Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour

To: debian-user@lists.debian.org
Subject: Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
From: Jerry Stuckle <jstuckle@attglobal.net>
Date: Tue, 31 Dec 2013 09:14:10 -0500
Message-id: <[🔎] 52C2D132.8020208@attglobal.net>
In-reply-to: <[🔎] 20131230212854.GB28879@hysteria.proulx.com>
References: <[🔎] 20131224133752.9a8f118c07350cc0bf75659b@gmail.com> <[🔎] 52B95C3E.8040202@paulscrap.com> <[🔎] CAD4guxMFWHUu926650Woni_pkc=-f=fxO_HvzC871fbkkp59PQ@mail.gmail.com> <[🔎] 20131224175426.7426a5ed6300ba2d466978f4@gmail.com> <[🔎] CAD4guxP1oaZVw=c3sYHKD2mcg5a-43QbGPaLGEbd0frUQzxChA@mail.gmail.com> <[🔎] 20131224190900.f08ecb0d202f926c6cff6579@gmail.com> <[🔎] CAD4guxMdt_Yy+0jGqEyqSFBM75vNAH9Hv57sBWQ+rQtnxF5gww@mail.gmail.com> <[🔎] 52B9BD2E.10809@attglobal.net> <[🔎] CAD4guxMfwnA_Mdkbo_V6Y9kOxFgj8Y3J=W2D3cHEMfnYqvQHsw@mail.gmail.com> <[🔎] 52BAE6AF.9020509@attglobal.net> <[🔎] 20131230212854.GB28879@hysteria.proulx.com>


On 12/30/2013 4:30 PM, Bob Proulx wrote:
> Jerry Stuckle wrote:
>> Raffaele Morelli wrote:
>>> Again, the www-data user can safely be the owner of everything in the
>>> webroot, just think of phpmyadmin, there's nothing unsafe in www-data
>
> The default for phpmyadmin is that the files are owned by root not
> www-data.  If they were owned by www-data then they would be unsafe.
> (If, and this is a hypothetical if, you told me the files were owned
> by a special phpmyadmin-data account, then I would say okay too.
> Because that is a different user from the www-data user.)
>

They also should never have to be changed by the user (except for theconfig file). But I suspect the real reason is because there is nostandard user which would be a good one to use. You obviously wouldn'twant to use www-data, for reasons previously mentioned. bin, sys, manand other standard id's aren't appropriate. There may or may not beuser id's (there should be, but they are not required, AFAIK). And ifyou do have multiple userids, which one would be appropriate?


By default, root is the selection.

But then we weren't talking about phpmyadmin. We were talking aboutuser files.


>>> being the owner because it's an app, same apply eg. for drupal where a
>>> user might be allowed to write his own module and be the owner while
>>> www-data has group access r-x permissions.
>>
>> No, the Apache user should NEVER have write access to the
>> files/scripts it can execute.  The is a huge security hole.  Even
>> Drupal recommends this - see https://drupal.org/node/244924.
>
> Agreed.  However I believe many web frameworks require that in order
> to operate.  Which is why we keep hearing about exploits happening to
> those frameworks every other month.  They are ripe for expoitation.
>
>> Yes, this causes a problem with Drupal 7 being unable to update it's
>> own modules.  But you can't have both.  I'd rather have security.
>
> Me too!
>
> Unfortunately others like it to be all of viewed from the web,
> installed from the web, upgraded from the web, managed from the web.
> And there lies the problem.
>

Yes, it is. I use Drupal 7 on some of my sites; when I want to updatefrom the web, I find it a simple matter to place the site in maintenancemode, ssh into it, and chown -R to www-data on the directory, update viathe web, then chown -R back to the original id. A couple of extrasteps, but worth the security.


>>>     Having user files owned by root means they can only be edited by
>>>     root (unless you extend the group permissions - in which case
>>>     www-data can also change the permissions).  And you should only use

>>> root when you need to change system configurations, updatepackages,

>>>     etc.  Not for general user file editing.
>
> Agreed.
>
> Bob
>

Jerry

Reply to:

References:
- Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
  - From: Reco <recoverym4n@gmail.com>
- Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
  - From: PaulNM <debian@paulscrap.com>
- Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
  - From: Raffaele Morelli <raffaele.morelli@gmail.com>
- Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
  - From: Reco <recoverym4n@gmail.com>
- Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
  - From: Raffaele Morelli <raffaele.morelli@gmail.com>
- Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
  - From: Reco <recoverym4n@gmail.com>
- Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
  - From: Raffaele Morelli <raffaele.morelli@gmail.com>
- Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
  - From: Jerry Stuckle <jstuckle@attglobal.net>
- Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
  - From: Raffaele Morelli <raffaele.morelli@gmail.com>
- Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
  - From: Jerry Stuckle <jstuckle@attglobal.net>
- Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
  - From: Bob Proulx <bob@proulx.com>

Prev by Date: Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
Next by Date: Re: moving buffers/caching from RAM to SSD
Previous by thread: Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
Next by thread: Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
Index(es):
- Date
- Thread