Disable root user and use sudo

Discussion in 'Security' started by bettinz, Apr 18, 2013.

  1. bettinz

    bettinz Member

    Hello,

    I think we have a big security problem with cPanel; in fact, we have the user "root" enabled with web interface login.
    It's too much for me: the best approach is, during installation, to create an unprivileged user, like "john", and if John wants to use some command, he needs to use sudo or su.

    But a form with user "root" enabled is not safe in my opinion. I use a key for SSH; we need to think about a "key" system or "two-step authentication with email or mobile phone".

    What do you think? Am I just paranoid, or is it a real problem?
     
  2. ThinIce

    ThinIce Well-Known Member

    cPanel Access Level: Root Administrator
    Yeah, it's not ideal. I believe common practice now is to create a new user (reseller) and grant that full root access and not log in day to day to WHM using root. This still isn't really the same as having sudo / su, but it's better than nothing.

    There is a feature request at "Two-factor Authentication | cPanel Feature Requests" discussing two-factor auth. I'm unaware if Google Authenticator or YubiKey have been rolled up into a third-party plugin at this point, though. I think the mechanisms to allow such are being put into the product, however, in terms of pluggable auth etc.
     
  3. bettinz

    bettinz Member

    Hello ThinIce,

    Thank you for the reply. I'm moving to have a reseller with full access, but the password problem still exists. If someone finds the password, they can delete all websites with this system.
    The best thing is to create "root" with web management, enabled for 2 hours (for example) via SSH.
    I really think that the root user will be used ONLY for important things, and not for day-to-day maintenance, and not be available for direct access via SSH.
    Plus, we can't change the username for root, so everyone starts by knowing the username. cPanel needs to create a new user, different from root, and use this.

    For two-factor, I hope to see something like this in the near future. The big security problem with passwords and keyloggers two months ago is still recent, and we need more security.




     
  4. bettinz

    bettinz Member

    Hello, can someone from cPanel take a look at my request?

    Thank you :)
     