
How to disable root access via the SSH Terminal extension for the Plesk administrator?


Applicable to:

  • Plesk for Linux

Question

The SSH Terminal extension is available in Plesk 18.0.37 and later. With this extension, the Plesk administrator can access the SSH console on behalf of the root user.

How to disable root access for the Plesk administrator?

Answer

By default, Plesk runs utilities or scripts on behalf of the root user in the following cases:

  • When the Plesk administrator creates a scheduled task and selects to run it as root.
  • When the Plesk administrator creates an event handler and selects to run the associated command as root.
  • When the Plesk administrator and/or subscription owners use the SSH Terminal extension.

There are three ways to disable the root access:

Creating files in the $PRODUCT_ROOT_D/var/ directory. This is the most reliable method: it disables the root access everywhere, that is, in scheduled tasks, event handlers, and SSH Terminal.

Warning: Enabling root.event_handler.lock prevents CloudLinux from creating and managing root user event handler scripts (/usr/share/cloudlinux/hooks/plesk/*). This functionality is required for proper operation during installations, updates, or removal of CloudLinux packages.

  1. Log in to the server as root via SSH.
  2. Create an empty file named root.crontab.lock in the $PRODUCT_ROOT_D/var/ directory. This will prevent admin users from running cron tasks and viewing scheduled tasks to be run as root.
  3. Create an empty file named root.event_handler.lock in the $PRODUCT_ROOT_D/var/ directory. This will prevent admin users from creating event handlers running as root.
  4. Once you complete the two previous steps, SSH Terminal will not expose the root access.

NOTE: The $PRODUCT_ROOT_D is /usr/local/psa on RPM-based systems and /opt/psa on Debian-based systems.
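
The lock-file steps above as a script, added here as an example and not taken from Plesk's own tooling. The function names, the `--apply` switch, and the choice to skip root.event_handler.lock when CloudLinux hook scripts are present are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Plesk's own tooling): apply and audit the lock files.

# $PRODUCT_ROOT_D: /usr/local/psa on RPM-based, /opt/psa on Debian-based systems.
detect_product_root() {
    for d in /usr/local/psa /opt/psa; do
        if [ -d "$d/var" ]; then echo "$d"; return 0; fi
    done
    return 1
}

# apply_root_locks PRODUCT_ROOT [CL_HOOK_DIR]
# Always creates root.crontab.lock. Skips root.event_handler.lock (returns 1)
# when CloudLinux hook scripts exist, because that lock would block them.
# Skipping is this example's policy, not a Plesk rule.
apply_root_locks() {
    root=$1
    hooks=${2:-/usr/share/cloudlinux/hooks/plesk}
    [ -d "$root/var" ] || { echo "no var/ under $root" >&2; return 2; }
    touch "$root/var/root.crontab.lock" || return 2
    if [ -d "$hooks" ] && [ -n "$(ls -A "$hooks" 2>/dev/null)" ]; then
        echo "CloudLinux hooks in $hooks: root.event_handler.lock not created" >&2
        return 1
    fi
    touch "$root/var/root.event_handler.lock" || return 2
}

# audit_root_locks PRODUCT_ROOT
# Prints one line per lock file; returns 0 only when both exist (step 4).
audit_root_locks() {
    root=$1
    missing=0
    for f in root.crontab.lock root.event_handler.lock; do
        if [ -e "$root/var/$f" ]; then
            echo "present $f"
        else
            echo "missing $f"
            missing=1
        fi
    done
    return "$missing"
}

# Touch the live installation only when invoked with --apply.
if [ "${1:-}" = "--apply" ]; then
    pr=$(detect_product_root) || { echo "Plesk root not found" >&2; exit 2; }
    apply_root_locks "$pr"
    audit_root_locks "$pr"
fi
```

Running `audit_root_locks` from a scheduled check also catches the case where a lock file is later removed, since the audit returns non-zero as soon as either file is missing.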

Disabling the root access in SSH Terminal via panel.ini for the Plesk administrator only. This does not disable the root access in scheduled tasks and event handlers.
  1. Disable root access using the following panel.ini option:

    [ext-ssh-terminal]
    rootAccessAllowed = false

  2. To prevent panel.ini from being edited in the Plesk GUI, add the 'Panel.ini Editor' extension to the blacklist (it will not be possible to install it on the server) using the following panel.ini option:

    [extensions]
    blacklist = panel-ini-editor

Disabling the SSH Terminal extension via panel.ini for both the Plesk administrator and subscription owners. This does not disable the root access in scheduled tasks and event handlers.

Add the 'SSH Terminal' and 'Panel.ini Editor' extensions to the blacklist (it will not be possible to install them on the server) using the following panel.ini option:

    [extensions]
    blacklist = ssh-terminal, panel-ini-editor

Note: Plesk partners may blacklist the installation of this extension using the instruction.
