
Child account with same password as root has root access

Comments

6 comments

  • dalem
    This leads me to the security question: if other users accidentally had (somehow) the same password as my root user, would cPanel grant them root access by default? If not, what the heck happened!

    1. The chances of this are astronomical (if you chose a strong password). 2. That is not how it works; you must still be logged in as root. Try closing your browsers (if the password for your user is really the same as root's, it will not display that message). 3. You can disable that functionality in Tweak Settings: "Accounts that can access a cPanel user account".
    0
  • Direct Web Solutions
    1. The chances of this are astronomical (if you chose a strong password). 2. That is not how it works; you must still be logged in as root. Try closing your browsers (if the password for your user is really the same as root's, it will not display that message). 3. You can disable that functionality in Tweak Settings: "Accounts that can access a cPanel user account".

    1. True, but it is possible, albeit very rare. 2. I am not logged in as anything anywhere else. I can do it on a brand new device. 3. I am going to check this setting and report back to you.
    0
  • Direct Web Solutions
    So I have checked everything; the account shares a password with root and that's it. Here are some pictures to show a new browser that has never seen it accessing it, and it still shows. Edit: Apparently I can't post images? i.ibb.co/RzPm8RV/img1.png i.ibb.co/3FqFz1g/img2.png i.ibb.co/WtfbbgY/img3.png i.ibb.co/S3FCd8Z/img4.png i.ibb.co/16g06hr/img5.png As soon as I change the account password, the account loses root permissions. So this is unsecure in my opinion.
    0
  • dalem
    Tested one of my own servers; it does not behave that way for me. Set an account with the same password as root and it just displays as I would normally log in as a cPanel user. Try opening a totally separate browser to see if it still does it (caching). If it is truly doing that, you might want to have cPanel support verify.
    0
  • sparek-3
    So I have checked everything; the account shares a password with root and that's it. Here are some pictures to show a new browser that has never seen it accessing it, and it still shows.

    This is the expected behavior if you have "Accounts that can access a cPanel user account" set to "Root, Account Owner, and cPanel User". Set this value to "cPanel User Only" and the problem should go away.
    0
  • cPanelLauren
    @sparek-3 is correct; this behavior is the expected behavior. It is by design that you can access all cPanel accounts with root's password. The only point at which this is disabled is if you modify "Accounts that can access a cPanel user account". Thanks!
    0
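
Added example, not part of any post in this thread and not cPanel's own code: a shell check that reports whether the "Accounts that can access a cPanel user account" setting still lets root's or the account owner's password open a cPanel user account. It assumes the setting is stored in `/var/cpanel/cpanel.config` under the key `account_login_access` with the values `owner_root`, `owner` and `user`; confirm both against your cPanel version before relying on it.

```shell
#!/bin/sh
# ASSUMPTIONS (not stated in the thread): the config path, the key name
# account_login_access, and its values owner_root / owner / user.
CPANEL_CONFIG_DEFAULT=/var/cpanel/cpanel.config

# Print the effective value of account_login_access from a key=value file.
# Comment lines are skipped, the last occurrence wins, and spaces, tabs
# and carriage returns around the key and value are stripped.
get_login_access() {
    conf=${1:-$CPANEL_CONFIG_DEFAULT}
    [ -r "$conf" ] || return 2
    awk -F= '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t\r]/, "", key) }
        key == "account_login_access" {
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t\r]/, "", val)
            found = val
        }
        END { print found }
    ' "$conf"
}

# Exit status: 0 = only the cPanel user's own password is accepted,
#              1 = root and/or account owner password is also accepted,
#              2 = config file unreadable,
#              3 = key missing or value unrecognised (check Tweak Settings).
audit_login_access() {
    value=$(get_login_access "$1") || { echo "cannot read config file"; return 2; }
    case "$value" in
        user)       echo "OK: cPanel User Only"; return 0 ;;
        owner)      echo "WARN: account owner password also opens user accounts"; return 1 ;;
        owner_root) echo "WARN: root and account owner passwords open user accounts"; return 1 ;;
        "")         echo "UNKNOWN: key not set; review the value in Tweak Settings"; return 3 ;;
        *)          echo "UNKNOWN: unrecognised value '$value'"; return 3 ;;
    esac
}
```

Calling `audit_login_access` with no argument reads the default path; pass a file name to check a copy of the config instead.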
