Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour

2013/12/24 Reco <recoverym4n@gmail.com>
On Tue, 24 Dec 2013 14:32:58 +0100
Raffaele Morelli <raffaele.morelli@gmail.com> wrote:

> The main point was that an attacker wrote a php script in the OP's
> (wordpress? joomla?) theme folder and used this script to access the sendmail
> executable (I wonder about the ownership of those files/folders: root? www-data?).

Directory's owner is www-data, according to OP's mail. See:

http://lists.debian.org/debian-user/2013/12/msg00806.html

And note that the attacker could rewrite any php file there just as well.

So ownership by root does matter?

> It's a matter of who is allowed to do what on a dir/file basis.
> Someone should explain why it's safe using root as the owner of php scripts
> instead of an unprivileged user (with no write permission on dir/files).

You have a root account on every OS that counts. And if it does not
have a root account it's a toy OS anyway.

So your policy is to use the root account for every task? Pure Redmond style :-)

Using an account other than www-data requires either:

a) Creating such account.

b) Using some account that is used to run other daemons in this OS.
And allowing such a daemon to overwrite php files is a potential security
hole in itself.

And again, does ownership by root matter when the script is running as the apache user?


So, php files owned by root are convenience, nothing more.

...and it's not worth doing to keep things in their place/context.

/r
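An added example, not code posted by either participant in this thread, that makes the ownership question concrete: it lists which PHP files and which directories under a web root the web-server account could modify, then applies the layout being argued for (scripts owned by an account other than the web server's, read-only for it, with only named upload directories writable). The account name www-data, the owner root:www-data and the paths such as wp-content/uploads are assumptions, not taken from the original report.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any of its participants.
# It audits a web root for PHP files and directories that the web-server
# account could modify, then applies the layout the thread is arguing about:
# scripts owned by a non-web account, read-only for the web server, with only
# the named upload directories writable.
# Assumptions: the web server runs as www-data (Debian default) and the paths
# used here (wp-content/uploads, etc.) are illustrative.

# List PHP files under $1 that account $2 (default www-data) could modify:
# files owned by that account, or group-/world-writable files. If $2 is not
# a known account on this machine, only the permission-bit checks run.
audit_php_files() {
    root="$1"; user="${2:-www-data}"
    if id "$user" >/dev/null 2>&1; then
        find "$root" -type f -name '*.php' \
            \( -user "$user" -o -perm -020 -o -perm -002 \)
    else
        find "$root" -type f -name '*.php' \( -perm -020 -o -perm -002 \)
    fi
}

# List directories under $1 that account $2 could write to. A writable
# directory is what lets an attacker drop a new PHP script into a theme
# folder, and it also allows replacing a root-owned file by unlinking it
# and creating a new one (unless the sticky bit is set).
audit_writable_dirs() {
    root="$1"; user="${2:-www-data}"
    if id "$user" >/dev/null 2>&1; then
        find "$root" -type d \( -user "$user" -o -perm -020 -o -perm -002 \)
    else
        find "$root" -type d \( -perm -020 -o -perm -002 \)
    fi
}

# Apply the read-only layout to $1: ownership $2 (default root:www-data, so
# the web server reads via its group), directories 0750, files 0640, then
# re-open each remaining argument (relative to $1) as 0770 for uploads.
# chown needs root; when run unprivileged, ownership is left as it is.
harden_webroot() {
    root="$1"; owner="${2:-root:www-data}"
    shift; if [ $# -gt 0 ]; then shift; fi
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$root" || echo "harden_webroot: chown $owner failed" >&2
    else
        echo "harden_webroot: not root, ownership of $root left unchanged" >&2
    fi
    find "$root" -type d -exec chmod 0750 {} +
    find "$root" -type f -exec chmod 0640 {} +
    for d in "$@"; do
        if [ -d "$root/$d" ]; then chmod 0770 "$root/$d"; fi
    done
}

# Usage (paths assumed):
#   audit_php_files /var/www/site www-data
#   audit_writable_dirs /var/www/site www-data
#   harden_webroot /var/www/site root:www-data wp-content/uploads
```

The point the audit makes visible: the PHP process runs as www-data, so it can only alter files and directories that www-data can write. With scripts owned by root and mode 0640, a compromised PHP process can read and execute them but not rewrite them; with the theme folder owned by www-data, it can both rewrite existing scripts and create new ones. The second function matters as much as the first, because a directory writable by www-data lets it replace a root-owned file by unlinking it and recreating it, so limiting write access to the upload directories is what actually keeps the code read-only.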