The Community Forums


crontab in cpanel.

Discussion in 'General Discussion' started by naox, May 6, 2005.

  1. naox

    naox Well-Known Member

    crontab in cpanel - potential security breach

    This issue is probably obvious, but I was able to find hardly any posts about it on this forum, so I decided to post it.

    Crontab in cPanel for users is obviously a potential security breach.

    Using it, anyone could execute system commands like 'cat /etc/passwd' or 'cat /home/other/user/security/file'. Without PHP safe mode, a user could gain access to other users' files, etc.
    Besides that, a user could execute a PHP script using his own php.ini file by giving appropriate parameters to /usr/bin/php -c. I don't have to say it's very, very bad...

    Using PHP safe mode is a real pain in the ass, because users can't create files/dirs from PHP. Most people decide on the open dir PHP tweak + disabling system commands for PHP.

    Post your comments about the security of cPanel cron jobs.

    I think I will have to make my own cPanel option just allowing PHP scripts to execute on a crontab basis.

    Does anyone have an idea how to view cPanel users' crontabs already placed in the system, and possibly delete them?


    By the way, did someone somehow manage to run PHP safe mode while somehow allowing unrestricted access to a user's home dir, without the UID check, just to the owner of that home dir?
    Placing in httpd.conf something like
    php_admin_value safe_mode_include_dir "/home/user/"
    just won't work.
     
    #1 naox, May 6, 2005
    Last edited: May 6, 2005
  2. chirpy

    chirpy Well-Known Member

    We always disable the cron option and users have to ask us to create crontab entries for them. That said, if you allow perl CGI scripts, all the work you're looking at doing will be for nought.

    You can view users' crontabs by looking at the files in /var/spool/cron/*; however, you should not edit them directly. Always use:

    crontab -e -u accountname
     
  3. naox

    naox Well-Known Member

    OK. Since my last post I made my own crontab option, allowing only running PHP scripts, nothing more.
     
  4. rustelekom

    rustelekom Well-Known Member
    PartnerNOC

    You may easily disallow users' crontab by creating /etc/cron.allow and /etc/cron.disallow files. In /etc/cron.allow you must indicate the usernames which will be allowed to use cron, and /etc/cron.disallow may be left empty.
     
  5. __arjun__

    __arjun__ Guest

    I think the deny file is cron.deny, not cron.disallow :-/
     
  6. chirpy

    chirpy Well-Known Member

    It entirely depends what version and which cron daemon you're running as to the filenames - I've seen both and others.
     
  7. killerid2k

    killerid2k Member

    OK, can someone tell me the content of the allow and deny files, as I want to disable the cron job option completely for all users.
     
  8. rustelekom

    rustelekom Well-Known Member
    PartnerNOC

    The deny file should be just empty; the allow file should contain the user name(s).
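
Added example, not part of any post in this thread: a shell audit that lists every per-user crontab in the spool directory and checks each owner against the allow/deny files discussed above. The function names are hypothetical, the default paths are the ones mentioned in the thread (other cron daemons use other names, so all three are overridable), and the root exemption is an assumption for Vixie-style cron.

```shell
#!/bin/sh
# Added example: audit per-user crontabs against cron.allow / cron.deny.
# Paths default to those named in the thread; override for other cron daemons.
SPOOL_DIR="${SPOOL_DIR:-/var/spool/cron}"
ALLOW_FILE="${ALLOW_FILE:-/etc/cron.allow}"
DENY_FILE="${DENY_FILE:-/etc/cron.deny}"

# cron_policy USER -> prints "allowed", "denied" or "unknown"
cron_policy() {
    user=$1
    # Assumption: root is exempt from allow/deny (Vixie-style cron).
    if [ "$user" = root ]; then echo allowed; return 0; fi
    if [ -f "$ALLOW_FILE" ]; then
        # An allow file is a whitelist: only users listed in it may use cron.
        if grep -qxF -- "$user" "$ALLOW_FILE"; then echo allowed; else echo denied; fi
    elif [ -f "$DENY_FILE" ]; then
        # No allow file: everyone except the users listed in the deny file.
        if grep -qxF -- "$user" "$DENY_FILE"; then echo denied; else echo allowed; fi
    else
        echo unknown   # neither file present: behaviour depends on the daemon
    fi
}

# count_jobs FILE -> number of job lines (skips blanks, comments, VAR=value)
count_jobs() {
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=)' "$1" \
        | wc -l | tr -d ' '
}

# audit_crontabs -> one line per spool file: "user policy jobcount"
audit_crontabs() {
    for f in "$SPOOL_DIR"/*; do
        [ -f "$f" ] || continue
        user=$(basename "$f")
        echo "$user $(cron_policy "$user") $(count_jobs "$f")"
    done
}

# stale_crontabs -> users who are denied by policy but still have jobs on disk.
# Where the allow/deny files only gate the crontab command, such jobs may
# keep running until the spool file is removed.
stale_crontabs() {
    audit_crontabs | while read -r user policy jobs; do
        if [ "$policy" = denied ] && [ "$jobs" -gt 0 ]; then echo "$user"; fi
    done
}
```

Source the file as root and call audit_crontabs or stale_crontabs; any leftover entries can then be removed per account with the crontab command rather than by editing the spool files.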
     