Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
On 2013-12-31 09:01, Raffaele Morelli wrote:
> Jerry Stuckle wrote:
> > Raffaele Morelli wrote:
> > > Again, the www-data user can safely be the owner of everything in the
> > > webroot, just think of phpmyadmin, there's nothing unsafe in www-data
>
> The default for phpmyadmin is that the files are owned by root not
> www-data. If they were owned by www-data then they would be unsafe.
> (If, and this is a hypothetical if, you told me the files were owned
> by a special phpmyadmin-data account, then I would say okay too.
> Because that is a different user from the www-data user.)
>
>
> phpmyadmin files can be safely owned by www-data with NO write
> permissions and you should explain why they are not.
If there is no write permission for the www-data user (which of course
should be provided) then there is no reason for the files to be in www-data
ownership.
The one thing you should provide is that these files shouldn't be written
by the www-data user (and the group to which it belongs). And the simplest
way to provide it is to change the ownership of the whole directory tree
to a user which is not www-data. (e.g. with a chown -R ....) Of course
there can be other solutions too but they are more complicated. And if
you can choose between different solutions the simpler is the better.
--
--- Friczy ---
'Death is not a bug, it's a feature'
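
A check for the condition discussed in this message, as an added example that is not part of the original post: it lists every path under a webroot that a given account could modify. The function name `audit_webroot` and its three arguments are assumptions made for illustration; paths the account owns are reported whatever their mode bits, because a file's owner can restore write permission with chmod.

```shell
#!/bin/sh
# Added example, not from the thread.
# Usage: audit_webroot DIR USER GROUP
#   DIR    webroot to inspect
#   USER   account the web server runs as (name or numeric uid)
#   GROUP  that account's group (name or numeric gid)
# Prints one line per finding: "<reason> <path>".
audit_webroot() {
    dir=$1
    user=$2
    group=$3

    # owner: the account owns the path. Mode bits do not matter here,
    # since an owner can always chmod the write bit back on.
    find "$dir" ! -type l -user "$user" \
        -exec printf 'owner %s\n' {} +

    # group: not owned by the account, but group-writable and in its group.
    find "$dir" ! -type l ! -user "$user" \
        -group "$group" -perm -g=w \
        -exec printf 'group %s\n' {} +

    # world: writable by everyone, and not already reported above.
    find "$dir" ! -type l ! -user "$user" \
        ! \( -group "$group" -perm -g=w \) -perm -o=w \
        -exec printf 'world %s\n' {} +
}

# Example call (path is a placeholder for the site's own webroot):
#   audit_webroot /path/to/webroot www-data www-data
```

Empty output means the account cannot modify anything under the directory; writable directories in the listing matter most, since they allow new files to be created.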