
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



On 12/31/2013 11:29 AM, Nemeth Gyorgy wrote:
On 2013-12-31 16:58, Raffaele Morelli wrote:
1. one should not be using root ownership for websites to solve
permissions problems in website document root. On servers where there
are N web developers this is absolutely the wrong way to go (you can't
go IMO).

Webservers where there are N developers shouldn't work in production.
On multiuser hosting sites you should consider chrooted environment for
the users to protect the users from each other.


Good in theory, but doesn't work in practice. Large websites often have multiple developers, each responsible for a section of the site. Saying only one person can update the site means everything is dependent on that one person - and changes to the site have to wait until that person has the time to upload the files.

And, in fact, any site other than small hobby or one-person shops should have at least two people with access to the site for backup purposes.

root should only be used for system administration.
Security is not a matter of doing everything as root but of using
the right permissions and user/group rules.

2. www-data user should have r-x group permissions and unprivileged
users (eg developer account) should have rwx (or rw-) permissions and
ownership.

www-data user shouldn't own any files and directories except the area
where uploading is necessary.

www-data ownership is safe without write permission.

It can be safe, and it is much safer if www-data doesn't own anything.


Agreed.  It also means www-data cannot chmod the files.


I just want to add a (relevant) bit.
Apache has tons of directives to secure a website and if you really need
to upload in a dir you can tell Apache to not execute PHP scripts in
there or force file type to text or prevent POST requests from untrusted
IPs, etc. etc. ... and you're done.

Security is not a one-point tool; it has to be at different levels. Apache
directives are one level, file ownership is another. If you provide
security in depth, your system will be safer.



Which is why I have a security system in addition to locking the door.

Jerry
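
The ownership rule discussed in this thread (www-data owns nothing outside the upload area, so it can neither write nor chmod site files) can be checked with a short audit. This is an added example, not part of the original messages; the function name `audit_docroot`, its argument order and the paths in the usage comment are assumptions.

```sh
#!/bin/sh
# audit_docroot DOCROOT WEBUSER [UPLOAD_DIR]
# Prints one finding per line as "<reason> <path>" for anything under
# DOCROOT that the web server account could modify:
#   owned-by-webuser  the account owns the path (it can chmod and rewrite it)
#   world-writable    any local account, the web server included, can write it
# Paths at or below UPLOAD_DIR are skipped, since that is the one area
# where web server ownership is expected.
# WEBUSER may be a user name or a numeric uid.
# Limitation: paths containing newlines are not handled.
audit_docroot() {
    docroot=$1
    webuser=$2
    upload=${3:-}
    upload=${upload%/}          # tolerate a trailing slash

    {
        find "$docroot" -user "$webuser" \
            -exec printf 'owned-by-webuser %s\n' {} \;
        # Symlinks always show mode 777, so they are excluded here.
        find "$docroot" ! -type l -perm -0002 \
            -exec printf 'world-writable %s\n' {} \;
    } | while IFS= read -r line; do
        path=${line#* }         # strip the leading reason word
        if [ -n "$upload" ]; then
            case "$path" in
                "$upload"|"$upload"/*) continue ;;
            esac
        fi
        printf '%s\n' "$line"
    done
}

# Example invocation (constructed paths):
#   sh audit.sh /var/www/site www-data /var/www/site/uploads
if [ "$#" -ge 2 ]; then
    audit_docroot "$@"
fi
```

An empty result means the web server account cannot alter anything outside the upload directory through ownership or world-write bits; group-write access is not examined.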

