• The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Plesk Security Model Questions

E

eric1234

Guest
I'm trying to understand Plesk's security model. I just recently got a server setup with plesk on it and I want to make sure I understand how things are setup.

From what I have read CGI applications execute via suexec so the script is executed according to the owner of the script. So if I setup a domain with the user "bob" owning the files then the script should execute as "bob" right?

Now what about PHP. I have a PHP application (pLog) that is on one of my domains. It caches processed template files in a temp directory. I have noticed that those files are created with "www-data" as the owner. Shouldn't "bob" be the owner? Or are PHP scripts not executed as a CGI under suexec? If PHP scripts are executed as "www-data" how do I get around safe mode restrictions. The script is owned by "bob" so if it tries to read these cached files then it gets a safe mode restriction. I don't want to turn off safe mode but I think a script should be able to write a file and then read that file. What is the proper Plesk way to get around this problem. Right now the only option seems to be to chown all the script files to www-data but then the user can't edit those file.

Also what about mod_perl and mod_python? I noticed those options and I was wondering about that. From my understanding mod_perl runs a single interpreter under the Apache process. So would all domains that were using mod_perl be running under the same process? Wouldn't this lead to security concerns. Or does Plesk somehow run a seperate interpreter for each domain?

Just trying to make sure I understand how plesk works so that I can ensure I am setting things up properly.
 
PHP is a scripting language processed by apache itself. Therefor temp files are created by apache and not by the user. chowning is as far as i know the only solution for this. But ofcourse, i'm not the only guy on the board :)
 
You are correct about how CGI applicatons run.

PHP applications are not run as the user, this can be accomplished using suPHP but Plesk does not use this by default, you probably can get it to with some manual configuration.

If you use Apache 2 in the same mode Apache 1 worked, multiprocess then the problems you described about mod_perl, mod_python and the 3rd party PHP library threadings should all be fine.
 
This has been an ongoing issue for a long time. When I ran version 6 of plesk this was not an issue. Version 7 on (about a year now) have had this issue.

Please Plesk folks make php be suPHP by default. This issue is a constant annoyance because only administrators can change ownership from apache to the rightful owners. Every update I hope for this change.. but it never comes. Files in a users web directory should never be owned by apache since they cannot modify those items via ftp.

This worked perfectly before, why was it broken in 7/7.x reloaded?
JD
 
You must log in or register to reply here.

Similar threads

Y
Question Prioritise resources to one subscription
Replies
0
Views
1K
yashc
Y
J.Wick
Issue Multiple Vulnerabilities in PHP 5 thru 8.3.7 Could Allow for Remote Code Execution - PATCH NOW
Replies
2
Views
1K
Tobias Sorensson
T
H
Resolved Unable to Disable Node.js Application in Plesk – App Remains Accessible
Replies
1
Views
138
HawkSky
H
brother4
Question Optimizing PHP FPM Handler Settings for Apache and Nginx in Plesk
Replies
0
Views
302
brother4
brother4
S
Apache does not apply .htaccess directives for certain files after migration through Plesk Migrator
Replies
2
Views
702
NewGate
N
Back
Top