Danger behind cPanel account restore – Shared hosts, be careful!
Today I have been playing with my test cPanel server. I decided to look into the reseller settings and found a serious anomaly while working. Here is what it is…
I know we very rarely need to grant the “All Features (warning: total and complete access)” privilege to a reseller, because that privilege gives the reseller root-level access on the server, which is not allowed. So generally no one without root-level WHM access is able to create a reseller with all privileges. It is equally obvious that anyone with root privilege (like VPS owners) can create an “all privilege” reseller. Now what happens when we restore such a reseller to a server? What changes does it make compared to a normal user or a reseller without any privilege? So far I couldn’t find any. I couldn’t find any specific message or difference in the restore process between a normal user, a reseller without the “all” privilege, and a reseller with the “all” privilege. I could find only the following common messages with any of them (in fact, the admins I have seen don’t pay attention to the restore messages unless they hit a specific error during restoration):
Setting up Proxy Subdomains……Done
Sending Account Information……Done
System has 1 free ip.
Running post creation scripts (/usr/local/cpanel/scripts/legacypostwwwacct, /usr/local/cpanel/scripts/postwwwacct, /usr/local/cpanel/scripts/postwwwacctuser)……Done
wwwacct creation finished
Setting up Domain Pointers……Done
Setting Reseller Privs……Done
Account Creation Complete!!!…Account Creation Ok…Done
Locking password for user internal.passwd: Success
Done
Restoring cpanel user config file
Done
Restoring reseller packages and features (if any)
Restoring reseller privs (if any)
Restoring Locale Setting
Restoring frontpage (if installed)…Done
Restoring access logs….Done
Restoring domain keys….Done
Restoring DB MAP File….Done
Restoring MySQL databases….Database “cptmpdb_internal__CcbDDmQKqAUhrWT” dropped
Done
Done
Done
Restoring MySQL privs
Skipping grants for these MySQL databases: internal_%. These databases don’t exist in the archive.
Done
Reloading MySQL
Done
Restoring PostgreSQL databases….PostgreSQL is not installed. Skipping.
Restoring Mailman lists
Done
Restoring Mailman Archives
Done
Restoring shell Changing /usr/local/cpanel
Now what? Yes, any user can create a reseller with “all” privileges and ask a shared / reseller host to restore that account to the host’s servers. Unless the restore is carefully watched, what the host is giving away is root-level access over its servers to unauthorized users. I am not sure if this is already addressed or whether I missed any messages while restoring. Anyway, it is not good practice to inherit “all” privileges for a reseller during restoration. This is a serious security issue and must be addressed by cPanel.
So shared / reseller hosts, be careful when restoring new accounts. Make sure that no unnecessary privileges are migrated to your server. Cross-check everything and protect all the others on your server.
As an administrator I wrote a script as a patch for this, and you can apply the patch to the cPanel server using the following commands:
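One way to do the cross-check described above after a restore, as an added example (it is not the author's patch and not cPanel's code). It assumes reseller ACLs are stored one per line as "user:acl1,acl2,..." in /var/cpanel/resellers and that the root-level privilege appears there as the token "all"; the function names and the sample data are made up for illustration.

```shell
#!/bin/sh
# Added example, not cPanel's code or the author's patch.
# Assumption: reseller ACLs are stored one per line as "user:acl1,acl2,..."
# (the layout of /var/cpanel/resellers), and "all" is the root-level ACL.

# find_all_priv_resellers FILE
# Prints every username whose ACL list contains the exact token "all".
# Returns 0 if none found, 1 if at least one found, 2 if FILE is unreadable.
find_all_priv_resellers() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    awk -F: '
        /^[ \t]*(#|$)/ { next }                  # skip comments, blank lines
        {
            n = split($2, acl, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", acl[i])
                # exact match: "allow-shell" etc. must not count as "all"
                if (acl[i] == "all") { print $1; found = 1; break }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample data (not taken from a real server).
write_sample_resellers() {
    cat > "$1" <<'EOF'
# constructed sample
alice:create-acct,list-accts,allow-shell
internal:create-acct,all,list-accts
bob:allow-addoncreate,kill-acct
EOF
}

sample=$(mktemp)
write_sample_resellers "$sample"
if find_all_priv_resellers "$sample"; then
    echo "no reseller holds the all ACL"
else
    echo "^ accounts above hold the all ACL; review them before leaving it in place"
fi
rm -f "$sample"
```

On a live server the same function can be pointed at /var/cpanel/resellers right after a restore; a plain substring search for "all" would also match ACL names such as allow-shell, which is why the list is split and compared token by token.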
cd /usr/local/src/
wget http://nixtree.com/download/nix-cPanelPatch.tgz
tar -xzvf nix-cPanelPatch.tgz
cd nix-cPanelPatch
sh install.sh