Resolved SSH for www-data, jail to vhosts

[ollibraun]

Hi,

how can I add ssh access for the Apache user www-data, and jail his ssh access to the vhosts
directory? Without breaking Plesk...

Ubuntu 14.04, Plesk 12.5

Regards,
Daniel

 

[lvalics]

You can add SSH access to any domain owners, if you go to domain and choose Web Hosting Access and there you can add any type you like. In Plesk environment there is no more www.data user as I know, all is domain owner user or root.

 

[ollibraun]

I think apache is running as www-data (Ubuntu 14.04, Plesk 12.5, fresh installation, about three customers, about 15 domains):

ps -A -F
UID    PID  PPID  C    SZ   RSS PSR STIME TTY     TIME CMD
root    1     0  0  8367  2804   1 18:38 ?    00:00:01 /sbin/init
...
root    543     1  0  4901   924   0 18:38 ?    00:00:00 upstart-udev-bridge --daemon
root    548     1  0 12846  1708   0 18:38 ?    00:00:00 /lib/systemd/systemd-udevd --daemon
message+   555     1  0  9805  1260   1 18:38 ?    00:00:00 dbus-daemon --system --fork
root    614     1  0 10861  1788   0 18:38 ?    00:00:00 /lib/systemd/systemd-logind
root    619     2  0     0     0   1 18:38 ?    00:00:00 [ttm_swap]
syslog     621     1  0 63959  1504   1 18:38 ?    00:00:00 rsyslogd
root    656     1  0  3884   912   0 18:38 ?    00:00:00 upstart-file-bridge --daemon
root    767     1  0  2556  2584   1 18:38 ?    00:00:00 dhclient -1 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
root    821     1  0  3814   628   0 18:38 ?    00:00:00 upstart-socket-bridge --daemon
root    956     1  0  3195   844   0 18:38 tty4     00:00:00 /sbin/getty -8 38400 tty4
root    959     1  0  3195   848   0 18:38 tty5     00:00:00 /sbin/getty -8 38400 tty5
root    969     1  0  3195   844   0 18:38 tty2     00:00:00 /sbin/getty -8 38400 tty2
root    970     1  0  3195   852   0 18:38 tty3     00:00:00 /sbin/getty -8 38400 tty3
root    972     1  0  3195   844   0 18:38 tty6     00:00:00 /sbin/getty -8 38400 tty6
root    973     1  0 70138 28524   1 18:38 ?    00:00:00 /usr/bin/sw-engine -c /opt/psa/admin/conf/php.ini /opt/psa/admin/bin/modules/watchdog/wdcollect -c /opt/psa/etc/modules/watchdog/wdcollect.inc.php
root    990     1  0 15343  3044   0 18:38 ?    00:00:00 /usr/sbin/sshd -D
root    996     1  0  3747  1064   0 18:38 ?    00:00:00 /usr/sbin/xinetd -dontfork -pidfile /var/run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
root      1005     1  0  5912  1020   0 18:38 ?    00:00:00 cron
daemon    1006     1  0  4783   164   0 18:38 ?    00:00:00 atd
root      1017     1  0  1091   648   1 18:38 ?    00:00:00 acpid -c /etc/acpi/events -s /var/run/acpid.socket
root      1037     1  0  4814   804   1 18:38 ?    00:00:00 /usr/sbin/irqbalance
root      1099     1  0  4469  1268   0 18:38 ?    00:00:00 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf
root      1113     1  0 90314 18480   0 18:38 ?    00:00:00 php-fpm: master process (/etc/php5/fpm/php-fpm.conf)         
dovecot   1114  1099  0  2347   984   0 18:38 ?    00:00:00 dovecot/anvil
root      1115  1099  0  2381  1192   0 18:38 ?    00:00:00 dovecot/log
root      1141     1  0 308272 16808  0 18:38 ?    00:00:18 /usr/bin/python /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
root      1319     2  0     0     0   0 18:38 ?    00:00:00 [kauditd]
mysql     1321     1  0  1110   740   0 18:38 ?    00:00:00 /bin/sh /usr/bin/mysqld_safe
mysql     1680  1321  0 608117 240928 1 18:38 ?    00:00:04 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
postfix   1765     1  0 99701  1976   0 18:38 ?    00:00:00 /usr/lib/plesk-9.0/psa-pc-remote -p inet:[email protected] -P /run/psa-pc-remote.pid -u postfix -g popuser
root      1902     1  0  6334  1684   1 18:38 ?    00:00:00 /usr/lib/postfix/master
postfix   1912  1902  0  6892  1768   1 18:38 ?    00:00:00 qmgr -l -t fifo -u
root      2048     1  0 93750 10000   1 18:38 ?    00:00:00 sw-engine-fpm: master process (/etc/sw-engine/sw-engine-fpm.conf)                 
root      2117     1  0  9359  1668   0 18:38 ?    00:00:00 sw-cp-server: master process /usr/sbin/sw-cp-serverd
sw-cp-s+  2118  2117  0  9472  2348   1 18:38 ?    00:00:00 sw-cp-server: worker process
bind      2233     1  0 60063 15092   0 18:38 ?    00:00:00 /usr/sbin/named -t /var/named/run-root -c /etc/named.conf -u bind -n 2
root      2410     1  0 34462 64716   0 18:38 ?    00:00:02 /usr/sbin/spamd --helper-home-dir=/var/qmail --nouser-config --username=popuser --max-children=5 --daemonize -d --pidfile=/var/run/spamd.pid
popuser   2412  2410  0 34462 63184   0 18:38 ?    00:00:00 spamd child
popuser   2416  2410  0 34462 63184   0 18:38 ?    00:00:00 spamd child
root      2503     1  0 44084  8296   1 18:38 ?    00:00:00 /usr/sbin/apache2 -k start
www-data  2504  2503  0 42971  4556   1 18:38 ?    00:00:00 /usr/sbin/apache2 -k start
www-data  2505  2503  0 43265  4588   0 18:38 ?    00:00:00 /usr/sbin/apache2 -k start
www-data  2508  2503  0 44231  7188   0 18:38 ?    00:00:00 /usr/sbin/apache2 -k start
www-data  2509  2503  0 44231  7228   0 18:38 ?    00:00:00 /usr/sbin/apache2 -k start
www-data  2511  2503  0 44233  7220   0 18:38 ?    00:00:00 /usr/sbin/apache2 -k start
www-data  2512  2503  0 44225  7144   0 18:38 ?    00:00:00 /usr/sbin/apache2 -k start
root      3203     1  0 72291 32264   0 18:38 ?    00:00:00 /usr/bin/sw-engine -c /opt/psa/admin/conf/php.ini /usr/lib/plesk-9.0/psa-health-monitor-notification.php
root      3221     1  0  2696   816   0 18:38 ?    00:00:00 /opt/psa/admin/sbin/modules/vpn/openvpn --config /opt/psa/var/modules/vpn/openvpn.conf
root      3249     1  0 137409 2880   1 18:38 ?    00:00:02 /usr/sbin/sw-collectd -C /etc/sw-collectd/collectd.conf -P /var/run/sw-collectd.pid
root      3321     1  0 22474  4348   0 18:38 ?    00:00:05 /usr/bin/vmtoolsd
root      3392     1  0  3195   852   0 18:38 tty1     00:00:00 /sbin/getty -8 38400 tty1
postfix   3433  1902  0 10076  3020   1 18:39 ?    00:00:00 tlsmgr -l -t unix -u -c
root      3545     2  0     0     0   0 18:46 ?    00:00:00 [kworker/u128:0]
www-data  3603  2503  0 44230  7108   0 18:48 ?    00:00:00 /usr/sbin/apache2 -k start
www-data  4125  2503  0 44202  7092   0 19:32 ?    00:00:00 /usr/sbin/apache2 -k start
www-data  4128  2503  0 44201  6872   0 19:32 ?    00:00:00 /usr/sbin/apache2 -k start
www-data  4130  2503  0 44217  6984   0 19:32 ?    00:00:00 /usr/sbin/apache2 -k start
www-data  4132  2503  0 44239  7184   0 19:32 ?    00:00:00 /usr/sbin/apache2 -k start
www-data  4377  2503  0 44162  6324   0 20:00 ?    00:00:00 /usr/sbin/apache2 -k start
postfix   4462  1902  0  6850  1616   1 20:10 ?    00:00:00 pickup -l -t fifo -u -c
root      4917     2  0     0     0   0 20:52 ?    00:00:00 [kworker/u128:2]
root      5219     2  0     0     0   1 21:18 ?    00:00:00 [kworker/u129:1]
root      5256   990  0 28942  4664   0 21:22 ?    00:00:00 sshd: root@pts/0  
root      5348  5256  0  7286  3884   0 21:22 pts/0    00:00:00 -bash
root      5363  5348  0 21227  2596   0 21:22 pts/0    00:00:00 su
root      5364  5363  0  6863  2100   0 21:22 pts/0    00:00:00 bash
root      5390  5256  0  3204   868   0 21:23 ?    00:00:00 /usr/lib/openssh/sftp-server
root      5411  1099  0  6226  2176   0 21:26 ?    00:00:00 dovecot/config
root      5413  1099  0  7889  2968   0 21:26 ?    00:00:00 dovecot/auth
root      5414  1099  0  2346   768   0 21:26 ?    00:00:00 dovecot/ssl-params
root      5424  5364  0  5682  1212   0 21:26 pts/0    00:00:00 ps -A -F

 

[ollibraun]

...or is Apache running as domain owner? How can I find out?

 

[lvalics]

If your domain are running on FastCGI or php-fpm then each files written with apache will be 644 and ftpuser marked. Hope this help.