Executing daemons via crontab in jailshell cause problems

[dev_ll]

Hello,

If user tries to execute long-term process (daemon for example) using jailshell'ed crontab - it launches, but user can't check or kill process because it is not visible to user.

For example, following loop.sh daemon is not visible to user after execution:

#!/bin/sh

while true; do
    sleep 60
done

As root, we can see three processes:

ps ax | grep loop.sh

22313 ? Ss 0:00 jailshell (user) [22320] ll -c /home/user/loop.sh
22320 ? S 0:00 jailshell (user) [init] ell -c /home/user/loop.sh
22321 ? S 0:00 /bin/sh /home/user/loop.sh

As user:

ps ax

1 ? S 0:00 -jailshell
40 ? R+ 0:00 ps ax


Therefore, If user runs daemons like ircd or icecast, it is not possible to use scripts which monitors failed daemon or kills hanged one.
Thank you in advance!

 

[cPanelMichael]

Hello

Does assigning normal shell access to the account allow the cron job to function as expected?

Thank you.

 

[dev_ll]

Hi Michael!

Yes it does. For that reason we can't switch account from normal shell to jailed.

Thank you!

 

[cPanelMichael]

Jailshell is a restricted environment by design. It's likely that full shell access is required for the account to run the specific type of application used by that account.

Thank you.

 

[dev_ll]

Michael, maybe you are right.

But, I think a process executed by a specific user context cron job should be accessible for the user. Moreover, the applications which we would like to run in jailed shell are very simple, they are no required to access resources beyond the home directory. And even simplest loop.sh (1st message) executed by cron job can't be accessed by user (check, kill ...).

If jailshell will support the described tasks, the overal system security will be higher, as there will not be requirements to enable normal shell.

Thank you!

 

[dev_ll]

If the problem could not be solved by changing software configuration, what steps should I take to solve it in the nearly future? (support ticket, feature request). The support subscription is active.

 

[cPanelMichael]

The following document might be of help if it was a file the account needed to access under a jailed shell environment:

How to Add Directories to Jailed Shell (VirtFS)

However, this seems different than what you are describing. Feel free to open a support ticket so we can take a closer look and determine if the behavior you are reporting is by design. Post the ticket number here and we can update this thread with the outcome.

Thank you.

 

[dev_ll]

Thank you, Michael. The support ticket number is 4915817.

 

[dev_ll]

Hello,

As it turns out the problem is due to Linux kernel limitations. Thanks for assistance!

 

[cPanelMichael]

I am happy to see you were able to determine the reason for the issue. Thank you for updating us with the outcome.