a_guy, New Pleskian, Jun 7, 2021, #1

Hello,
What is the recommended way (security wise) to launch a bash script as root from a Plesk extension from customer UI?
Thanks

weltonw, Regular Pleskian, Plesk Guru, Jun 7, 2021, #2

Be careful about user input validation - the ideal way is pm_Cli's callSbin function, which will escalate a script's permissions to root

a_guy, New Pleskian, Jul 21, 2021, #5

john0001 said:
Be careful about user input validation - the ideal way is pm_Cli's callSbin function, which will escalate a script's permissions to root

I assume you mean pm_ApiCli::callSbin.
The script runs as psaadm, shouldn't it run as root?

IndexController.php:
Code:
    <?php
    class IndexController extends pm_Controller_Action
    {
        public function myTestAction()
        {
            $result = pm_ApiCli::callSbin("myscript.sh");
            $this->redirect('index/index');
        }
    }

/usr/local/psa/admin/bin/modules/my-plugin/myscript.sh:
Code:
    #!/bin/bash
    systemctl stop fail2ban.service &> /tmp/mytest.txt
    whoami >> /tmp/mytest.txt

and the result
Code:
    [root@plesk ~]# cat /tmp/mytest.txt
    Failed to stop fail2ban.service: Interactive authentication required.
    See system logs and 'systemctl status fail2ban.service' for details.
    psaadm

Thanks

weltonw, Regular Pleskian, Plesk Guru, Jul 21, 2021, #6

Yeah, sorry. You have to put it in the /sbin folder in your plugin. Take a look at the example extensions

a_guy, New Pleskian, Aug 19, 2021, #8

I assume that on extension installation the sbin symlink should be created, in post-install.php.
Is there any sample code of creating a symlink from PHP using Plesk API?
Thanks.

weltonw, Regular Pleskian, Plesk Guru, Aug 19, 2021, #9

No. Put the files in /sbin, and it will automatically work on installation
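
The two points made in this thread (validate user input, and keep the root helper in the extension's sbin folder) combined in an added example that is not code from the thread or from Plesk: a helper that allowlists its arguments before anything runs as root. The script name, the action and service arguments, and the allowlists are assumptions; the controller is assumed to pass the two values as callSbin arguments.

```shell
#!/bin/sh
# Hypothetical sbin helper (for example sbin/service-ctl.sh in the extension).
# It runs as root, so every argument is treated as hostile input.

# Allowlists are constructed for this example. `case` compares the whole
# string, so embedded spaces, newlines or shell metacharacters never match.
valid_action() {
    case "$1" in
        start|stop|restart|status) return 0 ;;
        *) return 1 ;;
    esac
}

valid_service() {
    case "$1" in
        fail2ban.service) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the command that would run; returns 2 for any rejected request.
build_command() {
    [ "$#" -eq 2 ] || return 2
    valid_action "$1" || return 2
    valid_service "$2" || return 2
    printf 'systemctl %s %s\n' "$1" "$2"
}

# Validates first, then executes with a fixed argv (no eval, no re-parsing).
run_request() {
    build_command "$@" >/dev/null || {
        echo "rejected request" >&2
        return 2
    }
    # Pin PATH so a caller-controlled environment cannot swap the binary.
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    systemctl "$1" "$2"
}

# With no arguments the file only defines its functions.
if [ "$#" -gt 0 ]; then
    run_request "$@"
    exit $?
fi
```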