(Plesk for Linux) Scheduled Tasks Shell Setting
summary: You can give customers the ability to create scheduled tasks that run commands on the server. In Plesk for Linux, the shell being used determines which areas of the file system scheduled tasks have access to. By default, access is limited to the customer’s webspace. However, Plesk administrator has the ability to change that.
In this topic, you will learn how to set the default shell for scheduled tasks, how to set a custom shell for an individual subscription, and also how to allow a customer to set a custom shell for their subscription. You will also learn how to prevent customers from using the “Run a Command” scheduled tasks.
Note: If you are not familiar with the concept of Linux shells, we recommend learning more before changing the settings described in this topic.
What shell is used for running scheduled tasks?
The shell used for “Run a Command” scheduled tasks is tied to the subscription’s system user (that is, all scheduled tasks created under a subscription share the same shell). By default, it matches the default shell configured in server settings and used for all subscriptions on the server. However, there are two exceptions to this rule:
- The Plesk administrator can select any shell for any subscription on the server.
- The Plesk administrator can grant the owner of a subscription the permission to select a custom shell.
In both cases, “Run a Command” scheduled tasks created under the subscription will use the custom shell instead of the default one.
Why use a different shell?
By default, the “/bin/bash (chrooted)
” shell is configured as the
default shell for scheduled tasks. This makes it so that commands run by
scheduled tasks only have access to the files contained within the
webspace associated with the subscription. This is an important security
measure that ensures that customers cannot use scheduled tasks to
disrupt the operation of the server or access files belonging to the
Plesk administrator or to other customers.
Note: This setting affects all subscriptions on the server, including those
owned by the Plesk administrator. It does not affect the scheduled
tasks created by the Plesk administrator in Tools &
Settings > Scheduled Tasks (Cron jobs) (under “Tools & Resources”) that are configured to run under the
root
user.
The main reason you may want to change the default shell for scheduled tasks is to give everyone on the server the ability to run commands via scheduled tasks that have access to the whole file system of the server.
If you are not sharing the server with anyone, or if you trust the other
tenants, you can select a non-chrooted shell for
scheduled tasks. If you want to use a non-chrooted shell for scheduled
tasks but are unsure which one to choose, select “/bin/bash
”.
On a shared hosting server, we recommend leaving the default shell for
scheduled tasks set to “/bin/bash (chrooted)
”. If one of your
customers requires a non-chrooted shell for his or her scheduled tasks,
you can grant it on a subscription per
subscription basis.
Warning: Granting a customer access to any other shell than
“/bin/bash (chrooted)
” gives them the ability to execute binaries
and access files and data that do not belong to them. This is a
security risk and may lead to the server being compromised.
Set the default shell for scheduled tasks
To set the shell that will be used to run all “Run a Command” scheduled tasks by default, go to Tools & Settings > Scheduled Tasks (Cron jobs) (under “Tools & Resources”) > Settings and select the desired shell from the menu.
Alternatively, you can log in to the server via ssh and run the following command:
plesk bin server_pref -u -crontab-secure-shell "<shell>"
Where <shell>
is the desired shell. For example:
plesk bin server_pref -u -crontab-secure-shell "/bin/bash"
Prevent the use of “Run a Command” scheduled tasks
If you believe one of your customers has created a scheduled task performing malicious activity on the server (for example, sending out spam), you can disable all “Run a command” scheduled tasks while you investigate.
Log in to the Plesk server via ssh and run the following command
plesk bin server_pref -u -crontab-secure-shell "/bin/false"
to set the default shell for scheduled tasks to “/bin/false
”. This
will make all “Run a command” scheduled tasks created by customers to
fail.
Note: Customers that have the permission to select a different shell can override this for their subscriptions by selecting a different shell.
Set a custom shell for an individual subscription
To set a custom shell for an individual subscription, follow these steps:
- Go to Subscriptions, click the desired subscription, go to the “Hosting & DNS” tab, and then click Hosting.
- Select the desired shell from the “SSH Access” menu and click Save.
All “Run a Command” scheduled tasks for this subscription will use the selected shell.
Allow a customer to set a custom shell for their subscription
To allow a customer to set a custom shell for one of their subscriptions, follow these steps:
- Go to Subscriptions, click the desired subscription, and then click Customize.
- On the “Permissions” tab, select the “Hosting settings management” and “Setup of potentially insecure web scripting options that override provider’s policy” checkboxes, and then click Update & Lock.
This will give the customer the ability to select a different shell in Websites & Domains > “Hosting & DNS” tab > Hosting. If they do, all “Run a Command” scheduled tasks for their subscription will use the selected shell.
Find out what shell is used by a subscription
To find out what shell is used for the “Run a Command” scheduled tasks of a subscription, follow these steps:
- Look up the username of the subscription’s system user. Go to Subscriptions, click the desired subscription, go to the “Hosting & DNS” tab, click Hosting, and then look for the “Username” field.
- Log in to the Plesk server via ssh and run the following command:
crontab -u <system user name> -l | grep SHELL