
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



On Tue, Dec 24, 2013 at 2:42 AM, Gilles Mocellin
<gilles.mocellin@nuagelibre.org> wrote:
> On 23/12/2013 15:30, Raffaele Morelli wrote:
>
> 2013/12/14 Lukasz Szybalski <szybalski@gmail.com>
>>>
>>>
>> [...]
>
>
> root should not own files served by apache for any reason, that's really
> "dangerous"!
> you should never do that...
>
>
> Excuse me, but I think you're wrong.

uhm, ...

> The only reason I see where a file served by a web server must not be root
> is if it's suid and the web server has the rights to write to it (by the
> group membership).

In the ideal situation where you can't write from one path and execute
from another.

> As a security measure, I preach the opposite: all files are root
> (or another user, not used by the web server).

Let's cancel "root or" from that sentence.

A little thought and time will produce that "another user" that is preferred.

Making purpose-specific users is cheap, much cheaper than cleaning up.

> For the directories and files that have to be modified by the application
> and so by the web server, I use a group membership (www-data) with write
> privileges for the group.

Purpose-specific groups are also cheap. (Which is one of the reasons I
go with the "every user has its own group" concept.)

> Like this, if someone finds a hole in the web app, it can make it execute
> something with the user running the web server, and cannot write to the
> files served by the web server (except those specified above, using the
> group www-data).
> And so, it cannot modify application files (php scripts...) and make it do
> what they want (send spam, propagate...).

Except there are other paths in that you aren't seeing, or, if you
have them closed, you need to explain that when you suggest ownership
by root as an option.

(And I'd still say it's just cheaper in the long run to leave as
little owned by root as possible.)

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.
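The layout argued over in this thread (application files read-only for the web server, only designated directories group-writable by the web server's group) is easy to drift away from. The script below, added here and not from any participant, walks a document root and reports anything the web server could write to outside an allow-list of intended writable directories; it assumes GNU findutils (for `-printf`), and the group name and paths are whatever you pass in.

```shell
#!/bin/sh
# audit_docroot DOCROOT WEBGROUP [ALLOWED_DIR ...]
# Reports, one per line, "<why> <mode> <owner>:<group> <path>" for every
# file or directory under DOCROOT that the web server could modify:
#   world-writable  - always wrong, wherever it lives
#   group-writable  - wrong when the group is WEBGROUP and the path is
#                     not inside one of the ALLOWED_DIR upload/cache dirs
# Returns 0 when nothing is reported, 1 otherwise. Requires GNU find.
audit_docroot() {
    docroot=$1; webgroup=$2; shift 2
    report=$(
        # -perm -0002: other-write bit set; -perm -0020: group-write bit set
        find "$docroot" \( -type f -o -type d \) \
             \( -perm -0002 -o -perm -0020 \) -printf '%m %u %g %p\n' | sort |
        while read -r mode owner group path; do
            # Octal mode ends in 2,3,6,7 when the world-write bit is set.
            case $mode in
                *[2367]) echo "world-writable $mode $owner:$group $path"; continue ;;
            esac
            # Group-writable by some other group is not the web server's problem.
            [ "$group" = "$webgroup" ] || continue
            skip=0
            for dir in "$@"; do
                case $path in "$dir"|"$dir"/*) skip=1 ;; esac
            done
            [ $skip -eq 0 ] && echo "group-writable $mode $owner:$group $path"
        done
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Example invocation (constructed paths): audit_docroot /var/www/example www-data /var/www/example/uploads
```

Run it from cron and alert on a non-zero exit; a newly group-writable PHP file outside the upload directory is exactly the change an attacker with the www-data account would need.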

