
Security question re wheel group

Discussion in 'Security' started by rsutc, Apr 25, 2009.

  1. rsutc

    rsutc Well-Known Member

    I have in the past restricted the wheel group pretty tightly, but on a recent sign in found that all the users had been added to wheel. Is this a "feature" in cPanel now, or can I safely remove them?

    Rick
     
  2. StingRay2k01

    StingRay2k01 Active Member

    You should only have root and the user name you log in to shell as. All users would be bad I would think.
     
  3. rsutc

    rsutc Well-Known Member

    Well, that's my first reaction too. But the more important issue is at least implied by my question. How did the system go from having only three ids in the wheel group to having all the users in it?

    Has cPanel changed something?
    Is this suggestive of a hack?
    Does anyone else have this problem?

    Maybe a few people who are on the latest RELEASE level as I am could look see and report here on the state of their wheel group before I start making big changes.

    Rick
     
  4. StingRay2k01

    StingRay2k01 Active Member

    It might be an obvious question but is the list you are looking at under "Add a user to the wheel group"? That list has all possible users.

    Above that is the "Users currently in the wheel group".

    That should only have root and maybe one other account that you use to login to shell with.

    I run two servers with version 11.24.*, and nothing has changed on the wheel groups in an update or anything like that.
     
  5. rsutc

    rsutc Well-Known Member

    Fair enough question, but I did read this page carefully. "Users currently in the wheel group" lists all the users except the "system" accounts such as apache, bin, cpanel, etc--which are in the add-a-user group. This was not so the last time I checked, and I certainly didn't add them. I don't even know a way to mass add all the users like that.

    Rick
     
  6. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    The spontaneous adding of all cPanel users to the wheel group is not a feature of cPanel and WHM. You may wish to have a security expert take a look at your server.
     
  7. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    To isolate the issue some more, check the contents of /etc/group. If all users are listed in the wheel entry, then indeed all users were added. Then, as David G mentioned, you should have your system examined for potential compromise.
     
  8. rsutc

    rsutc Well-Known Member

    Joined:
    Oct 8, 2002
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    I certainly will do this. However, as a new note on this subject, I checked the wheel group and the users were indeed all there. So, I edited them out. Lo and behold, they all got added back in sometime in the last 12 hours. A new user did come on in that time, and I'm wondering if there could be an error in the new user script.

    Rick
     
  9. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    I am unable to reproduce this issue, even on the latest EDGE builds.

    If your system has been compromised (rooted), this situation would best be handled by security experts.
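
Added example (not part of any post in this thread, and not cPanel code): one way to script the /etc/group check suggested above and to notice when members reappear after being removed. The function names, the `adminuser` account and the sample group file are assumptions made up for the illustration.

```shell
#!/bin/sh
# Compare the members of the wheel entry in a group file against an
# allowlist kept by the administrator. Only the supplementary members
# listed in the entry's fourth field are checked.

# wheel_members GROUP_FILE [GROUP]: print one member per line.
wheel_members() {
    awk -F: -v g="${2:-wheel}" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$1"
}

# unexpected_wheel_members GROUP_FILE "allowed1 allowed2 ..." [GROUP]
# Print members that are not on the allowlist; return 1 if any exist.
unexpected_wheel_members() {
    found=0
    for user in $(wheel_members "$1" "${3:-wheel}"); do
        case " $2 " in
            *" $user "*) ;;                 # allowed member
            *) echo "$user"; found=1 ;;     # not on the allowlist
        esac
    done
    return "$found"
}

# Constructed sample of a group file (not taken from the poster's server).
write_sample_group() {
    cat > "$1" <<'EOF'
root:x:0:
bin:x:1:bin,daemon
wheel:x:10:root,adminuser,acct1,acct2
acct1:x:501:
EOF
}

sample=$(mktemp)
write_sample_group "$sample"
if extra=$(unexpected_wheel_members "$sample" "root adminuser"); then
    echo "wheel matches the allowlist"
else
    echo "unexpected wheel members:" $extra
fi
rm -f "$sample"
```

On a live server the first argument would be `/etc/group`, and running the check from cron makes it possible to narrow down when the entry changes.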
     