
[Resolved] Can subscription users run scheduled tasks as root?

Bitpalast

On https://docs.plesk.com/en-US/17.0/a...-guide-linux/enhancing-security.68755/#o68759 it is said that "By default, Plesk allows utilities or scripts to be run on behalf of root in two cases: Scheduling tasks with the cron manager ...".

When we create a scheduled task from within a subscription, how can this be run as root? By default it is created to run as the subscription, at least that is what it looks like. Is there a vulnerability we are unaware of, e.g. can a subscription user create a scheduled task that runs with root permissions?
 
In general, the situation is as follows: Plesk uses a user named psaadm, and there is no prohibition on making psaadm synonymous with root, i.e. setting its uid to 0.
The event handler tool is the mechanism for launching event handlers that fire from the business logic for extensions, i.e. when a "domain creation" event occurs, the business logic runs the extensions' handlers for that event. In fact, an additional sw-engine process runs under the user psaadm. It is possible that psaadm is synonymous with root, and to prevent the creation of such processes you can create the file $PRODUCT_ROOT_D/var/root.event_handler.lock

Regarding the $PRODUCT_ROOT_D/var/root.crontab.lock file: the point is that the admin user can create tasks for the root user.
In other words, by default admin can do it; if you create this file, admin can't do it.
 
Hi @IgorG,

I had the same question today, and I'm not sure about this. I didn't fully understand....

So if I implement the "$PRODUCT_ROOT_D/var/root.crontab.lock" file, it will

1. block normal users and/or stupid hackers from creating root tasks. (very good)
2. block me as root/admin from creating NEW crons? (hm.....)
3. not harm any existing cron jobs which were set up via root, and not disturb any cron jobs from Plesk etc.?

Am I right?
 
Am I right?
Yes, generally you are correct.
There are the following cases in which the Plesk admin can run arbitrary code with root privileges:
  1. Scheduled tasks with the root system user (can be eliminated by /usr/local/psa/var/root.crontab.lock).
  2. Event handlers with the root system user (can be eliminated by /usr/local/psa/var/root.event.handler.lock).
  3. Uploading an extension (cannot be eliminated at the moment, as far as I know).
There are some specific scenarios described in the already existing report PPP-28512 which will be considered and resolved in the next Plesk version.
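As an added example (not code from this thread, from IgorG, or from Plesk itself), the following POSIX shell script audits the state of the two lock files named in the reply above and the psaadm-uid point raised in the first reply. It assumes the lock files live under $PRODUCT_ROOT_D/var as stated in the thread, accepts both spellings of the event-handler lock that appear in the replies, and reads a passwd-format file whose path is a parameter so it can be run against a copy. It only reports whether the mitigations are in place; whether Plesk honours the locks is something only the product can confirm.

```shell
#!/bin/sh
# Added example, not from the thread or from Plesk: audit the root-execution
# paths discussed above (admin-scheduled root tasks, root event handlers)
# and the psaadm uid. Paths and file format are assumptions from the thread.

# Exit 0 if the lock that stops the admin from scheduling tasks as root exists.
root_crontab_locked() {
    [ -f "$1/var/root.crontab.lock" ]
}

# Exit 0 if a root event-handler lock exists (either spelling used in the thread).
root_event_handler_locked() {
    [ -f "$1/var/root.event.handler.lock" ] ||
    [ -f "$1/var/root.event_handler.lock" ]
}

# Print the numeric uid of user $2 from the passwd-format file $1, or "missing".
user_uid() {
    awk -F: -v u="$2" '$1 == u { print $3; found = 1 } END { if (!found) print "missing" }' "$1"
}

# Create both lock files under the given Plesk root (what the touch commands do).
enable_root_locks() {
    mkdir -p "$1/var" &&
    touch "$1/var/root.crontab.lock" "$1/var/root.event.handler.lock"
}

# Audit one Plesk root. Prints one line per check and returns the number of
# findings, so 0 means every mitigation the thread mentions is in place.
audit_plesk_root() {
    root="$1"; passwd="${2:-/etc/passwd}"; findings=0
    if root_crontab_locked "$root"; then
        echo "OK   root.crontab.lock present: admin cannot schedule tasks as root"
    else
        echo "WARN no root.crontab.lock: admin can schedule tasks as root"
        findings=$((findings + 1))
    fi
    if root_event_handler_locked "$root"; then
        echo "OK   event-handler lock present: no root event handlers"
    else
        echo "WARN no event-handler lock: event handlers may run as root"
        findings=$((findings + 1))
    fi
    uid=$(user_uid "$passwd" psaadm)
    case "$uid" in
        0)       echo "WARN psaadm has uid 0 (synonymous with root)"
                 findings=$((findings + 1)) ;;
        missing) echo "INFO psaadm not found in $passwd" ;;
        *)       echo "OK   psaadm uid is $uid" ;;
    esac
    return "$findings"
}

# Stand-alone use: AUDIT_DEMO=1 sh audit.sh  (reads the real paths, needs access)
if [ "${AUDIT_DEMO:-0}" = 1 ]; then
    audit_plesk_root "${PRODUCT_ROOT_D:-/usr/local/psa}"
fi
```

Run it before and after creating the locks: the exit status drops from the number of findings to 0. Bear in mind the trade-off stated in the replies: once root.crontab.lock exists, the admin account can no longer create tasks as root either, so run the audit on a test system first and decide whether that restriction suits your operations.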
 
Hi @IgorG,

thank you, I am a little confused.
I created those files and can't see any of my .... 20-30 cron jobs in the Plesk GUI. Is this correct?
Is this right?
Should I undo my changes?
I ran
Code:
# touch /opt/psa/var/root.crontab.lock
# touch /opt/psa/var/root.event.handler.lock
 