    mysql> flush privileges;
    mysql> quit
    Check again... and eximstats works well.
     
    #13 bitpt, Jan 11, 2012
    Last edited: Jan 11, 2012
  14. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Actually, this issue on 11.30 is not intended behavior for there to be a blank password, and we were talking about 11.30 and 11.31/11.32 both here. There is a case about this occurring in 11.30 due to the fact that the very script I mentioned earlier was not included with 11.30 system (that /usr/local/cpanel/bin/generate_eximstats_pass binary). Because that doesn't exist, a blank password is improperly being set for eximstats on 11.30. We have case 56408 opened in regards to that issue where we do intend to have a password for that service. We do not generally run services without any password set as that could be a security issue.

    Until that is corrected and appears in the 11.30 changelog (Change Logs), the steps outlined earlier to create a password for eximstats could be followed.
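
The manual fix described in this thread (create /var/cpanel/eximstatspass, then set the MySQL password), written out as an added shell example that is not part of the original posts and is not cPanel's own code. It assumes the file holds only the password on one line and that root's MySQL credentials come from ~/.my.cnf; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not cPanel code. Assumption: the password file holds only
# the password on a single line.
PASS_FILE="${PASS_FILE:-/var/cpanel/eximstatspass}"   # path named in the thread

# 24 random alphanumeric characters. No quotes or backslashes, so the value
# can sit inside a SQL string literal without escaping.
gen_pass() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-24
}

# Write the password with mode 0600 through a temp file and a rename, so the
# file is never world-readable and never half-written.
write_pass_file() {   # $1 = path, $2 = password
    ( umask 077
      tmp="$1.tmp.$$"
      printf '%s\n' "$2" > "$tmp" && mv -f "$tmp" "$1" )
}

# Statement for the MySQL 5.1 server shown in the thread, scoped to the exact
# user@host pair instead of every row named eximstats.
set_password_sql() {  # $1 = password
    printf "SET PASSWORD FOR 'eximstats'@'localhost' = PASSWORD('%s');\n" "$1"
}

# The empty-password check quoted in the thread from mysqltuner.
audit_sql() {
    printf "SELECT CONCAT(user, '@', host) FROM mysql.user WHERE password = '' OR password IS NULL;\n"
}

# Whole procedure, to be run as root. SQL is fed on stdin so the new password
# never shows up in the process list.
rotate_eximstats_pass() {
    pass=$(gen_pass) || return 1
    write_pass_file "$PASS_FILE" "$pass" || return 1
    set_password_sql "$pass" | mysql || return 1
    # Succeeds only if the audit query no longer lists the account.
    ! audit_sql | mysql -N | grep -qx 'eximstats@localhost'
}
```

Nothing runs until `rotate_eximstats_pass` is called; a non-zero return means the account still appears in the empty-password audit or one of the earlier steps failed.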
     