
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour




On 12/24/2013 04:37 AM, Reco wrote:
>  Hi.
> 
> On Tue, 24 Dec 2013 09:59:39 +0100
> Raffaele Morelli <raffaele.morelli@gmail.com> wrote:
>> Yes, I missed this point.
>>
>> BTW, as I don't want to rewrite someone else system security rules, let's
>> say that: MY best practice is to have www-data or any other NON-root user
>> as the scripts owner.
> 
> So, basically you're allowing any php script to rewrite any php script
> with arbitrary contents. An interesting policy, to say the least.
> 
> Reco
> 

I'll say this much: there's nothing wrong with setting a non-root user
as owner, provided www-data (or whoever apache/php runs as) can't write
to the file(s).  I've seen and done it before.

While a good discussion can be had about root vs alt-user ownership,
let's not lose sight of the main point here: Don't let the process
*serving* the files have *write* access to them unless absolutely
necessary.

I've helped someone clean up a compromised install where .htaccess was
edited.  It was a php script vulnerability in an extremely out-of-date
Wordpress install that let the attacker redirect any 404s to a
drive-by-download site. Had .htaccess been owned by someone else, this
type of attack wouldn't have been possible. Had the directories been
owned by someone else, the attackers also wouldn't be able to add their
own scripts/files either.

Of course, all that alternate-owner stuff assumes the group www-data
only has read access. If you give the group write access, it really
doesn't matter much who the owner is. :)

Generally, I only let www-data have write access to temp and/or upload
directories if the CMS requires it.  On the self-updating CMSes, I have
a simple script to change the permissions to www-data for the
update/upgrades, then another to change them back (usually to root)
afterwards.  Minor inconvenience, but still way easier than manual
upgrades. :)

- PaulNM
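
The lock/unlock scripts and the "www-data only has read access" check described in the post above, written out as an added example (not Paul's script or anything from the thread). The web root path, the `uploads`/`tmp` whitelist and the `www-data` defaults are assumptions; run it as root on a real web root, since chown to another owner needs it.

```shell
#!/bin/sh
# Lock a web root so the serving account (www-data) can only read it, except
# for a few directories the CMS must write to, and audit for anything the
# serving group could still modify. Paths/names are assumptions for the example.

# Directories (relative to the web root) where the CMS legitimately needs write
# access, e.g. upload and temp dirs. Everything else stays read-only for the group.
WRITABLE_DIRS="${WRITABLE_DIRS:-uploads tmp}"

# lock_webroot ROOT OWNER GROUP: the normal state. OWNER (root) holds write,
# GROUP (www-data) gets read/traverse only; WRITABLE_DIRS additionally get group write.
lock_webroot() {
    root=$1; owner=$2; group=$3
    chown -R "$owner:$group" "$root"
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    for d in $WRITABLE_DIRS; do
        if [ -d "$root/$d" ]; then chmod -R g+w "$root/$d"; fi
    done
}

# unlock_webroot ROOT GROUP: temporarily give the serving group write access to
# the whole tree so a self-updating CMS can upgrade itself. Re-run lock_webroot after.
unlock_webroot() {
    root=$1; group=$2
    chgrp -R "$group" "$root"
    chmod -R g+w "$root"
}

# audit_writable ROOT GROUP: print every path outside WRITABLE_DIRS that GROUP
# (or everyone) can write. Empty output means the serving process cannot
# modify scripts, .htaccess or directories, which is the point of the whole setup.
audit_writable() {
    root=$1; group=$2
    set --                       # build "-path DIR -prune -o" for each whitelisted dir
    for d in $WRITABLE_DIRS; do
        set -- "$@" -path "$root/$d" -prune -o
    done
    find "$root" "$@" \( -group "$group" -perm -020 -o -perm -002 \) -print
}

# Command-line use: ./webperms.sh lock|unlock|audit /var/www/site [owner] [group]
case "${1:-}" in
    lock)   lock_webroot "$2" "${3:-root}" "${4:-www-data}" ;;
    unlock) unlock_webroot "$2" "${3:-www-data}" ;;
    audit)  audit_writable "$2" "${3:-www-data}" ;;
    *)      ;;
esac
```

Running `audit` from cron after every upgrade is a cheap way to catch a forgotten `unlock` or a CMS that quietly loosened its own permissions.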



