What does /usr/local/bin/passwd actually control?

martin MHC

Well-Known Member
Sep 14, 2016
214
35
28
UK
cPanel Access Level
Root Administrator
WHM: 92.0.7
OS: CentOS 7.9

Google searching the title "What does /usr/local/bin/passwd actually control?" doesn't give me any clear definitive answer.

I found this morning a notice from the Login Failure Daemon (LFD) an alert that:

Code:
Time:     Fri Jan  8 00:05:13 2021 +0000

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/local/bin/passwd: FAILED
this raises some points to me on a few fronts:

1) It is only this file that is marked as changed
2) At this time of day (midnight) no one outside of the company (ie no clients) should be changing any WHM specific passwords (cpanel passwords or WHM logins)

So; two followup questions:

a) what does this passwd file actually designate?
b) Should I be unduly concerned when this file in isolation is updated at non-working times of day?

For example; If it's simply refering to an email account password update that can make sense for a end user client to be updating their email passwords.

I have downloaded and looked at the file (3.31Mb) but would like to learn some background before progressing further.

Cheers

P.s> I have read here /etc/passwd vs /usr/bin/passwd that similarly named (but not identical) files are no longer used to store passwords so is this correct? My concern is that a password has been changed when no one should be in a position to change anything... ie non-zero risk of an outside breach.
 
Last edited:

andrew.n

Well-Known Member
Jun 9, 2020
611
175
43
EU
cPanel Access Level
Root Administrator
I think this is all right. It can happen due to cPanel or one of the components being updated hence the file structure, format, content is being refreshed/changed. It is possible that some softwares relies on /usr/local/bin/passwd instead of /usr/bin/passwd as well.
 

martin MHC

Well-Known Member
Sep 14, 2016
214
35
28
UK
cPanel Access Level
Root Administrator
I think this is all right. It can happen due to cPanel or one of the components being updated hence the file structure, format, content is being refreshed/changed. It is possible that some softwares relies on /usr/local/bin/passwd instead of /usr/bin/passwd as well.
I am familiar with updates but they usually effect an array of files. I am not used to seeing only this file being updated in isolation.

Are you aware what this file is actually used for?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
6,913
910
313
cPanel Access Level
Root Administrator
I checked a CentOS 7 system and that file is a link on that system:

Code:
# ll /usr/local/bin/passwd
lrwxrwxrwx 1 root root 38 Dec 15 17:44 /usr/local/bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd
It's normal for that tool to report on changes to files, but that file is not owned or updated by any package.
 
  • Like
Reactions: martin MHC

martin MHC

Well-Known Member
Sep 14, 2016
214
35
28
UK
cPanel Access Level
Root Administrator
I checked a CentOS 7 system and that file is a link on that system:

Code:
# ll /usr/local/bin/passwd
lrwxrwxrwx 1 root root 38 Dec 15 17:44 /usr/local/bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd
It's normal for that tool to report on changes to files, but that file is not owned or updated by any package.

Hi Rex, thanks for your clarification there.

The filechange checker noted that the link changed rather than the source file ( /usr/local/cpanel/bin/jail_safe_passwd ) . I am assuming you mean the link file ( /usr/local/bin/passwd ) is not owned or updated by any package which is fair enough.

I have read File: /usr/local/cpanel/bin/jail_safe_passwd

Would you be able to do me a favour and give me the MD5 checksum of /usr/local/cpanel/bin/jail_safe_passwd for WHM 92.0.7 just for me to be sure it's ok? I'm pretty sure everything's fine but would be nice to confirm. Or tell me where I can retrieve checksum values myself from CPanel?

Many thanks
 

martin MHC

Well-Known Member
Sep 14, 2016
214
35
28
UK
cPanel Access Level
Root Administrator
Here's what I get on my end:

Code:
# md5sum /usr/local/bin/passwd
f248a9097d65c697e5fdf3e1c11a64bf  /usr/local/bin/passwd
Sadly this is not the same as mine:

Code:
[[email protected] ~]# md5sum /usr/local/bin/passwd
1a36d09f2b08655075933414c80a976a  /usr/local/bin/passwd
As said; It's WHM 92.0.7 and CentOS 7.9 .... just incase either of those influence...

In addition for reference:

Code:
[[email protected] ~]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
1a36d09f2b08655075933414c80a976a  /usr/local/cpanel/bin/jail_safe_passwd
Should I raise a ticket on this? I'm feeling I'm getting a bit out my depth and probably getting big conclusions from small symptoms....
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
6,913
910
313
cPanel Access Level
Root Administrator
You're always welcome to put in a ticket :D

I see you did just recently comment on an thread here:


and while the links are no longer valid the process is still the same.

I also checked on my end and confirmed there was no change to that file from 92.0.6 -> 92.0.7 as they both have the same hash for me.
 

martin MHC

Well-Known Member
Sep 14, 2016
214
35
28
UK
cPanel Access Level
Root Administrator
You're always welcome to put in a ticket :D

I see you did just recently comment on an thread here:

Yes, I had read that thread but the reference within it was to CPAddons of which there are none installed on our server; the found find /usr/local/cpanel -name '.cpanelsync.md5s' file is zero bytes.
 

Spirogg

Well-Known Member
Feb 21, 2018
136
28
28
chicago
cPanel Access Level
Root Administrator
@cPRex I also have the same as @martin MHC

[[email protected] ~]# ll /usr/local/bin/passwd
lrwxrwxrwx. 1 root root 38 Nov 14 18:23 /usr/local/bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd
[[email protected] ~]# md5sum /usr/local/bin/passwd
1a36d09f2b08655075933414c80a976a /usr/local/bin/passwd
[[email protected] ~]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
1a36d09f2b08655075933414c80a976a /usr/local/cpanel/bin/jail_safe_passwd
 

Spirogg

Well-Known Member
Feb 21, 2018
136
28
28
chicago
cPanel Access Level
Root Administrator
@cPRex I also have the same as @martin MHC

[[email protected] ~]# ll /usr/local/bin/passwd
lrwxrwxrwx. 1 root root 38 Nov 14 18:23 /usr/local/bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd
[[email protected] ~]# md5sum /usr/local/bin/passwd
1a36d09f2b08655075933414c80a976a /usr/local/bin/passwd
[[email protected] ~]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
1a36d09f2b08655075933414c80a976a /usr/local/cpanel/bin/jail_safe_passwd
- I also received the email for just the md5 check failed for just the /usr/local/bin/passwd
 
  • Like
Reactions: martin MHC

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
6,913
910
313
cPanel Access Level
Root Administrator
Okay, I did some additional digging on this and it looks like CSF hasn't updated their checksums for the 92.0.7 update. My initial check was actually 92.0.6 and apparently I had too many servers open - I can confirm I get the 1a36d09f2b08655075933414c80a976a on a 92.0.7 system when I double-checked just now.

It's important to note that cPanel doesn't send our changes to CSF in advance, so there can be delays in updates from when we release them to when CSF has valid checksums to compare against.
 
  • Like
Reactions: martin MHC

Spirogg

Well-Known Member
Feb 21, 2018
136
28
28
chicago
cPanel Access Level
Root Administrator
@Spirogg did you have any recent server updates that might have caused the LFD to notice this single file link change?
hello - I think the only update was cPanel update automatic I have not logged into who or server for a few days and today I saw the email jan 8th 2021 at 5:50am CST

so there than this I am not sure what else might of updated.

is there a way to check some logs to see ? I have been getting bombarded with emails from LFD with same ip range being blocked so I blocked the whole range 71.0.0.0/8
and also 75.0.0.0/8

other than that usually if CSF is updated I get an email with their log but that was not the case..

- just the MD5 check that failed for what we both have seen.

- so It is pretty weird even though we have the same MD5 - I also am wondering what made this change unless my server did not self update till last night but cPanel would give us a log of the change from 9.2.0.6 to 9.2.0.7?
 

Spirogg

Well-Known Member
Feb 21, 2018
136
28
28
chicago
cPanel Access Level
Root Administrator
@Spirogg did you have any recent server updates that might have caused the LFD to notice this single file link change?
@martin MHC have you noticed any other updates on your end? that you think might of made this change ? or is it the same as me, just cPanel updated itself ?
 

martin MHC

Well-Known Member
Sep 14, 2016
214
35
28
UK
cPanel Access Level
Root Administrator
@martin MHC have you noticed any other updates on your end? that you think might of made this change ? or is it the same as me, just cPanel updated itself ?
I thought our server had no updates at that exact time, however there was the WHM 92.0.7 update which might have triggered this: Our records show this update finished at 2021-01-08 00:01:14 +0000 .

You can find update logs at /var/cpanel/updatelogs/summary.log

I still find it wyrd that even if the WHM update to 92.0.7 was the cause that this was the __only__ file that was noted by LFD as changed betweeen 92.0.6 and 92.0.7...
 

Spirogg

Well-Known Member
Feb 21, 2018
136
28
28
chicago
cPanel Access Level
Root Administrator
@cPanelLauren do you know anything about this ? Are we safe to say this was from a cPanel auto update from 92.0.6 to 92.0.7 and LFD just happened to only email us with this change ? Or anyone from @cpanel can answer this for us ?
Thank you in advance
 

din124

Registered
Jan 18, 2021
1
1
3
Canada
cPanel Access Level
Website Owner
I think it's okay. This is due to the fact that cPanel and because of this, the site structure, format and content are updated / changed. ;)
 
Last edited:
  • Like
Reactions: Spirogg