Customizing Disk Security
Do not apply custom changes to disk security metadata to the DiskSecurity.xml file itself. Disk security metadata can be spread across multiple files: it does not all have to be in DiskSecurity.xml, and you can create any number of additional disk security metadata files. To customize disk security, create an additional file with the xml extension in the %plesk_dir%\etc\DiskSecurity directory and specify the additional security rules in that file. This lets you track changes and manipulate sets of security metadata easily.
To customize disk security rules in Plesk:
- Log in as administrator to a Plesk-managed server over Remote Desktop.
- Determine the Windows objects for which you would like to set new security rules.
- Open the %plesk_dir%\etc\DiskSecurity folder.
- In the folder, create a file with the xml extension. You can name this file anything you want.
- Open and edit the file by using your favorite XML file editor to create security rule entries.
  Disk security rule entries have the same format as hosting security rule entries. For help in completing this step, see Adding New Security Rule to Hosting Security Metadata File Template. See also an explanatory example of a security rule entry following this procedure. For entry attribute descriptions and possible values, see General Security Metadata Structure.
- Save and close the file.
- Once you have made necessary modifications to the security metadata file, run the plesk repair utility with the --directory-permissions command and the -directory <path to the directory> option to apply the security rules to Windows objects. For example, to apply the disk security rules to the C:\Temp directory, run the following command:
  plesk repair --directory-permissions -directory C:\Temp
For example, you have an application (say, an IIS module) installed into the folder c:\Program Files\AppName. This module is used on customers’ sites, but it does not work properly because Plesk’s default security rules prohibit customers from accessing arbitrary folders on the disk. To resolve this, you can create a file named AppName.xml, add your security rules as described below, and place the file into the directory %plesk_dir%\etc\DiskSecurity.
Example
<?xml version="1.0" encoding="utf-8" ?>
<Entries>
<Entry AccounType="1" Account="Psacln" Path="{ProgramFiles}" SubPath="AppName" AceFlags="ThisFolderSubfoldersAndFiles" AccessMask="FullAccess" EntryFlags="0" />
<Entry AccounType="1" Account="Psaadm" Path="{ProgramFiles}" SubPath="AppName" AceFlags="ThisFolderSubfoldersAndFiles" AccessMask="FullAccess" EntryFlags="0" />
</Entries>
Explanation
Because the names Psacln and Psaadm are not standard Windows system accounts, they have to be resolved in the system (hence, AccounType="1"). Path="{ProgramFiles}" and SubPath="AppName" specify that the security rules will be applied to the folder where your application is installed. AceFlags="ThisFolderSubfoldersAndFiles" specifies that, according to these rules, ACEs with permission defined by AccessMask="FullAccess" will be created for the specified folder, and all of its subfolders and files. EntryFlags="0" sets the ACE type to Allow.
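As an added example (not part of the Plesk documentation or tooling), the Python sketch below reviews a custom disk security file before plesk repair applies it: it checks that the file is well-formed, that every entry carries the attributes shown in the example above, and it lists each Allow rule that grants FullAccess recursively so the grant can be confirmed as intended. The function name review_rules, the third sample entry with its ExampleUser account, and treating all seven attributes as required are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Attribute names exactly as spelled in the page's example entry. Treating
# all seven as required is an assumption of this sketch, not a schema rule.
EXPECTED_ATTRS = ("AccounType", "Account", "Path", "SubPath",
                  "AceFlags", "AccessMask", "EntryFlags")

# The page's AppName.xml plus one constructed, incomplete entry (ExampleUser).
SAMPLE = """<?xml version="1.0" encoding="utf-8" ?>
<Entries>
<Entry AccounType="1" Account="Psacln" Path="{ProgramFiles}" SubPath="AppName" AceFlags="ThisFolderSubfoldersAndFiles" AccessMask="FullAccess" EntryFlags="0" />
<Entry AccounType="1" Account="Psaadm" Path="{ProgramFiles}" SubPath="AppName" AceFlags="ThisFolderSubfoldersAndFiles" AccessMask="FullAccess" EntryFlags="0" />
<Entry AccounType="1" Account="ExampleUser" Path="{ProgramFiles}" SubPath="AppName" AceFlags="ThisFolderSubfoldersAndFiles" EntryFlags="0" />
</Entries>"""


def review_rules(xml_text):
    """Return (rules, findings) for one disk security metadata file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [], [f"not well-formed XML: {exc}"]
    if root.tag != "Entries":
        return [], [f"root element is <{root.tag}>, expected <Entries>"]

    rules, findings = [], []
    for n, entry in enumerate(root.findall("Entry"), start=1):
        missing = [name for name in EXPECTED_ATTRS if name not in entry.attrib]
        if missing:
            findings.append(f"entry {n}: missing {', '.join(missing)}")
            continue
        a = entry.attrib
        target = a["Path"] + "\\" + a["SubPath"]
        rules.append((a["Account"], target, a["AccessMask"], a["AceFlags"]))
        # EntryFlags="0" is an Allow ACE, per the page's explanation.
        if (a["EntryFlags"] == "0" and a["AccessMask"] == "FullAccess"
                and a["AceFlags"] == "ThisFolderSubfoldersAndFiles"):
            findings.append(f"entry {n}: {a['Account']} is allowed FullAccess "
                            f"on {target} and everything below it")
    return rules, findings


if __name__ == "__main__":
    rules, findings = review_rules(SAMPLE)
    for rule in rules:
        print("rule:  ", *rule)
    for finding in findings:
        print("review:", finding)
```
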