some cPanel update added jailshell to my crontabs

[internetbug256]

Hi there.
This morning some crontab processes stopped working as expected.
After checking the basics, I surprisingly found that my crontab for user accounts was touched!
So above every uncommented line, I found this:

SHELL="/usr/local/cpanel/bin/jailshell"

So cPanel somehow "touched" my crontabs and decided that running on a full shell was unsafe??!!

Anyone knows how to make this TO NOT happen again? I mean, I don't want cPanel to touch my customized crontabs ever.

Thanks in advance

 

[cPanelMichael]

Hello,

It's actually by design that cron jobs run in the jailed environment. This is documented at:

VirtFS - Jailed Shell - Documentation - cPanel Documentation

Could you verify what in-particular stopped working with your cron jobs?

Thank you.

 

[internetbug256]

Well, this never happened before, and it has happened exactly with the last night cpanel update. I mean, that cpanel has added this extra sentences and actually modified my crontab for accounts.

This never happened before. Why?

Let me explain a little further what I am doing. I have a sort of engine that process files (and runs on one user account) that are used by other two user accounts. So the shared directory is actually shared by other two accounts.
Engine need R/W access to the directory, owned by one account, while the other account only has read access.

I miraculously managed to have this working for years, in spite of the cPanel effort to "jail" me (you can check my previous post symbolic links between cPanel accounts).

Unfortunately, cPanel keeps trying to think that the world of hosting can be managed in isolated jails without exceptions. That's not the case in the real world. Many times we developers need to create services to be shared by several accounts. In my case, this server runs accounts for a single company, so no worries about having symlinks between them.

Jail shell is something that is NOT in use on this dedicated server. SSH is used by a single user, root. Jailshell is actually disabled on ALL user accounts. How comes then that my user crontab is "jailed"?

Thanks for you time and patience.

 

[cPanelMichael]

Hello,

Could you verify which version of cPanel is installed on your system, and which version it was updated from? Cron Jobs have ran from the jailed environment since cPanel 11.38, unless the account is assigned full shell access.

Thank you.

 

[internetbug256]

• CENTOS 7.3 x86_64 lxc – host
• cPanel & WHM 64.0 (build 29)

I have all set to automated updates to release version.

My cronjobs run 24x7, so believe me that they have run "unjailed" until this very morning.

Question: if I set from WHM one user from "Disabled Shell" to "Jailed shell", does that instantly adds these sentences to crontab?

 

[cPanelMichael]

Question: if I set from WHM one user from "Disabled Shell" to "Jailed shell", does that instantly adds these sentences to crontab?

Hello,

If you switch the account to "Normal Shell" via "WHM >> Manage Shell Access", then the following line is added to the account's /var/spool/cron/$username file:

SHELL="/bin/bash"

Switching the account to "Disabled" or "Jailed Shell" will lead to the following entry in the account's /var/spool/cron/$username file:

SHELL="/usr/local/cpanel/bin/jailshell"

This is the intended behavior. Feel free to open a support ticket using the link in my signature so we can take a closer look and see what may have happened on system.

Thank you.

 

[internetbug256]

Thank you. That confirms why I found that line. It must have been me playing with shell options, trying to solve my other problem.
I won't touch that anymore!

 

[ladydi711]

Hello,

If you switch the account to "Normal Shell" via "WHM >> Manage Shell Access", then the following line is added to the account's /var/spool/cron/$username file:

SHELL="/bin/bash"

Switching the account to "Disabled" or "Jailed Shell" will lead to the following entry in the account's /var/spool/cron/$username file:

SHELL="/usr/local/cpanel/bin/jailshell"

This is the intended behavior. Feel free to open a support ticket using the link in my signature so we can take a closer look and see what may have happened on system.

Thank you.

I noticed this today as well; my un-jailed users that have custom cron files have the "SHELL="/bin/bash" line inserted before every entry. I have not yet determined if this is causing me any issue, but editing the cron file is quite cumbersome now with all the extra lines in what was once a nicely commented/formatted cron file.

Is there a proper cPanel preferred method for creating/maintaining the cron file now?

If new tasks are created via command prompt editor, will the SHELL line get added in?

Thanks in Advance!

 

[cPanelMichael]

Is there a proper cPanel preferred method for creating/maintaining the cron file now?

If new tasks are created via command prompt editor, will the SHELL line get added in?

Hello,

You'd generally setup the cron jobs for the account using the "Cron Jobs" option in cPanel. If you decide to setup the crontab file via the command line, you'd create the file at:

/var/spool/cron/$username

The file should have "root" ownership, and the permissions are 0600. The "SHELL=" line should appear above each specific cron job. If the account uses jailed shell, or has no shell access, you'd use this line:

SHELL="/usr/local/cpanel/bin/jailshell"

If the account is assigned normal shell access, you'd use this line before each cron job:

SHELL="/bin/bash"

EX:

# cat /var/spool/cron/$user
SHELL="/usr/local/cpanel/bin/jailshell"
0 0 * * * php -v

SHELL="/usr/local/cpanel/bin/jailshell"
0 * * * * php -m

Thank you.