
I am developing a CMS and the tool I use for developing the CMS is almost entirely the CMS itself (almost entirely is not good enough, as I am developing tools within my CMS to automate everything I can). It would help a great deal if I could provide myself with entire root access via PHP and even perform tasks such as restarting Nginx directly from my CMS.

Security has to be the most important consideration in everything I do. I do not want to simply allow any PHP script to be able to access and modify any file on my server. How can I allow certain PHP files complete root access without compromising on security? If I could enable entire root access for just one PHP file, within that file, I can have multiple security checks, such as checking the IP address, session data checking, checking for a unique cookie, 2-step verification etc. I would even like to implement my own SSH console from within my CMS. Again, that must be 100% secure.

N.B. I am using Plesk Onyx Version 17.5.3 (webhost edition, VPS hosting and wildcard SSL) and Nginx with PHP-FPM 7.1.16. I do not use Apache, but it keeps re-enabling after I turn it off.

2 Answers


  1. Chosen as BEST ANSWER

    I solved the problem using phpseclib, and here is a class I wrote to give PHP root access to any file. I will later make it even more secure by using SSH keys. I can now secure my system further by using chmod to make certain files root-only read/write.

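    class Ssh
    {
        // Shared connection; static because every method reaches it through self::$ssh.
        private static $ssh;
        // Placeholder base directory (with trailing slash) that holds phpseclib/ and temp/.
        private static $pathTo = '/path/to/';

        private function connectTOSsh()
        {
            if (!self::$ssh)
            {
                $path = self::$pathTo.'phpseclib/';
                require_once $path.'vendor/autoload.php';
                require_once $path.'phpseclib/Net/SSH2.php';
                self::$ssh = new \phpseclib\Net\SSH2('www.mysite.com');
            }
            if (!self::$ssh->isConnected())
            {
                self::$ssh->setTimeout(10);
                self::$ssh->login('username', 'password');
            }
        }

        public function restartNginx()
        {
            self::connectTOSsh();
            // TODO
        }

        public function getFileContents($path)
        {
            self::connectTOSsh();
            // Quote the path so it reaches cat as a single argument, not as shell syntax.
            return self::$ssh->exec('cd /'.PHP_EOL.'cat '.escapeshellarg($path));
        }

        public function writeToFile($path, $contents)
        {
            self::connectTOSsh();
            // Write locally as the PHP user, then move into place over the SSH session.
            $tempFile = self::$pathTo.'temp/'.basename($path);
            file_put_contents($tempFile, $contents);
            self::$ssh->exec('cd /'.PHP_EOL.'mv '.escapeshellarg($tempFile).' '.escapeshellarg($path));
        }
    }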
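
An added example, not part of the answer above or of phpseclib: one way to narrow what web-facing PHP can ask a privileged SSH session to run, by building commands from a fixed action list and a path check instead of raw request input. The class name, the action list, the `systemctl` command and the allowed directory are assumptions; the returned strings are what would be handed to `exec()`.

```php
<?php
declare(strict_types=1);

// Hypothetical wrapper: builds the only command strings the SSH session may run.
final class PrivilegedCommand
{
    // The request picks a key; it never supplies command text. Assumes a systemd host.
    private const ACTIONS = ['restart-nginx' => 'systemctl restart nginx'];
    // Assumed directory tree the CMS is allowed to read.
    private const ALLOWED_ROOT = '/var/www/vhosts/example.com/httpdocs';

    public static function action(string $name): string
    {
        if (!array_key_exists($name, self::ACTIONS)) {
            throw new InvalidArgumentException('action not allowed');
        }
        return self::ACTIONS[$name];
    }

    public static function readFile(string $path): string
    {
        // "--" ends option parsing; escapeshellarg() keeps the path a single argument.
        return 'cat -- ' . escapeshellarg(self::checkPath($path));
    }

    // Lexical check only: symlinks inside ALLOWED_ROOT are not resolved here.
    private static function checkPath(string $path): string
    {
        if (preg_match('/[\x00-\x1f]/', $path) || strpos($path, self::ALLOWED_ROOT . '/') !== 0) {
            throw new InvalidArgumentException('path outside allowed root');
        }
        if (array_intersect(['.', '..'], explode('/', $path))) {
            throw new InvalidArgumentException('relative segment in path');
        }
        return $path;
    }
}

// Constructed sample inputs.
$root = '/var/www/vhosts/example.com/httpdocs';
foreach (["$root/index.php", "$root/../../../../../etc/hostname", "$root/o'neil; notes.txt", '/etc/nginx/nginx.conf'] as $p) {
    try {
        echo PrivilegedCommand::readFile($p), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
echo PrivilegedCommand::action('restart-nginx'), PHP_EOL;
```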
    

  2. This sounds like a bad idea – as keeping it simple is probably the best way to not compromise security etc. Automating things with cronjobs and having command-line scripts to do things makes sense; but trying to implement ‘ssh within the CMS’ feels like it will add bloat to the app – and likely introduce a security risk.

    You mention you are using Plesk – Plesk does have an XML API – https://docs.plesk.com/en-US/onyx/api-rpc/about-xml-api/reference/managing-plesk-services.36910/ and https://github.com/plesk/api-examples

    And https://github.com/plesk/ext-ssh-terminal

    Can you not make use of some of the existing Plesk functionality to achieve your aims and focus on the CMS?
