Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour

2013/12/24 Bob Proulx <bob@proulx.com>
> Raffaele Morelli wrote:
> > Lukasz Szybalski wrote:
> > > Thanks for the feedback. I did check with other production sites I run,
> > > and most of them are owned by root. I have to test to see "if you want to
> > > use the "wordpress" to upload a theme using the site UI", I think you might
> > > be forced to have the www-data own and being able to write to theme folder.
> > > If you don't you would have to sftp the theme there and unzip it manually.
> >
> > root should not own files served by apache for any reason, that's really
> > "dangerous"!
>
> No.  Files owned by root and served by Apache are not dangerous.
>
> What is dangerous are files owned by the Apache process user www-data,
> writable by www-data, and then potentially written using an attack
> against the web server code base.  But some projects require that just
> the same regardless of the danger.
>
> > you should never do that...
>
> You should always do this.  :-)

Read the Apache webserver documentation.

> There is no problem whatsoever with files being owned by root.  This
> is done all of the time.  It is okay.  This is the default for files
> installed by Debian packages for example.
>
> If you truly believe that files owned by root are a problem then
> please start filing bug reports because there are a lot of packages
> with files owned by root.

You are quite wrong here: "Debian packages" (what are you referring to?) are not PHP scripts supposed to go online and be exposed to the world.

Keep in mind that if a php script is owned by root user and there's a security hole in it, an attacker can easily access every block of your file system.

Web pages are supposed to run with the same privileges and (limited) shell as the user who runs the webserver.

Please don't spread confusion, and read about security stuff.

/r
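The practical check behind the disagreement above is not "who owns the file" but "can the Apache process user modify it". The following script is an added example and is not code from the thread or from Debian; it audits a document root for files that are group- or world-writable or owned by the web-server user (www-data on Debian, as stated in the thread), while leaving root-owned 0644 files alone. The WordPress-style paths, the temporary sample tree and the `wp-content/uploads` allow-list are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a document root for files
# the web-server user could modify: group- or world-writable files, or files
# owned by the Apache process user (www-data on Debian, as in the thread).
# Root-owned 0644 files are deliberately NOT reported: Apache only needs to
# read them, and a hole in PHP code cannot rewrite them.
#
# usage: audit_writable DOCROOT WEBUSER [ALLOWED_SUBDIR]
# ALLOWED_SUBDIR (e.g. wp-content/uploads) is a directory that is expected
# to be writable by the web user and is pruned from the report.
audit_writable() {
    dir=$1
    webuser=$2
    allowed=${3:-}

    # Only test ownership when the account exists on this host; on a dev box
    # without a www-data user we fall back to mode bits alone.
    if id "$webuser" >/dev/null 2>&1; then
        owner_test="-o -user $webuser"
    else
        owner_test=""
    fi

    # $owner_test is intentionally unquoted so it splits into find arguments.
    if [ -n "$allowed" ]; then
        find "$dir" -path "$dir/$allowed" -prune -o -type f \
            \( -perm -o=w -o -perm -g=w $owner_test \) -print | sort
    else
        find "$dir" -type f \
            \( -perm -o=w -o -perm -g=w $owner_test \) -print | sort
    fi
}

# Constructed sample tree (hypothetical WordPress layout) in a temp dir so
# the audit can be run without touching a real /var/www.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes" "$root/wp-content/uploads"

    printf '<?php echo "ok";\n' > "$root/index.php"
    chmod 0644 "$root/index.php"                        # read-only for the web user: fine

    printf '<?php\n' > "$root/wp-content/themes/functions.php"
    chmod 0664 "$root/wp-content/themes/functions.php"  # group-writable code: reported

    : > "$root/wp-content/uploads/avatar.png"
    chmod 0666 "$root/wp-content/uploads/avatar.png"    # world-writable, but in uploads/

    echo "$root"
}

# Stand-alone run: report everything, then again with uploads/ allowed.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample)
    echo "== all writable files =="
    audit_writable "$sample" www-data
    echo "== excluding wp-content/uploads =="
    audit_writable "$sample" www-data wp-content/uploads
    rm -rf "$sample"
fi
```

On a real host run it as root against the live tree, for example `audit_writable /var/www/html www-data wp-content/uploads`; anything it prints outside the allowed directory is a file that a compromised PHP script could overwrite. The script only reports; the usual remediation is to chown code files to root, chmod them 0644, and restrict www-data write access to the specific upload or cache directories the application genuinely needs.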
