
Plesk file manager can delete Files with root rights!

B4c4rd1

Regular Pleskian
TITLE:
Plesk file manager can delete Files with root rights!
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Plesk Onyx, Version 17.5.3 Update #30, Ubuntu 16.04.2 LTS, x64
PROBLEM DESCRIPTION:
The internal file manager seems able to delete files created with root as the owner. Theoretically, the user could delete all folders and all files with the Plesk File Manager, even if the file may only be read by root:

This file can be deleted via the file manager.
STEPS TO REPRODUCE:
Create a file over SSH as root and change the file rights to 0400.

This file can be deleted with the file manager in the Plesk panel.
ACTUAL RESULT:
All files and folders can be deleted.
EXPECTED RESULT:
Only the files and folders that the current user can describe too may be deleted.
ANY ADDITIONAL INFORMATION:
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 

This is not a bug, it's only logical Linux permissions. Plesk will never use root owner in a user directory.
 
Because you own the directory and have write permission for it, you can unlink any file from that directory (the unlink action is just modifying the directory, which you own / have write permission for), regardless of who the owner of the file is.
Note that unlinking a file is not the same as deletion: On Unix filesystems, the file itself will only be removed when all references to it - including file handles - are gone. This is different from Windows where you can't remove a file that is in use.
Example: upload a big backup file and immediately unlink it; the uploading will still proceed, and only after it has finished will you see the disk space being freed. This can be quite useful when you want to ensure no old backup files stay around even in case of errors.

In case of a folder: A directory can only be unlinked when it is empty, and as you don't have write permission for that directory because you don't own it, you cannot unlink its contents and make it empty.
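
The unlink behaviour described in the reply above, as an added example that is not part of the original thread. It assumes a Unix system; the temporary directory stands in for the user's own directory, the file names are constructed, and mode 0500 on `subdir` stands in for a directory the user has no write permission for. When run as root the directory permission checks are bypassed, which the `is_root` flag records.

```python
import os
import tempfile

def unlink_demo():
    """Show which permissions decide whether a name can be removed."""
    seen = {"is_root": os.geteuid() == 0}  # root bypasses the directory checks
    with tempfile.TemporaryDirectory() as docroot:  # stand-in for the user's own directory
        # Constructed stand-in for the file from the report: mode 0400, so
        # the file itself grants no write permission to anyone.
        target = os.path.join(docroot, "protected.txt")
        with open(target, "w") as f:
            f.write("secret")
        os.chmod(target, 0o400)
        reader = open(target)  # a reference that outlives the name

        # unlink() edits the directory entry; it needs write + search
        # permission on docroot and never consults the file's own mode.
        os.unlink(target)
        seen["name_gone"] = not os.path.exists(target)
        # The inode lives on until the last open handle is closed.
        seen["data_via_open_handle"] = reader.read()
        reader.close()

        # Directory case: a non-empty subdirectory we cannot write to
        # (mode 0500 stands in for "no write permission for that directory").
        sub = os.path.join(docroot, "subdir")
        inner = os.path.join(sub, "inner.txt")
        os.mkdir(sub)
        open(inner, "w").close()
        os.chmod(sub, 0o500)
        try:
            os.unlink(inner)  # denied for a non-root user: sub is not writable
            seen["inner_removed"] = True
        except PermissionError:
            seen["inner_removed"] = False
        try:
            os.rmdir(sub)  # fails with ENOTEMPTY while inner.txt exists
            seen["subdir_removed"] = True
        except OSError:
            seen["subdir_removed"] = False
        if os.path.isdir(sub):
            os.chmod(sub, 0o700)  # restore so the temp dir can be cleaned up
    return seen

if __name__ == "__main__":
    for key, value in unlink_demo().items():
        print(f"{key}: {value}")
```
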
 