In Progress [CPANEL-23597] Prevent resellers from unsuspending email accounts

sparek-3

Well-Known Member
cPanel Access Level
Root Administrator
This may be the intended function, but it appears to be ripe for abuse and would seem to need to be corrected.

If a server has a reseller user - reseller1 - that has an account - account1 - that is suspended by root, then reseller1 can log into account1's cPanel using their reseller1 password (reseller override ... Tweak Setting -> account_login_access -> owner_root) and change the password of an email account, thereby overriding the email account's suspension.

That email account can then be checked for new mail and used in SMTP authentication to send out mail, mostly defeating the point of the account suspension.

Is this the intended behavior?

To duplicate this:

Ensure that the tweak setting account_login_access is set to owner_root, which I believe is the default cPanel setting.

Create a new cPanel account on the server - reseller1.

Give that newly created cPanel account (reseller1) reseller privileges.

Log into the WHM using this newly created reseller account (reseller1).

Create a cPanel account on the server (cpuser1).

Log into that cPanel account and create a random test email account ([email protected]).

Note that you can log into that email account and use SMTP authentication with that email account's ([email protected]) username and password.

Log into root's WHM (root)

Suspend the cPanel account (cpuser1)

Note that the email account's username and password ([email protected]) no longer works for POP3/IMAP and SMTP authentication.

Note that the user's cPanel login (cpuser1) is rejected when using the cPanel account's username and corresponding password.

Note that logging into the cPanel account (cpuser1) using the reseller's (reseller1) password is successful.

While logged into the cPanel account using the reseller's password, navigate to Email Accounts, choose the random test email account and select Password and Authentication.

Change the password of the email account ([email protected]) to something new.

Note that you can now log into the email account ([email protected]) using POP3/IMAP and use the email account's username and password for SMTP Authentication to send out mail.


This behavior would seem to circumvent root's (the server administrator's) ability to suspend a reseller's resold account (cpuser1) with the intent of preventing that account from sending out mail through its email accounts ([email protected]). Perhaps this is the intended behavior - but it seems to be a bad design to me.
 

cPanelMichael

Administrator
Staff member
While logged into the cPanel account using the reseller's password, navigate to Email Accounts, choose the random test email account and select Password and Authentication.

Change the password of the email account ([email protected]) to something new.

Note that you can now log into the email account ([email protected]) using POP3/IMAP and use the email account's username and password for SMTP Authentication to send out mail.
Hello @sparek-3,

I've been unable to reproduce this behavior on a test system. The email account's entry in /home/$username/etc/$domain/shadow maintains the locked entry after the email account's password change (via the reseller login), e.g.:

Code:
test1:$1$Bb3bohnC$/13lwAkNDQ8BsN8YsFze31:17801::::::*LOCKED*
Can you let me know which version of cPanel & WHM is installed on the system you are reproducing this behavior on?

Thank you.
 

sparek-3

Well-Known Member
cPanel Access Level
Root Administrator
This is in cPanel 11.74.0.8

I just tried it again and it works for me... I don't know where we are missing a step.

I would encourage you to really investigate the /home/$username/etc/$domain/shadow file both BEFORE changing the password while in a suspended state and AFTER.

The code that you are showing:

Code:
test1:$1$Bb3bohnC$/13lwAkNDQ8BsN8YsFze31:17801::::::*LOCKED*
Seems to indicate that it's missing the *LOCKED* in the password hash part. I think you may just be seeing the *LOCKED* at the end of the line and thinking it's still locked.

When the email account is really suspended, it will show something like:

Code:
test1:*LOCKED*$1$Bb3bohnC$/13lwAkNDQ8BsN8YsFze31:17801::::::*LOCKED*
And then when you change the password while it is suspended, the first *LOCKED* (the one in the password hash) will be removed.

I think you will also notice that the password hash has changed from its original. This may be a subtle change, but it is a change - at least that is what I am seeing.

At least that is the behavior that I am seeing.
 
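The two shadow lines above show the distinction that matters: a properly suspended email account carries *LOCKED* twice, once as a prefix on the hash field and once in the trailing field, and the password change described in the thread strips only the prefix, which is the part that stops POP3/IMAP/SMTP authentication. The script below is an added example for this thread, not cPanel's own tooling. It classifies entries in a cPanel per-domain mail shadow file (the name:hash:lastchg::::::flag layout shown in the posts) and reports accounts that are still flagged as suspended but whose hash no longer has the *LOCKED* prefix, i.e. the state that lets mail authentication work again. The sample lines in the test are constructed; the /home/*/etc/*/shadow glob in scan_all_accounts assumes the default cPanel home layout and must be run as root on the server.

```shell
#!/bin/sh
# Added example (not cPanel's code): audit cPanel mail shadow files for
# email accounts whose suspension has been partially undone.
#
# Entry layout seen in the thread:  name:hash:lastchg::::::flag
# States returned by shadow_state:
#   locked       hash has the *LOCKED* prefix and the trailing flag is set
#   active       neither marker is present (normal, unsuspended account)
#   half-locked  trailing flag set but the hash prefix is gone; this is the
#                state the thread reports after a password change while the
#                cPanel account is suspended (POP3/IMAP/SMTP auth works again)
#   odd          hash prefix present but no trailing flag

shadow_state() {
    line=$1
    rest=${line#*:}            # drop the account name
    hash=${rest%%:*}           # second field: the password hash
    flag=${line##*:}           # last field: the suspension flag
    case $hash in
        '*LOCKED*'*) hash_locked=1 ;;
        *)           hash_locked=0 ;;
    esac
    if [ "$flag" = '*LOCKED*' ]; then flag_locked=1; else flag_locked=0; fi
    case "$hash_locked$flag_locked" in
        11) echo locked ;;
        00) echo active ;;
        01) echo half-locked ;;
        10) echo odd ;;
    esac
}

# Print "state<TAB>account" for every entry in FILE that is neither cleanly
# locked nor active. Exit status 1 if at least one half-locked entry exists.
scan_shadow_file() {
    file=$1
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        state=$(shadow_state "$line")
        case $state in
            locked|active) ;;
            *)
                printf '%s\t%s\n' "$state" "${line%%:*}"
                [ "$state" = half-locked ] && found=1
                ;;
        esac
    done < "$file"
    return $found
}

# Walk every cPanel account's per-domain shadow file (assumed default layout,
# run as root). Each reported line is prefixed with the file it came from.
scan_all_accounts() {
    for f in /home/*/etc/*/shadow; do
        [ -f "$f" ] || continue
        scan_shadow_file "$f" | sed "s|^|$f: |"
    done
}

# Usage on the server:  sh audit_mail_shadow.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_all_accounts
fi
```

A half-locked hit means the cPanel account's suspension is in place (the trailing flag is still there) but that mailbox can authenticate, which is exactly the gap the thread describes; the script only reports it and does not edit shadow files.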

cPanelMichael

Administrator
Staff member
Hello @sparek-3,

Thank you for the additional details. I tested via a Webmail login attempt (this does fail), whereas testing using POP3/IMAP/SMTP outside of Webmail does produce the results you reported.

I've opened internal case CPANEL-23233 to inquire about this behavior. I'll monitor this case and update this thread with more information as it becomes available.

Thank you.
 

cPanelMichael

Administrator
Staff member
Hello @sparek-3,

To update, the behavior is currently by design as the setting itself only refers to the cPanel account itself. However, it's a reasonable expectation that it should include individual email accounts associated with that cPanel user as well. I've opened internal case CPANEL-23597 to request an improvement to this feature so that email account suspensions are locked. I'll monitor this case and update this thread with more information as it becomes available.

Thank you.