One or more immutable files are preventing cPanel and WHM from updating on your serve

uacomm

Member
Apr 15, 2011
22
0
51
I am receiving following notification from server so can any one tell why is it? how to resolve it?


--------------------------------------------------------------------
The find-immutable-files script, run by the cPanel & WHM update process (/scripts/upcp), found 10 files distributed by cPanel marked as immutable on your server.

cPanel & WHM cannot update until you make these files mutable. The list of immutable files is located on your server at "/var/cpanel/immutable_files".

The files found are:

/usr/local/cpanel/cgi-sys/guestbook.cgi
/usr/local/cpanel/cgi-sys/mchat.cgi
/usr/local/cpanel/cgi-sys/cgiecho
/usr/local/cpanel/cgi-sys/cgiemail
/usr/local/cpanel/cgi-sys/formmail.pl
/usr/local/cpanel/cgi-sys/FormMail.cgi
/usr/local/cpanel/cgi-sys/formmail.cgi
/usr/local/cpanel/cgi-sys/FormMail-clone.cgi
/usr/local/cpanel/cgi-sys/FormMail.pl
/usr/local/cpanel/cgi-sys/Count.cgi

The find-immutable-files script was run, because one or more immutable files found on a previous run (Wed Jun 8 23:49:15 2011) still remained, and had not been made mutable.
 

uacomm

Member
Apr 15, 2011
22
0
51
Re: One or more immutable files are preventing cPanel and WHM from updating on your s

I have found solution.
 

lbeachmike

Well-Known Member
Dec 27, 2001
306
1
316
Long Beach, NY
cPanel Access Level
Root Administrator
Re: One or more immutable files are preventing cPanel and WHM from updating on your s

We just had the same issue on one of three of our servers. Cpanel has done a nice job on this one including explanations and step-by-step resolution details in their alert email - nicely done cpanel!

However, my question is this - what caused this to occur on this one server, and all of the others reporting the same? Our immutable files are identical to those shown above.

We have never taken any action to make them immutable.

Thanks.

Mike
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Re: One or more immutable files are preventing cPanel and WHM from updating on your s

Hello Mike,

These files would not have been modified by cPanel but another script that was installed might have done it such as CSF or Fantastico. If you look at the timestamps for one of the files, you would be able to tell when they were last modified:

Code:
stat /usr/local/cpanel/cgi-sys/guestbook.cgi
We won't have any set way to know which script might have set the files to immutable.

Thanks!
 

lbeachmike

Well-Known Member
Dec 27, 2001
306
1
316
Long Beach, NY
cPanel Access Level
Root Administrator
Re: One or more immutable files are preventing cPanel and WHM from updating on your s

Actually, I do have a question on this -

The instructions that cpanel provided in the email alert explain how to exclude the files from update, but they don't address how to have cpanel proceed with its update and update these files as needed.

I have no knowledge of why these would be immutable, since they were not in our other servers and our configs are the same.

How would you suggest to proceed with the update?

Thanks.

Mike
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Re: One or more immutable files are preventing cPanel and WHM from updating on your s

The update itself will proceed, and only those files will not be updated. If you wish the files to be able to be updated, you'd have to make them mutable:

Code:
chattr -i /pathtofile
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Re: One or more immutable files are preventing cPanel and WHM from updating on your s

Correct, simply re-run /scripts/upcp --force at that point.
 

audrey

Well-Known Member
Oct 18, 2006
114
5
168
Re: One or more immutable files are preventing cPanel and WHM from updating on your s

Hi Tristan

I value your opinion-you have always steered me in the right direction!

cpanel's email about the immutable files has a couple of extra steps

it says
For each immutable file, execute the following commands:

chattr -i /path/to/file
echo "/path/to/file" >> /etc/cpanelsync.exclude

3. Re-sync the files in your cPanel & WHM installation by executing the following command:

/usr/local/cpanel/scripts/upcp --sync

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Should I ignore
echo "/path/to/file" >> /etc/cpanelsync.exclude

and ignore
3. Re-sync the files in your cPanel & WHM installation by executing the following command:

/usr/local/cpanel/scripts/upcp --sync

and just go straight to
/scripts/upcp --force


Thanks again for all your help
Audrey
 
Last edited:

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Re: One or more immutable files are preventing cPanel and WHM from updating on your s

You don't have to exclude the files if you are going to make them mutable. You would only exclude them if you aren't going to make them mutable again.

As for /usr/local/cpanel/scripts/upcp --force, this is the same as /scripts/upcp --force since on 11.30 and higher the /scripts directory is symlinked to /usr/local/cpanel/scripts location.
 

audrey

Well-Known Member
Oct 18, 2006
114
5
168
Re: One or more immutable files are preventing cPanel and WHM from updating on your s

Hi Tristan

Thanks as always for your quick response

I don't want to exclude - cpanel can update the script-probably a good thing.

I make the cgi-sys/guestbook.cgi immutable
because
I don't want anyone to use this script.

Clients enable it on their sites and do not monitor it and it causes havoc when every porn star and spammer, etc
posts to it.

Is there any way to let cpanel update the script and still prevent it from being used?

Thanks again
Audrey
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Re: One or more immutable files are preventing cPanel and WHM from updating on your s

Why not exclude the file from updates and remove it from existing entirely? Then there isn't an immutable flag on it and it doesn't need to get updated either.
 

audrey

Well-Known Member
Oct 18, 2006
114
5
168
Re: One or more immutable files are preventing cPanel and WHM from updating on your s

Hi Tristan

sounds like a good plan-but-
if I delete it entirely - perhaps a cpanel update down the road will not be happy that it cannot find the script.

I will see how it goes with the updates and if the script gets to be an issue again
I will follow your advice

Have a great night
Take Care
Audrey
 

DomineauX

Well-Known Member
PartnerNOC
Apr 12, 2003
429
11
168
Houston, TX
cPanel Access Level
Root Administrator
Re: One or more immutable files are preventing cPanel and WHM from updating

Just wanted to add that we really need a good way to get rid of the cgi-sys/guestbook.cgi per account at least as PCI scanning companies are failing scans if it is present at all despite the fact that the ancient exploits from 2003 are resolved:

Example from Security Metrics:

The location of domain.co.uk/cgi-sys/guestbook.cgi
I get a no username not given. I should be seeing a 404 not found.

The location is giving me a 200 ok I need the location of domain.co.uk/cgi-sys/guestbook.cgi to give a 404 not found.
This will resolve the issue and we can rescan.
That is after I provided them with the following:

The vulnerabilities listed regarding the guestbook.cgi provided by cPanel are very old and long ago resolved. The following links show that the 2 "vulnerabilities" in 2003 were resolved in versions of cPanel higher than 5 and servers currently run version 11.30+:

CVE - CVE-2003-1425 (under review)
CVE - CVE-2003-1426 (under review)
 

DomineauX

Well-Known Member
PartnerNOC
Apr 12, 2003
429
11
168
Houston, TX
cPanel Access Level
Root Administrator
Re: One or more immutable files are preventing cPanel and WHM from updating

Just want to add the following as a good solution provided to me by James Otting @cPanel:

Create /etc/httpd/conf/userdata/std/2/username/pci.conf containing:

<Files "guestbook.cgi">
Order allow,deny
Deny from all
</Files>

Then rebuild/restart Apache:

/scripts/rebuildhttpdconf
/scripts/restartsrv_httpd

All fine now and requests are refused.
 

techdruid

Member
Jan 16, 2012
9
0
51
cPanel Access Level
Root Administrator
Re: One or more immutable files are preventing cPanel and WHM from updating

Create /etc/httpd/conf/userdata/std/2/username/pci.conf
If you have SSL enabled, as you may on a PCI scanned website, you'll want to also create the ssl file equivalent of the above.

Create /etc/httpd/conf/userdata/ssl/2/username/pci.conf
 

mwsfx

Registered
Feb 19, 2013
4
0
1
cPanel Access Level
Website Owner
Re: One or more immutable files are preventing cPanel and WHM from updating

Hi! on my cPanel Server 11.34.1 we only have the first part of the given path:
/etc/httpd/conf/

do I have to create the remaining path structure by myself? ...userdata/std/2/username/pci.conf
I already disabled the "guestbook & cgi scripts" in the "Servers Feature Manager" without success.

many thanks!
 

DomineauX

Well-Known Member
PartnerNOC
Apr 12, 2003
429
11
168
Houston, TX
cPanel Access Level
Root Administrator
Yes you would need to create the rest of the directories such as:

mkdir -p /etc/httpd/conf/userdata/std/2/username/
(mkdir -p will automatically create the higher level directories if not already present)