
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



2013/12/24 Jerry Stuckle <jstuckle@attglobal.net>
On 12/24/2013 10:37 AM, Raffaele Morelli wrote:
<snip>


Are you kidding? Apache writes and creates everything you want if
directory/file permissions are designed for it, and that is what you want.


Incorrect.  Apache writes or creates NOTHING.  The web server user can create and write files from a script, but it is not Apache doing it.

Do we have to use strict jargon? Of course it's not Apache but the httpd process; that is what the whole thread is referring to.
 

I agree with the others.  User-created files should never be owned by root.  On my servers, files are owned by the person doing the uploading (which is NOT www-data) and are accessed read-only by group permissions (with www-data being a member of the group).

On local systems, files are owned by the user creating the files (again, not www-data), and accessed via the group.

Again, the www-data user can safely be the owner of everything in the webroot. Just think of phpMyAdmin: there's nothing unsafe in www-data being the owner because it's an app. The same applies, e.g., to Drupal, where a user might be allowed to write his own module and be its owner while www-data has group r-x access.
 

Having user files owned by root means they can only be edited by root (unless you extend the group permissions - in which case www-data can also change the permissions).  And you should only use root when you need to change system configurations, update packages, etc.  Not for general user file editing.

Jerry
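The layout Jerry describes (content owned by the uploading user, group read-only, www-data only a member of the group) can be audited and applied with a small script. This is an added example, not code from the thread; the function names, the WEBROOT/WEB_USER variables and the 750/640 modes are assumptions of mine, and the stand-alone run is report-only.

```shell
#!/bin/sh
# Audit (and optionally apply) the webroot layout discussed above:
# content owned by a non-web account, group read-only, www-data in the group.
# Added example; WEBROOT, WEB_USER and the 750/640 modes are assumptions.

# List entries under $1 that the web server account could modify:
# anything group- or world-writable, plus anything owned by $2 (default www-data).
audit_webroot() {
    root=$1
    web_user=${2:-www-data}
    find "$root" \( -perm -g+w -o -perm -o+w \) -print
    # The ownership check only makes sense if that account exists on this host.
    if id "$web_user" >/dev/null 2>&1; then
        find "$root" -user "$web_user" -print
    fi
}

# Number of distinct findings (0 means the tree matches the read-only scheme).
count_findings() {
    audit_webroot "$1" "$2" | sort -u | wc -l | tr -d ' '
}

# Apply the scheme: owner = uploading user ($2), group = web group ($3),
# directories 750 (group r-x), files 640 (group r--). Needs root on a real
# webroot; CGI scripts that must stay executable need their x bit re-added.
harden_webroot() {
    root=$1; owner=$2; web_group=${3:-www-data}
    chown -R "$owner:$web_group" "$root"
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
}

# Stand-alone use (report only): WEBROOT=/var/www WEB_USER=www-data sh audit.sh
if [ -n "${WEBROOT:-}" ]; then
    n=$(count_findings "$WEBROOT" "${WEB_USER:-www-data}")
    echo "$n entries under $WEBROOT are writable by, or owned by, the web server account"
    audit_webroot "$WEBROOT" "${WEB_USER:-www-data}" | sort -u
fi
```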
 

