What does /usr/local/bin/passwd actually control?

[martin MHC]

WHM: 92.0.7
OS: CentOS 7.9

Google searching the title "What does /usr/local/bin/passwd actually control?" doesn't give me any clear definitive answer.

I found this morning a notice from the Login Failure Daemon (LFD) an alert that:

Time:     Fri Jan  8 00:05:13 2021 +0000

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/local/bin/passwd: FAILED

this raises some points to me on a few fronts:

1) It is only this file that is marked as changed
2) At this time of day (midnight) no one outside of the company (ie no clients) should be changing any WHM specific passwords (cpanel passwords or WHM logins)

So; two followup questions:

a) what does this passwd file actually designate?
b) Should I be unduly concerned when this file in isolation is updated at non-working times of day?

For example; If it's simply refering to an email account password update that can make sense for a end user client to be updating their email passwords.

I have downloaded and looked at the file (3.31Mb) but would like to learn some background before progressing further.

Cheers

P.s> I have read here /etc/passwd vs /usr/bin/passwd that similarly named (but not identical) files are no longer used to store passwords so is this correct? My concern is that a password has been changed when no one should be in a position to change anything... ie non-zero risk of an outside breach.

 

[andrew.n]

I think this is all right. It can happen due to cPanel or one of the components being updated hence the file structure, format, content is being refreshed/changed. It is possible that some softwares relies on /usr/local/bin/passwd instead of /usr/bin/passwd as well.

 

[martin MHC]

I think this is all right. It can happen due to cPanel or one of the components being updated hence the file structure, format, content is being refreshed/changed. It is possible that some softwares relies on /usr/local/bin/passwd instead of /usr/bin/passwd as well.

I am familiar with updates but they usually effect an array of files. I am not used to seeing only this file being updated in isolation.

Are you aware what this file is actually used for?

 

[cPRex]

I checked a CentOS 7 system and that file is a link on that system:

# ll /usr/local/bin/passwd
lrwxrwxrwx 1 root root 38 Dec 15 17:44 /usr/local/bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd

It's normal for that tool to report on changes to files, but that file is not owned or updated by any package.

 

[martin MHC]

I checked a CentOS 7 system and that file is a link on that system:

# ll /usr/local/bin/passwd
lrwxrwxrwx 1 root root 38 Dec 15 17:44 /usr/local/bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd

It's normal for that tool to report on changes to files, but that file is not owned or updated by any package.

Hi Rex, thanks for your clarification there.

The filechange checker noted that the link changed rather than the source file ( /usr/local/cpanel/bin/jail_safe_passwd ) . I am assuming you mean the link file ( /usr/local/bin/passwd ) is not owned or updated by any package which is fair enough.

I have read File: /usr/local/cpanel/bin/jail_safe_passwd

Would you be able to do me a favour and give me the MD5 checksum of /usr/local/cpanel/bin/jail_safe_passwd for WHM 92.0.7 just for me to be sure it's ok? I'm pretty sure everything's fine but would be nice to confirm. Or tell me where I can retrieve checksum values myself from CPanel?

Many thanks

 

[cPRex]

Here's what I get on my end:

# md5sum /usr/local/bin/passwd
f248a9097d65c697e5fdf3e1c11a64bf  /usr/local/bin/passwd

 

[martin MHC]

Here's what I get on my end:

# md5sum /usr/local/bin/passwd
f248a9097d65c697e5fdf3e1c11a64bf  /usr/local/bin/passwd

Sadly this is not the same as mine:

[[email protected] ~]# md5sum /usr/local/bin/passwd
1a36d09f2b08655075933414c80a976a  /usr/local/bin/passwd

As said; It's WHM 92.0.7 and CentOS 7.9 .... just incase either of those influence...

In addition for reference:

[[email protected] ~]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
1a36d09f2b08655075933414c80a976a  /usr/local/cpanel/bin/jail_safe_passwd

Should I raise a ticket on this? I'm feeling I'm getting a bit out my depth and probably getting big conclusions from small symptoms....

 

[cPRex]

You're always welcome to put in a ticket :D

I see you did just recently comment on an thread here:

File: /usr/local/cpanel/bin/jail_safe_passwd

Hi, could someone please verify that this file is safe? Warning: The file properties have changed: File: /usr/local/cpanel/bin/jail_safe_passwd Current hash: fe51a88927eec1639019baa49bd4389cf833202f Stored hash : 83607040e4db499abe3564eaa28f3b2a258bb145...

forums.cpanel.net

and while the links are no longer valid the process is still the same.

I also checked on my end and confirmed there was no change to that file from 92.0.6 -> 92.0.7 as they both have the same hash for me.

 

[martin MHC]

You're always welcome to put in a ticket :D

I see you did just recently comment on an thread here:

File: /usr/local/cpanel/bin/jail_safe_passwd

Hi, could someone please verify that this file is safe? Warning: The file properties have changed: File: /usr/local/cpanel/bin/jail_safe_passwd Current hash: fe51a88927eec1639019baa49bd4389cf833202f Stored hash : 83607040e4db499abe3564eaa28f3b2a258bb145...

forums.cpanel.net

Yes, I had read that thread but the reference within it was to CPAddons of which there are none installed on our server; the found find /usr/local/cpanel -name '.cpanelsync.md5s' file is zero bytes.

 

[Spirogg]

@cPRex I also have the same as @martin MHC

[[email protected] ~]# ll /usr/local/bin/passwd
lrwxrwxrwx. 1 root root 38 Nov 14 18:23 /usr/local/bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd
[[email protected] ~]# md5sum /usr/local/bin/passwd
1a36d09f2b08655075933414c80a976a /usr/local/bin/passwd
[[email protected] ~]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
1a36d09f2b08655075933414c80a976a /usr/local/cpanel/bin/jail_safe_passwd


 

[Spirogg]

@cPRex I also have the same as @martin MHC

[[email protected] ~]# ll /usr/local/bin/passwd
lrwxrwxrwx. 1 root root 38 Nov 14 18:23 /usr/local/bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd
[[email protected] ~]# md5sum /usr/local/bin/passwd
1a36d09f2b08655075933414c80a976a /usr/local/bin/passwd
[[email protected] ~]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
1a36d09f2b08655075933414c80a976a /usr/local/cpanel/bin/jail_safe_passwd


- I also received the email for just the md5 check failed for just the /usr/local/bin/passwd

 

[cPRex]

Okay, I did some additional digging on this and it looks like CSF hasn't updated their checksums for the 92.0.7 update. My initial check was actually 92.0.6 and apparently I had too many servers open - I can confirm I get the 1a36d09f2b08655075933414c80a976a on a 92.0.7 system when I double-checked just now.

It's important to note that cPanel doesn't send our changes to CSF in advance, so there can be delays in updates from when we release them to when CSF has valid checksums to compare against.

 

[martin MHC]

@Spirogg good to see it's not just me, and good to see your checksum compares with mine, both of which makes me feel better that everything is (more probably) fine

 

[martin MHC]

@Spirogg did you have any recent server updates that might have caused the LFD to notice this single file link change?

 

[Spirogg]

@Spirogg did you have any recent server updates that might have caused the LFD to notice this single file link change?

hello - I think the only update was cPanel update automatic I have not logged into who or server for a few days and today I saw the email jan 8th 2021 at 5:50am CST

so there than this I am not sure what else might of updated.

is there a way to check some logs to see ? I have been getting bombarded with emails from LFD with same ip range being blocked so I blocked the whole range 71.0.0.0/8
and also 75.0.0.0/8

other than that usually if CSF is updated I get an email with their log but that was not the case..

- just the MD5 check that failed for what we both have seen.

- so It is pretty weird even though we have the same MD5 - I also am wondering what made this change unless my server did not self update till last night but cPanel would give us a log of the change from 9.2.0.6 to 9.2.0.7?

 

[Spirogg]

@Spirogg did you have any recent server updates that might have caused the LFD to notice this single file link change?

@martin MHC have you noticed any other updates on your end? that you think might of made this change ? or is it the same as me, just cPanel updated itself ?

 

[martin MHC]

@martin MHC have you noticed any other updates on your end? that you think might of made this change ? or is it the same as me, just cPanel updated itself ?

I thought our server had no updates at that exact time, however there was the WHM 92.0.7 update which might have triggered this: Our records show this update finished at 2021-01-08 00:01:14 +0000 .

You can find update logs at /var/cpanel/updatelogs/summary.log

I still find it wyrd that even if the WHM update to 92.0.7 was the cause that this was the __only__ file that was noted by LFD as changed betweeen 92.0.6 and 92.0.7...

 

[Spirogg]

@cPanelLauren do you know anything about this ? Are we safe to say this was from a cPanel auto update from 92.0.6 to 92.0.7 and LFD just happened to only email us with this change ? Or anyone from @cpanel can answer this for us ?
Thank you in advance

 

[din124]

I think it's okay. This is due to the fact that cPanel and because of this, the site structure, format and content are updated / changed.

 

[cPRex]

@Spirogg - we've already determined this is normal activity and not any type of security issue, so there's no reason to be alarmed about this one.