Disable root user and use sudo

bettinz

Member
Jun 17, 2011
Hello,

I think we have a big security problem with cPanel; in fact, we have the user "root" enabled for web interface login.
It's too much for me: the best thing would be, during installation, to create an unprivileged user, like "john", and if John wants to use some command, he needs to use sudo or su.

But a form with the user "root" enabled is not safe, in my opinion. I use a key for SSH; we need to think about a "key" system or "two-step authentication with email or mobile phone".

What do you think? Am I just paranoid, or is it a real problem?
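The setup proposed in the post above (an unprivileged admin account that uses sudo, key-only SSH, root never logging in directly) as an added example that is not part of this thread and not cPanel's own tooling. It is a POSIX shell script: the sshd_config rewrite runs on a temporary copy of a constructed sample file, so it can be tried without root; the account-creation function is the privileged half for a real host. The user name "john" is the poster's; the sample sshd_config is constructed here; the wheel group and the useradd/usermod/install commands assume a CentOS/RHEL-family host, which is what cPanel runs on.

```shell
#!/bin/sh
# Added example (not from the cPanel forum thread): lock root out of SSH,
# give a named admin user key-only SSH access, and keep root for sudo/su.
# The config rewrite runs on a copy, so it can be tried without root.
set -eu

# set_sshd_option FILE KEY VALUE
# In the global section of FILE, drop every existing mention of KEY (active or
# commented out) and write "KEY VALUE" once, just before the first Match block
# (options after "Match" are conditional, so the global line must precede it).
# Match blocks are left untouched. Running it twice gives the same file.
set_sshd_option() {
  _tmp=$(mktemp)
  awk -v key="$2" -v value="$3" '
    !in_match && $1 == "Match" { print key " " value; in_match = 1; done = 1 }
    in_match { print; next }
    $0 ~ ("^[ \t]*#?[ \t]*" key "([ \t]|$)") { next }
    { print }
    END { if (!done) print key " " value }
  ' "$1" > "$_tmp"
  cat "$_tmp" > "$1"      # overwrite in place: keeps owner and mode of FILE
  rm -f "$_tmp"
}

# effective_option FILE KEY
# Print the value sshd will use for KEY in the global section: the first
# active (uncommented) line wins, as in sshd. Prints "unset" if there is none.
effective_option() {
  awk -v key="$2" '
    $1 == "Match" { exit }
    $1 == key { print $2; found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# harden_sshd_config FILE ADMIN
# Root may no longer log in over SSH at all; only ADMIN may, and only with a key.
harden_sshd_config() {
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" AllowUsers "$2"
}

# create_admin_user NAME PUBKEY_FILE
# The privileged half, for a real host: an unprivileged account that can sudo
# through the wheel group (CentOS/RHEL-family assumption). Not run here.
create_admin_user() {
  useradd -m "$1"
  usermod -aG wheel "$1"
  install -d -m 700 -o "$1" -g "$1" "/home/$1/.ssh"
  install -m 600 -o "$1" -g "$1" "$2" "/home/$1/.ssh/authorized_keys"
}

# Constructed sample, shaped like a stock CentOS sshd_config (not copied from
# any real server): root and password logins are both still allowed.
SAMPLE_SSHD_CONFIG='Port 22
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User sftponly
    PasswordAuthentication yes
'

# demo_harden: harden a temp copy of the sample for user "john", print its path.
demo_harden() {
  _f=$(mktemp)
  printf '%s' "$SAMPLE_SSHD_CONFIG" > "$_f"
  harden_sshd_config "$_f" john
  printf '%s\n' "$_f"
}

hardened=$(demo_harden)
cat "$hardened"
```

On a live host the same functions are run as root against /etc/ssh/sshd_config (`harden_sshd_config /etc/ssh/sshd_config john`), followed by `sshd -t` to syntax-check the result before restarting sshd, and the new key login should be confirmed from a second session before the current one is closed. This closes only the SSH door: the WHM web login for root that the thread is about is handled by cPanel, not by sshd, and is untouched by these settings.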

ThinIce

Well-Known Member
Apr 27, 2006
Disillusioned in England
cPanel Access Level
Root Administrator
Yeah, it's not ideal. I believe common practice now is to create a new user (reseller), grant that full root access and not log in to WHM day to day using root. This still isn't really the same as having sudo/su, but it's better than nothing.

There is a feature request at Two-factor Authentication | cPanel Feature Requests discussing two-factor auth. I'm unaware if Google Authenticator or YubiKey have been rolled up into a third-party plugin at this point, though; I think the mechanisms to allow such are being put into the product, however, in terms of pluggable auth etc.

bettinz

Member
Jun 17, 2011
Hello ThinIce,

Thank you for the reply. I'm moving to have a reseller with full access, but the password problem still exists. If someone finds the password, they can delete all websites with this system.
The best thing would be to create "root" with web management enabled for 2 hours (for example) via SSH.
I really think that the root user should be used ONLY for important things, not for day-by-day maintenance, and should not be available for direct access via SSH.
Plus, we can't change the username for root, so everyone starts by knowing the username. cPanel needs to create a new user, different from root, and use this.

For two-factor, I hope to see something like this in the near future. The big security problem with passwords and keyloggers two months ago is still recent, and we need more security.