• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Resolved Can subscription users run scheduled tasks as root?

Bitpalast

Bitpalast

Plesk addicted!
Plesk Guru
On https://docs.plesk.com/en-US/17.0/a...-guide-linux/enhancing-security.68755/#o68759 it is said, that "By default, Plesk allows utilities or scripts to be run on behalf of root in two cases: Scheduling tasks with the cron manager ...".

When we create a scheduled task from within a subscription, how can this be run under root? By default it is created to run as the subscription at least it looks like it. Is there a vulnerability we are unaware of, e.g. can a subscription user create a scheduled task that runs with root permissions?
 
In general, the situation is following - Plesk uses a username - psaadm, and there is no prohibition to set psaadm synonymous of root - i.e. set up uid to 0.
Event handler tool - is mechanism for launch event handler occurring in the business logic for the extensions, i.e, an event "domain creation" occurs - the business logic runs handlers for extensions with this event. In fact additional sw-engine process runs under the user psaadm. It is possible that psaadm is synonymous of root - and for preventing the creation of such processes, you can create a file $PRODUCT_ROOT_D/var/root.event_handler.lock

Regarding $PRODUCT_ROOT_D/var/root.crontab.lock file - the point is that the admin user can create tasks for the root user.
In other words by default admin can do it, if you create this file - admin can't do it.
 
Hi @IgorG ,

I had same Question today, im not sure about this. Didn't understand fully....

So if I implement "$PRODUCT_ROOT_D/var/root.crontab.lock file" it will

1. block normal users and or stupid hackers to create Root task. (very good)
2. block me as root/ admin to create NEW Crons? (hm.....)
3. wont harm any existing cron jobs which was set up via root? and or wont disturb any Cronjobs from Plesk etc.?

Am I right?
 
daanse said:
Am I right?
Click to expand...
Yes, generally you are correct.
There are the following cases when Plesk admin can run arbitrary code with root privileges:
  1. Scheduled Tasks with root system user (can be eliminate by /usr/local/psa/var/root.crontab.lock).
  2. Event Handlers with root system user (can be eliminate by /usr/local/psa/var/root.event.handler.lock).
  3. Upload Extension (cannot be eliminated at the moment, as I far as know).
There are some specific scenarios described in already existing report PPP-28512 which will be considered and resolved in the next Plesk version.
 
HI @IgorG ,

thank you, i am a little confused.
i created those files and can't see any of my .... 20-30 Cronjobs in PLesk GUI. Is this correct?
Is this right?
Should i undo my changes?
I ran
Code: 
# touch /opt/psa/var/root.crontab.lock
# touch /opt/psa/var/root.event.handler.lock
 
Last edited:
You must log in or register to reply here.

Similar threads

M
Question How to set Backup Manager to run at custom time frames
Replies
1
Views
699
Martin Dias
Martin Dias
S
Issue Can no longer execute php handler
Replies
1
Views
983
stefanb
S
H
Question SSH user can see other subdomain directories even with chrooted shell?
Replies
3
Views
1K
Raul A.
R
Z
Issue Scheduled Backup: Not working anymore and access rights issues since 18.0.66
Replies
14
Views
3K
zamkc
Z
X
Question Running wp-cli in a scheduled task (cron job)
Replies
1
Views
1K
Kaspar@Plesk
Kaspar@Plesk
Back
Top