
Child account with same password as root has root access

Discussion in 'Security' started by Direct Web Solutions, Dec 3, 2018.

  1. Direct Web Solutions

    Direct Web Solutions Member

    Joined:
    Apr 12, 2018
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    Obviously it's unsafe to use the root password in other places, but as this was a temporary account I was testing things on, I didn't think anything of it. I created a new account under my root WHM (I have about 15 other accounts as well, including a reseller). When I made the account my Firefox autofilled the saved password into the password field, so I thought what the heck, and made the account. The only thing is now when I log into that account, which is NOT a reseller and has no shell or other permissions, it says I'm logged in as root or reseller and shows me ALL of my other accounts (as it would being root).

    This leads me to the security question: if other users accidentally had (somehow) the same password as my root user, would cPanel grant them root access by default?

    If not, what the heck happened!
     
  2. dalem

    dalem Well-Known Member PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,908
    Likes Received:
    127
    Trophy Points:
    368
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    1. The chances of this are astronomical (if you chose a strong password).
    2. That is not how it works; you must still be logged in as root. Try closing your browsers.
    (If the password for your user is really the same as root's, it will not display that message.)
    3. You can disable that functionality in Tweak Settings: "Accounts that can access a cPanel user account:"
     
  3. Direct Web Solutions

    Direct Web Solutions Member

    Joined:
    Apr 12, 2018
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    1. True, but it is possible, albeit very rare.
    2. I am not logged in as anything anywhere else. I can do it on a brand new device.
    3. I am going to check this setting and report back to you.
     
  4. Direct Web Solutions

    Direct Web Solutions Member

    Joined:
    Apr 12, 2018
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    So I have checked everything; the account shares a password with root and that's it. Here are some pictures showing a new browser that has never seen the account accessing it, and it still shows.

    edit: Apparently I can't post images?

    i.ibb.co/RzPm8RV/img1.png
    i.ibb.co/3FqFz1g/img2.png
    i.ibb.co/WtfbbgY/img3.png
    i.ibb.co/S3FCd8Z/img4.png
    i.ibb.co/16g06hr/img5.png

    As soon as I change the account password, the account loses root permissions. So this is insecure in my opinion.
     
    #4 Direct Web Solutions, Dec 4, 2018
    Last edited by a moderator: Dec 4, 2018
  5. dalem

    dalem Well-Known Member PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,908
    Likes Received:
    127
    Trophy Points:
    368
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    Tested one of my own servers;
    it does not behave that way for me.

    Set an account with the same password as root;
    it just displays as I would normally log in as a cPanel user.

    Try opening a totally separate browser and see if it still does it (caching).


    If it is truly doing that, you might want to have cPanel support verify.
     
  6. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,918
    Likes Received:
    167
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    This is the expected behavior if you have "Accounts that can access a cPanel user account" set to "Root, Account Owner, and cPanel User". Set this value to "cPanel User Only" and the problem should go away.
     
    cPanelLauren and Infopro like this.
  7. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,124
    Likes Received:
    474
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    @sparek-3 is correct; this behavior is the expected behavior. It is by design that you can access all cPanel accounts with root's password. The only point at which this is disabled is if you modify "Accounts that can access a cPanel user account".


    Thanks!
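The two replies above (sparek-3's and cPanelLauren's) come down to one Tweak Setting. The following is an added example, not code from cPanel or from anyone in this thread: a small audit script that parses a cpanel.config file and reports whether the root password (or a reseller's password) is accepted at a cPanel account's login, with the weak value the original poster had beside the hardened value sparek-3 recommends. It assumes that /var/cpanel/cpanel.config is a flat key=value file and that the setting is stored under the key `account_login_access` with the values `owner_root`, `owner` and `user`; those names are assumptions here, not facts from the thread, and the sample config contents are constructed. Confirm the key name against your own cpanel.config before relying on the result.

```python
"""Audit which credentials a cPanel account login accepts, as discussed in
this thread.  Added example, not cPanel's own code.

Assumptions (not taken from the thread): /var/cpanel/cpanel.config is a flat
key=value file, and the Tweak Setting "Accounts that can access a cPanel user
account" is stored under the key account_login_access with the values
owner_root ("Root, Account Owner, and cPanel User"), owner ("Account Owner and
cPanel User") and user ("cPanel User Only").  Check the key name in your own
cpanel.config before acting on the result.
"""
from pathlib import Path

CPANEL_CONFIG = Path("/var/cpanel/cpanel.config")
SETTING_KEY = "account_login_access"  # assumed key name, see module docstring

# Assumed stored values mapped to the labels shown in WHM Tweak Settings.
VALUE_LABELS = {
    "owner_root": "Root, Account Owner, and cPanel User",
    "owner": "Account Owner and cPanel User",
    "user": "cPanel User Only",
}

# Constructed sample files: the value the original poster had, and the
# value sparek-3 recommends.  Other keys are filler to exercise the parser.
WEAK_CONFIG = """\
# constructed sample of /var/cpanel/cpanel.config
skipboxtrapper=1
account_login_access=owner_root
maxemailsperhour=
"""

HARDENED_CONFIG = """\
# constructed sample of /var/cpanel/cpanel.config
skipboxtrapper=1
account_login_access=user
maxemailsperhour=
"""


def parse_cpanel_config(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comments are skipped.
    A key with no value (``maxemailsperhour=``) is kept as an empty string
    so the caller can tell 'set to nothing' from 'absent'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_account_login_access(settings: dict) -> dict:
    """Report whether the root password or the owning reseller's password is
    accepted at a cPanel account's login under the parsed settings."""
    value = settings.get(SETTING_KEY)
    if not value:
        return {"value": value, "label": "not present in cpanel.config",
                "root_password_accepted": None, "owner_password_accepted": None,
                "finding": "Setting not found; confirm the value in WHM Tweak Settings."}
    if value not in VALUE_LABELS:
        return {"value": value, "label": "unrecognised value",
                "root_password_accepted": None, "owner_password_accepted": None,
                "finding": f"Unrecognised value {value!r}; verify the key name assumption."}
    # root_ok tracks the explicit 'Root' option only; accounts owned directly
    # by root under the 'owner' setting are outside what this thread establishes.
    root_ok = value == "owner_root"
    owner_ok = value in ("owner_root", "owner")
    if root_ok:
        finding = ("Root password logs in to every cPanel account (the behaviour "
                   "reported in this thread); set to 'cPanel User Only' to disable.")
    elif owner_ok:
        finding = "Reseller (account owner) password logs in to owned cPanel accounts."
    else:
        finding = "Only the account's own password is accepted."
    return {"value": value, "label": VALUE_LABELS[value],
            "root_password_accepted": root_ok, "owner_password_accepted": owner_ok,
            "finding": finding}


def audit_file(path: Path = CPANEL_CONFIG) -> dict:
    """Audit a real cpanel.config; falls back to the constructed weak sample
    when the file is absent so the example still runs off a cPanel host."""
    text = path.read_text() if path.exists() else WEAK_CONFIG
    return audit_account_login_access(parse_cpanel_config(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_account_login_access(parse_cpanel_config(text))
        print(f"{name:9} {result['label']!r}: {result['finding']}")
    print("live:", audit_file()["finding"])
```

Run as root on the server to audit the live file; the "weak" line of the output is the situation described in this thread and the "hardened" line is what remains after switching the Tweak Setting to "cPanel User Only". A result of `None` for `root_password_accepted` means the script could not determine the value and the setting should be read directly in WHM.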
     