Compiler Access Settings
An account hosted on my VPS was recently breached. I've resolved the account level issues and am keeping a close eye on it. It appears to have been caused by a back door created through a free WordPress theme that one of the site users installed without my knowledge.
While I was thinking about server security, I started poring over settings in WHM. Compiler Access has me a little stumped so I'm hoping someone here can help.
I've disabled compilers for unprivileged users but this link suggested that I go through the file and manually remove previously authorized unprivileged users.
Accounts (22):
sarcasm
bessmccarty
bluedive
catisms
cbmark
conundru
deadlyda
discount
literalg
marjwyat
mildlymy
mlmmillionaire
p0intlesspursu1t
sdvfwdonations
sixbetz
goteam
sportsbe
thelegen
virtuall
vmnet
websitz2
westsideguild
/etc/group contents:
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:30:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
ssh_keys:x:999:
systemd-journal:x:190:
dbus:x:81:
saslauth:x:76:
mailnull:x:47:
smmsp:x:51:
avahi:x:70:
apache:x:48:
rpc:x:32:
slocate:x:21:
sshd:x:74:
named:x:25:
nscd:x:28:
screen:x:84:
tcpdump:x:72:
input:x:998:
systemd-bus-proxy:x:997:
systemd-network:x:996:
mailtrap:x:995:
dovecot:x:97:
dovenull:x:994:
mysql:x:993:
cpanel:x:201:cpanel
cpanelphpmyadmin:x:202:cpanelphpmyadmin
cpanelphppgadmin:x:203:cpanelphppgadmin
cpanelroundcube:x:204:cpanelroundcube
cpanelrrdtool:x:205:cpanelrrdtool
mailman:x:206:mailman
compiler:x:992:cpanel
cpanellogin:x:991:
cpaneleximfilter:x:990:
cpaneleximscanner:x:989:
cpanelconnecttrack:x:988:
cpses:x:987:
mysyslog:x:986:cpses,smmsp,cpanel,mail,rpc,named,dbus,daemon,mailnull,dovecot,mysql,dovenull
cpanelcabcache:x:985:cpanelcabcache
cpaneldemo:x:1042:
cpanelsuspended:x:1043:
printadmin:x:984:
cpanelanalytics:x:983:cpanelanalytics
cgred:x:982:
tss:x:59:
linksafe:x:981:mailman
Thank you, in advance, for your advice and attention.
Since making this change, I've received an email with several lines repeating the message: Use of uninitialized value $gid in chown at /usr/local/cpanel/Cpanel/Autodie/CORE/chown.pm line 34. Did I mess something up by removing compiler access for unprivileged users?
It turned out that I read that help file too literally. I read the warning to mean that, after disabling compiler access for unprivileged users, I then needed to clean up the /etc/group file to remove them from that, too. Here's the language: "When you modify your system's compiler access, make certain to review the list of users in the Manager Compiler Group interface. The system does not automatically update this list." Maybe someone should update that article to explain that no users ought to be REMOVED from that file. I created all sorts of havoc by doing that today.
That's really not true though; the understanding here is that one understands which users *should* be present there. If you're unsure of a user's purpose, it should be investigated before modifying its privileges. Most system users are privileged; account users should not be present in that file, which is why it is suggested to review it. In the event that a user exists without an account and was manually added or somehow a non-system user was added. You can remove any of those system users you like, but do keep in mind the privileges you'll be removing from system users whose associated services may not be able to function properly when you do so.
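A read-only way to carry out the review discussed in this thread, added here as an example that is not from any of the posters or from cPanel: it lists the members of a group such as compiler and classifies each one by UID instead of removing anything. The UID 1000 cutoff for regular accounts and the sample names siteuser and ghost are assumptions.

```shell
#!/bin/sh
# Read-only audit: list the members of a group and classify each by UID.
# Usage: audit_group_members GROUP [GROUP_FILE] [PASSWD_FILE] [UID_MIN]
audit_group_members() {
    grp=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}
    uid_min=${4:-1000}   # assumption: regular accounts start at UID 1000

    # Field 4 of the matching /etc/group line is the comma-separated member list.
    members=$(awk -F: -v g="$grp" '$1 == g { print $4 }' "$group_file")
    [ -n "$members" ] || { echo "no-members $grp"; return 0; }

    echo "$members" | tr ',' '\n' | while IFS= read -r user; do
        [ -n "$user" ] || continue
        uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$passwd_file")
        if [ -z "$uid" ]; then
            echo "orphan $user"         # in the group, but no passwd entry
        elif [ "$uid" -ge "$uid_min" ]; then
            echo "account $user $uid"   # regular account: investigate first
        else
            echo "system $user $uid"    # service user: leave unless understood
        fi
    done
}

# Constructed sample data (not from the thread's server): one service user,
# one regular account (hypothetical "siteuser"), and one name with no
# passwd entry (hypothetical "ghost").
demo_constructed() {
    d=$(mktemp -d)
    printf 'compiler:x:992:cpanel,siteuser,ghost\n' > "$d/group"
    printf 'cpanel:x:201:201::/usr/local/cpanel:/bin/false\n' > "$d/passwd"
    printf 'siteuser:x:1005:1005::/home/siteuser:/bin/bash\n' >> "$d/passwd"
    audit_group_members compiler "$d/group" "$d/passwd"
    rm -rf "$d"
}
```

On a live server, `audit_group_members compiler` reads /etc/group and /etc/passwd directly and changes nothing.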