
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



On Tue, 24 Dec 2013 16:37:45 +0100
Raffaele Morelli <raffaele.morelli@gmail.com> wrote:

> > > So ownership to root does matter?
> >
> > Which ownership are you talking about?
> > Had the directory in question been owned by root, the attacker could
> > not create their own files.
> > Had the php files in question been owned by root, the attacker could
> > not overwrite existing files.
> > Now, if there was some php script run as root, now that would be
> > trouble.
> 
> 
> The point is that you should use chmod instead.

Whatever was chmod'ed, the owner of the file or directory can chmod
back. And sure enough, php has a chmod wrapper.


> > No, my policy is to change a file and its group to root if I want to
> > prevent something writing into it. It's a big difference from running
> > everything under root, which is Redmond-style indeed.
> 
> 
> chmod is your friend.

I prefer chown, just to be sure. And if I want to be absolutely sure, I
use 'chattr +i'.


> > > Using account other than www-data requires either:
> > > >
> > > > a) Creating such account.
> > > >
> > > > b) Using some account that is used to run other daemons in this OS.
> > > > And allowing such a daemon to overwrite php files is a potential
> > > > security hole by itself.
> > > >
> > >
> > > and again, does ownership to root matter when the script is running as
> > > apache user?
> >
> > Let me explain my point one more time:
> >
> > Apache user is unable to write into a file. Whether the file is owned
> > by root or a user-created account is irrelevant.
> > Apache user is unable to make files in a directory. Whether the
> > directory is owned by root or a user-created account is irrelevant.
> > One does not have to create root, it's already there.
> > One has to create a user-created account.
> >
> 
> Are you kidding? Apache writes and creates everything you want if
> directory/file permissions are designed for it and that is what you want.

And why would I want to design file and directory permissions in such a
way? If the needed usage of a certain php script does not require creating
or modifying files, I'll just chown the appropriate files and directories
to root just to be sure that improper usage of such a script would
not cause trouble.
Given the security record of PHP, the last thing that I usually want
is to rely on a certain PHP script being written in a sane way.


> > > > So, php files owned by root are convenience, nothing more.
> > > >
> > >
> > > ...and it's not what is worth to do to keep things in their
> > > place/context.
> >
> > That's one way of doin' it. Now, to rely on poorly-implemented
> > 'security' features of PHP - that's something really not worth doing.
> 
> 
> That's absolutely your point of view, a wise and skilled developer does
> everything safe, a poor minded simply does not.

Sadly, the 'wise and skilled' label cannot be applied to a majority of
developers writing something in PHP. Or any Web developer for that
matter. Of course, you might be an exception.

Reco
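
Added example, not part of the message above or of the thread: a POSIX shell
audit of the point argued here, that mode bits alone do not protect a file
whose owner is the web server account, since the owner can chmod it back.
The function name audit_webroot and the /var/www path in the usage line are
assumptions.

```shell
#!/bin/sh
# Added example: list what a web server account could modify under a docroot.
# audit_webroot, /var/www and www-data in the usage line are illustrative.

audit_webroot() {
    root=$1
    user=$2   # account name or numeric uid

    # 1. Anything the account owns. The mode is irrelevant here: a file set
    #    to 0444 is still reported, because its owner can chmod it back.
    find "$root" ! -type l -user "$user" -print | sed 's/^/OWNED    /'

    # 2. Not owned by the account, but writable through "other" or through
    #    a group the account belongs to.
    set -- -perm -0002
    for gid in $(id -G "$user" 2>/dev/null); do
        set -- "$@" -o \( -group "$gid" -perm -0020 \)
    done
    find "$root" ! -type l ! -user "$user" \( "$@" \) -print |
        sed 's/^/WRITABLE /'
}

# Usage: sh audit.sh /var/www www-data
if [ "$#" -ge 2 ]; then
    audit_webroot "$1" "$2"
fi
```

Symbolic links are skipped, and the immutable flag set by 'chattr +i' is not
inspected; lsattr shows it.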

