
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



On Mon, 23 Dec 2013 18:42:24 +0100, Gilles Mocellin wrote:

> On 23/12/2013 15:30, Raffaele Morelli wrote:
>> 2013/12/14 Lukasz Szybalski <szybalski@gmail.com>
>>
>>
>>     [...]
>>
>>
>> root should not own files served by apache for any reason, that's
>> really "dangerous"!
>> you should never do that...
> 
> Excuse me, but I think you're wrong.
> The only reason I see where a file served by a web server must not be
> root is if it's suid and the web server has the rights to write to it
> (by the group membership).
> 
> As a security measure, I preach the opposite: all files are root (or
> another user, not used by the web server).
> For the directories and files that have to be modified by the
> application and so by the web server, I use a group membership
> (www-data) with write privileges for the group.
> 
> Like this, if someone finds a hole in the web app, it can make it execute
> something with the user running the web server, and cannot write to the
> files served by the web server (except those specified above, using the
> group www-data).
> And so, it cannot modify application files (php scripts...) and make it
> do what they want (send spam, propagate...).
> 


This is a long-standing 'hot' topic, it is even a legendary page on the
apache web site ...

Basically you're both right. On the one hand if a file is owned by root
it cannot be easily overwritten if it is to be accessed from another
process, on the other hand if the process running as root gets
compromised you're a looong way from home.

It is a best practice, by default, in Debian to not run a web-server as a 
privileged user. As such any compromise will execute code as this user, 
which might as well be privilege escalation code but it's a barrier of 
some kind to start with.

What you'd need is a wheel group and setfacl and getfacl for fine-grained
access control. Personally I always set files to the least possible
privilege and if I can block world from one or more of rwxs I will.
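
An audit of the ownership scheme discussed in this thread, as an added example that is not part of the original messages. The names audit_docroot and tag and the finding labels are made up for illustration; www-data is the server account named in the thread.

```shell
#!/bin/sh
# Audit a document root against the scheme described in the thread:
# content owned by root (or any non-server account), group write for the
# server's group only where the application must write, nothing for world.
# Only owner/group/mode bits are read; POSIX ACLs (getfacl) are not.

# Prefix each path read from stdin with a finding label and a tab.
# Paths containing newlines are not supported.
tag() {
    while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done
}

# audit_docroot DIR WEB_USER WEB_GROUP   (names or numeric ids)
audit_docroot() {
    dir=$1 web_user=$2 web_group=$3

    # Owned by the server account: code running as that account can
    # rewrite the file or chmod it, whatever the current mode bits say.
    find "$dir" -user "$web_user" | tag OWNED_BY_WEB_USER

    # Writable by everyone, which includes the server account.
    find "$dir" ! -type l -perm -0002 | tag WORLD_WRITABLE

    # Writable through the server's group: the intended exceptions
    # (upload or cache directories). Review that the list is short.
    find "$dir" ! -type l -group "$web_group" -perm -0020 | tag GROUP_WRITABLE

    # The exception named in the quoted message: a setuid file that the
    # server can write to through its group.
    find "$dir" -type f -group "$web_group" -perm -4020 | tag SETUID_GROUP_WRITABLE
}

# Stand-alone use: audit.sh /var/www [user] [group]
if [ "$#" -ge 1 ]; then
    audit_docroot "$1" "${2:-www-data}" "${3:-www-data}"
fi
```

An empty result for everything except a short GROUP_WRITABLE list means the tree matches the layout Gilles describes.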



