Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
On 12/30/2013 4:30 PM, Bob Proulx wrote:
> Jerry Stuckle wrote:
>> Raffaele Morelli wrote:
>>> Again, the www-data user can safely be the owner of everything in the
>>> webroot, just think of phpmyadmin, there's nothing unsafe in www-data
>
> The default for phpmyadmin is that the files are owned by root not
> www-data. If they were owned by www-data then they would be unsafe.
> (If, and this is a hypothetical if, you told me the files were owned
> by a special phpmyadmin-data account, then I would say okay too.
> Because that is a different user from the www-data user.)
>
They also should never have to be changed by the user (except for the
config file). But I suspect the real reason is because there is no
standard user which would be a good one to use. You obviously wouldn't
want to use www-data, for reasons previously mentioned. bin, sys, man
and other standard id's aren't appropriate. There may or may not be
user id's (there should be, but they are not required, AFAIK). And if
you do have multiple userids, which one would be appropriate?
By default, root is the selection.
But then we weren't talking about phpmyadmin. We were talking about
user files.
>>> being the owner because it's an app, same apply eg. for drupal where a
>>> user might be allowed to write his own module and be the owner while
>>> www-data has group access r-x permissions.
>>
>> No, the Apache user should NEVER have write access to the
>> files/scripts it can execute. This is a huge security hole. Even
>> Drupal recommends this - see https://drupal.org/node/244924.
>
> Agreed. However I believe many web frameworks require that in order
> to operate. Which is why we keep hearing about exploits happening to
> those frameworks every other month. They are ripe for exploitation.
>
>> Yes, this causes a problem with Drupal 7 being unable to update its
>> own modules. But you can't have both. I'd rather have security.
>
> Me too!
>
> Unfortunately others like it to be all of viewed from the web,
> installed from the web, upgraded from the web, managed from the web.
> And there lies the problem.
>
Yes, it is. I use Drupal 7 on some of my sites; when I want to update
from the web, I find it a simple matter to place the site in maintenance
mode, ssh into it, and chown -R to www-data on the directory, update via
the web, then chown -R back to the original id. A couple of extra
steps, but worth the security.
>>> Having user files owned by root means they can only be edited by
>>> root (unless you extend the group permissions - in which case
>>> www-data can also change the permissions). And you should only use
>>> root when you need to change system configurations, update packages,
>>> etc. Not for general user file editing.
>
> Agreed.
>
> Bob
>
Jerry
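The thread's advice is that the Apache account (www-data) should never be able to write the files it executes, and Jerry's workaround for Drupal's web updater is a temporary chown back and forth. The script below is an added illustration written for this page, not code from any poster or from Debian or Drupal. It assumes a Debian-style layout where the webroot path, the web user and the real owner are passed in as arguments; the audit uses only POSIX find predicates so it runs on any Linux host, and the grant/revoke helpers are the two halves of the chown dance and need root.

```sh
#!/bin/sh
# Hypothetical helper for the "www-data must not own the webroot" rule.
# audit_webroot lists every file or directory that the web server account
# could modify: owned by the web user, group-writable by the web group, or
# world-writable. A clean tree prints nothing and returns 0.
#
# Usage: audit_webroot /var/www/site [www-data] [www-data]
audit_webroot() {
    root="$1"
    webuser="${2:-www-data}"
    webgroup="${3:-$webuser}"
    if [ -z "$root" ] || [ ! -d "$root" ]; then
        echo "audit_webroot: '$root' is not a directory" >&2
        return 2
    fi
    # -perm -020: group write bit set; -perm -002: other write bit set.
    find "$root" \( -type f -o -type d \) \
        \( -user "$webuser" \
           -o \( -group "$webgroup" -perm -020 \) \
           -o -perm -002 \) -print
}

# The two halves of the maintenance-mode update described in the thread:
# hand the tree to the web user so the in-browser updater can write it,
# then hand it back to its real owner afterwards. Both refuse to touch
# an empty path or the filesystem root, and both require root.
#
# Usage: grant_web_write /var/www/site www-data
#        revoke_web_write /var/www/site alice
_chown_tree() {
    target="$1"
    newowner="$2"
    case "$target" in
        ""|/) echo "refusing to chown '$target'" >&2; return 2 ;;
    esac
    if [ "$(id -u)" -ne 0 ]; then
        echo "chown of $target requires root" >&2
        return 1
    fi
    chown -R "$newowner" "$target"
}

grant_web_write() { _chown_tree "$1" "${2:-www-data}"; }
revoke_web_write() { _chown_tree "$1" "$2"; }
```

Run the audit before and after an update: before the grant it documents the clean state, and after the revoke it should print nothing again. Any path it still lists is a file the web process could rewrite, which is exactly the condition the compromised box in this thread was in.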