What does /usr/local/bin/passwd actually control?
WHM: 92.0.7
OS: CentOS 7.9
Google searching the title "What does /usr/local/bin/passwd actually control?" doesn't give me any clear definitive answer.
I found this morning a notice from the Login Failure Daemon (LFD), an alert that:
Time: Fri Jan 8 00:05:13 2021 +0000
The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
/usr/local/bin/passwd: FAILED
This raises some points for me on a few fronts:
1) It is only this file that is marked as changed.
2) At this time of day (midnight) no one outside of the company (i.e. no clients) should be changing any WHM-specific passwords (cPanel passwords or WHM logins).
So, two follow-up questions:
a) What does this passwd file actually designate?
b) Should I be unduly concerned when this file in isolation is updated at non-working times of day? For example, if it's simply referring to an email account password update, that can make sense for an end-user client updating their email passwords.
I have downloaded and looked at the file (3.31 MB) but would like to learn some background before progressing further.
Cheers
P.S. I have read here
I think this is all right. It can happen due to cPanel or one of its components being updated, hence the file structure, format or content being refreshed/changed. It is possible that some software relies on /usr/local/bin/passwd instead of /usr/bin/passwd as well.
I am familiar with updates, but they usually affect an array of files. I am not used to seeing only this file being updated in isolation. Are you aware what this file is actually used for?
I checked a CentOS 7 system and that file is a link on that system:
# ll /usr/local/bin/passwd
lrwxrwxrwx 1 root root 38 Dec 15 17:44 /usr/local/bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd
It's normal for that tool to report on changes to files, but that file is not owned or updated by any package.
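The thread's check is a one-off md5sum on the link. As an added example (not from the thread, CSF/LFD or cPanel), the script below records a baseline of the md5 plus the resolved symlink target for a path and, on re-check, tells a changed link target apart from changed target content, which is exactly the distinction raised above. It runs against a constructed temporary directory mirroring the passwd -> jail_safe_passwd layout and assumes coreutils md5sum and readlink -f and paths without spaces.

```shell
#!/bin/sh
# Added example, not from the thread, CSF/LFD or cPanel. A baseline integrity
# check that follows symlinks: it stores the md5 of the resolved target next to
# the target path, so a later check can separate "link points elsewhere" from
# "target content changed". Assumes coreutils and paths without spaces.

# fingerprint PATH -> prints "<md5> <resolved target>"
fingerprint() {
    _p="$1"
    if [ -L "$_p" ]; then _t=$(readlink -f "$_p"); else _t="$_p"; fi
    _h=$(md5sum "$_t" | cut -d' ' -f1)
    printf '%s %s\n' "$_h" "$_t"
}

# record_baseline BASELINE_FILE PATH... -> appends "<path> <md5> <target>" lines
record_baseline() {
    _base="$1"; shift
    for _p in "$@"; do
        printf '%s %s\n' "$_p" "$(fingerprint "$_p")" >> "$_base"
    done
}

# check_path BASELINE_FILE PATH -> prints OK, CONTENT_CHANGED, LINK_CHANGED,
# BOTH_CHANGED, or UNTRACKED (path absent from the baseline)
check_path() {
    _base="$1"; _p="$2"
    _old=$(awk -v p="$_p" '$1 == p { print $2, $3; exit }' "$_base")
    [ -n "$_old" ] || { echo UNTRACKED; return 0; }
    _new=$(fingerprint "$_p")
    _oh=${_old%% *}; _ot=${_old#* }   # baseline hash and target
    _nh=${_new%% *}; _nt=${_new#* }   # current hash and target
    if [ "$_oh" = "$_nh" ] && [ "$_ot" = "$_nt" ]; then echo OK
    elif [ "$_oh" != "$_nh" ] && [ "$_ot" != "$_nt" ]; then echo BOTH_CHANGED
    elif [ "$_oh" != "$_nh" ]; then echo CONTENT_CHANGED
    else echo LINK_CHANGED
    fi
}

# Constructed demo of the thread's layout (real paths: /usr/local/bin/passwd
# -> /usr/local/cpanel/bin/jail_safe_passwd); the files here are fake.
demo=$(mktemp -d)
mkdir -p "$demo/cpanel/bin" "$demo/bin"
printf 'build 92.0.6\n' > "$demo/cpanel/bin/jail_safe_passwd"
ln -s "$demo/cpanel/bin/jail_safe_passwd" "$demo/bin/passwd"
record_baseline "$demo/baseline.txt" "$demo/bin/passwd"
printf 'build 92.0.7\n' > "$demo/cpanel/bin/jail_safe_passwd"  # upgrade rewrites the target
echo "$demo/bin/passwd: $(check_path "$demo/baseline.txt" "$demo/bin/passwd")"  # CONTENT_CHANGED
rm -rf "$demo"
```

With the baseline taken before an upgrade, a hit on the link alone (as in the LFD mail) shows up as LINK_CHANGED only when the link's destination moved; a rebuilt jail_safe_passwd under the same path reports CONTENT_CHANGED.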
Hi Rex, thanks for your clarification there. The file change checker noted that the link changed rather than the source file (/usr/local/cpanel/bin/jail_safe_passwd). I am assuming you mean the link file (/usr/local/bin/passwd) is not owned or updated by any package, which is fair enough. I have read Would you be able to do me a favour and give me the MD5 checksum of /usr/local/cpanel/bin/jail_safe_passwd for WHM 92.0.7, just for me to be sure it's ok? I'm pretty sure everything's fine but it would be nice to confirm. Or tell me where I can retrieve checksum values myself from cPanel? Many thanks
Here's what I get on my end:
# md5sum /usr/local/bin/passwd
f248a9097d65c697e5fdf3e1c11a64bf /usr/local/bin/passwd
Sadly this is not the same as mine:
[r@basic ~]# md5sum /usr/local/bin/passwd
1a36d09f2b08655075933414c80a976a /usr/local/bin/passwd
As said, it's WHM 92.0.7 and CentOS 7.9 .... just in case either of those influence... In addition, for reference:
[r@basic ~]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
1a36d09f2b08655075933414c80a976a /usr/local/cpanel/bin/jail_safe_passwd
Should I raise a ticket on this? I'm feeling I'm getting a bit out of my depth and probably getting big conclusions from small symptoms....
@cPRex I also have the same as @martin MHC
[root@server1 ~]# ll /usr/local/bin/passwd
lrwxrwxrwx. 1 root root 38 Nov 14 18:23 /usr/local/bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd
[root@server1 ~]# md5sum /usr/local/bin/passwd
1a36d09f2b08655075933414c80a976a /usr/local/bin/passwd
[root@server1 ~]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
1a36d09f2b08655075933414c80a976a /usr/local/cpanel/bin/jail_safe_passwd
I also received the email: the md5 check failed for just /usr/local/bin/passwd.
Okay, I did some additional digging on this and it looks like CSF hasn't updated their checksums for the 92.0.7 update. My initial check was actually 92.0.6 and apparently I had too many servers open - I can confirm I get the 1a36d09f2b08655075933414c80a976a on a 92.0.7 system when I double-checked just now. It's important to note that cPanel doesn't send our changes to CSF in advance, so there can be delays in updates from when we release them to when CSF has valid checksums to compare against.
@Spirogg good to see it's not just me, and good to see your checksum compares with mine, both of which make me feel better that everything is (more probably) fine :)
@Spirogg did you have any recent server updates that might have caused the LFD to notice this single file link change?
Hello - I think the only update was the automatic cPanel update. I have not logged into WHM or the server for a few days, and today I saw the email (Jan 8th 2021 at 5:50am CST), so other than this I am not sure what else might have updated. Is there a way to check some logs to see? I have been getting bombarded with emails from LFD with the same IP range being blocked, so I blocked the whole range 71.0.0.0/8 and also 75.0.0.0/8. Other than that, usually if CSF is updated I get an email with their log, but that was not the case... just the MD5 check that failed for what we both have seen. So it is pretty weird, even though we have the same MD5. I also am wondering what made this change, unless my server did not self-update till last night, but cPanel would give us a log of the change from 9.2.0.6 to 9.2.0.7?
@martin MHC have you noticed any other updates on your end that you think might have made this change? Or is it the same as me, just cPanel updated itself?
I thought our server had no updates at that exact time; however, there was the WHM 92.0.7 update which might have triggered this: our records show this update finished at 2021-01-08 00:01:14 +0000. You can find update logs at /var/cpanel/updatelogs/summary.log. I still find it weird that, even if the WHM update to 92.0.7 was the cause, this was the __only__ file that was noted by LFD as changed between 92.0.6 and 92.0.7...
@cPanelLauren do you know anything about this? Are we safe to say this was from a cPanel auto update from 92.0.6 to 92.0.7 and LFD just happened to only email us with this change? Or can anyone from @cpanel answer this for us? Thank you in advance
@Spirogg - we've already determined this is normal activity and not any type of security issue, so there's no reason to be alarmed about this one.