
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



Raffaele Morelli wrote:
> Reco wrote:
> > Raffaele Morelli wrote:
> > > The main point was that an attacker wrote a php script in the OP
> > > (wordpress? joomla?) theme folder and used this script to access sendmail
> > > executable (I wonder those file/folder ownership, root? www-data?).
> >
> > Directory's owner is www-data, according to OP's mail. See:
> >
> > http://lists.debian.org/debian-user/2013/12/msg00806.html
> >
> > And note that attacker could rewrite any php file there just as well.
>
> So ownership to root does matter?

1) The exploit was because the file was NOT owned by root.  The
exploit was possible because the files were locally changed to the
www-data user and were therefore exploitable by the web process.

2) The ownership of the files by root is safe.  The default owner is
root.  Files owned by root with the default permissions are not
writable by the web process.  Files in the default configuration are
not exploitable by that vulnerability which requires write access to
files in the DocumentRoot.  There is never a problem with web files
owned by the root user.

> > > It's a matter of who is allowed to do what on a dir/file basis.

Yes.  Full agreement.

> > > Someone should explain why it's safe using root as the owner of
> > > php scripts instead of an unprivileged user (with no write
> > > permission on dir/files).

Actually either would be okay.  As long as the non-privileged user is
NOT the www-data user.  As long as file permissions prevent the
www-data user from being able to write to the DocumentRoot.

> > You have a root account on every OS that counts. And if it does not
> > have a root account it's a toy OS anyway.
> 
> so your policy is to use root account for every task? Pure redmond style :-)

I know you are joking but it is impossible to administer a system
without the root account.  And by administer I mean use apt-get,
aptitude or dpkg to install, remove, configure packages.  Does that
make Unix-like systems the same as Redmond style systems?  No.  Not by
a lot.  Please do not say that because all of /usr/bin and /bin are
owned by root that the user must be root to use them!

> > Using an account other than www-data requires either:
> >
> > a) Creating such account.

Which creates lint when the package is removed and leaves the user behind.

> > b) Using some account that is used to run other daemons in this OS.
> > And allowing such daemon overwrite php files is a potential security
> > hole by itself.

Full agreement.

> and again, does ownership to root matter when the script is running as
> apache user?

Correct.  It does not matter.

This appears to be a basic and repeating misunderstanding.  The owner
of the file is NOT the same as the owner of the process running the
file.  They are completely different.  By default files are owned by
root but the process running the web server is the www-data account.

Bob
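As an added illustration of the point Bob makes (this is example code, not something posted in the thread): a small audit that walks a DocumentRoot and reports every file or directory that the web server's account could write to. It checks the mode bits against the web process's uid/gid rather than against the file's owner, so a root-owned file with the default 0644 mode is reported as safe while a www-data-owned or world-writable theme directory is flagged. The uid/gid 33 for www-data is the Debian default and is an assumption here; the demo tree is constructed in a temporary directory and assumes the script itself is not run as www-data.

```python
# Added example (not code from the thread): audit a DocumentRoot for paths the
# web server account could write to. The owner of a file is not the account
# that runs the web server; a path is a risk only when the web process's own
# uid/gid can write it. www-data = uid/gid 33 is assumed (Debian default).
import os
import shutil
import stat
import tempfile


def writable_by(st, uid, gids):
    """Could an unprivileged process running as `uid` with groups `gids` write
    to a path whose lstat() result is `st`?  Mirrors the kernel's rule: the
    owner class is checked if the uid matches, else the group class if the gid
    matches, else the 'other' class.  Root bypasses mode bits, so it is not
    modelled (which is why the web server must not run as root)."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_docroot(root, web_uid=33, web_gids=(33,)):
    """Return sorted paths (relative to root) the web account could modify.
    Directories are reported too: a writable directory lets the web process
    drop a new .php file (the theme-folder case in this thread) even when every
    existing file inside it is root-owned and read-only."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not what the kernel checks
            if writable_by(st, web_uid, web_gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def run_demo():
    """Build a throwaway DocumentRoot (constructed sample, not a real site),
    audit it, clean it up, and return the findings.  Files are owned by
    whoever runs this script; since that is not uid 33, only the group/other
    bits decide, exactly as for root-owned files on a real host."""
    root = tempfile.mkdtemp(prefix="docroot-")
    try:
        os.makedirs(os.path.join(root, "wp-content", "themes", "demo"))
        layout = {  # relative path -> mode the site was left with
            "index.php": 0o644,                           # not writable by www-data
            "wp-config.php": 0o666,                       # world-writable: flagged
            "wp-content": 0o755,
            "wp-content/themes": 0o755,
            "wp-content/themes/demo": 0o777,              # anyone can drop files: flagged
            "wp-content/themes/demo/functions.php": 0o644,
        }
        for rel, mode in layout.items():
            full = os.path.join(root, rel)
            if not os.path.isdir(full):
                with open(full, "w") as fh:
                    fh.write("<?php // placeholder\n")
            os.chmod(full, mode)
        os.chmod(root, 0o755)
        return audit_docroot(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path in run_demo():
        print("writable by www-data:", path)
```

On a real host, call audit_docroot("/var/www") as root, passing the uid and gid reported by `id www-data`; anything it lists is a place the web process could plant or rewrite a script. Upload directories that must be writable will show up as well, and those are exactly the paths where execution of PHP should be disabled in the web server configuration.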
