
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



On Tue, 24 Dec 2013 14:32:58 +0100
Raffaele Morelli <raffaele.morelli@gmail.com> wrote:

> The main point was that an attacker wrote a PHP script in the OP's
> (WordPress? Joomla?) theme folder and used this script to access the sendmail
> executable (I wonder about the ownership of those files/folders: root? www-data?).

Directory's owner is www-data, according to OP's mail. See:

http://lists.debian.org/debian-user/2013/12/msg00806.html

And note that the attacker could rewrite any PHP file there just as well.


> It's a matter of who is allowed to do what on a dir/file basis.
> Someone should explain why it's safe using root as the owner of php scripts
> instead of an unprivileged user (with no write permission on dir/files).

You have a root account on every OS that counts. And if it does not
have a root account it's a toy OS anyway.
Using an account other than www-data requires either:

a) Creating such an account.

b) Using some account that is used to run other daemons in this OS.
And allowing such a daemon to overwrite PHP files is a potential security
hole by itself.

So, PHP files owned by root are a convenience, nothing more.

Reco
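
The ownership question discussed in this message can be checked directly. The shell function below is an added example, not part of the original message: it lists files and directories under a web root that a given account could modify. The function name `audit_webroot` and the path `/var/www` are assumptions.

```shell
#!/bin/sh
# Added example: report paths under a web root that a given account can modify.
# audit_webroot is a hypothetical helper name; /var/www below is an assumed path.
# Usage: audit_webroot <webroot> [user-or-uid]   (user defaults to www-data)
audit_webroot() {
    root=$1
    user=${2:-www-data}

    # 1. Files and directories owned by the account with the owner-write bit set.
    #    A writable directory lets the account replace files inside it, even
    #    files it cannot write to directly.
    find "$root" -xdev \( -type f -o -type d \) -user "$user" -perm -200 |
        sed 's|^|owner-writable: |'

    # 2. Group-writable paths whose group is one the account belongs to.
    gids=$(id -G "$user" 2>/dev/null) || gids=""
    for gid in $gids; do
        find "$root" -xdev \( -type f -o -type d \) -group "$gid" -perm -020 |
            sed 's|^|group-writable: |'
    done

    # 3. World-writable paths, modifiable by any local account.
    find "$root" -xdev \( -type f -o -type d \) -perm -002 |
        sed 's|^|world-writable: |'
}

# Example invocation on a Debian host (prints nothing when the tree is
# read-only for the web server account):
#   audit_webroot /var/www www-data
```

Any line of output is a path the web server account could overwrite or, for a directory, populate with new files.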

