If you offer shared hosting services, one of the most important security
aspects is site isolation. This means that users must not be able to
access other users’ files and databases.
Customers’ files are usually located in separate directories owned by
the corresponding system users, so other customers cannot access them by
SSH or FTP. The main issue with site isolation is that the server
sometimes executes all scripts of the same type (for example, Perl
scripts) on behalf of the same system user. This means, for example,
that if a customer’s Perl script creates a file in the /tmp
directory, another customer’s Perl script can access this file because
the system executes both script on behalf of the same user.
For PHP scripts, you can solve the site isolation problem by running PHP
as a FastCGI or CGI application. In this case, the system executes each
user’s PHP scripts on behalf of the corresponding system user and thus
isolates scripts owned by different users. In turn, if Plesk runs PHP as
an Apache module, all PHP scripts are executed on behalf of the
apache user. This weakens the site isolation.
Some other scripts, such as those written in Perl and Python, are always
executed by Plesk on behalf of the same system user. So, in order to
provide the best site isolation, you should either prohibit their
execution on the server or manually configure the system to execute them
securely. Refer to the corresponding documentation for instructions on
configuring secure execution of such scripts.
By default, no server-wide site isolation settings are applied: for each
subscription, its site isolation settings are defined by its service
plan (if the subscription is synced with it) or its own settings (if the
subscription is customized and locked).
Note: Customers can change their site isolation settings only if they have
the permission Hosting Settings Management.
To define the server-wide site isolation settings:
-
Open for editing the file
PRODUCT_ROOT_D/admin/conf/site_isolation_settings.ini, where
$PRODUCT_ROOT_Dis/usr/local/psafor RPM-based systems and
/opt/psaon DEB-based systems.This configuration file specifies the list of allowed values for
hosting settings:
[hosting]
;php = on
;php_handler_type = fastcgi
;…