- Plesk for Linux
How to add new programs to a chrooted shell environment template?
Note: Chrooted access for domain owners is not intended to be the equivalent of full server access. Instead, it is designed to be a helpful tool to perform elementary operations like changing permissions, copying and moving files, and performing test searches on files. If you notice that you have to add more and more software into the chrooted environment template for a small number of customers, you may want to consider offering them an upgrade for their hosting to dedicated or virtual servers.
For further manipulations, SSH access to the server is required.
For CloudLinux, you need to add the program to CageFS first:
# cagefsctl --addrpm mutt
# cagefsctl --force-update
Run the following commands to download, unzip, make executable and execute the script on your server:
# wget https://support.plesk.com/hc/article_attachments/115004544309/chroot_update.zip
# unzip chroot_update.zip
# chmod +x chroot_update.sh
# ./chroot_update.sh --help
The command will display this "help" message:
# ./chroot_update.sh --help
Manage chrooted template in /var/www/vhosts/chroot and apply it to domains.
Create default chrooted environment or update existing one
using actual libraries from the system.
./chroot_update.sh --add <path>
Add program to chrooted environment. All linked libraries
will be copied as well. Program will always be put in /bin
directory of chrooted environment.
Add additional devices to chrooted environment template. List
of devices added includes: /dev/tty, /dev/urandom, /dev/ptmx
and /dev/zero. Useful for some commands like 'rsync', 'ssh' etc.
./chroot_update.sh --remove <domain,...>
./chroot_update.sh --remove all
Remove chrooted environment from specific domains (comma-separated
list) or all domains with enabled chrooted shell if no domains are
given. Useful if full re-initialization of chrooted shell environment
on domain is needed.
./chroot_update.sh --apply <domain,...>
./chroot_update.sh --apply all
Apply new chrooted template to specific domains (comma-separated
list) or all domains with enabled chrooted shell if no domains
are given. This operation is necessary to apply changes done by
'--install', '--add' and '--devices' commands to specific or all
Example 1: Adding SSH
To add the SSH command into the chrooted environment template, follow these steps:
Add standard devices inside the chrooted environment template. Without access to
/dev/tty, SSH will not be able to work:
# ./chroot_update.sh --devices
Add the SSH utility itself:
# ./chroot_update.sh --add `which ssh`
Copy the file /etc/resolv.conf to the chrooted environment template manually (since the script is only intended for adding binaries and their dependent libraries or shell scripts):
# cp /etc/resolv.conf /var/www/vhosts/chroot/etc/
Apply changes to either of the selected domains (provided in the form of a comma-separated list) or to all domains at once:
# ./chroot_update.sh --apply all
Now it is possible to use SSH while logged in as the domain's user.
Example 2: Adding PHP to chrooted environment
Some programs require not only libraries with which the main binary is linked, but also configuration files and plug-ins. An example of such a program is PHP.
Although adding PHP to the chrooted environment will not benefit the security of PHP scripts on the website (as PHP scripts are executed in a non-chrooted context by Apache or FastCGI/CGI processes), it may be useful for the development and debugging of PHP scripts.
Note: This section is applicable only to the system PHP and not to additional ones.
To add PHP to the chrooted environment template, follow these steps:
Add the PHP binary itself:
# ./chroot_update.sh --add `which php`
Add timezone definitions:
# mkdir -p /var/www/vhosts/chroot/usr/share
# cp -a /usr/share/zoneinfo /var/www/vhosts/chroot/usr/share
Note: Without them, PHP will produce the following error whenever date/time functions are used:
glibc detected php: free(): invalid pointer: 0x00007f11249fccd8 ***
Add PHP modules. They are not added on the first step because the PHP binary is not dynamically linked with these libraries. Also, adding modules will put them in the bin directory of the chrooted environment template. They should be removed afterward:
# for f in /usr/lib64/php/modules/*.so ; do ./chroot_update.sh --add "$f" ; done
# rm -f /var/www/vhosts/chroot/bin/*.so
Note: The path to the modules directory may be different on your system. To find out where PHP modules are stored on the server, run the following command:
# php -i | grep extension_dir
Copy PHP modules to the correct directory in the chrooted environment template:
# mkdir -p /var/www/vhosts/chroot/usr/lib64
# cp -a /usr/lib64/php /var/www/vhosts/chroot/usr/lib64
Copy the PHP configuration:
# cp -a /etc/php.ini /etc/php.d /var/www/vhosts/chroot/etc
Note: Paths to configuration files may be different depending on your operating system. For example, on a default Plesk installation on Debian, the loaded configuration file is stored in /etc/php5/cli/php.ini. Additional .ini files are stored in
If the domain is set up to use PHP as a CGI/FastCGI application, it is better to omit this step, as php.ini is managed by Plesk. To adjust PHP settings, go to Websites & Domains > example.com > PHP Settings.
Also, by default the date.timezone variable is not set, which can cause some PHP scripts to fail when parsing the output of a date("r") call, because PHP returns a warning before returning the date:
~ php -a
php > echo date("r");
PHP Warning : date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'UTC' for 'UTC/0.0/no DST' instead in php shell code on line 1
This issue can be resolved by uncommenting and setting the date.timezone = "Area/Location" line in /var/www/vhosts/chroot/etc/php.ini or by setting timezone directly from PHP itself by
Apply the changes:
# ./chroot_update.sh --apply all
You may run the following command if changes are not required for all domains:
# ./chroot_update.sh --apply <example.com,...>
Note: The changes will not be applied if the type of shell access for a particular user is set to /bin/false ('Forbidden' in Plesk).
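Before running --apply, it is worth confirming that every binary and PHP module in the template has its shared libraries present inside the template, since modules copied by hand are the usual source of missing dependencies. The script below is an added example, not part of chroot_update.sh or of Plesk; its function names are hypothetical, and it assumes the template mirrors host library paths and uses the /usr/lib64/php/modules location from Example 2.

```shell
#!/bin/sh
# Added example (not part of chroot_update.sh): list shared libraries that
# files in the chroot template need but the template does not contain.
# Assumption: the template mirrors host library paths, e.g. /lib64/libc.so.6
# lives at $TEMPLATE/lib64/libc.so.6. Function names are hypothetical.
TEMPLATE="${TEMPLATE:-/var/www/vhosts/chroot}"

# Parse `ldd` output on stdin and print the absolute library paths it names.
# Skips linux-vdso (no file on disk) and "=> not found" entries.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# Read absolute paths on stdin; print those that do not exist under template $1.
missing_in_template() {
    while IFS= read -r lib; do
        [ -e "$1$lib" ] || printf '%s\n' "$lib"
    done
}

# Print libraries required by file $2 that template $1 lacks. ldd invokes the
# dynamic loader, so run it only on files root copied in from the host.
check_file() {
    ldd "$2" 2>/dev/null | ldd_paths | missing_in_template "$1"
}

# Check template binaries and PHP modules; return 1 if anything is missing.
audit_template() {
    tpl=$1
    rc=0
    for f in "$tpl"/bin/* "$tpl"/usr/lib64/php/modules/*.so; do
        [ -f "$f" ] || continue
        missing=$(check_file "$tpl" "$f")
        if [ -n "$missing" ]; then
            printf '%s\n' "$missing" |
                awk -v f="${f#"$tpl"}" '{ print f ": missing " $0 }'
            rc=1
        fi
    done
    return "$rc"
}

# Run as: sh audit_chroot.sh --audit [template-dir]
if [ "${1:-}" = "--audit" ]; then
    audit_template "${2:-$TEMPLATE}"
fi
```

A non-zero exit status means at least one file in the template would fail to load for chrooted users; add the reported library with --add or copy it manually, then re-run the audit.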