Customizing Disk Security
Custom changes to disk security metadata should not be applied to the
DiskSecurity.xml
file itself. The disk security metadata can be
contained in multiple files. All disk security metadata do not have to
be contained only in the DiskSecurity.xml
file. You can create any
number of additional disk security metadata files. To customize disk
security, you should create an additional file with the xml
extension in the %plesk_dir%etc\DiskSecurity
directory and specify
additional security rules in the file. This will enable you to track
changes and manipulate sets of security metadata easily.
To customize disk security rules in Plesk:
-
Log in as administrator to a Plesk-managed server over Remote Desktop.
-
Determine the Windows objects for which you want to set new security rules.
-
Open the
%plesk_dir%etc\DiskSecurity
folder. -
In the folder, create a file with the
xml
extension. You can give this file any name. -
Create disk security rule entries in the file. To do so, use the XML file editor of your choice and the references below.
Disk security rule entries have the same format as hosting security rule entries. To learn about the entry attributes in more detail, refer to General Security Metadata Structure. We also recommend that you see the example provided below.
-
Once you have finished adding the security rules, save and close the file.
-
Run the
plesk repair
utility with the--directory-permissions
command and the-directory <path to the directory>
option to apply the security rules to Windows objects. For example, to apply the disk security rules to theC:\Temp
directory run the following command:plesk repair --directory-permissions -directory C:\Temp
For example, you have an application (say, IIS module) installed into
the folder c:\Program Files\AppName
. This module is used on
customers’ sites, but it does not work properly because Plesk’s default
security rules prohibit customers from accessing arbitrary folders on
the disk. To resolve this, you can create a file named AppName.xml, add
your security rules as described further, and place the file into the
directory %plesk_dir%etc\DiskSecurity
.
Security Rules Example
<?xml version="1.0" encoding="UTF-8"?>
<Entries>
<Entry EntryFlags="0x1" AccessMask="FullAccess" AceFlags="ThisFolderSubfoldersAndFiles" Path="C:\dir1" Account="Psacln" AccounType="1"/>
<Entry EntryFlags="0" AccessMask="ReadAndExecute" AceFlags="ThisFolderandSubfolders" Path="C:\dir1" Account="Psacln" AccounType="1" SubPath="dir2"/>
<Entry EntryFlags="0" AccessMask="FullAccess" AceFlags="ThisFolderSubfoldersAndFiles" Path="C:\dir1" Account="Psaadm" AccounType="1"/>
</Entries>
Explanation
-
AccessMask=”FullAccess” indicates the “Full control” permission and
AccessMask="ReadAndExecute"
—generic execute. -
EntryFlags specifies what to do with the
AccessMask
permission mentioned above. The"0"
value ofEntryFlags"
allows the permission, while"0x1"
—denies. -
Path specifies the path to the object the security rule will be applied to (for example,
C:\dir1
). -
SubPath
specifies the remaining part of the object path if the path is not fully defined byPath
. - AceFlags specifies if the object’s child objects (for example, subfolders and files) inherit the security rule.
-
Account
is a Windows user account type.Psacln
andPsaadm
are not standard Windows system accounts. To be resolved in the system, they have AccounType=”1”.
Note: To fine-tune custom disk security, you can combine the “Deny” security rules of the higher level
with the “Allow” security rules of the lower level and apply this combination to the same object.
In the example above, the first security rule prohibits Psacln
users from getting full control of the dir1
folder, its subfolders, and files.
The second security rule, on the contrary, allows generic execute but only for one subfolder dir1\dir2
.
As a result, the combination of the two security rules allows Psacln
users to list the dir1
folder and its subfolders
but prohibits full control of files in dir1
.