Operating System & Version
Centos 7.8
cPanel & WHM Version
11.88.0.12

marjwyatt

Well-Known Member
Jun 23, 2014
50
6
58
cPanel Access Level
Reseller Owner
An account hosted on my VPS was recently breached. I've resolved the account level issues and am keeping a close eye on it. It appears to have been caused by a back door created through a free WordPress theme that one of the site users installed without my knowledge.

While thinking about server security, I started poring over settings in WHM. Compiler Access has me a little stumped, so I'm hoping someone here can help.

I've disabled compilers for unprivileged users but this link suggested that I go through the file and manually remove previously authorized unprivileged users.
https://docs.cpanel.net/whm/security-center/compiler-access/

When I logged in using SFTP, I verified that permissions of /usr/bin/gcc had been altered correctly. I then moved on to the group file check. I found two files on the server. One is /etc/group and the other is /etc/group-. The first question is, do I need both of those files?

I edited /etc/group to remove unprivileged user accounts that I no longer want to have access to compilers. The link posted above states, "If the compiler group contains a user without a corresponding cPanel account, someone modified the /etc/group file to add that user. " What I'm unable to determine through investigating this file is what the defaults should be. I've scoured the internet for an example and I cannot find one. I could make some educated guesses on what belongs there but I do not want to make it impossible to update my server software either through the normal cPanel update process or via root.

I'll post a list of cPanel accounts and also the contents of the /etc/group file as it stands at this time.
Accounts (22):
sarcasm
bessmccarty
bluedive
catisms
cbmark
conundru
deadlyda
discount
literalg
marjwyat
mildlymy
mlmmillionaire
p0intlesspursu1t
sdvfwdonations
sixbetz
goteam
sportsbe
thelegen
virtuall
vmnet
websitz2
westsideguild

/etc/group contents:
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:30:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
ssh_keys:x:999:
systemd-journal:x:190:
dbus:x:81:
saslauth:x:76:
mailnull:x:47:
smmsp:x:51:
avahi:x:70:
apache:x:48:
rpc:x:32:
slocate:x:21:
sshd:x:74:
named:x:25:
nscd:x:28:
screen:x:84:
tcpdump:x:72:
input:x:998:
systemd-bus-proxy:x:997:
systemd-network:x:996:
mailtrap:x:995:
dovecot:x:97:
dovenull:x:994:
mysql:x:993:
cpanel:x:201:cpanel
cpanelphpmyadmin:x:202:cpanelphpmyadmin
cpanelphppgadmin:x:203:cpanelphppgadmin
cpanelroundcube:x:204:cpanelroundcube
cpanelrrdtool:x:205:cpanelrrdtool
mailman:x:206:mailman
compiler:x:992:cpanel
cpanellogin:x:991:
cpaneleximfilter:x:990:
cpaneleximscanner:x:989:
cpanelconnecttrack:x:988:
cpses:x:987:
mysyslog:x:986:cpses,smmsp,cpanel,mail,rpc,named,dbus,daemon,mailnull,dovecot,mysql,dovenull
cpanelcabcache:x:985:cpanelcabcache
cpaneldemo:x:1042:
cpanelsuspended:x:1043:
printadmin:x:984:
cpanelanalytics:x:983:cpanelanalytics
cgred:x:982:
tss:x:59:
linksafe:x:981:mailman


Thank you, in advance, for your advice and attention.

marjwyatt

Since making this change, I've received an email with several lines repeating the message:
Use of uninitialized value $gid in chown at /usr/local/cpanel/Cpanel/Autodie/CORE/chown.pm line 34.

Did I mess something up by removing compiler access for unprivileged users?

marjwyatt

It turned out that I read that help file too literally. I read the warning to mean that, after disabling compiler access for unprivileged users, I then needed to clean up the /etc/group file to remove them from that, too.

Here's the language:
"When you modify your system’s compiler access, make certain to review the list of users in the Manager Compiler Group interface. The system does not automatically update this list. "

Maybe someone should update that article to explain that no users ought to be REMOVED from that file. I created all sorts of havoc by doing that today.

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,255
313
Houston
It turned out that I read that help file too literally. I read the warning to mean that, after disabling compiler access for unprivileged users, I then needed to clean up the /etc/group file to remove them from that, too.

Here's the language:
"When you modify your system’s compiler access, make certain to review the list of users in the Manager Compiler Group interface. The system does not automatically update this list. "

Maybe someone should update that article to explain that no users ought to be REMOVED from that file. I created all sorts of havoc by doing that today.
That's really not true though; the understanding here is that one understands which users *should* be present there. If you're unsure of a user's purpose, it should be investigated before modifying its privileges. Most system users are privileged; account users should not be present in that file, which is why it is suggested to review it, in the event that a user exists without an account and was manually added, or somehow a non-system user was added. You can remove any of those system users you like, but do keep in mind the privileges you'll be removing from system users whose associated services may not be able to function properly when you do so.
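The two questions in this thread, whether /etc/group- is needed alongside /etc/group and how to review the compiler group without blindly removing members, can both be answered with a small read-only audit rather than hand edits. The script below is an added example written for this thread; it is not cPanel's code and not part of any post. It parses /etc/group-format text, lists the members of the `compiler` group, classifies each one as a cPanel account (from the account list you hold), an expected system user (a set you supply after checking, here just `cpanel` as the listing shows), or unknown, and diffs the current file against /etc/group-, the backup that shadow-utils tools such as groupadd and gpasswd write before rewriting /etc/group (so it is safe to keep, and useful for exactly this comparison). The sample data is a constructed subset of the listing above plus one made-up member, `suspect1`, so that the unknown case is exercised.

```python
"""Audit the compiler group in /etc/group against known cPanel accounts.

Added example for the cPanel forum thread above; not cPanel's own code.
Run with no arguments to audit the constructed sample, or pass the paths
of /etc/group and /etc/group- to audit a real server read-only.
"""
import difflib
import sys

# Constructed sample in /etc/group format: a subset of the thread's listing
# plus one made-up member "suspect1" in the compiler group for demonstration.
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:
cpanel:x:201:cpanel
compiler:x:992:cpanel,suspect1
mysyslog:x:986:cpses,smmsp,cpanel
"""

# Constructed stand-in for /etc/group-, the backup written by shadow-utils
# tools (groupadd, gpasswd, ...) before they rewrite /etc/group.
SAMPLE_GROUP_BACKUP = """\
root:x:0:
wheel:x:10:
cpanel:x:201:cpanel
compiler:x:992:cpanel
mysyslog:x:986:cpses,smmsp,cpanel
"""

# Subset of the 22 account names listed in the thread (assumed complete list
# would come from /var/cpanel/users or "whmapi1 listaccts" on the server).
CPANEL_ACCOUNTS = {"sarcasm", "marjwyat", "vmnet"}

# System users you have checked and expect in the compiler group.
EXPECTED_SYSTEM_MEMBERS = {"cpanel"}


def parse_group(text):
    """Return {group_name: (gid, [members])} from /etc/group-style text."""
    groups = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 colon-separated fields")
        name, _password, gid, members = fields
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def audit_compiler_group(text, cpanel_accounts, expected_system, group="compiler"):
    """Classify each member of the compiler group; 'unknown' is what to investigate."""
    groups = parse_group(text)
    result = {"cpanel_accounts": [], "system": [], "unknown": []}
    if group not in groups:
        return result  # group missing entirely: also worth a look, but nothing to classify
    for member in groups[group][1]:
        if member in cpanel_accounts:
            result["cpanel_accounts"].append(member)
        elif member in expected_system:
            result["system"].append(member)
        else:
            result["unknown"].append(member)
    return result


def diff_against_backup(current, backup):
    """Return only the added/removed lines between /etc/group- and /etc/group."""
    diff = difflib.unified_diff(backup.splitlines(), current.splitlines(), lineterm="")
    return [l for l in diff if (l.startswith("+") or l.startswith("-"))
            and not l.startswith("+++") and not l.startswith("---")]


def main(argv):
    if len(argv) == 3:  # real files, opened read-only
        with open(argv[1]) as f:
            current = f.read()
        with open(argv[2]) as f:
            backup = f.read()
    else:
        current, backup = SAMPLE_GROUP, SAMPLE_GROUP_BACKUP
    report = audit_compiler_group(current, CPANEL_ACCOUNTS, EXPECTED_SYSTEM_MEMBERS)
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or '(none)'}")
    print("changes since backup:")
    for line in diff_against_backup(current, backup):
        print("  " + line)


if __name__ == "__main__":
    main(sys.argv)
```

On the sample, the report lists `cpanel` as an expected system member and `suspect1` as unknown, and the diff shows the compiler line as the only change since the backup. On a real server, an unknown member that matches neither a cPanel account nor a system user you have verified is the case the cPanel documentation describes as a manual modification of /etc/group; removing expected system users, as the thread shows, breaks services that rely on them.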