(Plesk for Linux) Scheduled Tasks Shell Setting

Summary

You can give customers the ability to create scheduled tasks that run commands on the server. In Plesk for Linux, the shell being used determines which areas of the file system scheduled tasks have access to. By default, access is limited to the customer’s webspace. However, the Plesk administrator can change that.

In this topic, you will learn how to set the default shell for scheduled tasks, how to set a custom shell for an individual subscription, and also how to allow a customer to set a custom shell for their subscription. You will also learn how to prevent customers from using the “Run a Command” scheduled tasks.

Note: If you are not familiar with the concept of Linux shells, we recommend learning more before changing the settings described in this topic.

What shell is used for running scheduled tasks?

The shell used for “Run a Command” scheduled tasks is tied to the subscription’s system user (that is, all scheduled tasks created under a subscription share the same shell). By default, it matches the default shell configured in server settings and used for all subscriptions on the server. However, there are two exceptions to this rule:

In both cases, “Run a Command” scheduled tasks created under the subscription will use the custom shell instead of the default one.

Why use a different shell?

By default, the “/bin/bash (chrooted)” shell is configured as the default shell for scheduled tasks. This makes it so that commands run by scheduled tasks only have access to the files contained within the webspace associated with the subscription. This is an important security measure that ensures that customers cannot use scheduled tasks to disrupt the operation of the server or access files belonging to the Plesk administrator or to other customers.

Note

This setting affects all subscriptions on the server, including those owned by the Plesk administrator. It does not affect the scheduled tasks created by the Plesk administrator in Tools & Settings > Scheduled Tasks (Cron jobs) (under “Tools & Resources”) that are configured to run under the root user.

The main reason you may want to change the default shell for scheduled tasks is to give everyone on the server the ability to run commands via scheduled tasks that have access to the whole file system of the server.

If you are not sharing the server with anyone, or if you trust the other tenants, you can select a non-chrooted shell for scheduled tasks. If you want to use a non-chrooted shell for scheduled tasks but are unsure which one to choose, select “/bin/bash”.

On a shared hosting server, we recommend leaving the default shell for scheduled tasks set to “/bin/bash (chrooted)”. If one of your customers requires a non-chrooted shell for his or her scheduled tasks, you can grant it on a per-subscription basis.

Warning

Granting a customer access to any shell other than “/bin/bash (chrooted)” gives them the ability to execute binaries and access files and data that do not belong to them. This is a security risk and may lead to the server being compromised.

Set the default shell for scheduled tasks

To set the shell that will be used to run all “Run a Command” scheduled tasks by default, go to Tools & Settings > Scheduled Tasks (Cron jobs) (under “Tools & Resources”) > Settings and select the desired shell from the menu.


Alternatively, you can log in to the server via SSH and run the following command:

plesk bin server_pref -u -crontab-secure-shell "<shell>"

Where <shell> is the desired shell. For example:

plesk bin server_pref -u -crontab-secure-shell "/bin/bash"

Prevent the use of “Run a Command” scheduled tasks

If you believe one of your customers has created a scheduled task performing malicious activity on the server (for example, sending out spam), you can disable all “Run a Command” scheduled tasks while you investigate.

Log in to the Plesk server via SSH and run the following command to set the default shell for scheduled tasks to “/bin/false”:

plesk bin server_pref -u -crontab-secure-shell "/bin/false"

This will cause all “Run a Command” scheduled tasks created by customers to fail.

Note

Customers that have the permission to select a different shell can override this for their subscriptions by selecting a different shell.

Set a custom shell for an individual subscription

To set a custom shell for an individual subscription, follow these steps:

  1. Go to Subscriptions, click the desired subscription, go to the “Hosting & DNS” tab, and then click Hosting.
  2. Select the desired shell from the “SSH Access” menu and click Save.

All “Run a Command” scheduled tasks for this subscription will use the selected shell.

Allow a customer to set a custom shell for their subscription

To allow a customer to set a custom shell for one of their subscriptions, follow these steps:

  1. Go to Subscriptions, click the desired subscription, and then click Customize.
  2. On the “Permissions” tab, select the “Hosting settings management” and “Setup of potentially insecure web scripting options that override provider’s policy” checkboxes, and then click Update & Lock.

This will give the customer the ability to select a different shell in Websites & Domains > “Hosting & DNS” tab > Hosting. If they do, all “Run a Command” scheduled tasks for their subscription will use the selected shell.

Find out what shell is used by a subscription

To find out what shell is used for the “Run a Command” scheduled tasks of a subscription, follow these steps:

  1. Look up the username of the subscription’s system user. Go to Subscriptions, click the desired subscription, go to the “Hosting & DNS” tab, click Hosting, and then look for the “Username” field.
  2. Log in to the Plesk server via SSH and run the following command:
crontab -u <system user name> -l | grep SHELL
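
The check above, extended to several system users at once, as an added example that is not part of the Plesk documentation: it runs the same crontab command per user and flags any SHELL value that differs from the one you expect, including the case where no SHELL line exists and grep would print nothing. The function names are hypothetical, the expected shell is supplied by the administrator, and the path in the constructed sample is a placeholder.

```shell
#!/bin/sh
# Added example (not Plesk code): flag subscriptions whose scheduled tasks do
# not run under the shell the administrator expects.

# classify_cron_shell EXPECTED   (crontab text on stdin)
# Prints "ok <shell>" or "unexpected <shell>" for every SHELL= assignment, or
# "unset" when there is none (cron then falls back to /bin/sh; an empty or
# missing crontab reports the same). Returns 0 only if every value matches.
classify_cron_shell() {
    awk -v expected="$1" '
        /^[ \t]*SHELL[ \t]*=/ {
            val = $0
            sub(/^[ \t]*SHELL[ \t]*=[ \t]*/, "", val)   # drop the name and "="
            sub(/[ \t]+$/, "", val)                     # drop trailing blanks
            c = substr(val, 1, 1)                       # strip matching quotes
            if ((c == "\"" || c == "\047") && substr(val, length(val)) == c)
                val = substr(val, 2, length(val) - 2)
            seen = 1
            if (val == expected) { print "ok " val } else { print "unexpected " val; bad = 1 }
        }
        END {
            if (!seen) { print "unset"; bad = 1 }
            exit bad + 0
        }
    '
}

# audit_users EXPECTED USER...   (run as root; uses the crontab command above)
audit_users() {
    want=$1; shift; rc=0
    for user in "$@"; do
        found=$(crontab -u "$user" -l 2>/dev/null | classify_cron_shell "$want") || rc=1
        printf '%s: %s\n' "$user" "$(printf '%s' "$found" | tr '\n' ' ')"
    done
    return "$rc"
}

# Constructed sample crontab; the shell path is a placeholder, not a Plesk path.
sample_crontab() {
    printf '%s\n' 'MAILTO=""' 'SHELL="/path/to/expected-shell"' \
        '*/5 * * * * php report.php'
}

# Usage: sh audit.sh <expected shell> <system user>...
if [ "$#" -ge 2 ]; then audit_users "$@"; fi
```

Take the expected value from the output of the command above for a subscription known to use the intended shell. A nonzero exit status means at least one listed user has an unexpected or missing SHELL line.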