MichalisZ
New Pleskian
Hello to all,
I have searched the forum and the net for an answer on this, but I could not find anything, so I am starting a new post.
The issue is about the reseller settings and permissions, which are not restricted by the server-wide policies. We noticed this after one reseller on our server started using in his subscriptions the PHP "by OS vendor" as FPM, which we had disabled at the General Settings -> PHP Settings, and we also found that he managed to override our PHP Performance settings (like max_execution_time) with his own.
In our Reseller Plans we provide the following permissions which affect php permissions:
--------------------------------------------------------------------------------
[ON] Hosting settings management
[ON] Common PHP settings management
[OFF] PHP version and handler management
[OFF] Setup of potentially insecure web scripting options that override provider's policy
--------------------------------------------------------------------------------
Also we have changed the /usr/local/psa/admin/conf/site_isolation_settings.ini, like this:
--------------------------------------------------------------------------------
[hosting]
;php = any
;php_handler_type = fastcgi, cgi
python = off
perl = off
;fastcgi = any
miva = off
ssi = off
;ssl = any
;shell = /usr/local/psa/bin/chrootsh
asp = off
;php_safe_mode = on
coldfusion = off
--------------------------------------------------------------------------------
Due to the above the reseller or his customers can only directly manage the settings as they are shown in the following pictures:
a) Hosting Settings
b) PHP Settings
1) they can choose the PHP versions Plesk 5.2-7, only for FastCGI, and there is not any OS vendor or FPM option
2) they can not change the PHP performance settings
3) they can change some basic PHP settings
The above restrictions can be easily overridden by the reseller, from the Service Plans, even though he does not have the permissions required.
Specifically, at the service plans the reseller has access to all the options, even if they are not available. For example, he can choose from all installed PHP versions and handlers (not only from the available ones), or even set max_execution_time to a high value.
The same applies to all plan options.
So by doing this, his subscriptions can end up having values like this:
So, I think that the reseller should not be able to do this and should be restricted to choose only the options available to his account.
I guess the issue lies in how the reseller service plans work, as the direct permissions seem to be working as they should.
Some topics that seem close to my issue are the following:
http://talk.plesk.com/threads/plesk-12-5-how-fastcgi-by-default-not-php-fpm.336051/
http://talk.plesk.com/threads/bug-report-php-handler-type-in-site_isolation_settings-ini.259114/
Any kind of advice would be helpful.
Thank you
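A drift check for the situation described in the post, added here as an example and not part of the original post or of Plesk: it parses the posted `[hosting]` block and flags subscription values that fall outside it or above a provider cap. It assumes that a listed value set is the allowed set, that `any` means unrestricted and that `;` lines are inactive; the subscription records, the `example-*.test` names and the 60-second cap are constructed.

```python
import configparser

# [hosting] block exactly as posted; lines starting with ';' are comments.
POSTED_INI = """\
[hosting]
;php = any
;php_handler_type = fastcgi, cgi
python = off
perl = off
;fastcgi = any
miva = off
ssi = off
;ssl = any
;shell = /usr/local/psa/bin/chrootsh
asp = off
;php_safe_mode = on
coldfusion = off
"""

# Constructed sample data: effective settings per subscription and provider cap.
SUBSCRIPTIONS = {
    "example-a.test": {"php_handler_type": "fastcgi", "max_execution_time": 30, "perl": "off"},
    "example-b.test": {"php_handler_type": "fpm", "max_execution_time": 600, "perl": "off"},
}
LIMITS = {"max_execution_time": 60}  # assumed provider-wide PHP performance cap


def load_policy(ini_text):
    """Return {setting: allowed values}; commented or 'any' keys are unrestricted."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    policy = {}
    for key, raw in cp["hosting"].items():
        values = {v.strip().lower() for v in raw.split(",")}
        if "any" not in values:
            policy[key] = values
    return policy


def audit(policy, subscriptions, limits):
    """List (subscription, setting, value, reason) for every out-of-policy value."""
    findings = []
    for name, settings in subscriptions.items():
        for key, value in settings.items():
            if key in policy and str(value).lower() not in policy[key]:
                findings.append((name, key, value, "not in allowed set"))
            elif key in limits and int(value) > limits[key]:
                findings.append((name, key, value, "exceeds provider cap"))
    return findings
```

Run against the file as posted, the handler on `example-b.test` is not flagged because `php_handler_type` is commented out; replacing `;php_handler_type` with `php_handler_type` in the text makes the same audit report it.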