
What does /usr/local/bin/passwd actually control?

  • andrew.n
    I think this is all right. It can happen due to cPanel or one of the components being updated, hence the file structure, format, content is being refreshed/changed. It is possible that some software relies on /usr/local/bin/passwd instead of /usr/bin/passwd as well.
    0
  • martin MHC
    > I think this is all right. It can happen due to cPanel or one of the components being updated, hence the file structure, format, content is being refreshed/changed. It is possible that some software relies on /usr/local/bin/passwd instead of /usr/bin/passwd as well.

    I am familiar with updates but they usually affect an array of files. I am not used to seeing only this file being updated in isolation. Are you aware what this file is actually used for?
    0
  • cPRex Jurassic Moderator
    I checked a CentOS 7 system and that file is a link on that system:
        # ll /usr/local/bin/passwd
        lrwxrwxrwx 1 root root 38 Dec 15 17:44 /usr/local/bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd
    It's normal for that tool to report on changes to files, but that file is not owned or updated by any package.
    0
  • martin MHC
    > I checked a CentOS 7 system and that file is a link on that system:
    >     # ll /usr/local/bin/passwd
    >     lrwxrwxrwx 1 root root 38 Dec 15 17:44 /usr/local/bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd
    > It's normal for that tool to report on changes to files, but that file is not owned or updated by any package.

    Hi Rex, thanks for your clarification there. The filechange checker noted that the link changed rather than the source file (/usr/local/cpanel/bin/jail_safe_passwd). I am assuming you mean the link file (/usr/local/bin/passwd) is not owned or updated by any package, which is fair enough. I have read Would you be able to do me a favour and give me the MD5 checksum of /usr/local/cpanel/bin/jail_safe_passwd for WHM 92.0.7 just for me to be sure it's ok? I'm pretty sure everything's fine but would be nice to confirm. Or tell me where I can retrieve checksum values myself from cPanel? Many thanks
    0
  • cPRex Jurassic Moderator
    Here's what I get on my end:
        # md5sum /usr/local/bin/passwd
        f248a9097d65c697e5fdf3e1c11a64bf /usr/local/bin/passwd
    0
  • martin MHC
    > Here's what I get on my end:
    >     # md5sum /usr/local/bin/passwd
    >     f248a9097d65c697e5fdf3e1c11a64bf /usr/local/bin/passwd

    Sadly this is not the same as mine:
        [r@basic ~]# md5sum /usr/local/bin/passwd
        1a36d09f2b08655075933414c80a976a /usr/local/bin/passwd
    As said, it's WHM 92.0.7 and CentOS 7.9 .... just in case either of those influence... In addition, for reference:
        [r@basic ~]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
        1a36d09f2b08655075933414c80a976a /usr/local/cpanel/bin/jail_safe_passwd
    Should I raise a ticket on this? I'm feeling I'm getting a bit out of my depth and probably getting big conclusions from small symptoms....
    0
  • cPRex Jurassic Moderator
    You're always welcome to put in a ticket :D I see you did just recently comment on a thread here:
    0
  • martin MHC
    > You're always welcome to put in a ticket :D I see you did just recently comment on a thread here:
    0
  • Spirogg
    @cPRex I also have the same as @martin MHC
        [root@server1 ~]# ll /usr/local/bin/passwd
        lrwxrwxrwx. 1 root root 38 Nov 14 18:23 /usr/local/bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd
        [root@server1 ~]# md5sum /usr/local/bin/passwd
        1a36d09f2b08655075933414c80a976a /usr/local/bin/passwd
        [root@server1 ~]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
        1a36d09f2b08655075933414c80a976a /usr/local/cpanel/bin/jail_safe_passwd
    0
  • Spirogg
    > @cPRex I also have the same as @martin MHC
    >     [root@server1 ~]# ll /usr/local/bin/passwd
    >     lrwxrwxrwx. 1 root root 38 Nov 14 18:23 /usr/local/bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd
    >     [root@server1 ~]# md5sum /usr/local/bin/passwd
    >     1a36d09f2b08655075933414c80a976a /usr/local/bin/passwd
    >     [root@server1 ~]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
    >     1a36d09f2b08655075933414c80a976a /usr/local/cpanel/bin/jail_safe_passwd

    - I also received the email for just the md5 check failed for just the /usr/local/bin/passwd
    0
  • cPRex Jurassic Moderator
    Okay, I did some additional digging on this and it looks like CSF hasn't updated their checksums for the 92.0.7 update. My initial check was actually 92.0.6 and apparently I had too many servers open - I can confirm I get the 1a36d09f2b08655075933414c80a976a on a 92.0.7 system when I double-checked just now. It's important to note that cPanel doesn't send our changes to CSF in advance, so there can be delays in updates from when we release them to when CSF has valid checksums to compare against.
    0
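
The hand checks in the posts above (is the path a link, what does it hash to, does that match another host on the same release) can be scripted. This is an added example, not part of the thread and not cPanel or CSF code; the directory layout, file contents and timestamps are constructed in a temp directory, and it assumes GNU coreutils.

```bash
#!/usr/bin/env bash
# Added example: triage an integrity alert on a path that may be a symlink.
# Everything runs against files constructed in a temp directory.

# Print "<md5> <kind> <resolved path>". md5sum follows symlinks, so the hash
# reported for a link is the hash of the content of its target.
describe() {
    local path="$1" kind=file resolved hash
    if [ -L "$path" ]; then kind=symlink; fi
    resolved=$(readlink -f -- "$path") || return 1
    hash=$(md5sum -- "$resolved" | cut -d' ' -f1) || return 1
    printf '%s %s %s\n' "$hash" "$kind" "$resolved"
}

# Report what was modified after <since_epoch>: link, target, both or neither.
# stat reads the link's own mtime; stat -L reads the target's.
what_changed() {
    local path="$1" since="$2" link_m target_m out=
    link_m=$(stat -c %Y -- "$path") || return 1
    target_m=$(stat -L -c %Y -- "$path") || return 1
    if [ -L "$path" ] && [ "$link_m" -gt "$since" ]; then out=link; fi
    if [ "$target_m" -gt "$since" ]; then
        if [ -n "$out" ]; then out=both; else out=target; fi
    fi
    echo "${out:-neither}"
}

# Compare against a hash taken on a second host running the same release.
compare_with_reference() {
    local hash
    hash=$(describe "$1" | cut -d' ' -f1) || return 1
    if [ "$hash" = "$2" ]; then echo MATCH; else echo MISMATCH; fi
}

# --- constructed demo: a link whose target is replaced by an update ---
demo=$(mktemp -d)
mkdir -p "$demo/cpanel/bin" "$demo/bin"
printf 'build A\n' > "$demo/cpanel/bin/jail_safe_passwd"
ln -s "$demo/cpanel/bin/jail_safe_passwd" "$demo/bin/passwd"
touch -h -d @1608000000 "$demo/bin/passwd"                # link's own mtime: mid-December 2020
baseline=$(describe "$demo/bin/passwd" | cut -d' ' -f1)   # hash recorded before the update
checkpoint=1609459200                                     # 2021-01-01 00:00:00 UTC
printf 'build B\n' > "$demo/cpanel/bin/jail_safe_passwd"  # the update replaces the target
touch -d @1610064074 "$demo/cpanel/bin/jail_safe_passwd"  # target mtime after the checkpoint

describe "$demo/bin/passwd"
what_changed "$demo/bin/passwd" "$checkpoint"
compare_with_reference "$demo/bin/passwd" "$baseline"
```

A `target` result with an old link mtime means the link was not re-pointed; only the content behind it changed, which is the case where a reference hash from a second host on the same release settles the question.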
  • martin MHC
    @Spirogg good to see it's not just me, and good to see your checksum compares with mine, both of which makes me feel better that everything is (more probably) fine :)
    0
  • martin MHC
    @Spirogg did you have any recent server updates that might have caused the LFD to notice this single file link change?
    0
  • Spirogg
    > @Spirogg did you have any recent server updates that might have caused the LFD to notice this single file link change?

    Hello - I think the only update was the automatic cPanel update. I have not logged into WHM or the server for a few days, and today I saw the email, Jan 8th 2021 at 5:50am CST, so other than this I am not sure what else might have updated. Is there a way to check some logs to see? I have been getting bombarded with emails from LFD with the same IP range being blocked, so I blocked the whole range 71.0.0.0/8 and also 75.0.0.0/8. Other than that, usually if CSF is updated I get an email with their log, but that was not the case - just the MD5 check that failed for what we both have seen. So it is pretty weird even though we have the same MD5. I also am wondering what made this change, unless my server did not self-update till last night, but cPanel would give us a log of the change from 9.2.0.6 to 9.2.0.7?
    0
  • Spirogg
    > @Spirogg did you have any recent server updates that might have caused the LFD to notice this single file link change?

    @martin MHC have you noticed any other updates on your end that you think might have made this change? Or is it the same as me, just cPanel updated itself?
    0
  • martin MHC
    > @martin MHC have you noticed any other updates on your end that you think might have made this change? Or is it the same as me, just cPanel updated itself?

    I thought our server had no updates at that exact time, however there was the WHM 92.0.7 update which might have triggered this: Our records show this update finished at 2021-01-08 00:01:14 +0000. You can find update logs at /var/cpanel/updatelogs/summary.log. I still find it weird that even if the WHM update to 92.0.7 was the cause, this was the __only__ file that was noted by LFD as changed between 92.0.6 and 92.0.7...
    0
  • Spirogg
    @cPanelLauren do you know anything about this? Are we safe to say this was from a cPanel auto update from 92.0.6 to 92.0.7 and LFD just happened to only email us with this change? Or can anyone from @cpanel answer this for us? Thank you in advance
    0
  • din124
    I think it's okay. This is due to the fact that cPanel and because of this, the site structure, format and content are updated / changed.
    0
  • cPRex Jurassic Moderator
    @Spirogg - we've already determined this is normal activity and not any type of security issue, so there's no reason to be alarmed about this one.
    0
  • Ujins
    The two files are different, and serve different purpose via
    0
