Issue New added domains are with wrong permissions/group (psaserv (1002))

[jackoackely]

Hello!

I tested this only with subdomain, but I think same goes with regular domains. The behavior is annoying and I don't understand why this happens.
I will document each step and what happens.

1. I add new subdomain for domain.tld with document root is httpdocs/sub.domain.tld/public
2. After that domain get successfully added and everything works totally fine, I can open test page.
3. Now we gonna run "Diagnose and repair" and it will show that " There is incorrect ownership on some items in the WWW root directory of the domain 'maindomain.tld'.
4. Now let's run to understand better what is going on...

# plesk repair fs -verbose

I get next:

There is incorrect ownership on some items in the WWW root directory
of the domain 'maindomain.tld' ...................... [ERROR]
- Incorrect group of /var/www/vhosts/maindomain.tld/httpdocs/sub.domain.tld:
expected is psacln (1003), actual is psaserv (1002)

Now I press Y and fix the issue. It does repair successfully the problem, but then we have new problem.

5. Then I try to open sub.domain.tld I will get next Plesk error page "Server Error 403 Forbidden You do not have permission to access this document.
6. And then we gonna fix it with

# find /var/www/vhosts/maindomain.tld/httpdocs/sub.domain.tld/ -type d -exec chmod 755 {} \;

7. After that diagnose and repair shows no issue and everything is green and I am able to access sub.domain.tld without Server Error 403.

Doing this over and over is very time consuming and stupid. The only thing I found is [FIXED BUG] plesk repair fs utility doesn't set correct ownership if apache user is a file owner, but I am not sure if it will help here. Can someone point me in the right direction? How to fix this issue?

Some info:

maindomain.tld stands for main domain/hostname which is being used for Plesk Obsidian
sub.domaint.tld is a different and new subdomain for testing

OS: ‪CentOS Linux 7.8.2003 (Core)‬
Product: Plesk Obsidian 18.0.28 , last updated at June 24, 2020 10:05 AM

#Added also there is this one [FIXED BUG] Plesk repair fs detects wrong permissions if subdomain's DocumentRoot is inside domain's DocumentRoot, which states that this issue was fixed...

 

[Bitpalast]

I think the trick here is that you should never place a domain or subdomain in the path of another domain or subdomain. /httpdocs is the server's standard path to the subscription domain. It should only be used as the document root for the subscription domain. If you add additional domains or subdomains, these need to go into their own directories that descend from your subscription root directory. Else you'll have an incredibly complicated mix of psacln and psaserv permissions so that some transactions on domains or subdomains will almost certainly fail.

 

[jackoackely]

I think the trick here is that you should never place a domain or subdomain in the path of another domain or subdomain. /httpdocs is the server's standard path to the subscription domain. It should only be used as the document root for the subscription domain. If you add additional domains or subdomains, these need to go into their own directories that descend from your subscription root directory. Else you'll have an incredibly complicated mix of psacln and psaserv permissions so that some transactions on domains or subdomains will almost certainly fail.

Thanks for clarification! So, just to be sure that I understood correctly.

1. Subdomains should have default paths, for example /sub.domain.tld
2. Normal domains can remain in /httpdocs/domain.ltd path?

 

[Bitpalast]

- Subdomains should have default path like /sub.domain.tld
- Normal domains should also have default path like /domain.tld
The /httpdocs is just one default name for the main domain. It could also be anything else, but it is not recommended to place all domains and/or subdomains below that path. Technically it is much safer to have each domain in its own path. In that case you will see that the domain path always starts with a mode 0750 and a group <subscription owner> : psaserv

 

[Hex]

It's really confusing at the begging. once you understand how it works with Plesk, it's going to be more clear on how to organize your domains.

Interesting topic.

 

[jackoackely]

- Subdomains should have default path like /sub.domain.tld
- Normal domains should also have default path like /domain.tld
The /httpdocs is just one default name for the main domain. It could also be anything else, but it is not recommended to place all domains and/or subdomains below that path. Technically it is much safer to have each domain in its own path. In that case you will see that the domain path always starts with a mode 0750 and a group <subscription owner> : psaserv

Ok, I see! I am not sure why I went with /httpdocs since I started using Plesk... don't remember exactly what was the reason for that.

Do you think I should change document root path for them, or leave it as it is?
I have never done it and I am a little bit afraid that it may cause problems. Even thought it seems super simple.