
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



2013/12/24 PaulNM <debian@paulscrap.com>


On 12/24/2013 04:37 AM, Reco wrote:
>  Hi.
>
> On Tue, 24 Dec 2013 09:59:39 +0100
> Raffaele Morelli <raffaele.morelli@gmail.com> wrote:
>> Yes, I missed this point.
>>
>> BTW, as I don't want to rewrite someone else's system security rules, let's
>> say that: MY best practice is to have www-data or any other NON-root user
>> as the scripts' owner.
>
> So, basically you're allowing any php script to rewrite any php script
> with an arbitrary contents. An interesting policy, to say the least.
>
> Reco
>

I'll say this much, there's nothing wrong with setting a non-root user
as owner, provided www-data (or whoever apache/php runs as) can't write
to the file(s).  I've seen and done it before.

While a good discussion can be had about root vs alt-user ownership,
let's not lose sight of the main point here: Don't let the process
*serving* the files have *write* access to them unless absolutely
necessary.

The main point was that an attacker wrote a PHP script in the OP's (WordPress? Joomla?) theme folder and used this script to access the sendmail executable (I wonder about the ownership of those files/folders: root? www-data?).

It's a matter of who is allowed to do what on a dir/file basis.
Someone should explain why it's safe to use root as the owner of PHP scripts instead of an unprivileged user (with no write permission on dirs/files).

Shared host and CMS security tips at https://drupal.org/node/244924

/r
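The thread's rule ("who is allowed to do what on a dir/file basis", and the serving process must not be able to write what it serves) is easy to state and easy to get wrong once a theme directory ends up group- or world-writable. The script below is an added example, not code from anyone in this thread: it walks a document root and applies the Unix owner/group/other write-bit rules for a given uid/gid (the account Apache/PHP runs as), reporting every file and directory that account could modify. The sample tree, the "deploy" account (the current user) and the web-server uid/gid it emulates are all constructed for the demonstration; run it against a real docroot with the real `www-data` uid/gid instead.

```python
#!/usr/bin/env python3
"""Audit a web document root for paths the web server account could write.

Added example, not code from the debian-user thread.  It walks DOCROOT and,
for a given uid/gid (the account Apache/PHP runs as, typically www-data),
applies the Unix owner/group/other write-bit rules to every file and
directory, reporting everything that account could modify.  Directories
matter as much as files: a writable theme or uploads directory is what lets
a new .php file be dropped next to the legitimate ones.
"""
import os
import shutil
import stat
import tempfile


def writable_by(st: os.stat_result, uid: int, gid: int) -> bool:
    """True if a process with this uid/gid could write the inode.

    Classic DAC rules only: root always can; the owner is judged by the
    owner bits alone (group/other bits never apply to the owner); otherwise
    the group bits if the gid matches, else the 'other' bits.  Supplementary
    groups, POSIX ACLs, immutable flags and MAC (AppArmor) are not modelled.
    """
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_docroot(docroot: str, uid: int, gid: int):
    """Return sorted (relative_path, kind) pairs the uid/gid could write to.

    Symlinks are skipped (lstat, not stat) so a link pointing into /tmp is
    not reported as a writable file inside the docroot.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        entries = [(dirpath, "dir")]
        entries += [(os.path.join(dirpath, f), "file") for f in filenames]
        for path, kind in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st, uid, gid):
                findings.append((os.path.relpath(path, docroot), kind))
    return sorted(findings)


def build_sample_docroot() -> str:
    """Construct a throwaway CMS-like tree (sample data, not a real site).

    Everything is owned by the current user, who plays the 'deploy' account;
    the web server account is emulated in run_demo() with a different uid/gid.
    """
    base = tempfile.mkdtemp(prefix="docroot-")
    layout = {
        # path relative to docroot              : (kind, mode)
        "index.php":                            ("file", 0o644),
        "wp-config.php":                        ("file", 0o640),
        "wp-content":                           ("dir",  0o755),
        "wp-content/themes":                    ("dir",  0o755),
        "wp-content/themes/demo":               ("dir",  0o775),  # group-writable dir
        "wp-content/themes/demo/functions.php": ("file", 0o664),  # group-writable file
        "wp-content/uploads":                   ("dir",  0o777),  # world-writable dir
        "wp-content/uploads/note.txt":          ("file", 0o666),  # world-writable file
    }
    for rel, (kind, mode) in layout.items():
        path = os.path.join(base, rel)
        if kind == "dir":
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, "w") as fh:
                fh.write("<?php // sample\n")
        os.chmod(path, mode)  # explicit chmod so the umask cannot interfere
    return base


def run_demo() -> dict:
    """Audit the sample tree under three emulated web-server identities."""
    docroot = build_sample_docroot()
    try:
        deploy_uid, deploy_gid = os.getuid(), os.getgid()
        # Hypothetical web-server uid/gid: anything that is not the deploy account.
        web_uid, web_gid = deploy_uid + 1, deploy_gid + 1
        return {
            # Files owned by deploy, web user in its own group:
            # only the world-writable paths are exposed.
            "separate_group": audit_docroot(docroot, web_uid, web_gid),
            # Web user placed in the deploy group (a common convenience):
            # every group-writable path is exposed as well.
            "shared_group": audit_docroot(docroot, web_uid, deploy_gid),
            # PHP running as root could rewrite everything, including the docroot.
            "as_root": audit_docroot(docroot, 0, 0),
        }
    finally:
        shutil.rmtree(docroot)


if __name__ == "__main__":
    for scenario, paths in run_demo().items():
        print(f"{scenario}:")
        for rel, kind in paths:
            print(f"  writable {kind}: {rel}")
```

The "shared_group" scenario is the one worth staring at: it is exactly the setup where files are owned by a non-root deploy user but the web server shares that user's group, and a single `g+w` on a theme directory is enough for a new script to appear there. Fixing a finding is the usual `chown deploy:deploy` plus `chmod 755` on directories and `644` (or `640`) on files, leaving write access to the web account only where the application genuinely needs it (an uploads tree, which should then have PHP execution disabled in the web server configuration).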
