MySQL Cron Jobs

Discussion in 'General' started by madara, Dec 18, 2019.

  1. madara

    madara New Member

    Hello, I have browsed several topics about Cron Jobs that do not, or do not fully, answer my problem:
    I cannot launch a command created from ISPConfig.

    ISPConfig Version: 3.1dev
    Ubuntu 18.04.3 LTS

    cat /etc/cron.d/ispc_chrooted_web9
    Code:
    0    1    *    *    *    web9    /usr/bin/mysql -uXXXXX -pXXXXX -DXXXXX -e'TRUNCATE TABLE XXXXX' >>/private/cron.log 2>>/private/cron_error.log #XXXXX.XX
    tail -f /var/log/ispconfig/cron.log (before saving the cron from UI)
    Code:
    ...
    Wed Dec 18 15:41:01 UTC 2019 ERROR: /usr/bin/nano does not exist
    Wed Dec 18 15:41:01 UTC 2019
    Wed Dec 18 15:41:02 UTC 2019 usermod: user web9 is currently used by process 6357
    Wed Dec 18 15:41:02 UTC 2019 failed to execute usermod -d /var/www/clients/client9/web9/. -s /usr/sbin/jk_chrootsh web9
    Wed Dec 18 15:41:02 UTC 2019 failed to modify user web9
    ...
    
    "ERROR: /usr/bin/nano does not exist": nano is well installed, and that's not the subject.

    If I launch the command from the ssh user "web9" with his login and password created from the interface, I can execute the command without problem:
    Code:
    /usr/bin/mysql -uXXXXX -pXXXXX -DXXXXX -e'TRUNCATE TABLE XXXXX'
    Thank you for taking the time to read me,

    I have used ISPConfig for many years and, to thank you for the work you provide daily, I modestly bought the documentation (invoice RE20180888).
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    A chrooted cronjob will run within the jailkit environment, and the other logs you posted sound like the setup for that may have failed. (Also, you will have to install the mysql client in that jailkit, I don't think that's done by default.) What does the web9 entry in /etc/passwd look like? When you login as web9 user, are you in the jailkit (very limited environment), or are you accessing the full system (ie. is the jailkit setup working, or failed)?
     
  3. madara

    madara New Member

    Thank you for your prompt response.
    In the ISPConfig interface, I have not defined a "Chroot Shell" user; should I do it?
    grep web9 /etc/passwd
    Code:
    web9:x:1010:1011::/var/www/clients/client9/web9:/bin/false
    XXXXXXX:x:1010:1011::/var/www/clients/client9/web9/home/XXXXXXX:/bin/bash
    
    There is one thing that I do not understand about "Chroot Shell JailKit": I do not have access to the web folder "/var/www/clients/client9/web9", so I don't really understand why it's done.
     
    Last edited: Dec 18, 2019
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    So when you ssh to your server, you are logged in to the full system. Chroot (configured/managed by jailkit in ISPConfig) is a very good measure to increase the security of your system against things your shell users can do, so, "yes, you should" - however you do have to install/set up jailkit to use it, so don't just arbitrarily set that if you haven't set it up yet.

    Note also that you might trust all the people who are intended to log in as those shell users, but consider that shell accounts are at times compromised (eg. password reuse/theft/guessing), and allowing arbitrary Cron commands (which would be required if jailkit is not set up) could (normally does) extend that trust to very untrustworthy folks, whoever actually would access the shell login or take control over a client's browser (in order to create a cron job). So yes, you want to get a working jailkit setup. :)

    A quick fix for your case would be to run the mysql command from a php script (using MySQLi) under the website, then create a URL Cron to run it. (In fact I only allow URL Crons to run on the servers I maintain .. at least currently, as there hasn't been a use case which required otherwise.)
     
    Last edited: Dec 18, 2019
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    One quick question, have you installed and configured jailkit? Ie. if you create a Jailkit chroot user, can you log in and access a pretty restricted system? If so, I would consider it a bug in ISPConfig that creating a chroot cron job does not initialize the chroot environment, even without a jailkit chroot user having been created. But the workaround would be to simply create such a user, to trigger the jailkit setup, then delete it afterwards. And you'd need to proceed with setting up mysql within that jail (binary, libraries, maybe config file(s)).
     
  6. madara

    madara New Member

    Thank you for these details. To date, I am the only one to access my server (for these security reasons). I create SSH users to clone Git repositories and install dependencies with composer, for example.

    To correct my CronJob, if I switch my user "web9" to Chroot Shell JailKit and, after that, JailKit can use mysql, is it OK?

    If I understand correctly, I can extend JailKit globally for all users, so that Chroot Shell can use git / mysql / composer / ...?
    Do you have documentation on this subject adapted to ISPConfig, so that I can secure my SSH users?
     
  7. madara

    madara New Member

    Yes, I have configured JailKit (by default), so that if my users are defined as "Chroot Shell" I can agree to it, but I can do nothing, just wander around "home" and "web", and these directories are empty.
     
  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If you create a jailkit shell user which logs in and has mysql setup, then yes, I would expect the cronjob to work as well.

    As for web9 specifically, I don't know just how to change the current web9 user to work correctly offhand. Try adding a new shell user which is set to use jailkit and make sure that user works. If so, I'd try resyncing shell accounts from Tools > Resync, and see if it fixes things for 'web9' as well. If not, something like
    Code:
    usermod -d /var/www/clients/client9/web9/./home/web9 -s /usr/sbin/jk_chrootsh web9
    might be all that's needed. (I don't know if there's anything saved in the database which should be updated or not - you could create a new website / jailkit user that works correctly and compare the db entries for the two.)

    Yes, you can configure what gets added to a jail by default, under System > Server Config > {server} > Jailkit. You can specify apps or jk_init.ini sections. That does not add them to existing jails, you would have to do that manually or maybe find the jk_updater_ispc script and run with -reinit.

    The installation guide gets jailkit installed, but doesn't address any OS-specific changes to jk_init.ini, iirc. Debian (and I suspect Ubuntu) work pretty well with the jk_init.ini that is distributed, though I've found a few minor adjustments needed. It will probably be missing some things entirely, eg. mysql. I think there was a git section in the most recent jk_init.ini I was working on (~2 weeks ago). I have no idea about composer, maybe search and see if you can find an example, else you might have to work it out with trial & error.

    Note also that jails are not updated currently (though iirc, that was going to be added, maybe in 3.2?), so you should use something like https://git.ispconfig.org/ispconfig/ispconfig3/issues/2140
     
    Last edited: Dec 18, 2019
  9. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I just tested here and it functions correctly in this regard. On a site with no shell users and no chroot setup (I verified as a first step), I added a chroot cron job and it did setup the chroot environment. My guess is your cronjob isn't working simply because you don't have /usr/bin/mysql in your chroot.

    BTW, this same procedure did change my web# user so that I presume ssh would work:
    Code:
    # grep web26 /etc/passwd
    web26:x:10026:10026::/var/www/clients/client17/web26/./home/web26:/usr/sbin/jk_chrootsh
    
    # cat /var/www/clients/client17/web26/etc/passwd
    root:x:0:0:root:/root:/bin/bash
    web26:x:10026:10026::/home/web26:/bin/bash
    
    So I expect that should fix your web9 user, too. Eg. delete your cronjob and add it again, then verify the passwd entries both within the chroot and in the full system.
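
The verification suggested above (passwd entries on the full system and inside the chroot, plus whether the binary and its libraries are in the jail), as an added example that is not part of the original post or ISPConfig's code. The function names and the script name are hypothetical; it assumes jailkit's `/./` home-directory marker and the `jk_chrootsh` shell as shown in the passwd output above, and relies on `ldd` on the host to list the libraries the binary needs.

```shell
#!/bin/sh
# Added example (not from the thread): check that a chrooted cron job's user
# and binary are really set up inside the jailkit jail.

# Print USER's jail root from a passwd file; fail unless the home directory
# carries jailkit's "/./" marker and the shell is jk_chrootsh.
jail_root() {            # jail_root USER [PASSWD_FILE]
    awk -F: -v u="$1" '
        $1 == u { i = index($6, "/./")
                  if (i && $7 ~ /\/jk_chrootsh$/) { print substr($6, 1, i - 1); ok = 1 }
                  exit }
        END { exit !ok }' "${2:-/etc/passwd}"
}

# Succeed if USER has an entry in the jail's own etc/passwd.
in_jail_passwd() {       # in_jail_passwd USER JAIL_ROOT
    grep -q "^$1:" "$2/etc/passwd" 2>/dev/null
}

# Print every shared library the host copy of BIN needs that is absent
# from the jail (empty output means none missing). Requires ldd on the host.
missing_libs() {         # missing_libs JAIL_ROOT BIN
    ldd "$2" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do [ -e "$1$lib" ] || echo "$lib"; done
}

# Run all checks for one cron command; print findings, return 1 on any failure.
check_cron_jail() {      # check_cron_jail USER BIN [PASSWD_FILE]
    root=$(jail_root "$1" "${3:-/etc/passwd}") ||
        { echo "FAIL: $1 is not a jailkit account"; return 1; }
    rc=0
    in_jail_passwd "$1" "$root" || { echo "FAIL: $1 not in $root/etc/passwd"; rc=1; }
    if [ -x "$root$2" ]; then
        for lib in $(missing_libs "$root" "$2"); do
            echo "FAIL: $lib missing from jail"; rc=1
        done
    else
        echo "FAIL: $2 not present in $root"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 jailed in $root, $2 available"
    return "$rc"
}

# Usage (as root on the full system): sh check_jail.sh web9 /usr/bin/mysql
if [ "$#" -ge 2 ]; then check_cron_jail "$@"; fi
```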
     
  10. madara

    madara New Member

    A big thank you again for the time you spend answering my questions.
    I went to look at my configuration file /etc/jailkit/jk_init.ini
    Code:
    ....
    [php]
    comment = the php interpreter and libraries
    executables = /usr/bin/php
    directories = /usr/lib/php, /usr/share/php, /usr/share/php, /etc/php, /usr/share/php-geshi, /usr/share/zoneinfo
    includesections = env
    
    [composer]
    executables = /usr/local/bin/composer
    
    [env]
    comment = environment variables
    executables = /usr/bin/env
    
    
    - To test, I added instructions to allow my "future" JailKit users to benefit from "composer", "env", "php"
    - Then from ISPConfig, I went to "System > Server Config > {server} > Jailkit" to add "composer", "php" ... to the line "Jailkit chroot app sections"
    - After that, I edited my ssh web9 user to remove the "Chroot Shell", then after the job completed, I reactivated "Chroot Shell" (I think it's magic lol)
    - And to make sure I did the job right, I ran your script found here: https://git.ispconfig.org/ispconfig/ispconfig3/issues/2140

    But nothing to do, my Cron Job still does not work.
    On the other hand, I have a new command available, "php", but "git" no longer is, and "composer" is still not available.

    grep web9 /etc/passwd
    Code:
    web9:x:1010:1011::/var/www/clients/client9/web9/./home/web9:/usr/sbin/jk_chrootsh
    XXXXXXXX:1010:1011::/var/www/clients/client9/web9/./home/XXXXXXXX:/usr/sbin/jk_chrootsh
    
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Did you run with -reinit?

    Because you did not add mysql to the jail?

    Did you add git to the jail? Previously you were not logging in under jailkit, so you would have been using git from the system /usr/bin/git.

    As for composer, did /usr/local/bin/composer get copied to the jail? Is /usr/local/bin/ in your PATH?
     
  12. clixclix

    clixclix ISPConfig Developer ISPConfig Developer

    I had an identical problem.
    In order to solve the problem, I had to create a chrooted shell user related to the website.
     
