Plesk for Linux gives customers the ability to create scheduled tasks that run commands on the server. The shell being used determines which areas of the file system scheduled tasks have access to. By default, access is limited to the customer's webspace. However, Plesk administrator has the ability to change that.
Note: If you are not familiar with the concept of shells, we recommend learning more before changing the settings described in this topic.
The shell used for "Run a Command" scheduled tasks is tied to the subscription's system user (that is, all scheduled tasks created under a subscription share the same shell). By default, it matches the default shell configured in server settings and used for all subscriptions on the server. However, there are two exceptions to this rule:
In both cases, "Run a Command" scheduled tasks created under the subscription will use the custom shell instead of the default one.
By default, the "/bin/bash (chrooted)
" shell is configured as the default shell for scheduled tasks. This makes it so that commands run by scheduled tasks only have access to the files contained within the webspace associated with the subscription. This is an important security measure that ensures that customers cannot use scheduled tasks to disrupt the operation of the server or access files belonging to the Plesk administrator or to other customers.
Note: This setting affects all subscriptions on the server, including those owned by the Plesk administrator. It does not affect the scheduled tasks created by the Plesk administrator in Tools & Settings > Scheduled Tasks that are configured to run under the root
user.
The main reason you may want to change the default shell for scheduled tasks is to give everyone on the server the ability to run commands via scheduled tasks that have access to the whole file system of the server.
If you are not sharing the server with anyone, or if you trust the other tenants, you can select a non-chrooted shell for scheduled tasks. If you want to use a non-chrooted shell for scheduled tasks but are unsure which one to choose, select "/bin/bash
".
On a shared hosting server, we recommend leaving the default shell for scheduled tasks set to "/bin/bash (chrooted)
". If one of your customers requires a non-chrooted shell for his or her scheduled tasks, you can grant it on a subscription per subscription basis.
Caution: Granting a customer access to any other shell than "/bin/bash (chrooted)
" gives them the ability to execute binaries and access files and data that do not belong to them. This is a security risk and may lead to the server being compromised.
To set the shell that will be used to run all "Run a Command" scheduled tasks by default, go to Tools & Settings > Scheduled Tasks > Settings and select the desired shell from the menu.
Alternatively, you can log in to the server via ssh and run the following command:
plesk bin server_pref -u -crontab-secure-shell "<shell>"
Where <shell>
is the desired shell. For example:
plesk bin server_pref -u -crontab-secure-shell "/bin/bash"
If you believe one of your customers has created a scheduled task performing malicious activity on the server (for example, sending out spam), you can disable all "Run a command" scheduled tasks while you investigate.
Log in to the Plesk server via ssh and run the following command
plesk bin server_pref -u -crontab-secure-shell "/bin/false"
to set the default shell for scheduled tasks to "/bin/false
". This will make all "Run a command" scheduled tasks created by customers to fail.
Note: Customers that have the permission to select a different shell can override this for their subscriptions by selecting a different shell in Websites & Domains > Web Hosting Access.
To set a custom shell for an individual subscription, follow these steps:
All "Run a Command" scheduled tasks for this subscription will use the selected shell.
To allow a customer to set a custom shell for one of their subscriptions, follow these steps:
This will give the customer the ability to select a different shell in Websites & Domains > Web Hosting Access. If they do, all "Run a Command" scheduled tasks for their subscription will use the selected shell.
To find out what shell is used for the "Run a Command" scheduled tasks of a subscription, follow these steps:
crontab -u <system user name> -l | grep SHELL