
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



On 12/31/2013 3:00 AM, Raffaele Morelli wrote:
> 2013/12/30 Bob Proulx <bob@proulx.com <mailto:bob@proulx.com>>
>
>     Raffaele Morelli wrote:
>      > Reco wrote:
>      > > Raffaele Morelli wrote:
> > > > The main point was that an attacker wrote a php script in the OP
>      > > > (wordpress? joomla?) theme folder and used this script to
>     access sendmail
>      > > > executable (I wonder those file/folder ownership, root?
>     www-data?).
>      > >
>      > > Directory's owner is www-data, according to OP's mail. See:
>      > >
>      > > http://lists.debian.org/debian-user/2013/12/msg00806.html
>      > >
>      > > And note that attacker could rewrite any php file where just as
>     well.
>      >
>      > So ownership to root does matter?
>
>     1) The exploit was because the file was NOT owned by root.  The
>     exploit was possible because the files were locally changed to the
>     www-data user and were therefore exploitable by the web process.
>
>
> The exploit was possible because that DIR had write permissions and a
> file was uploaded in it (not overwritten).
>

Which would not have occurred if the www-data user did not have write access to the directory.

>
>     2) The ownership of the files by root are safe.  The default owner is
>     root.  Files owned by root with the default permissions are not
>     writable by the web process.  Files in the default configuration are
>     not exploitable by that vulnerability which requires write access to
>     files in the DocumentRoot.  There is never a problem with web files
>     owned by the root user.
>

It also means only the root user can modify those files. It is a very bad idea to use the root user to do such mundane things. It is much better to have the files owned by a non-privileged user (not www-data), and provide read access to the web user.

I see having to use root to modify user files as a major problem.

>
> Quite wrong.
> Unless you are administering your own server with just you as user
> there's no problem in using root for everything.
> But if you have other users you should grant write permissions to the
> website document root for them to upload stuff and simply you can't let
> anyone other than you to access as root (would you?).
> Now, rwx permissions and unprivileged users exist for that, root
> ownership is absolutely not needed.
>

I see this as a huge problem, even on my own servers. It is way too easy to make a mistake that can destroy your system. Try rm -r . from the wrong directory, for instance. But then some people use root for everything.

>
> > > > It's a matter of who is allowed to do what on a dir/file basis.
>
>     Yes.  Full agreement.
>
> > > > Someone should explain why it's safe using root as the owner of
>      > > > php scripts instead of an unprivileged user (with no write
>      > > > permission on dir/files).
>
>     Actually either would be okay.  As long as the non-privileged user is
>     NOT the www-data user.  As long as file permissions prevent the
>     www-data from being able to write to the DocumentRoot.
>

As noted above, I do not agree it is OK.

> > > You have a root account on every OS that counts. And if it does not
>      > > have a root account it's a toy OS anyway.
>      >
>      > so your policy is to use root account for every task? Pure
>     redmond style :-)
>
>     I know you are joking but it is impossible to administer a system
>     without the root account.  And by administer I mean use apt-get,
>     aptitude or dpkg to install, remove, configure packages.  Does that
> make Unix-like systems the same as Redmond style systems? No. Not by
>     a lot.  Please do not say that because all of /usr/bin and /bin are
>     owned by root that the user must be root to use them!
>

Yes, and root should ONLY be used for system administration, not editing user files.

>
> You are going far by misrepresenting, in the joke it's quite clear what
> I mean, security it's not a matter of doing everything as root, unless
> you want to restyle *nix user/group architecture.
>

Quite frankly, I don't see the joke as a misrepresentation. It seems to me also that is what you are suggesting.

>
>      > Using account other than www-data requires either:
>      >
>      > > a) Creating such account.
>
>     Which creates lint when the package is removed and leaves the user
>     behind.
>

You already have at least one non-privileged user (unless you do everything in root, that is). All of my systems have at least one such user; that is the one which creates and edits those files.

And actually, while I do have a couple of sites with Drupal installed, the vast majority of my sites are NOT packages but pages I have created. Each site is owned by its own non-privileged user. If I move or dump a site, it's a simple matter to get rid of that user.

> > > b) Using some account that is used to run other daemons in this OS.
>      > > And allowing such daemon overwrite php files is a potential
>     security
>      > > hole by itself.
>
>     Full agreement.
>
>      > and again, does ownership to root matter when the script is
>     running as
>      > apache user?
>
>     Correct.  It does not matter.
>

It does matter.

>     This appears to be a basic and repeating misunderstanding.  The owner
>     of the file is NOT the same as the owner of the process running the
>     file.  They are completely different.  By default files are owned by
>     root but the process running the web server is the www-data account.
>
>     Bob
>
>

BTW - your quoting style is not consistent, making it difficult to see which are your comments and which are in the post you are replying to.

Jerry
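The point everyone in the thread agrees on, whatever the owner is, is that the web-server account must not be able to write anywhere under the DocumentRoot: a directory it can write to is where the attacker's PHP script landed. The script below is an added example, not code from the thread or from Debian, that walks a DocumentRoot and lists every path the web account could write to. It assumes GNU find (for `-printf`), uses the Debian account name `www-data` purely as a default, and builds a constructed sample tree (temporary directory, made-up files) to run against, so it works offline and without root. It only looks at owner, group and mode bits; POSIX ACLs and anything the process could do through a setuid helper are out of scope.

```shell
#!/bin/sh
# Added example (not from the thread): list every path under a DocumentRoot
# that the web-server account could write to. Assumes GNU find (-printf).
# The account name www-data is the Debian default, not a requirement.
#
# Usage: audit_docroot DOCROOT WEBUSER [WEBGROUPS]
#   WEBGROUPS is a space-separated list of groups the web account belongs
#   to; it defaults to WEBUSER so the audit works even on a machine where
#   that account does not exist.
audit_docroot() {
    find "$1" -printf '%u %g %m %p\n' |
    while read -r owner group mode path; do
        m=$((0$mode))                # octal permission bits as an integer
        reason=""
        if [ $((m & 2)) -ne 0 ]; then
            reason="world-writable"
        elif [ "$owner" = "$2" ] && [ $((m & 128)) -ne 0 ]; then
            reason="owned by $2 with u+w"
        else
            case " ${3:-$2} " in
                *" $group "*)
                    [ $((m & 16)) -ne 0 ] && reason="group $group has g+w" ;;
            esac
        fi
        # A writable directory matters as much as a writable file: it is
        # enough to drop a new script, which is what happened to the OP.
        [ -n "$reason" ] && printf '%s\t%s\n' "$path" "$reason"
    done | sort
}

# Build a constructed sample tree (hypothetical site, made-up files) that
# mirrors the thread: a theme directory the web process can write into.
# Prints the temporary directory that holds it.
build_demo_tree() {
    demo_tmp=$(mktemp -d)
    mkdir -p "$demo_tmp/docroot/wp-content/themes/foo" "$demo_tmp/docroot/static"
    printf '<?php echo "hello";\n' > "$demo_tmp/docroot/index.php"
    printf 'body { margin: 0 }\n' > "$demo_tmp/docroot/static/site.css"
    printf '<?php echo 1;\n' > "$demo_tmp/docroot/wp-content/themes/foo/functions.php"
    # Baseline the thread recommends: owner read/write, everyone else
    # read-only, with the owner being a user other than www-data.
    chmod -R u=rwX,go=rX "$demo_tmp/docroot"
    # The misconfiguration: the theme directory and a file in it were
    # left writable by everyone, so www-data can add or alter PHP there.
    chmod 0777 "$demo_tmp/docroot/wp-content/themes/foo"
    chmod 0666 "$demo_tmp/docroot/wp-content/themes/foo/functions.php"
    printf '%s\n' "$demo_tmp"
}

demo_root=$(build_demo_tree)
echo "Paths www-data could write under $demo_root/docroot:"
audit_docroot "$demo_root/docroot" www-data
rm -rf "$demo_root"
```

Run against the sample tree with `www-data` as the web account, only the world-writable theme directory and the file inside it are reported; `index.php` and the stylesheet, which are owned by a different user and read-only to everyone else, are not. Running the same audit with the current user as the web account (that is, a site whose files are owned by the account the web server runs as, the OP's situation) flags every file with the owner write bit set, which is the whole tree. On a real server run it as root so it can descend into every directory, and treat any line of output as a place an attacker who controls the web process can plant code.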

