cPanel/WHM Root & Reseller passwords

Discussion in 'General Discussion' started by darren.nolan, Dec 5, 2007.

  1. darren.nolan

    darren.nolan Well-Known Member

    Howdy,

    I've tried to do some research in the documentation of cPanel/WHM but I can't find anything in regards to this, so if you can point me in the right direction that'd be awesome.

    To my understanding, when logging into cPanel I can put any username and the root password - and log in (as root of course, so phpmyadmin etc. is not available).

    A reseller may do the same thing, put in any of their account's username and their reseller password - and log in as a reseller.

    So the problem arises when a Reseller uses the same password as their accounts they own - they will always log in as the reseller, and not the user themselves. Most people on my server are web developers, so they tend to keep the same password for both their WHM account and cPanel accounts - which of course causes a problem when they try to use phpMyAdmin and the like - "You are logged in with the root or reseller password".

    Now this in itself is not much of a worry, but say someone were to have a 1 in 10 billion chance of using the same password as the root account - they are told so when they log into cPanel?

    Am I getting this right thus far?

    While I don't believe anyone is going to pick my root password any time soon being 10+ characters and completely random, I do have a reseller that has a rather - plain - password. I don't normally get told what passwords my resellers are using, so I can't know them all - but isn't this a security risk?

    Is there a way of changing the default behaviour for logging in with the root/reseller password? And if so, what problems will then occur (for example when I log into someone's cPanel via List Accounts).

    Cheers,
    Dazz
     
  2. ttremain

    ttremain Well-Known Member

    You are right, it should read the account password before checking for the reseller password or root password.

    You should post a bugfix in bugzilla.
     
  3. darren.nolan

    darren.nolan Well-Known Member

    #3 darren.nolan, Dec 5, 2007
    Last edited: Dec 5, 2007
  4. darren.nolan

    darren.nolan Well-Known Member

    ttremain - Can I trouble you to take a look at this? I'm really stumped now, as I followed exactly what Ken did and I can't reproduce the same result now :| I had changed the password of the user-account so I had to first change the password back.

    http://bugzilla.cpanel.net/show_bug.cgi?id=6156

    It's not in my best interests to disable this feature for logging in with root/reseller passwords as it does remove the link from WHM to a user's cPanel account.

    Now I think I have gone mad and forgot the password for the user account, while thinking it was the same as the reseller account - in fact it was something completely different.

    I believe my reseller may have done the same thing........:eek:
     
  5. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    You might also try upgrading to the latest build (18335) as the one you are running is quite a bit older than the one I tested with.
     
  6. darren.nolan

    darren.nolan Well-Known Member

    Thanks Ken, I'm doing this now. If there are any other troubles I'll post here/reopen the bug.

    I hate updating cPanel... I dislike things breaking (namely my spamassassin setup and custom entries in httpd.conf).

    Edit: Updated to latest build - (18335). Only spamassassin sockets broke. YAY. Will let you know if anything happens re: passwords.
     
    #6 darren.nolan, Dec 5, 2007
    Last edited: Dec 5, 2007
  7. ttremain

    ttremain Well-Known Member

    I had not tested it when I saw your original post, but I did have a "feeling" I had seen this before. (Please note I never substantiated your claim :)

    I did just partly test this.

    I set a root password and an account password to be the same. Logged into cPanel for the account, and it did not come up logged in as root.

    As far as your going mad... There are tests for that too...
     
  8. darren.nolan

    darren.nolan Well-Known Member

    URL me.

    One thing I will note out of all my tests last night;

    Root password = x
    User password = x
    Log into cPanel with User account, using password x
    Change password for user to y
    Cookie kept old info about password and THEN I saw "you are logged in either as root/reseller".

    Something like that however I believe to be very trivial.
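
A model of the check order discussed in this thread, as an added example that is not part of any post and is not cPanel's code: it shows which identity a session ends up with when an account reuses its reseller's password, depending on whether the account's own password or the override (reseller/root) passwords are tried first. All user names, passwords and function names are constructed, and PBKDF2 is a stand-in for whatever hashing the server uses.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # demo value for the stand-in hash

def hash_pw(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(password, stored):
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Constructed accounts: owner is the reseller (or root) that owns the account.
USERS = {
    "root":      {"hash": hash_pw("R00t-x9!Qz"), "owner": None},
    "reseller1": {"hash": hash_pw("plain123"), "owner": "root"},
    "site1":     {"hash": hash_pw("plain123"), "owner": "reseller1"},  # reused
    "site2":     {"hash": hash_pw("unique-pw"), "owner": "reseller1"},
}

def login(username, password, account_first=True):
    """Return the principal whose password matched, or None."""
    if username not in USERS:
        return None
    chain, owner = [username], USERS[username]["owner"]
    while owner:  # walk up: account -> reseller -> root
        chain.append(owner)
        owner = USERS[owner]["owner"]
    if not account_first:  # override passwords tried before the account's own
        chain = chain[1:] + chain[:1]
    for principal in chain:
        if verify(password, USERS[principal]["hash"]):
            return principal
    return None

def accounts_opened_by(password):
    """Every login name this one password gets into, via own or override match."""
    return sorted(u for u in USERS if login(u, password) is not None)

if __name__ == "__main__":
    print(login("site1", "plain123", account_first=False))  # session is the reseller's
    print(login("site1", "plain123"))                       # session is the account's
    print(accounts_opened_by("plain123"))
```

With override logins enabled, the reseller's password is accepted for every account the reseller owns, so a plain reseller password weakens all of those accounts regardless of how strong their own passwords are.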
     