Cron job will run via shell but not the user account

[Luke Jones]

Hi All hope you can help i have hit a bit of a confusing issue.

I have a cron job setup on a user that does not seem to run, if I apply shell access to the user then the cron will run fine however with jailed shell or no shell it will not run. The same cron is in place on other users without shell access and runs fine on another server.

Both servers run on the same ESXi platform with the same configuration of virtual hardware

I have checked file permissions to ensure they match, as well as server configuration for pretty much everything i can think of, both servers are on v76.0.6

If i manually edit the cd /var/spool/cron/USERNAME file and exchange the line:

SHELL="/usr/local/cpanel/bin/jailshell"

for:

SHELL="/bin/bash"

this allows the cron to run however as soon as this is updated via cPanel this line reverts and the cron ceases to work again

Any help would be greatly appreciated.

 

[cPanelLauren]

Hi @Luke Jones


Can you provide an idea of what the cron is doing? You could even add it here just remove anything account specific. Also would it be possible to provide some information on the system you're running (OS, cPanel version, PHP version etc.)?

Thanks!

 

[Luke Jones]

System information:

$ uname -a
Linux XXXXXXXXRedactedXXXXXXXX 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)

$ df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       843G  289G  520G  36% /
devtmpfs        7.8G     0  7.8G   0% /dev
tmpfs           7.8G  4.0K  7.8G   1% /dev/shm
tmpfs           7.8G  814M  7.0G  11% /run
tmpfs           7.8G     0  7.8G   0% /sys/fs/cgroup
tmpfs           1.6G     0  1.6G   0% /run/user/1317

The server has php 5.6, 7.0 and 7.2 installed however this user is using 7.0 (have tested this with 7.2 with the same issue)

The cron:

30 * * * * /usr/local/bin/php /home/USER/public_html/includes/cron/cron.php ecommerce.php

Contents of cron.php:

<?php
require_once(__DIR__.'/../classes/classes_core.php');
// Create Empty Databases Object
$Databases       = new stdClass();
// Pre-Load Website Data
$Website        = new Website();
$Website->URI   = 'CRON';
// Get Languages
if(!$_SESSION[$Website->DB]->Languages) {
   $Languages = new Language();
   $Languages->GetRecords();
   $_SESSION[$Website->DB]->Languages = array();
   foreach($Languages->Items as $Language) {
       $Key = reset(explode('_',$Language->Code));
       if($Language->IsDefault) {
           $_SESSION[$Website->DB]->DefaultLanguage = $Key;
       }
       $Language->GetPhrases();
       $_SESSION[$Website->DB]->Languages[$Key] = $Language;
   }
   unset($Languages);
}
// Process CRON
$Website->ProcessCRON($argv[1] ? $argv[1] : $_GET['File']);
// Unset Website & Database
unset($Website,$Databases);
?>

Contents of ecommerce.php:

<?php
global $argv;

ini_set('max_execution_time',0);
ini_set('memory_limit',-1);

$this->Language       = $_SESSION[$this->DB]->Languages[$_SESSION[$this->DB]->DefaultLanguage];
$this->Products       = new Product();

$Directory           = __DIR__.'/ecommerce/'.($argv[1] ? 'php' : 'curl').'/';
$Files               = scandir($Directory);

echo "\n".'Ecommerce CRON Started...'."\n\n";

foreach($Files as $File) {
 
   if(substr($File,-4) === '.php') {
    
       $ExecutionTimes = explode(',',$this->Products->Config->CRON->$File);

       if($ExecutionTimes && in_array(date('H'),$ExecutionTimes)) {
           require($Directory.$File);
           echo 'CRON Complete: "'.$File.'"'."\n";
       }
       elseif(!array_filter($ExecutionTimes)) {
           echo 'No Execution Time(s) Set For: "'.$File.'"'."\n";
       }
    
   }

}
?>

 

[cPanelLauren]

Hi @Luke Jones

Thank you so much for all the information! This is really helpful. Two things:

1. Can you tell me which PHP handler you're using?

2. Can you show me the output when you run the cron manually (as the user) with and without JailShell enabled?


Thanks!

 

[cPanelLauren]

Hi @Luke Jones

Another thing that just came to my attention. You noted the following:

If i manually edit the cd /var/spool/cron/USERNAME file and exchange the line

How are you editing? Can you confirm that /var/spool/cron/$user is owned by user:user?

Thanks!

 

[Luke Jones]

Hi cPanelLauren,

The php Handlers are all set to cgi however the system is configured using PHP-FPM which i believe is used instead?

When running the cron manually with full shell access it prints to the screen and it then pauses there for a while whilst the database is populated (i am dumping the table contents in between tests currently for testing purposes so can see all the new entries) before returning to the prompt. When running as the cron instead of manually via shell it sends the email to.

$ /usr/local/bin/php /home/USER/public_html/includes/cron/cron.php ecommerce.php

Ecommerce CRON Started...

$

When shell access is set to jailed shell it does nothing.

$ /usr/local/bin/php /home/USER/public_html/includes/cron/cron.php ecommerce.php
$

Nothing on the screen just straight to the prompt again and when running as the cron instead of manually via shell no email.

Regards

 

[Luke Jones]

All files in /var/spool/cron/ look to be owned by root:root

$ cd /var/spool/cron/
$ ls -al
-rw-------.  1 root root   215 Nov 15 16:41 USER

I did most of the editing via the user cPanel account. It was only after finding that it ran via shell with full access that I compared the file using VIM with the account set to full shell and then again set to jailed shell and disabled shell. I edited it to give it the full shell access after setting the user back to disabled shell to try and make the account as secure as I could whilst implementing the "/bin/bash" entry to allow the cron to run as a temporary work around

 

[cPanelLauren]

Is anything added to the php-fpm error logs? You can find them at

/opt/cpanel/ea-php70/usr/var/log/php-fpm/error.log