
STOP Plesk resetting file permissions !!

AndreasY

Basic Pleskian
Hi,

how can we stop Plesk resetting the file permissions on a dll file that is found in

C:\Program Files (x86)\

??

Specifically,

we have a file, jmail.dll,

here

C:\Program Files (x86)\Dimac\w3JMail

By default Plesk permissions are set to DENY for PSACLN.

But the JMail plugin cannot work with these permissions !

We change this to be ALLOW for READ & EXECUTE and DENY for WRITE.

And everything works fine.

But every time Plesk does an update it reverts it back !

This means that a number of our customers' contact forms stop working !

How can we stop this, or is there some workaround ?!

Thanks
 
Hey,

Have you tried applying permissions on the parent folder? Normally subfolders take the permissions of their parent folders. You can check the permissions of that folder.
 
Hey,

Have you tried applying permissions on the parent folder? Normally subfolders take the permissions of their parent folders. You can check the permissions of that folder.
Hi, thanks for your comment, I have put this in place just waiting for the next automatic update to take place, then will check if the permissions 'stuck'.

:)
 
Hey,

Seems that the issue is resolved.:)
Nope, not for me anyhow,

the automated update for 12.0.18 #32

Reset the permissions.

I had applied the permissions to the folder

C:\Program Files (x86)\Dimac\w3JMail

Now I will try on the folder

C:\Program Files (x86)\Dimac\

Wish a Plesk representative would chime in and clear this mess up!

They SHOULD know !
 
Hi,

(For the less informed who stumble upon this via Google, replace mentions of PATH_TO_PLESK with the actual path to Plesk on your system)

You need to be looking in the direction of PATH_TO_PLESK\plesk\admin\bin\ApplySecurity.exe

Every time Plesk installs an update, users psaadm and psacln are either deleted and recreated or their custom permissions are wiped clean.

These users (or at least psacln in some cases) need to be applied to certain directories or .dll's depending on the configuration of your server but because of the update process you need to inform Plesk which directories these users should be applied to and what permissions they require. Plesk will then refer to these instructions upon update.

For example, one of our servers has the following configuration:
  • MS IIS SMTP / Used by CDO for sending form submissions by email using ASP
  • Persits AspJpeg / Image manipulation by ASP scripts
  • Persits AspPDF / PDF manipulation by ASP scripts
  • Persits AspUpload / Uploads via ASP scripts
These need specific permissions to be able to perform correctly when invoked by scripts.

Plesk stores these instructions in the following directory: PATH_TO_PLESK\plesk\etc\DiskSecurity (DO NOT ALTER DISKSECURITY.XML)

ApplySecurity.exe will take those instructions and apply them to the correct directories/files.

I'm going to use our files as an example...

For MS IIS SMTP I have a file that I created called mailroot-pickup.xml (again do not alter DiskSecurity.xml, create your own file) located in PATH_TO_PLESK\plesk\etc\DiskSecurity (full path = PATH_TO_PLESK\plesk\etc\DiskSecurity\mailroot-pickup.xml) with the following contents

Code:
<?xml version="1.0" encoding="utf-8" ?>
<Entries>
    <Entry AccounType="1" Account="Psacln" Path="C:\inetpub\mailroot\Pickup" SubPath="" AceFlags="ThisFolderSubfoldersAndFiles" AccessMask="ReadWrite" EntryFlags="0" />

</Entries>

This tells Plesk to apply Read & Write permissions for the user Psacln to the directory, sub directory and files of C:\inetpub\mailroot\Pickup

The above enables ASP to create a CDO message and place it in the Pickup directory where it will await processing by IIS SMTP.

Similarly with Persits AspJpeg/AspPDF/AspUpload I did the following

Created a file called persists-software.xml (again do not alter DiskSecurity.xml, create your own file) in PATH_TO_PLESK\plesk\etc\DiskSecurity (full path = PATH_TO_PLESK\plesk\etc\DiskSecurity\persists-software.xml) with the following contents

Code:
<?xml version="1.0" encoding="utf-8" ?>
<Entries>
    <Entry AccounType="1" Account="Psacln" Path="C:\Program Files (x86)\Persits Software\AspUpload\Bin" SubPath="" AceFlags="ThisFolderAndFiles" AccessMask="FullAccess" EntryFlags="0" />
    <Entry AccounType="1" Account="Psaadm" Path="C:\Program Files (x86)\Persits Software\AspUpload\Bin" SubPath="" AceFlags="ThisFolderAndFiles" AccessMask="FullAccess" EntryFlags="0" />
    <Entry AccounType="1" Account="Psacln" Path="C:\Program Files (x86)\Persits Software\AspJpeg\Bin" SubPath="" AceFlags="ThisFolderAndFiles" AccessMask="FullAccess" EntryFlags="0" />
    <Entry AccounType="1" Account="Psaadm" Path="C:\Program Files (x86)\Persits Software\AspJpeg\Bin" SubPath="" AceFlags="ThisFolderAndFiles" AccessMask="FullAccess" EntryFlags="0" />
    <Entry AccounType="1" Account="Psacln" Path="C:\Program Files (x86)\Persits Software\AspPDF\Bin" SubPath="" AceFlags="ThisFolderAndFiles" AccessMask="FullAccess" EntryFlags="0" />
    <Entry AccounType="1" Account="Psaadm" Path="C:\Program Files (x86)\Persits Software\AspPDF\Bin" SubPath="" AceFlags="ThisFolderAndFiles" AccessMask="FullAccess" EntryFlags="0" />
</Entries>

(Psacln may have been enough in this case but I wasn't taking chances and added Psaadm also.)

This tells Plesk to apply Full Permissions for the users Psacln & Psaadm to the directory and files (.dll) contained inside

Doing this alone is not enough, we need to tell Plesk to action these new instructions for the first time (it's done automatically after this point in the future).

Using Command Prompt navigate to the location of ApplySecurity.exe (PATH_TO_PLESK\plesk\admin\bin\)

Once inside the directory enter the following command

Code:
ApplySecurity.exe --apply-to-directory --directory="PATH_TO_THE_DIRECTORY"

Replacing PATH_TO_THE_DIRECTORY with an example from my mailroot\pickup scenario would be entered like this

Code:
ApplySecurity.exe --apply-to-directory --directory="C:\inetpub\mailroot\Pickup"

Do the above for each directory that you have listed in your xml files.

Alternatively, if you have a lot of time to spare, you can force Plesk to process all instructions contained in the xml files by typing the following

Code:
ApplySecurity.exe --apply

Be warned, the above line can be a lengthy process!

More information on Disc Security Customisations can be read here
http://download1.parallels.com/Ples...nistration-guide/index.htm?fileName=49493.htm

More information on ApplySecurity.exe command line instructions can be read here
http://download1.parallels.com/Ples...ne/plesk-win-cli/index.htm?fileName=45411.htm
 
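An added example, not part of the post above and not Plesk's own tooling: a PowerShell script that reads custom entry files in the format shown, marks entries that grant write access on Program Files directories for review, and prints the per-directory ApplySecurity.exe commands. The sample XML is constructed from the entries quoted in the thread; the function name `Get-DiskSecurityReview` and the review rule are assumptions of this example.

```powershell
# Constructed sample: entries copied from the XML files quoted in this thread.
# On a server, read your own files from PATH_TO_PLESK\plesk\etc\DiskSecurity instead.
$sampleXml = @'
<?xml version="1.0" encoding="utf-8" ?>
<Entries>
    <Entry AccounType="1" Account="Psacln" Path="C:\inetpub\mailroot\Pickup" SubPath="" AceFlags="ThisFolderSubfoldersAndFiles" AccessMask="ReadWrite" EntryFlags="0" />
    <Entry AccounType="1" Account="Psacln" Path="C:\Program Files (x86)\Persits Software\AspUpload\Bin" SubPath="" AceFlags="ThisFolderAndFiles" AccessMask="FullAccess" EntryFlags="0" />
    <Entry AccounType="1" Account="Psaadm" Path="C:\Program Files (x86)\Persits Software\AspUpload\Bin" SubPath="" AceFlags="ThisFolderAndFiles" AccessMask="FullAccess" EntryFlags="0" />
</Entries>
'@

# AccessMask values used in this thread that allow the account to modify files.
$WritableMasks = @('FullAccess', 'ReadWrite')

# Hypothetical helper (not a Plesk cmdlet): one object per <Entry> element.
function Get-DiskSecurityReview {
    param([Parameter(Mandatory)][string]$XmlText)

    $doc = [xml]$XmlText
    foreach ($entry in $doc.SelectNodes('/Entries/Entry')) {
        $path = $entry.GetAttribute('Path')
        $mask = $entry.GetAttribute('AccessMask')
        # Write access on a directory of loaded DLLs lets code running as that
        # account replace them, so mark those entries for review.
        $isBinDir = $path -match '^[A-Za-z]:\\Program Files'
        [pscustomobject]@{
            Account    = $entry.GetAttribute('Account')
            Path       = $path
            AceFlags   = $entry.GetAttribute('AceFlags')
            AccessMask = $mask
            Review     = ($isBinDir -and ($WritableMasks -contains $mask))
        }
    }
}

$entries = Get-DiskSecurityReview -XmlText $sampleXml
$entries | Format-Table Account, AccessMask, Review, Path -AutoSize

# One ApplySecurity call per distinct directory, as described in the post above.
# Placeholder paths such as [HTTPD_VHOSTS_D] are skipped: they are not literal paths.
$entries.Path | Sort-Object -Unique | Where-Object { -not $_.StartsWith('[') } | ForEach-Object {
    'ApplySecurity.exe --apply-to-directory --directory="{0}"' -f $_
}
```

The script only prints the commands; run them from PATH_TO_PLESK\plesk\admin\bin\ once the flagged entries have been checked.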
Half the time Plesk updates I get permissions issues and inconsistencies across all our subscriptions - very annoying.
 
Hi,

(For the less informed who stumble upon this via Google, replace mentions of PATH_TO_PLESK with the actual path to Plesk on your system)
snip......
Thanks ever so much Pete,

I will be giving this a try soon and will report back.

The response you have given is the sort of response I would have expected a Plesk representative to give, but of course they are more interested in us purchasing a ticket to get an answer !

-- EDIT --

OK put that in place and works as you have stated, just waiting for an update.

Had a look at the .XML file and in the Plesk admin guide but could not see how this can be applied to

1/ A file
2/ How to add deny permissions along with allow permissions

If you or someone knows would be great to hear from you !

Thank you
 
Hello,

How can I ignore the changes of directory owner, after applying next command:

Code:
ApplySecurity.exe --apply

all files and folders defined owner from parent folder, so it's not good?
 
Pete, you rock!

That bothered me for years, and not even once did I think about the existence of such a feature :D
Thanks for the detailed instructions!!!
 
Had a look at the .XML file and in the Plesk admin guide but could not see how this can be applied to

1/ A file
2/ How to add deny permissions along with allow permissions

Hi Andreasy,

I've not tested this so it's theory based on the documentation, spend a little time getting to know the manual it's quite comprehensive.

This page references General Security Metadata Structure and explains the attributes. http://download1.parallels.com/Ples...nistration-guide/index.htm?fileName=49506.htm

Scenario 1:
Code:
<Entry AccounType="1" Account="Psacln" Path="C:\Program Files (x86)\Persits Software\AspUpload\Bin\aspupload.dll" SubPath="" AceFlags="ThisObjectOnly" AccessMask="FullAccess" EntryFlags="0" />

Path contains the full path including file
AceFlags contains ThisObjectOnly

Scenario 2:
Code:
<Entry AccounType="1" Account="Psacln" Path="C:\Program Files (x86)\Persits Software\AspUpload\Bin\aspupload.dll" SubPath="" AceFlags="ThisObjectOnly" AccessMask="NoAccess" EntryFlags="0" />

Path contains the full path including file
AccessMask contains NoAccess

More can be read on AceFlags here http://download1.parallels.com/Ples...nistration-guide/index.htm?fileName=49507.htm
More can be read on AccessMask here http://download1.parallels.com/Ples...nistration-guide/index.htm?fileName=49508.htm
 
We have lived with plesk v10 for many years without permission resetting issues. However, we've just upgraded to v12.0.18 and discovered the delights of plesk randomly resetting our custom folder permissions on a daily basis.

We just don't understand why the permissions set via GUI are being dropped. What's the point of having the facility to set permissions if they are subsequently ignored without any warning or notification. Sorry rant over!

So we discovered this thread and read much of the plesk KB articles which has helped and confused the situation but understand that we need to create XML config files and deploy them using CLI.

Taking the example of an ftp account "testftpuser" that required full access to folder "d:\plesk\vhosts\testdomain.com\private\logs" then would the xml look like this?

Code:
<?xml version="1.0" encoding="utf-8" ?>
<Entries>
<Entry AccounType="1" Account="testftpuser" Path="[HTTPD_VHOSTS_D]" SubPath="testdomain.com\private\logs" AceFlags="ThisFolderAndFiles" AccessMask="FullAccess" EntryFlags="0" Tag="DomainUser" Tag2="" />
</Entries>

My next question is what is the difference between ApplySecurity.exe and HostingSecurity.exe?

If we save the above XML to a file, say D:\Plesk\VHOSTS\testdomain.com\testsecurity.v1.xml and then should we run this CLI code?

Code:
HostingSecurity.exe --create-webuser-security --vhost-name=testdomain.com --file-name="D:\Plesk\VHOSTS\testdomain.com\testsecurity.v1.xml" --web-user=testftpuser
 
I was linked to this post recently. For the benefit of anyone else who stumbles on this, there is an alternative workaround, which could also be used in conjunction with the method Pete described.

How we have handled this since Plesk 7 is to install all third party modules to a custom location such as c:\ThirdParty or ThirdParty\Subdirectory, instead of the default location.
Then go into the advanced NTFS permissions for c:\ThirdParty and set them to no longer be inherited, with the existing entries copied.
Then remove the psa_cln and psa_adm group deny permissions.

When Plesk next goes through and applies security permissions to the entire disk for security hardening after an update, that directory should not be affected, but if it is just remove the psa_cln and psa_adm group deny permissions again.
 
How we have handled this since Plesk 7 is to install all third party modules to a custom location such as c:\ThirdParty or ThirdParty\Subdirectory, instead of the default location.
Then go into the advanced NTFS permissions for c:\ThirdParty and set them to no longer be inherited, with the existing entries copied.
Then remove the psa_cln and psa_adm group deny permissions..

That's one way to do it but I wouldn't personally use it. The whole point of the security permissions update is to remove old permissions that may be a security risk and replace them with a best known config. Then if you've instructed Plesk to give special permissions to user accounts it will do that also. However by disinheriting permissions and removing plesk system accounts from your third party folder you're actually saying I don't want any security updates to these modules, ever, and I want any existing security flaws if any to remain. Depending on what you have in your modules folder it might not be that much of a big deal but I know I sleep better at night doing it the proper way.
 
Hmmm that's an interesting stretch, not even sure where to begin, believe we will have to disagree.
Good luck sleeping better with your FullAccess permissions on DLLs.
 
Security risks are a thing, I won't say any more as it should be clear to anyone with a good understanding of NTFS permissions and how IIS functions.

To clarify some more for others, the less you can do outside of Plesk, the better.
Using the method to have Plesk reinstate permissions is a great idea and likely best, as long as this is done correctly and also recorded somewhere as a customisation from base Plesk operation.

The best solution would be to script the removal of the applied group deny permissions using this method, really only the "psacln" group should matter, thus leaving the allow permissions required for function as it would on a vanilla Windows server.
That does mean tracking down all the paths for this, as well as correctly setting the ACLs.

Using a separate directory for third party modules is perhaps just an easier suggestion to keep track of for some that may end up in this thread.
 
I'm having a hell of a time getting my Persits AspJpeg to work and my new hosting company's technical support is extremely frustrating to deal with... put in a request and wait 3+ days for them to get back with you saying it's fixed when it's not.

I'm going to try a few of the things mentioned here to see if I can force it.
 