Question
The SSH Terminal extension is available in Plesk 18.0.37 and later. With this extension, the Plesk administrator can access the SSH console on behalf of the root user.
How to disable root access for the Plesk administrator?
Answer
By default, Plesk runs utilities or scripts on behalf of the root user in the following cases:
- When the Plesk administrator creates a scheduled task and selects to run it as root.
- When the Plesk administrator creates an event handler and selects to run the associated command as root.
- When the Plesk administrator and/or subscription owners use the SSH Terminal extension.
There are three ways to disable the root access:
Creating files in the $PRODUCT_ROOT_D/var/ directory. This is the most reliable way, as it disables the root access all-round: in scheduled tasks, event handlers, and SSH Terminal.
- Log in to the server as root via SSH.
- Create an empty file named root.crontab.lock in the $PRODUCT_ROOT_D/var/ directory. This will prevent admin users from running cron tasks and viewing scheduled tasks to be run as root.
- Create an empty file named root.event_handler.lock in the $PRODUCT_ROOT_D/var/ directory. This will prevent admin users from creating event handlers running as root.
- Once you complete the two previous steps, SSH Terminal will not expose the root access.
NOTE: The $PRODUCT_ROOT_D is /usr/local/psa on RPM-based systems and /opt/psa on Debian-based systems.
Disabling the root access in SSH Terminal via panel.ini for the Plesk administrator only. This does not disable the root access in scheduled tasks and event handlers.
- Disable root access using the following panel.ini option:
[ext-ssh-terminal]
rootAccessAllowed = false
- To prevent panel.ini from being edited through the Plesk GUI, add the 'Panel.ini Editor' extension to the blacklist (it will not be possible to install it on the server) using the following panel.ini option:
[extensions]
blacklist = panel-ini-editor
Disabling the SSH Terminal extension via panel.ini for both the Plesk administrator and subscription owners. This does not disable the root access in scheduled tasks and event handlers.
Add the 'SSH Terminal' and 'Panel.ini Editor' extensions to the blacklist (it will not be possible to install them on the server) using the following panel.ini option:
[extensions]
blacklist = ssh-terminal, panel-ini-editor
Note: Plesk partners may blacklist the installation of this extension using the instruction.
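The following shell functions are an added example, not part of the original article or of Plesk's own tooling. They create the two lock files from the first method and check the panel.ini options from the other two. The function names are hypothetical, and the product root and the panel.ini path are passed in as arguments rather than assumed.

```shell
#!/bin/sh
# Added example, not Plesk tooling. Pass PRODUCT_ROOT_D explicitly:
# /usr/local/psa (RPM-based) or /opt/psa (Debian-based), per the note above.
# Usage (as root): lock_root_access /usr/local/psa && locks_present /usr/local/psa
LOCKS="root.crontab.lock root.event_handler.lock"

# Create both lock files; refuses to run if <root>/var does not exist.
lock_root_access() {
    [ -d "$1/var" ] || { echo "no var/ directory under $1" >&2; return 1; }
    for f in $LOCKS; do touch "$1/var/$f" || return 1; done
}

# Succeeds only when both lock files are present under <root>/var.
locks_present() {
    rc=0
    for f in $LOCKS; do
        if [ -e "$1/var/$f" ]; then echo "OK      $f"
        else echo "MISSING $f"; rc=1; fi
    done
    return $rc
}

# Print the value of KEY inside [SECTION] of an ini FILE (last match wins).
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*;/  { next }                                  # comment line
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); cur = $0; next }   # section header
        cur == sec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Succeeds when EXT is listed in the [extensions] blacklist of panel.ini FILE.
blacklisted() {
    case ",$(ini_get "$1" extensions blacklist | tr -d ' ')," in
        *,"$2",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Succeeds when [ext-ssh-terminal] rootAccessAllowed is the literal "false".
terminal_root_disabled() {
    [ "$(ini_get "$1" ext-ssh-terminal rootAccessAllowed)" = false ]
}
```

The check accepts only the literal value `false` shown in the article, and a key placed under the wrong section is not counted.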