Plesk file manager can delete Files with root rights!

B4c4rd1

Regular Pleskian
TITLE:
Plesk file manager can delete Files with root rights!
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Plesk Onyx, Version 17.5.3 Update #30, Ubuntu 16.04.2 LTS, x64
PROBLEM DESCRIPTION:
The internal file manager appears to be able to delete files created with root as the owner. Theoretically, the user could delete all folders and all files with the Plesk File Manager, even if the file may only be read by root:

[Screenshot: upload_2017-12-15_11-54-35.png]

This file can be deleted via the file manager.
STEPS TO REPRODUCE:
Create a file over SSH as root and change the file permissions to 0400.

This file can be deleted with the file manager in the Plesk panel.
ACTUAL RESULT:
All files and folders can be deleted
EXPECTED RESULT:
Only the files and folders that the current user can also write to may be deleted.
ANY ADDITIONAL INFORMATION:
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 
This is not a bug, it's just the logic of Linux permissions. Plesk will never use root as owner in a user directory.
 
Because you own the directory and have write permission for it, you can unlink any file from that directory (the unlink action is just modifying the directory, which you own / have write permission for), regardless of who the owner of the file is.
Note that unlinking a file is not the same as deletion: On unix filesystems, the file itself will only be removed when all references to it - including file handles - are gone. This is different from Windows where you can't remove a file that is in use.
Example: upload a big backup file and immediately unlink it; the upload will still proceed, and only after it has finished will you see the disk space being freed. This can be quite useful when you want to ensure no old backup files stay around even in case of errors.

In case of a folder: A directory can only be unlinked when it is empty, and as you don't have write permission for that directory because you don't own it, you cannot unlink its contents and make it empty.
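The three behaviours described in the replies above can be reproduced without root on a POSIX system. This is an added example, not part of the original thread. The file name and payload are constructed, and because changing a file's owner requires root, it uses a file owned by the current user with mode 0400 inside a directory that user owns.

```python
import errno
import os
import tempfile


def unlink_semantics_demo():
    """Run the cases from the thread inside a directory we own."""
    out = {}
    with tempfile.TemporaryDirectory() as d:  # we own d and may write to it
        path = os.path.join(d, "secret.txt")  # constructed sample file
        with open(path, "w") as f:
            f.write("payload")
        os.chmod(path, 0o400)  # read-only mode, as in the report

        handle = open(path)  # stands in for a process still using the file
        os.unlink(path)      # permitted: this only edits the directory d
        out["name_gone"] = not os.path.exists(path)
        out["links_left"] = os.fstat(handle.fileno()).st_nlink
        out["data_via_handle"] = handle.read()  # data lives until close
        handle.close()

        # A directory must be empty before it can be removed.
        sub = os.path.join(d, "sub")
        os.mkdir(sub)
        with open(os.path.join(sub, "inner"), "w"):
            pass
        try:
            os.rmdir(sub)
            out["rmdir_error"] = None
        except OSError as e:
            out["rmdir_error"] = errno.errorcode[e.errno]
        out["sub_still_there"] = os.path.isdir(sub)
    return out


if __name__ == "__main__":
    for key, value in unlink_semantics_demo().items():
        print(f"{key}: {value}")
```

The file's own mode is never consulted for the unlink; making a file undeletable by a site user means placing it in a directory that user cannot write to.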
 