Scheduled Tasks Shell Setting¶
Plesk for Linux gives customers the ability to create scheduled tasks that run commands on the server. The shell being used determines which areas of the file system scheduled tasks have access to. By default, access is limited to the customer’s webspace. However, Plesk administrator has the ability to change that.
Note
If you are not familiar with the concept of shells, we recommend learning more before changing the settings described in this topic.
What shell is used for running scheduled tasks?¶
The shell used for “Run a Command” scheduled tasks is tied to the subscription’s system user (that is, all scheduled tasks created under a subscription share the same shell). By default, it matches the default shell configured in server settings and used for all subscriptions on the server. However, there are two exceptions to this rule:
- The Plesk administrator can select any shell for any subscription on the server.
- The Plesk administrator can grant the owner of a subscription the permission to select a custom shell.
In both cases, “Run a Command” scheduled tasks created under the subscription will use the custom shell instead of the default one.
Why use a different shell?¶
By default, the “/bin/bash (chrooted)
” shell is configured as the
default shell for scheduled tasks. This makes it so that commands run by
scheduled tasks only have access to the files contained within the
webspace associated with the subscription. This is an important security
measure that ensures that customers cannot use scheduled tasks to
disrupt the operation of the server or access files belonging to the
Plesk administrator or to other customers.
Note
This setting affects all subscriptions on the server, including those
owned by the Plesk administrator. It does not affect the scheduled
tasks created by the Plesk administrator in Tools &
Settings > Scheduled Tasks that are configured to run under the
root
user.
The main reason you may want to change the default shell for scheduled tasks is to give everyone on the server the ability to run commands via scheduled tasks that have access to the whole file system of the server.
If you are not sharing the server with anyone, or if you trust the other
tenants, you can select a non-chrooted shell for
scheduled tasks. If you want to use a non-chrooted shell for scheduled
tasks but are unsure which one to choose, select “/bin/bash
”.
On a shared hosting server, we recommend leaving the default shell for
scheduled tasks set to “/bin/bash (chrooted)
”. If one of your
customers requires a non-chrooted shell for his or her scheduled tasks,
you can grant it on a subscription per
subscription basis.
Warning
Granting a customer access to any other shell than
“/bin/bash (chrooted)
” gives them the ability to execute binaries
and access files and data that do not belong to them. This is a
security risk and may lead to the server being compromised.
Set the default shell for scheduled tasks¶
To set the shell that will be used to run all “Run a Command” scheduled tasks by default, go to Tools & Settings > Scheduled Tasks > Settings and select the desired shell from the menu.
Alternatively, you can log in to the server via ssh and run the following command:
plesk bin server_pref -u -crontab-secure-shell "<shell>"
Where <shell>
is the desired shell. For example:
plesk bin server_pref -u -crontab-secure-shell "/bin/bash"
Prevent the use of “Run a Command” scheduled tasks¶
If you believe one of your customers has created a scheduled task performing malicious activity on the server (for example, sending out spam), you can disable all “Run a command” scheduled tasks while you investigate.
Log in to the Plesk server via ssh and run the following command
plesk bin server_pref -u -crontab-secure-shell "/bin/false"
to set the default shell for scheduled tasks to “/bin/false
”. This
will make all “Run a command” scheduled tasks created by customers to
fail.
Note
Customers that have the permission to select a different shell can override this for their subscriptions by selecting a different shell in Websites & Domains > Web Hosting Access.
Set a custom shell for an individual subscription¶
To set a custom shell for an individual subscription, follow these steps:
- Go to Subscriptions, click the desired subscription, and then click Web Hosting Access.
- Select the desired shell from the “Access to the server over SSH” menu and click Ok.
All “Run a Command” scheduled tasks for this subscription will use the selected shell.
Allow a customer to set a custom shell for their subscription¶
To allow a customer to set a custom shell for one of their subscriptions, follow these steps:
- Go to Subscriptions, click the desired subscription, and then click Customize.
- On the “Permissions” tab, check the “Hosting settings management” and “Setup of potentially insecure web scripting options that override provider’s policy” checkboxes, and then click Ok.
This will give the customer the ability to select a different shell in Websites & Domains > Web Hosting Access. If they do, all “Run a Command” scheduled tasks for their subscription will use the selected shell.
Find out what shell is used by a subscription¶
To find out what shell is used for the “Run a Command” scheduled tasks of a subscription, follow these steps:
- Look up the username of the subscription’s system user. Go to Subscriptions, click the desired subscription, click Web Hosting Access, and then look for the “Username” field.
- Log in to the Plesk server via ssh and run the following command:
crontab -u <system user name> -l | grep SHELL