
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



2013/12/24 Reco <recoverym4n@gmail.com>
 Hi.

On Tue, 24 Dec 2013 15:40:39 +0100
Raffaele Morelli <raffaele.morelli@gmail.com> wrote:

> 2013/12/24 Reco <recoverym4n@gmail.com>
>
> > On Tue, 24 Dec 2013 14:32:58 +0100
> > Raffaele Morelli <raffaele.morelli@gmail.com> wrote:
> >
> > > The main point was that an attacker wrote a php script in the OP
> > > (wordpress? joomla?) theme folder and used this script to access sendmail
> > > executable (I wonder those file/folder ownership, root? www-data?).
> >
> > Directory's owner is www-data, according to OP's mail. See:
> >
> > http://lists.debian.org/debian-user/2013/12/msg00806.html
> >
> > And note that attacker could rewrite any php file there just as well.
> >
>
> So ownership to root does matter?

Which ownership are you talking about?
Had the directory in question been owned by root, the attacker could not
create their own files.
Had the php files in question been owned by root, the attacker could not
overwrite existing files.
Now, if there were some php script run as root, that would be
trouble.

The point is that you should use chmod instead.
 

> > > It's a matter of who is allowed to do what on a dir/file basis.
> > > Someone should explain why it's safe using root as the owner of php scripts
> > > instead of an unprivileged user (with no write permission on dir/files).
> >
> > You have a root account on every OS that counts. And if it does not
> > have a root account it's a toy OS anyway.
> >
>
> so your policy is to use root account for every task? Pure redmond style :-)

No, my policy is to change file and its group to root if I want to
prevent something writing into it. It's a big difference from running
everything under root, which is Redmond-style indeed.

chmod is your friend. 



> > Using account other than www-data requires either:
> >
> > a) Creating such account.
> >
> > b) Using some account that is used to run other daemons in this OS.
> > And allowing such daemon overwrite php files is a potential security
> > hole by itself.
> >
>
> and again, does ownership to root matter when the script is running as
> apache user?

Let me explain my point one more time:

Apache user is unable to write into file. Whether the file is owned by
root or user-created account is irrelevant.
Apache user is unable to make files in a directory. Whether the
directory is owned by root or user-created account is irrelevant.
One does not have to create root, it's already there.
One has to create user-created account.

Are you kidding? Apache writes and creates everything you want if directory/file permissions are designed for it and that is what you want.
 
> > So, php files owned by root are convenience, nothing more.
> >
>
> ...and it's not what is worth to do to keep things in their place/context.

That's one way of doin' it. Now, to rely on poorly-implemented
'security' features of PHP - that's something really not worth doing.

That's absolutely your point of view; a wise and skilled developer does everything safely, a poor-minded one simply does not.

/r
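
As an added example (not part of the thread): a shell function that lists what the www-data account could modify under a document root, which is the question the ownership-versus-mode exchange above turns on. The function name, its output labels and the default group are assumptions made for this example.

```shell
#!/bin/sh
# audit_webroot DOCROOT [USER] [GROUP]
# Prints "<reason><TAB><path>" for every path under DOCROOT that the web
# server account can modify. USER/GROUP may be names or numeric ids and
# default to www-data (the account named in the thread).
# Assumption: only the account's primary group is considered, not
# supplementary groups or ACLs.
audit_webroot() {
    root=$1
    user=${2:-www-data}
    group=${3:-www-data}

    # Owned by the account: even when the mode is currently read-only,
    # the owner can chmod the path and regain write access.
    find "$root" ! -type l -user "$user" \
        -exec printf 'owned\t%s\n' {} +

    # Not owned by the account, but its group has the write bit set.
    find "$root" ! -type l ! -user "$user" -group "$group" -perm -0020 \
        -exec printf 'group-writable\t%s\n' {} +

    # Neither owner nor group matches, so the "other" bits apply.
    find "$root" ! -type l ! -user "$user" ! -group "$group" -perm -0002 \
        -exec printf 'world-writable\t%s\n' {} +
}
```

Called as `audit_webroot DOCROOT` with enough privilege to read the whole tree, empty output means the account can neither create nor overwrite anything there; directories in the output are places where new files can be dropped.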


Reply to: