Bug#270593: marked as done (apache2: /var/wwww should be owned by www-data, not root)

To: Thom May <thom@debian.org>
Cc: Debian Apache Maintainers <debian-apache@lists.debian.org>
Subject: Bug#270593: marked as done (apache2: /var/wwww should be owned by www-data, not root)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 08 Sep 2004 02:03:08 -0700
Message-id: <[🔎] handler.270593.D270593.109463399018968.ackdone@bugs.debian.org>
In-reply-to: <20040908090010.GA20020@fandango.home.clearairturbulence.org>
References: <20040908090010.GA20020@fandango.home.clearairturbulence.org> <[🔎] E1C4x5J-0005ZN-LT@bongo.cante.net>

Your message dated Wed, 8 Sep 2004 10:00:10 +0100
with message-id <20040908090010.GA20020@fandango.home.clearairturbulence.org>
and subject line Interesting definition of secure
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 8 Sep 2004 07:50:32 +0000
>From jaalto@bongo.cante.net Wed Sep 08 00:50:32 2004
Return-path: <jaalto@bongo.cante.net>
Received: from fep07-0.kolumbus.fi (fep07-app.kolumbus.fi) [193.229.0.51] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1C4xDr-0005zi-00; Wed, 08 Sep 2004 00:50:31 -0700
Received: from bongo.cante.net ([81.197.3.110]) by fep07-app.kolumbus.fi
          with ESMTP
          id <20040908075030.BBSK3463.fep07-app.kolumbus.fi@bongo.cante.net>;
          Wed, 8 Sep 2004 10:50:30 +0300
Received: from jaalto by bongo.cante.net with local (Exim 4.34)
	id 1C4x5J-0005ZN-LT; Wed, 08 Sep 2004 10:41:42 +0300
MIME-Version: 1.0
From: Jari Aalto <jari.aalto@poboxes.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
X-Mailer: reportbug 2.64
Date: Wed, 08 Sep 2004 10:41:41 +0300
Message-Id: <[🔎] E1C4x5J-0005ZN-LT@bongo.cante.net>
Sender: Jari Aalto <jaalto@bongo.cante.net>
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: jaalto@bongo.cante.net
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: apache2: /var/wwww should be owned by www-data, not root
X-SA-Exim-Version: 4.1 (built Tue, 17 Aug 2004 11:06:07 +0200)
X-SA-Exim-Scanned: Yes (on bongo.cante.net)
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: apache2
Version: 2.0.50-12
Severity: grave
Justification: user security hole


I'm not sure which process is responsible of creating /var/www, but
I'm resuming that apache2, whcih is the only web server installed
in this system.

The permissions look like this now:

    host:~# ls -la /var/www
    drwxr-xr-x   3 root root 4096 Sep  6 23:53 .

But wouldn't it bemore secure to to use:

    chown -R www-data.www-data /var/www

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-1-386
Locale: LANG=C, LC_CTYPE=C (ignored: LC_ALL set to en_US)

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork           2.0.50-12  Traditional model for Apache2

-- no debconf information

---------------------------------------
Received: (at 270593-done) by bugs.debian.org; 8 Sep 2004 08:59:50 +0000
>From thom@debian.org Wed Sep 08 01:59:50 2004
Return-path: <thom@debian.org>
Received: from dev.bitch-whore.com (localhost.localdomain) [213.208.111.147] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1C4yIw-0004vk-00; Wed, 08 Sep 2004 01:59:50 -0700
Received: by localhost.localdomain (Postfix, from userid 1000)
	id 43E9711C45B; Wed,  8 Sep 2004 10:00:10 +0100 (BST)
Date: Wed, 8 Sep 2004 10:00:10 +0100
From: Thom May <thom@debian.org>
To: 270593-done@bugs.debian.org
Subject: Interesting definition of secure
Message-ID: <20040908090010.GA20020@fandango.home.clearairturbulence.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Mutt/1.5.6+20040818i
Delivered-To: 270593-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
	version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Hi,
I'm not sure how your thought processes worked on this one. But let's think
about this for a second:
web server runs as www-data. /var/www is owned by www-data. All your cgi
scripts run as www-data.=20
You have a script with an exploit. Unchecked input or whatever. attacker
runs 'rm -rf /var/www/*'. With /var/www owned by anything !www-data, this
isn't a problem. With /var/www owned by www-data, all your web pages are now
in the deep blue void.
So no, it would not be more secure. (And no, we will not be doing this)
-Thom

Reply to:

References:
- Bug#270593: apache2: /var/wwww should be owned by www-data, not root
  - From: Jari Aalto <jari.aalto@poboxes.com>

Prev by Date: Bug#270593: apache2: /var/wwww should be owned by www-data, not root
Next by Date: Bug#239571: apache2-common: /etc/logrotate.d/apache2 not removed when package removed
Previous by thread: Bug#270593: apache2: /var/wwww should be owned by www-data, not root
Next by thread: Bug#239571: apache2-common: /etc/logrotate.d/apache2 not removed when package removed
Index(es):
- Date
- Thread