CRON Security

[paulius]

Hello everyone,

So I'm a pretty new cPanel user (as in, running a server with cPanel as the control panel) and I have a question about the way cPanel handles CRON jobs for the various user accounts on the machine.

Is there any way to limit which commands the users can execute on their CRON tasks?

We all know that 99% of the reasons why CRON is used in a web hosting environment is to execute a scripted page at a regular interval. There's no reason why someone should be able to execute anything else than 'wget' or even 'php' in a shared hosting environment.

By letting the users execute anything, they can run potential malware (more specifically, code that exploits unpatched security holes which can potentially allow the user to gain privilege) on the machine or even a new service of their own. I've seen forum threads which explain on how to use CRON tasks to run a game server from a shared hosting account! (This assumes that the machine has no firewall, but still)

I'd much appreciate any replies, comments, suggestions, and answers.

Thanks!

[Spiral]

Crontab is basically a timed shell execution that is actually a built in part of Linux and Cpanel itself which only connects to the build in system crontab.

Subsequently, anything that can be executed by SSH can be executed by crontab which is precisely the reason I generally do not recommend allowing users access any access to crontab from Cpanel.

If any user needs a cron process setup on our own networks, we require them to submit a support ticket and we will review the request and setup the crontab command for the user. We don't let them access it themselves.

I would strongly recommend you doing the same!

If security is your concern, I would not allow SSH or CRONTAB for users!

The only way to really limit commands would be to make the system commands root access only "root:root 0700" but you have to be careful
which commands you lockdown like that because you could break things
if you just arbitrarily go locking down command.

[paulius]

Hello Spiral,

I am a sysadmin so I am well aware of what a crontab is and my precise concern is that anything can be executed. This normally shouldn't be a problem because the crontab is ran as an unprivileged user, but zero-day kernel exploits do exist and the software might not always be patched fast on a machine.

I'm happy to know that there's a way to disable cron for users, I'll do that and instruct my users to open up a ticket if they want something added to the cron. And I'm obviously not allowing SSH for my users (neither php_exec, for that matter).

Securing certain binaries is still a good idea, I would believe. Binaries such as wget, scp, and ftp normally shouldn't be accessible by random users especially on a webserver.

Thanks for taking your time to reply, I really appreciate it!