
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



On 2013-12-31 16:58, Raffaele Morelli wrote:
> 1. one should not be using root ownership for websites to solve
> permissions problems in website document root. On servers where there
> are N web developers this is absolutely the wrong way to go (you can't
> go IMO).

Webservers where there are N developers shouldn't be in production.
On multiuser hosting sites you should consider a chrooted environment for
the users, to protect the users from each other.

> root should only be used for system administration.
> Security is not a matter of doing everything as root but of using the
> right permissions and user/group rules.
> 
> 2. www-data user should have r-x group permissions and unprivileged
> users (eg developer account) should have rwx (or rw-) permissions and
> ownership.

www-data user shouldn't own any files and directories except the area
where uploading is necessary.

> www-data ownership is safe without write permission.

It can be safe, and it is much safer if www-data doesn't own anything.

> 
> I just want to add a (relevant) bit. 
> Apache has tons of directives to secure a website and if you really need
> to upload in a dir you can tell apache to not execute php scripts in
> there or force file type to text or prevent POST request from untrusted
> ip, etc. etc.... and you're done.

Security is not a one-point tool; it has to be on different levels. Apache
directives are one level, file ownership is another. If you provide
security in depth, your system will be safer.


-- 
--- Friczy ---
'Death is not a bug, it's a feature'
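The ownership policy argued for in this thread (www-data owns nothing outside the upload area, nothing under the document root is writable by the web server's user or group, nothing is world-writable) can be checked mechanically. The audit script below is an added example written for this editorial copy; it is not code from either poster or from Debian. It assumes a document-root layout with a single `uploads/` directory as the only place the web server may write, and `build_demo_tree` constructs a deliberately mis-configured sample tree so the script can run without a real web server or root privileges (in the demo the current user stands in for www-data, so every file it owns outside `uploads/` is reported, which is exactly the situation the thread warns against).

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_docroot(docroot, web_uid, web_gid, upload_dirs=("uploads",)):
    """Walk a document root and report entries that violate the policy
    discussed in the thread. Returns a sorted list of (relative_path, reason).

    Reasons reported:
      - "owned by web-server user"            : st_uid == web_uid outside an upload dir
      - "group-writable by web-server group"  : st_gid == web_gid and g+w set
      - "world-writable"                      : o+w set
    Entries inside the allowed upload directories are not visited at all.
    """
    docroot = Path(docroot).resolve()
    allowed = {docroot / d for d in upload_dirs}
    findings = []
    for root, dirs, files in os.walk(docroot):
        here = Path(root)
        # Prune the upload directories: the web server is allowed to write there.
        dirs[:] = [d for d in dirs if (here / d) not in allowed]
        for name in dirs + files:
            p = here / name
            st = os.lstat(p)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits carry no meaning on Linux
            rel = str(p.relative_to(docroot))
            if st.st_uid == web_uid:
                findings.append((rel, "owned by web-server user"))
            if st.st_gid == web_gid and mode & stat.S_IWGRP:
                findings.append((rel, "group-writable by web-server group"))
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
    return sorted(findings)


def build_demo_tree(base):
    """Create a constructed sample document root under `base`.

    The intended layout (developer group owns, www-data gets r-x via the group,
    only uploads/ is group-writable) is shown in the mode bits; the scratch/
    directory is the kind of mistake the audit should catch.
    """
    base = Path(base)
    (base / "config").mkdir()
    (base / "uploads").mkdir()
    (base / "scratch").mkdir()
    (base / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (base / "config" / "db.php").write_text("<?php $dsn = 'mysql:host=localhost'; ?>\n")
    (base / "uploads" / "avatar.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    (base / "scratch" / "cache.tmp").write_text("cache\n")
    os.chmod(base / "index.php", 0o644)          # developer rw, everyone else read
    os.chmod(base / "config", 0o750)             # secrets dir: no access for "other"
    os.chmod(base / "config" / "db.php", 0o640)
    os.chmod(base / "uploads", 0o2775)           # setgid, group-writable upload area
    os.chmod(base / "uploads" / "avatar.jpg", 0o664)
    os.chmod(base / "scratch", 0o755)
    os.chmod(base / "scratch" / "cache.tmp", 0o666)  # world-writable: a finding
    return base


def run_demo(web_uid=None, web_gid=None):
    """Build the demo tree in a fresh temp dir and audit it.

    By default the current uid/gid stand in for www-data's, so every file the
    demo created outside uploads/ shows up as "owned by web-server user".
    """
    if web_uid is None:
        web_uid = os.getuid()
    if web_gid is None:
        web_gid = os.getgid()
    tmp = tempfile.mkdtemp(prefix="docroot-audit-")
    build_demo_tree(tmp)
    return audit_docroot(tmp, web_uid, web_gid, upload_dirs=("uploads",))


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{reason:40s} {path}")
```

On a real host you would call `audit_docroot("/var/www/site", pwd.getpwnam("www-data").pw_uid, grp.getgrnam("www-data").gr_gid)` and expect an empty list; anything reported is a place where the web server could modify its own code or configuration, which is the foothold the original report describes.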

