
Plesk file manager can delete Files with root rights!

B4c4rd1

Regular Pleskian
TITLE:
Plesk file manager can delete Files with root rights!
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Plesk Onyx, Version 17.5.3 Update #30, Ubuntu 16.04.2 LTS, x64
PROBLEM DESCRIPTION:
The internal filemanager may seem to delete files created with the root owner. Theoretically, the user could delete all folders and all files with Plesk File Manager. Even if the file may only be read by root:

[Attached screenshot: upload_2017-12-15_11-54-35-png.13854]

This file can be deleted via the filemanager.
STEPS TO REPRODUCE:
Create a file over SSH as root and change the file rights to: 0400

This file can be deleted with the filemanager in the Plesk panel.
ACTUAL RESULT:
All files and folders can be deleted
EXPECTED RESULT:
It may be deleted only the files and folders that can describe the current user too.
ANY ADDITIONAL INFORMATION:
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 

This is not a bug, it's only the logic of Linux permissions. Plesk will never use root owner in a user directory.
 
Because you own the directory and have write permission for it, you can unlink any file from that directory (the unlink action is just modifying the directory, which you own / have write permission for), regardless of who the owner of the file is.
Note that unlinking a file is not the same as deletion: On Unix filesystems, the file itself will only be removed when all references to it - including file handles - are gone. This is different from Windows where you can't remove a file that is in use.
Example: upload a big backup file and immediately unlink it; the uploading will still proceed, and only after it has finished will you see the disk space being freed. This can be quite useful when you want to ensure no old backup files stay around even in case of errors.

In case of a folder: A directory can only be unlinked when it is empty, and as you don't have write permission for that directory because you don't own it, you cannot unlink its contents and make it empty.
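
The rule described in the replies above, as an added example that is not part of the original thread or of Plesk: it evaluates unlink permission from the parent directory's mode bits and lists files a given account does not own but could still remove. It assumes classic Unix mode bits only (no ACLs, capabilities or immutable flags); `may_unlink`, `foreign_deletable`, `demo` and the sample tree are illustrative names and constructed data.

```python
import os
import stat
import tempfile

def may_unlink(dir_st, file_st, uid, gids=()):
    """True if uid may remove file_st's entry from directory dir_st (mode bits only)."""
    if uid == 0:
        return True
    # Select the permission class that applies to uid on the *directory*.
    if uid == dir_st.st_uid:
        bits = dir_st.st_mode >> 6
    elif dir_st.st_gid in gids:
        bits = dir_st.st_mode >> 3
    else:
        bits = dir_st.st_mode
    if (bits & 0o3) != 0o3:  # need write (2) and search (1) on the directory
        return False
    if dir_st.st_mode & stat.S_ISVTX:  # sticky: must own the file or the directory
        return uid in (file_st.st_uid, dir_st.st_uid)
    return True  # the file's own owner and mode were never consulted

def foreign_deletable(top, uid, gids=()):
    """Files under top that uid does not own but could still unlink."""
    hits = []
    for dirpath, _dirs, files in os.walk(top):
        dir_st = os.stat(dirpath)
        for name in files:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_uid != uid and may_unlink(dir_st, os.lstat(path), uid, gids):
                hits.append(path)
    return sorted(hits)

def demo():
    """Constructed sample tree: a mode-0400 file inside a world-writable directory."""
    other = os.getuid() + 1  # hypothetical second account, not a real user
    with tempfile.TemporaryDirectory() as top:
        path = os.path.join(top, "secret.txt")
        with open(path, "w") as fh:
            fh.write("x")
        os.chmod(path, 0o400)
        os.chmod(top, 0o777)
        plain = [os.path.basename(p) for p in foreign_deletable(top, other)]
        os.chmod(top, 0o1777)  # sticky bit, as on /tmp
        sticky = foreign_deletable(top, other)
        os.chmod(top, 0o700)
        return plain, sticky

if __name__ == "__main__":
    print(demo())
```

Running `foreign_deletable` over a site's document root with the site user's uid shows which root-owned files depend on the directory, not their own mode, for protection against removal.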
 