
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



2014/1/2 Bob Proulx <bob@proulx.com>
Raffaele Morelli wrote:
> Bob Proulx wrote:
> > 2) The ownership of the files by root are safe.  The default owner is
> > root.  Files owned by root with the default permissions are not
> > writable by the web process.  Files in the default configuration are
> > not exploitable by that vulnerability which requires write access to
> > files in the DocumentRoot.  There is never a problem with web files
> > owned by the root user.
>
> Quite wrong.

No.  This is correct.  If you disagree then please file a bug report.
Please let me know where it is filed so that I can participate in the
review.  Peer review is the best way to deal with it.

> Unless you are administering your own server with just you as user there's
> no problem in using root for everything.
> But if you have other users you should grant write permissions to the
> website document root for them to upload stuff and simply you can't let
> anyone other than you to access as root (would you?).
> Now, rwx permissions and unprivileged users exist for that, root ownership
> is absolutely not needed.

Why are you responding here with this?  I never said that creating a
non-privileged and non-www-data account to hold the files was bad.
Why are you responding as if I did?  Please read the thread again.  I
repeatedly said creating such users was a good way to do things.

Here I was discussing the reason the exploit was successful.  The
exploit allowed the attacker access to the system as the www-data
user.  Because the files were owned by the www-data user it allowed
the attacker to write files.  The ability to write files gave the
attacker even more capability in this case to generate spam from the
server.  The ability of the attacker to write files enabled the
attacker to leave more doors open even if the original exploit was
closed until the attacker's files are cleaned up.

If the files were not owned by the www-data user then, while the
exploit may still have occurred, the attacker would have been
prevented by the OS from writing files into the DocumentRoot.  This
would likely have prevented the compromised host from becoming the
spam source that it was reported to have become.  Because it would
have limited the attacker to the original exploit and prevented the
attacker from creating expanded capabilities by adding files on disk.

> Unless you are administering your own server with just you as user
> there's no problem in using root for everything.

No one has proposed using root for everything.  That would be very
bad.  Why do you respond as if someone did?
Bob

Put it here as a whole to avoid unwanted breaks (as you did between "Quite wrong." and the rest of the sentence).

root ownership for DocumentRoot is a problem when you deal with N developers working on N websites, because you should provide write access to them for their work to be uploaded.
I solve this more cleanly by using unprivileged users other than www-data for ownership and r-x group access for www-data (repeating for the fourth time).

So, I never said nor responded that your 2) statement was bad, but IMHO it is just case-specific (phpmyadmin and others living in /usr/share/ which are installed by root) and should not be used as a general rule for each and every website.

As I stated in one of my first responses to the OP, the exploit was possible because the dir was writable; the files were owned by www-data, but a NEW file was uploaded into the dir, not overwritten. If the dir is writable, root ownership of files doesn't help, am I wrong?
Moreover, I bet that if the OP will have a look at the apache log files he will find the POST request for that script.

/r
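The two positions in this thread agree on the check that matters: can the web server process (www-data) write anywhere under the DocumentRoot, either by overwriting a file it owns or by creating a new file in a directory it can write to. The following audit script is an added example and is not code from either poster. It assumes a POSIX system; the uid/gid value 33 for www-data and the throwaway directory tree it builds are constructed for the demonstration. The `writable_by` function applies the standard owner/group/other rule, and `audit_docroot` reports writable directories separately from writable files, because a writable directory is exactly the case where root-owned files do not help.

```python
"""Audit a DocumentRoot for anything the web server process could write to."""
import os
import shutil
import stat
import tempfile

# Debian's www-data uid/gid is 33; treated here as a constructed constant.
WWW_UID = 33
WWW_GID = 33


def writable_by(st_uid, st_gid, st_mode, uid, gids):
    """Return True if a process running as `uid` with supplementary groups
    `gids` may write to an inode owned by st_uid:st_gid with mode st_mode.

    Classic DAC semantics: only the owner bits apply to the owner, only the
    group bits apply to a group member, only the other bits to everyone else.
    """
    if uid == 0:
        return True  # root bypasses DAC; a web worker should never run as root
    if st_uid == uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def audit_docroot(root, uid, gids):
    """Walk `root` and return (writable_dirs, writable_files) for `uid`/`gids`.

    A writable directory is reported even when every file inside it is
    root-owned: the process can still create new files there, which is the
    failure mode described in the thread.
    """
    writable_dirs, writable_files = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        st = os.lstat(dirpath)
        if writable_by(st.st_uid, st.st_gid, st.st_mode, uid, gids):
            writable_dirs.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink itself are not meaningful
            if writable_by(st.st_uid, st.st_gid, st.st_mode, uid, gids):
                writable_files.append(path)
    return sorted(writable_dirs), sorted(writable_files)


def build_sample_tree():
    """Construct a throwaway DocumentRoot: files owned by the caller (standing
    in for a deploy user), an 'uploads' directory left world-writable, and one
    stray file with mode 0666. This is constructed sample data."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.chmod(root, 0o755)
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)
    for rel, mode in (("index.php", 0o644), ("uploads/stray.php", 0o666)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample ?>\n")
        os.chmod(path, mode)  # set explicitly so the umask does not interfere
    return root


def demo():
    """Build the sample tree, audit it as a process that is neither the file
    owner nor in its group (how www-data looks when a separate deploy user
    owns the files), and return the findings as paths relative to the root."""
    root = build_sample_tree()
    try:
        other_uid = os.getuid() + 1        # hypothetical uid that owns nothing here
        other_gids = {os.getgid() + 1}     # hypothetical group with no access
        dirs, files = audit_docroot(root, other_uid, other_gids)
        return ([os.path.relpath(d, root) for d in dirs],
                [os.path.relpath(f, root) for f in files])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    dirs, files = demo()
    print("directories the web process could create files in:", dirs)
    print("existing files the web process could overwrite:", files)
```

Run against a real DocumentRoot with `audit_docroot("/var/www", WWW_UID, {WWW_GID})` as a user that can stat every path; a clean deployment in the layout described above (deploy user owns everything, group www-data with r-x, no write bits for group or other) returns two empty lists.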
