
Executing daemons via crontab in jailshell cause problems

Discussion in 'Security' started by dev_ll, May 5, 2014.

  1. dev_ll

    dev_ll Member

    Joined:
    Mar 23, 2008
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    If a user tries to execute a long-running process (a daemon, for example) using a jailshell'ed crontab, it launches, but the user can't check or kill the process because it is not visible to the user.

    For example, the following loop.sh daemon is not visible to the user after execution:

    Code:
    #!/bin/sh
    
    while true; do
        sleep 60
    done

    As root, we can see three processes:

    ps ax | grep loop.sh

    22313 ? Ss 0:00 jailshell (user) [22320] ll -c /home/user/loop.sh
    22320 ? S 0:00 jailshell (user) [init] ell -c /home/user/loop.sh
    22321 ? S 0:00 /bin/sh /home/user/loop.sh

    As user:

    ps ax

    1 ? S 0:00 -jailshell
    40 ? R+ 0:00 ps ax


    Therefore, if a user runs daemons like ircd or icecast, it is not possible to use scripts which monitor a failed daemon or kill a hung one.
    Thank you in advance!
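
One way to get the monitoring asked for above without PID visibility, as an added example that is not part of any post in this thread: the cron-started loop publishes a heartbeat and polls for a stop request through files in the home directory. It assumes the home directory is the same in the cron jail and in the interactive jailshell session; the `~/.loopd` directory and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (constructed). Assumption: $HOME is the same directory in the
# cron jail and in the interactive jailshell session.
CTL_DIR="${CTL_DIR:-$HOME/.loopd}"   # hypothetical control directory
INTERVAL="${INTERVAL:-60}"           # seconds per iteration, as in loop.sh

# Seconds since the last heartbeat, or a huge value if none exists.
heartbeat_age() {
    last=$(cat "$CTL_DIR/heartbeat" 2>/dev/null || true)
    [ -n "$last" ] || { echo 999999; return 0; }
    echo $(( $(date +%s) - $last ))
}

# Prints "stopped", "running", or "hung" (lock held, heartbeat too old).
daemon_status() {
    if [ ! -d "$CTL_DIR/lock" ]; then echo stopped
    elif [ "$(heartbeat_age)" -gt $(( INTERVAL * 2 )) ]; then echo hung
    else echo running
    fi
}

# Cooperative stop: the loop exits at its next iteration, no signal needed.
request_stop() { mkdir -p "$CTL_DIR" && : > "$CTL_DIR/stop"; }

is_owner() { [ "$(cat "$CTL_DIR/lock/owner" 2>/dev/null)" = "$1" ]; }

# Cron entry point. Returns 2 if a live instance already holds the lock.
run_daemon() {
    mkdir -p "$CTL_DIR" || return 1
    # A dead or hung instance cannot be killed from here, so take over its
    # lock; if it ever wakes up it sees the new owner token and exits.
    [ "$(daemon_status)" = hung ] && rm -rf "$CTL_DIR/lock"
    mkdir "$CTL_DIR/lock" 2>/dev/null || return 2   # mkdir is atomic
    me="$(date +%s).$$"
    echo "$me" > "$CTL_DIR/lock/owner"
    rm -f "$CTL_DIR/stop"
    while [ ! -e "$CTL_DIR/stop" ] && is_owner "$me"; do
        date +%s > "$CTL_DIR/heartbeat"
        sleep "$INTERVAL"            # the real work would go here
    done
    if is_owner "$me"; then rm -rf "$CTL_DIR/lock" "$CTL_DIR/stop" "$CTL_DIR/heartbeat"; fi
}

case "${1:-}" in
    run) run_daemon ;; status) daemon_status ;; stop) request_stop ;;
esac
```

A loop that is truly hung never reads the stop file, so this detects the condition and lets the next cron run replace the instance; it does not terminate the stuck process.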
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  3. dev_ll

    Hi Michael!

    Yes, it does. For that reason we can't switch the account from a normal shell to a jailed one. :(

    Thank you!
     
  4. cPanelMichael

    Jailshell is a restricted environment by design. It's likely that full shell access is required for the account to run the specific type of application used by that account.

    Thank you.
     
  5. dev_ll

    Michael, maybe you are right.

    But I think a process executed by a cron job in a specific user's context should be accessible to that user. Moreover, the applications which we would like to run in the jailed shell are very simple; they are not required to access resources beyond the home directory. And even the simplest loop.sh (1st message) executed by a cron job can't be accessed by the user (check, kill ...).

    If jailshell supports the described tasks, the overall system security will be higher, as there will be no requirement to enable a normal shell.

    Thank you!
     
  6. dev_ll

    If the problem cannot be solved by changing the software configuration, what steps should I take to solve it in the near future (support ticket, feature request)? The support subscription is active.
     
  7. cPanelMichael

    The following document might be of help if it was a file the account needed to access under a jailed shell environment:

    How to Add Directories to Jailed Shell (VirtFS)

    However, this seems different than what you are describing. Feel free to open a support ticket so we can take a closer look and determine if the behavior you are reporting is by design. Post the ticket number here and we can update this thread with the outcome.

    Thank you.
     
  8. dev_ll

    Thank you, Michael. The support ticket number is 4915817.
     
  9. dev_ll

    Hello,

    As it turns out, the problem is due to Linux kernel limitations. Thanks for the assistance!
     
  10. cPanelMichael
