reseller_RESELLERSUSERS_root ?

dkg

Member
Each of my reseller accounts has this file (reseller_RESELLERSUSERS_root) located in ~/.cpanel/datastore. It seems to contain a list of all accounts on the server. Although it is a binary file it is easy to display with less and it is owned by the reseller and visible to the reseller. It seems to me this is somewhat of a security issue -- I don't think anyone but root should have access to a list of all accounts. Is there a reason this file should exist?

In addition to that file there is a file called reseller_RESELLERSUSERS_<reselleracct> that contains a list of accounts for that reseller. I don't have a problem with that since the reseller should already know about his sub-accounts.

Dave G.
 

cPanelDavidG

Technical Product Specialist
These files were being created by direct logins to cPanel using a combination of the reseller user name and the root password. We adjusted the product to no longer create these, nor update them if they exist. The /usr/local/cpanel/bin/purge_old_datastores utility can be used to remove existing files.

The updates are present in:

cPanel 11.25 ( EDGE ) builds 36736+
cPanel 11.24.4 builds 36737+

Thank you for bringing this matter to our attention.
 

dkg

Member
I'm using cPanel 11.24.4-R36167. The script you mentioned doesn't clear the files I am concerned about in the version of cPanel I am running.

Is it safe to just delete them directly? Or are there other things that might expect the file to exist?

Dave G.
 

cPanelDavidG

Technical Product Specialist
The script does not clear existing files. Feel welcome to delete these files manually, but until you are on one of the builds mentioned in my previous post, expect these files to become re-created.
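
For administrators who take the manual route described in the last reply, here is an added example (not code from the thread or from cPanel) that lists or removes only reseller_RESELLERSUSERS_root under each account's ~/.cpanel/datastore and leaves the per-reseller files alone. It assumes home directories sit directly under one base directory such as /home, that it runs as root, and that find supports -mindepth/-maxdepth.

```shell
#!/bin/sh
# Added example: audit and optionally remove the server-wide account list
# discussed in this thread. Assumes the layout <base>/<user>/.cpanel/datastore.

TARGET_NAME="reseller_RESELLERSUSERS_root"

# list_root_datastores BASE: print the path of every matching file.
list_root_datastores() {
    base=${1:-/home}
    base=${base%/}
    # Depth 4 = <base>/<user>/.cpanel/datastore/<file>; -type f skips symlinks,
    # and the exact name leaves reseller_RESELLERSUSERS_<reselleracct> alone.
    find "$base" -mindepth 4 -maxdepth 4 -type f \
        -path "$base/*/.cpanel/datastore/$TARGET_NAME" 2>/dev/null | sort
}

# report_root_datastores BASE: show owner and mode so exposure can be reviewed.
report_root_datastores() {
    list_root_datastores "$1" | while IFS= read -r f; do
        ls -ld -- "$f"
    done
}

# purge_root_datastores BASE: delete each match and print how many were removed.
purge_root_datastores() {
    list=$(list_root_datastores "$1")
    if [ -z "$list" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$list" | while IFS= read -r f; do
        rm -f -- "$f" && echo "$f"
    done | wc -l | tr -d ' '
}

# Usage: script.sh report [BASE]   or   script.sh purge [BASE]
case "${1:-}" in
    report) report_root_datastores "${2:-/home}" ;;
    purge)  purge_root_datastores "${2:-/home}" ;;
esac
```

On builds older than the ones listed above, the files can be re-created, so the report mode is worth re-running after the purge.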