
"You are logged in as root or reseller" note

Discussion in 'General Discussion' started by djmerlyn, Mar 25, 2006.

  1. djmerlyn

    djmerlyn Well-Known Member

    Joined:
    Aug 31, 2004
    Messages:
    203
    Likes Received:
    1
    Trophy Points:
    16
    I'm just curious...

    Let's say a root or reseller user has a totally random password... and a customer just happens to generate the same totally random password?

    Typically they wouldn't know the difference, but when it tells them "you are logged in as root or reseller", isn't it sort of an invite?

    I'm just curious how you go about protecting against that. Is it possible to force cPanel not to allow anyone to create the same password that another user already has? I suppose even then it's still not a solution, since what will it tell the user... sorry, that password is taken :lol:

    Anyway, just curious what others think about or have done about this~ Perhaps it is possible to disable this altogether and I just haven't found it?

    Is that what this is supposed to do?
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's not practical to check for the same passwords, since the server doesn't know what the other passwords are because of one-way encryption. The risk is no greater than a hacker guessing your root password and logging into WHM anyway. All the more reason to ensure that you generate good long root passwords where the probability of a match is minuscule (e.g. 12+ random characters and non-alphanumerics).
     
  3. djmerlyn

    djmerlyn Well-Known Member

    Joined:
    Aug 31, 2004
    Messages:
    203
    Likes Received:
    1
    Trophy Points:
    16
    Well, let me explain why I ask here...

    I have 2 cPanel accounts under root that are mine... They have always been separate from any type of reseller.

    When I log in under 1 of these, it says "you are logged in using the root or reseller password". Which is strange, because the password set has nothing to do with anything else in the world. Never used it with anything...

    I'm not able to do anything... but I can see a list of all the other accounts on the server from the drop down, then I can move into them without issue.

    I had a reseller say that a user mentioned the same thing to him on a totally different server.

    I go into WHM and use the "password change" to change the password to the same thing that it's been set to... and everything seems to "re-sync".

    The thing is that it's totally random.

    The password is NOT the same as the root password. So what could be going on here?

    And how can I disable login as root to cPanel permanently, so that in the event that cPanel does slip up like this, it won't give up the server to some unknowing user.

    Appreciate your help~
     
  4. elleryjh

    elleryjh Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    479
    Likes Received:
    0
    Trophy Points:
    16
    It sounds like something is seriously wrong there. Is it possible that the root password got saved somehow and you actually are using it to login? Maybe try another browser and see if you get the same problem.

    It is my understanding, based on a test that I did, that if the account and reseller/root password are the same, when you login to cPanel it will not show that message. The logic is something like this...
    Code:
    // The account's own password is checked first, so a user whose
    // password equals root's is treated as a normal user (no notice).
    if (in_password == user_password) {
        logged_in = true;
        reseller  = false;   // no "root or reseller" notice
    }
    else if (in_password == reseller_password) {
        logged_in = true;
        reseller  = true;    // notice shown
    }
    else if (in_password == root_password) {
        logged_in = true;
        reseller  = true;    // notice shown
    }
    
    If you need to, you can disable the logging in with a reseller/root password in WHM > Server Configuration > Tweak settings > System > Disable login with root or reseller password...
     
  5. djmerlyn

    djmerlyn Well-Known Member

    Joined:
    Aug 31, 2004
    Messages:
    203
    Likes Received:
    1
    Trophy Points:
    16
    I tell ya... something is definitely wrong there. I'm not sure where things are going funky on the cPanel side... it's definitely a problem in cPanel.

    I'm logging in with a password (to cPanel) that is totally unrelated to anything else on the server... and it shows me as "root or reseller".

    I can't log in as root with the password (because it's not the root password), and I don't have any reseller accounts on the server at all.

    I can still fix it by simply resetting the same password in WHM as root.

    What steps is that password changer taking? Perhaps I can walk the process backwards and see what's going on...

    But the last part... I'm curious, does it actually work to physically remove the "you are logged in as root or reseller" and the drop down account changer in cPanel? It seems like that would be a "patch"; another smart move would probably be to disable the change password form in cPanel, as that function seems to be the root source of the issue...

    Still, it seems like something should be done to prevent an account from being created with the root or reseller password to prevent the unwitting or even smart user from "guessing" (I mean, it checks against dictionary words...seems like a small favor to ask ;) )...just a thought. Right now there is nothing to prevent a user from guessing all they want if the "change password" option is enabled...am I wrong?

    I know I know...they could be there forever guessing, and its likely logged... But damage control should start before the damage is done right? :D
     
    #5 djmerlyn, Mar 28, 2006
    Last edited: Mar 28, 2006
  6. elleryjh

    elleryjh Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    479
    Likes Received:
    0
    Trophy Points:
    16
    Maybe you misunderstand the point of that feature:
    My root password is rootpass123. I have a client account name user1234, but I don't know his password.
    He wants me to fix something in his account.
    I don't ask for his password - I just login to cpanel at https://server.com:2083 with username user1234, password rootpass123. I see the notice that I am logged in with the root/reseller password.
    If his password happened to be rootpass123 as well, then I would NOT see that message.

    Are you sure you logged in with the username and password of the account directly into cPanel 2082/2083, and NOT through WHM?

    I told you how to remove the login-as-root feature in my last post. It's an option in tweak settings.

    And disabling change password altogether? Really want to force your users to keep their same passwords for years? Doesn't make sense to me.

    By changing their password there is no way they could be notified if it matched the root/reseller password. A check against matching the root/reseller password would be WORSE! As we have it now, the person would never have any indication that their password was the same as root's. If you have a message: "sorry, you cannot use this password because it is the root password", then the user knows it and could login as root. I know the message would not be this obvious, but it would still be a step in the right direction for a malicious user.
     
    #6 elleryjh, Mar 28, 2006
    Last edited: Mar 28, 2006
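As an added illustration (not code from any poster, and not cPanel's own implementation), the check order described in elleryjh's pseudocode above and the "password taken" oracle argued against in the last post, simulated against a salted one-way credential store so that the server, as chirpy noted, can only verify a candidate against each hash rather than compare passwords directly. All names, passwords and the hashing scheme are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed store: only salted one-way hashes are kept, so the server
# cannot tell whether two accounts share a password without a candidate.
ITERATIONS = 10_000  # kept low so the example runs quickly; real deployments use far more

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)

def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    salt, digest = record
    return hmac.compare_digest(_hash(password, salt), digest)

# Hypothetical server state (all values constructed for this example).
ROOT = make_record("rootpass123")
RESELLERS = {"resell1": make_record("resellerpass")}
ACCOUNTS = {
    "user1234": {"password": make_record("ownpass"), "owner": "resell1"},
    # an account whose own password happens to equal root's
    "user5678": {"password": make_record("rootpass123"), "owner": None},
}

def login(username: str, password: str):
    """Check order from the pseudocode: own password first, then the owning
    reseller's, then root's. Returns the granted mode, or None on failure."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    if verify(password, acct["password"]):
        return "user"       # no "root or reseller" notice, even if it equals root's
    owner = RESELLERS.get(acct["owner"])
    if owner is not None and verify(password, owner):
        return "reseller"   # notice shown, account switcher offered
    if verify(password, ROOT):
        return "root"       # notice shown, account switcher offered
    return None

def password_is_privileged(password: str) -> bool:
    """The check the last post argues against. It is computable (verify the
    candidate against each privileged hash), but a rejection tells the
    requester the candidate IS a root/reseller password: an oracle, not a fix."""
    return verify(password, ROOT) or any(verify(password, r) for r in RESELLERS.values())
```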
  7. Murtaza_t

    Murtaza_t Well-Known Member

    Joined:
    Jan 24, 2005
    Messages:
    476
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Earth
    cPanel Access Level:
    Website Owner
    Well, elleryjh, I don't want to be rude to you, but what you say is simply next to impossible. Nobody who knows the Internet world will have a root password as simple as you stated.

    This should happen once in millions, and ONLY to someone who does not know how to secure their servers. There are many other ways to get into a server rather than trying to match a root password.

    As I said, I don't want to be rude... but just think about it. :)
     
  8. elleryjh

    elleryjh Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    479
    Likes Received:
    0
    Trophy Points:
    16
    I completely agree with you, Murtaza_t.

    I don't think djmerlyn understands the purpose of that feature, so I was trying to explain the use of that feature using simple usernames and passwords. Obviously nobody has the root password rootpass123 - it was an example to explain how I would use the feature which djmerlyn is worried about.

    I am on the same page with you about "matching a root password" as well. I was trying to explain to djmerlyn that there should NOT be a check against matching the root password, and that it is not a real threat.
     
  9. Murtaza_t

    Murtaza_t Well-Known Member

    Joined:
    Jan 24, 2005
    Messages:
    476
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Earth
    cPanel Access Level:
    Website Owner
    Oh.. well I thought it was you who started this thread. My mistake. ;)
     
  10. djmerlyn

    djmerlyn Well-Known Member

    Joined:
    Aug 31, 2004
    Messages:
    203
    Likes Received:
    1
    Trophy Points:
    16
    Yes, in cPanel I am given "you are logged in as reseller or root" when the username and password ARE NOT root related or reseller related WHATSOEVER! I've tried to make that very clear here...

    I didn't take a back seat to your reply bro~

    I want to physically remove that stuff to prevent any possible misalignment in cPanel/WHM... But for example, the X theme will bring it all back at the next upgrade...

    See, that's where we're crossing paths here... That function is what is giving the end user "you are logged in as reseller or root". Something in the change password function is somehow giving end users, with passwords that DO NOT match any reseller or root password, access as a reseller or root (on the cPanel side, not WHM).

    I would agree on that note; that's why I'm thinking to disable the change pass function and do it manually at customer request, as that seems to be the only way a password can be changed without the possibility of this issue cropping up again (i.e. via WHM).

    I've come to the conclusion that it's time to hand the keys over to the folks at cPanel so they can see for themselves what in the hell is going on. The issue only cropped up in the last 2 release versions somewhere... Hopefully they can at least see what flag is being set that is giving end users access to other folks' sites via cPanel... (I disabled the "login as root", but I can still log in as root; I just can't "jump" to cPanel from the WHM account list, is all that changed)
     
    #10 djmerlyn, Mar 28, 2006
    Last edited: Mar 28, 2006
  11. nickn

    nickn Well-Known Member
    PartnerNOC

    Joined:
    Jun 15, 2003
    Messages:
    619
    Likes Received:
    1
    Trophy Points:
    18
    Can you please open a ticket at our support desk so one of our techs can take a look at your server?

    Thank you!
     
  12. nickn

    nickn Well-Known Member
    PartnerNOC

    Joined:
    Jun 15, 2003
    Messages:
    619
    Likes Received:
    1
    Trophy Points:
    18
    Please do. Make sure to reference this thread so the technician can read up on the issue.
     