Child account with same password as root has root access

Apr 12, 2018
8
1
3
Canada
cPanel Access Level
Root Administrator
Obviously it's unsafe to use the root password in other places, but as this was a temporary account I was testing things on I didn't think anything of it. I created a new account under my root WHM (I have about 15 other accounts as well, including a reseller). When I made the account my Firefox autofilled the saved password into the password field, so I thought "what the heck" and made the account. The only thing is, now when I log into that account, which is NOT a reseller and has no shell or other permissions, it says I'm logged in as root or reseller and shows me ALL of my other accounts (as it would being root).

This leads me to the security question: if other users accidentally had (somehow) the same password as my root user, would cPanel grant them root access by default?

If not, what the heck happened!
 

dalem

Well-Known Member
PartnerNOC
Oct 24, 2003
2,918
131
368
SLC
cPanel Access Level
DataCenter Provider
This leads me to the security question: if other users accidentally had (somehow) the same password as my root user, would cPanel grant them root access by default?

If not, what the heck happened!
1. The chances of this are astronomical (if you chose a strong password).
2. That is not how it works; you must still be logged in as root. Try closing your browsers.
(If the password for your user is really the same as root's, it will not display that message.)
3. You can disable that functionality in Tweak Settings: "Accounts that can access a cPanel user account:"
 
Apr 12, 2018
cPanel Access Level
Root Administrator
1. The chances of this are astronomical (if you chose a strong password).
2. That is not how it works; you must still be logged in as root. Try closing your browsers.
(If the password for your user is really the same as root's, it will not display that message.)
3. You can disable that functionality in Tweak Settings: "Accounts that can access a cPanel user account:"
1. True, but it is possible, albeit very rare.
2. I am not logged in as anything anywhere else. I can do it on a brand new device.
3. I am going to check this setting and report back to you.
 
Apr 12, 2018
cPanel Access Level
Root Administrator
So I have checked everything; the account shares a password with root and that's it. Here are some pictures showing a new browser, which has never seen it before, accessing it, and it still shows.

edit: Apparently I can't post images?

i.ibb.co/RzPm8RV/img1.png
i.ibb.co/3FqFz1g/img2.png
i.ibb.co/WtfbbgY/img3.png
i.ibb.co/S3FCd8Z/img4.png
i.ibb.co/16g06hr/img5.png

As soon as I change the account password, the account loses root permissions. So this is insecure in my opinion.
 

dalem

Tested one of my own servers; it does not behave that way for me.

I set an account with the same password as root, and it just displays as it would if I normally logged in as a cPanel user.

Try opening a totally separate browser and see if it still does it (caching).

If it is truly doing that, you might want to have cPanel support verify.
 

sparek-3

Well-Known Member
Aug 10, 2002
1,929
178
343
cPanel Access Level
Root Administrator
So I have checked everything; the account shares a password with root and that's it. Here are some pictures showing a new browser, which has never seen it before, accessing it, and it still shows.
This is the expected behavior if you have "Accounts that can access a cPanel user account" set to "Root, Account Owner, and cPanel User". Set this value to "cPanel User Only" and the problem should go away.
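A small model of what the two values of that Tweak Setting do to a login, as an added example that is not from the thread or from cPanel's code base. The principal order (most privileged first), the account names and the passwords are assumptions chosen to reproduce the symptom described above; `accounts_sharing_password` is a constructed check an administrator could run to find accounts that reuse root's password.

```python
import hashlib
import hmac
import os

# Toy model of the login resolution discussed in the thread. It is an added
# illustration, not cPanel's code; the principal-order assumption (most
# privileged first) is mine, chosen because it reproduces the symptom the
# original poster saw. The Tweak Setting "Accounts that can access a cPanel
# user account" decides whose passwords are accepted for a given cPanel login.

ITERATIONS = 50_000

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(password, record):
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])

def make_record(password, owner):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "owner": owner}

# Constructed sample accounts. "tempacct" reuses root's password, as in the post.
ACCOUNTS = {
    "root": make_record("R00t-Pa55word!", None),
    "resell1": make_record("reseller-secret", "root"),
    "tempacct": make_record("R00t-Pa55word!", "root"),
    "site2": make_record("site2-pw", "resell1"),
}

# The two setting values from the thread, as the principals each one allows,
# ordered most privileged first (assumption, see above).
ALLOWED = {
    "root_owner_user": ("root", "owner", "user"),
    "user_only": ("user",),
}

def resolve_login(username, password, setting, accounts=ACCOUNTS):
    """Return the principal the session is granted, or None if login fails."""
    rec = accounts[username]
    candidates = {"root": "root", "owner": rec["owner"], "user": username}
    for role in ALLOWED[setting]:
        principal = candidates[role]
        if principal and verify(password, accounts[principal]):
            return principal
    return None

def accounts_sharing_password(password, accounts=ACCOUNTS):
    """Defensive check: which accounts accept this password (e.g. root's)?"""
    return [name for name, rec in accounts.items() if verify(password, rec)]
```

With the permissive setting a login to `tempacct` using the shared password is granted as `root`; with `user_only` the same credentials only ever yield the `tempacct` session.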