How to disable root access via the SSH Terminal extension for the Plesk administrator?

Dmitry Bystrov

10 months ago

Question

The SSH Terminal extension is available in Plesk 18.0.37 and later. With this extension, the Plesk administrator can access the SSH console on behalf of the root user.

How to disable root access for the Plesk administrator?

Answer

By default, Plesk runs utilities or scripts on behalf of the root user in the following cases:

When the Plesk administrator creates a scheduled task and selects to run it as root.
When the Plesk administrator creates an event handler and selects to run the associated command as root.
When the Plesk administrator and/or subscription owners use the SSH Terminal extension.

There are three ways to disable the root access:

Creating files in the `$PRODUCT_ROOT_D/var/` directory. It is the most reliable way that disables the root access all-round: in scheduled tasks, event handlers, and SSH Terminal.

Log in to the server as root via SSH .
Create an empty file named root.crontab.lock in the $PRODUCT_ROOT_D/var/ directory. This will prevent admin users from running cron tasks and viewing scheduled tasks to be run as root.
Create an empty file named root.event_handler.lock in the $PRODUCT_ROOT_D/var/ directory. This will prevent admin users from creating event handlers running as root.
Once you complete the two previous steps, SSH Terminal will not expose the root access.

NOTE: The $PRODUCT_ROOT_D is /usr/local/psa on RPM-based systems and /opt/psa on Debian-based systems.

Disabling the root access in SSH Terminal via `panel.ini` for the Plesk administrator only. This does not disable the root access in scheduled tasks and event handlers.

Disable root access using the following panel.ini option:

[ext-ssh-terminal]
rootAccessAllowed = false
To avoid panel in redactions from the Plesk GUI add 'Panel.ini Editor' extension to the blacklist (it will be not possible to install it on a server) using the following panel.ini option:

[extensions]
blacklist = panel-ini-editor

Disabling the SSH Terminal extension via `panel.ini`. for both the Plesk administrator and subscription owners. This does not disable the root access in scheduled tasks and event handlers.

Add 'SSH Terminal' and 'Panel.ini Editor' extensions to the blacklist (it will be not possible to install it on a server) using the following panel.ini option:

[extensions]
blacklist = ssh-terminal, panel-ini-editor

Note: Plesk partners may blacklist the installation of this extension using the instruction.

0 Shares

Question

Answer

Creating files in the $PRODUCT_ROOT_D/var/ directory. It is the most reliable way that disables the root access all-round: in scheduled tasks, event handlers, and SSH Terminal.

Disabling the root access in SSH Terminal via panel.ini for the Plesk administrator only. This does not disable the root access in scheduled tasks and event handlers.

Disabling the SSH Terminal extension via panel.ini. for both the Plesk administrator and subscription owners. This does not disable the root access in scheduled tasks and event handlers.

Creating files in the `$PRODUCT_ROOT_D/var/` directory. It is the most reliable way that disables the root access all-round: in scheduled tasks, event handlers, and SSH Terminal.

Disabling the root access in SSH Terminal via `panel.ini` for the Plesk administrator only. This does not disable the root access in scheduled tasks and event handlers.

Disabling the SSH Terminal extension via `panel.ini`. for both the Plesk administrator and subscription owners. This does not disable the root access in scheduled tasks and event handlers.