Enhancing Security

When you share a single physical server between many users, you consider all security aspects thoroughly. Although Plesk provides an acceptable security level, there are suggested ways to improve it. This chapter provides instructions on protecting Plesk server and hosted domains from unauthorized access.

In this chapter:

Restricting Script Execution in the /tmp Directory

Configuring Site Isolation Settings

Protecting from Running Tasks on Behalf of root


Restricting Script Execution in the /tmp Directory

To secure the Plesk server, it is recommended to create /tmp as a separate partition and mount it with noexec and nosuid options. These options do the following:

  • noexec disables the executable file attribute within an entire file system, effectively preventing any files within the file system from being executed.
  • nosuid disables the SUID file-attribute within an entire file system. This prevents SUID attacks on, for example, the /tmp file system.

To secure the /tmp partition of your Plesk server:

  • If /tmp is a separate partition on the server, you only need to edit /etc/fstab and add the noexec and nosuid options for /tmp. Then remount the partition.
  • If the /tmp directory resides on the / partition:
    1. Create a partition for /tmp, for example with a size of 512 MB:

      # mkdir /filesystems

      # dd if=/dev/zero of=/filesystems/tmp_fs seek=512 count=512 bs=1M

      # mkfs.ext3 /filesystems/tmp_fs

    2. Add the following line to /etc/fstab:

      /filesystems/tmp_fs /tmp ext3 noexec,nosuid,loop 1 1

    3. Move the current /tmp directory content to another location.
    4. Mount the new /tmp partition:

      # mount /tmp

    5. Move the content from the old /tmp directory to the new one.

Configuring Site Isolation Settings

If you offer shared hosting services, one of the most important security aspects is site isolation. This means that users must not be able to access other users’ files and databases.

Customers' files are usually located in separate directories owned by the corresponding system users, so other customers cannot access them by SSH or FTP. The main issue with site isolation is that the server sometimes executes all scripts of the same type (for example, Perl scripts) on behalf of the same system user. This means, for example, that if a customer's Perl script creates a file in the /tmp directory, another customer's Perl script can access this file because the system executes both script on behalf of the same user.

For PHP scripts, you can solve the site isolation problem by running PHP as a FastCGI or CGI application. In this case, the system executes each user's PHP scripts on behalf of the corresponding system user and thus isolates scripts owned by different users. In turn, if Plesk runs PHP as an Apache module, all PHP scripts are executed on behalf of the apache user. This weakens the site isolation.

Some other scripts, such as those written in Perl and Python, are always executed by Plesk on behalf of the same system user. So, in order to provide the best site isolation, you should either prohibit their execution on the server or manually configure the system to execute them securely. Refer to the corresponding documentation for instructions on configuring secure execution of such scripts.

By default, no server-wide site isolation settings are applied: for each subscription, its site isolation settings are defined by its service plan (if the subscription is synced with it) or its own settings (if the subscription is customized and locked).

Note: Customers can change their site isolation settings only if they have the permission Hosting Settings Management.

To define the server-wide site isolation settings:

  1. Open for editing the file PRODUCT_ROOT_D/admin/conf/site_isolation_settings.ini, where $PRODUCT_ROOT_D is /usr/local/psa for RPM-based systems and /opt/psa on DEB-based systems.

    This configuration file specifies the list of allowed values for hosting settings:


    ;php = on

    ;php_handler_type = fastcgi

    ;python = off

    ;perl = off

    ;fastcgi = any

    ;miva = off

    ;ssi = any

    ;ssl = on

    ;shell = /usr/local/psa/bin/chrootsh

    ;asp = any

    ;php_safe_mode = on

    By default, all lines are commented out with semicolons (;), so no server-wide settings apply.

  2. To define a server-wide setting, uncomment the corresponding line by removing the semicolon (;) and edit the line. For example, to prohibit executing Perl scripts on your server, remove the semicolon from the line ;perl = off.

    You can set the following values for the settings:

    • on and off for scripting options.
    • module, fastcgi, cgi, or fpm for php_handler_type.
    • A line from /etc/shells file for shell.
    • any for any option if the option value is not restricted (with one exception: if php_handler_type = any, the customer is restricted from changing PHP versions and handlers).

    In addition, there are the following restrictions on the use of these values:

    • If php is off, php_handler_type and php_safe_mode must be set to any.
    • If fastcgi is off, php_handler_type must not be set to fastcgi.

However, you can grant the permission to override the server-wide settings to certain subscriptions or service plans. To do this, select the option Setup of potentially insecure web scripting options that override provider's policy in the subscription or service plan settings, Permissions tab.

Note: You can grant the permission Setup of potentially insecure web scripting options that override provider's policy in a plan only after you grant the permission Hosting settings management.


Protecting from Running Tasks on Behalf of root

By default, Plesk allows utilities or scripts to be run on behalf of root in two cases:

Scheduling tasks with the cron manager

  • Handling events with the Event Manager tool

This makes Plesk server vulnerable to malicious software. To eliminate these vulnerabilities, create the following files and leave them empty:

$PRODUCT_ROOT_D/var/root.crontab.lock prevents users from running cron tasks and viewing the list of tasks scheduled on behalf of root.

$PRODUCT_ROOT_D/var/root.event.handler.lock prevents users from creating event handlers functioning on behalf of root.

The $PRODUCT_ROOT_D is /usr/local/psa for RPM-based systems or /opt/psa on DEB-based systems