Re: Web directories attacked with bad .htaccess

To: debian-security@lists.debian.org
Subject: Re: Web directories attacked with bad .htaccess
From: Vladislav Kurz <vladislav.kurz@webstep.net>
Date: Fri, 27 Jan 2006 18:27:47 +0100
Message-id: <[🔎] 200601271827.47936.vladislav.kurz@webstep.net>
In-reply-to: <[🔎] 1138359577.445.30.camel@pangeadm.upc.es>
References: <[🔎] 1138359577.445.30.camel@pangeadm.upc.es>

On Friday 27 January 2006 11:59, Ramon Acedo wrote:
> Hello,
Hello

> As a measure I changed 777 to www-data owner + 755:
>
> find . -perm 777  -exec chmod 755 {} \; -exec chown www-data {} \;
>
> Where . was DocumentRoot

chown www-data is IMHO bad idea. Apache/CGI/PHP will still have full 
(read/write) access to web content. (Unless you use suexec or something 
similar.) Web pages should be owned by some normal unprivileged user, 
preferably the one who reads "webmaster" e-mail and chmod 644 (or 755 for 
directories)

-- 
Regards
Vladki

Reply to:

References:
- Web directories attacked with bad .htaccess
  - From: Ramon Acedo <ramon@linux-labs.net>

Prev by Date: unsubscribe
Next by Date: Re: [SECURITY] [DSA 952-1] New libapache-auth-ldap packages fix arbitrary code execution
Previous by thread: Web directories attacked with bad .htaccess
Next by thread: Re: [SECURITY] [DSA 952-1] New libapache-auth-ldap packages fix arbitrary code execution
Index(es):
- Date
- Thread