Restrict PHP settings for resellers when using FastCGI

Thomas Becker

Basic Pleskian
Hello,
I’m using PHP as FastCGI for hosting plans. That is working great so far.
CentOS 6 and Plesk 10.4.4

1. The problem is in case of reseller accounts. As far as I know there is no possibility to restrict PHP settings such as memory_limit, max_execution_time, … for resellers.
This means that a reseller could generate service plans with any value they want. That could harm the whole server.
Did I understand something wrong? How to deal with that?

I think it would be nice to have a php.ini with maximum values that are loaded after the custom php.ini of a domain which is generated by a reseller (or by a customer of a reseller).

2. Is it possible to restrict resellers to only select PHP as FastCGI when creating service plans?

Thanks and Greets
Thomas
I would suggest you look at the Plesk manual for panel.ini. You can disable the client and reseller ability to enter custom values for PHP settings and then only give them options you define from a drop-down box, e.g.

;memory_limit
settings.performance.memory_limit.values[]=128M
settings.performance.memory_limit.values[]=192M
settings.performance.memory_limit.values[]=256M
settings.performance.memory_limit.custom=false

You should also look at site_isolation_settings.ini, as the out-of-the-box settings are far from optimal.
Thanks, burnleyvic, for your info. The panel.ini is not the best solution but will work so far.

I already had set the site_isolation_settings (PSA was restarted too):
php_handler_type = fastcgi

In Plesk Panel it's still possible to select handler type "Apache-Module", "FastCGI", "CGI".

Some time ago I read that Plesk sometimes shows all the possible options and doesn't care about some restrictions that are set in config files. Is that really true, and is that the reason why I can still select all handlers?
Do I have to worry about it, or are the restrictions from files like site_isolation_settings.ini in use?
Thanks.
It is my understanding that site isolation settings work provided the reseller service plan does not give permission for "Setup of potentially insecure web scripting options that override provider's policy". If this option is enabled in the reseller's service plan, then they can effectively set whatever they want. If they don't have this option enabled, then they can't set this option in any service plans they make and should only be able to select from the options you give them.

As the admin, if you look at their accounts you will still be able to select any option. The only way to verify this would be to create a reseller, log into Plesk with that reseller login and then do your testing.

The only other thing you could try would be to set some PHP variables in a php.ini file and place it in the /conf folder. Any settings from the /conf folder are imported when Plesk regenerates the main php.ini in /etc for a vhost. Possibly placing this in the default skeleton will work. If you have resellers able to create their own skeleton, you may need to use an event handler triggered on domain and sub-domain creation.

Not ideal, I know, but if you find a better way of doing it in Plesk I'd love to know.
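As an added example (not code from this thread or from Plesk), a small Python audit that applies the "php.ini with maximum values" idea from the original post the other way round: instead of relying on a cap file being loaded last, it reads the per-vhost php.ini overrides that resellers or customers can drop into the /conf folder mentioned above and flags directives that exceed an administrator-defined cap or disable the limit entirely. The policy values, vhost names and ini contents are constructed, and the file layout is assumed rather than Plesk's.

```python
import re

# Constructed policy (hypothetical caps, not Plesk defaults); sizes use PHP shorthand.
MAX_POLICY = {"memory_limit": ("size", "256M"),
              "upload_max_filesize": ("size", "32M"),
              "max_execution_time": ("seconds", "60")}
_SHORTHAND = re.compile(r"^(-?\d+)\s*([kmg]?)$", re.IGNORECASE)
_MULT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

def php_size_to_bytes(value):
    """Parse PHP shorthand (512K, 128M, 1G, -1) into bytes; None if unparseable."""
    m = _SHORTHAND.match(value.strip().strip("\"'"))
    return int(m.group(1)) * _MULT[m.group(2).lower()] if m else None

def parse_php_ini(text):
    """Minimal php.ini reader: drops comments and [sections], last value per key wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        settings[key.strip().lower()] = val.strip().strip("\"'")
    return settings

def violations(settings, policy=MAX_POLICY):
    """Return [(directive, value, cap)] for overrides above the cap or set to unlimited."""
    found = []
    for key, (kind, cap) in policy.items():
        if key not in settings:
            continue  # not overridden, so the server-wide value applies
        raw = settings[key]
        if kind == "size":
            value, limit = php_size_to_bytes(raw), php_size_to_bytes(cap)
        else:
            value, limit = (int(raw) if re.fullmatch(r"-?\d+", raw) else None), int(cap)
            if value == 0:
                value = -1  # max_execution_time = 0 means unlimited in PHP
        if value is None or value < 0 or value > limit:
            found.append((key, raw, cap))
    return found

# Constructed per-vhost overrides standing in for <vhost>/conf/php.ini files.
SAMPLE_VHOST_INIS = {
    "reseller-site.example": "memory_limit = 1G\nmax_execution_time = 0\nupload_max_filesize = 16M\n",
    "customer-site.example": "; customer override\nmemory_limit = 128M\nmax_execution_time = 30\n"}

def audit(vhost_inis=SAMPLE_VHOST_INIS):
    return {name: violations(parse_php_ini(text)) for name, text in vhost_inis.items()}
```

On a real server the same functions would be fed the contents of each vhost's conf php.ini, and any non-empty result is a plan or override that escaped the panel.ini drop-down restrictions.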
Thanks again, burnleyvic, for your reply.

If I disallow "Setup of potentially insecure web scripting options that override provider's policy" in the service plan for resellers, then after creating a reseller and logging in as that reseller I’m getting this warning when trying to set a handler type other than the allowed one:

There are settings that conflict with the server-wide security policy. Are you sure you want to continue?

If you really want to override the security policy and apply the conflicting settings, click Yes. Otherwise, click No, and then click the link 'apply secure setting preset' to bring the settings in accordance with the server-wide security policy. The following settings conflict with the policy:
• PHP handler type

If I click on "Yes" when this warning appears, the service plan is saved with the disallowed handler type.
Is this a bug?


Second question. How to disallow managing the skeleton for resellers?

Thanks again.
You must define what settings you want resellers and clients to be able to use in your site_isolation_settings.ini. For example, if you want to only allow them to select FastCGI as the handler type, set

php_handler_type = fastcgi

If you have no preference to what they set then use

php_handler_type = any
It may well be a bug; I've certainly filed more with 10.4.4 than I'd care to count. Not sure about preventing resellers from updating the skeleton. I know you can override the setting when logged in as admin, but to my knowledge you should not be able to when logged in as a reseller or customer. It would defeat the reason for the setting. I'll see if I can reproduce it.
I just created a reseller, logged out of Plesk and logged in as the reseller. Our servers have php_handler_type = fastcgi, so when I created a subscription as the reseller I did not even get the option to select the handler type. The only options available were the options we had set to 'any', such as SSL support. As for PHP settings, they could only select the options we had configured in panel.ini. Provided you set reasonable options and turn off the horribly dangerous option to allow people to enter custom settings, you should be OK. I also had a quick play with the vhost templates and was not able to get a skeleton with a /conf directory to upload as a reseller. It did not give an error, but it didn't work. You may want to test this yourself just to be sure.
Thanks again, burnleyvic.

I did some more intensive testing and I think there is a bug, which I reported here:
http://forum.parallels.com/showthread.php?t=259114

You said that you cannot select the PHP handler type as a reseller when setting "php_handler_type = fastcgi", but on my system it is still possible when creating service plans. The good thing is that a hosting account created by a reseller is running with FastCGI anyway, as I can see in phpinfo();
"Server API" in phpinfo() shows "CGI/FastCGI"