[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour

On 1/1/2014 10:24 PM, Bob Proulx wrote:

Jerry Stuckle wrote:

Raffaele Morelli wrote:

Bob Proulx wrote:

2) The ownership of the files by root are safe.  The default owner is
root.  Files owned by root with the default permissions are not
writable by the web process.  Files in the default configuration are
not exploitable by that vulnerability which requires write access to
files in the DocumentRoot.  There is never a problem with web files
owned by the root user.


It also means only the root user can modify those files.


Yes.  That is by intent and design.  Users should not be modifying
system files!  For example if you install squirrelmail it will include
/usr/share/squirrelmail/**.php files in the package.  Root owns those
files.  This is good because that prevents any other account from
being able to modify those files.  That is just long standing good
design.



(Sorry for the delay - attglobal is having email problems).
The phpmyadmin config file is not a system file. And the squirrelmail files are owned by root because there is no other standard userid for it.
Now using root for PHP files that may not be so bad - but when you DO need to modify those files (i.e. apply a security patch), you have to do it as root. IMHO it would be much better to be owned by a separate user with write access to the files, with the www-data having only read access. 


It is a very bad idea to use the root user to do such mundane
things.


System administration is hardly mundane.  It is often misunderstood
(as in this thread) but very important work.
Setting up a phpmyadmin config file is hardly "system administration". It's configuration affects only itself, not the entire system. 


It is much better to have the files owned by a non-privileged user
(not www-data), and provide read access to the web user.


Files owned by squirrelmail are not user files.  They belong to the
package.  Root is the natural owner of those files.
Just because something is in a package does NOT mean it is a system file. It only means that it has been deemed by the PTB that it is of sufficient interest to the users to be worth the time and effort to create a package for it. There are many user files (like squirrelmail) which, if installed by other than a package, do NOT get installed in root. 


I see having to use root to modify user files as a major problem.


User files?  Why bring those up?  You keep talking about user files
but expanding that to cover all files.  That is the point I am
objecting to.  I thought you and I had converged in other thread but I
guess not.  Sigh.  Continued misunderstanding.
No, I am talking about non-system files. Again, just because it's part of a package does NOT make it a system file. 


All of the world is not user files.  I object to the statements above
that conclude that because any file is owned by root that all work
must be done as root.  That is an incorrect deduction.
No, and not all files in packages are system files. And I did NOT say that "because any file is owned by root that all work must be done as root". I said CHANGING ANY FILE OWNED BY ROOT MUST BE DONE BY ROOT (unless, of course, you've modified the privileges to allow group and/or all users to modify it - but that is not the default). 


If you as a web developer are going to be uploading files to be used
in a web site then the most natural thing would be for your non-root
(and non-www-data) account to own those files.  (Why would root even
be considered for that purpose?  Why would you think that root is
needed for this purpose?  That is a real puzzler!)
What is the difference between uploading phpmyadmin or squirrelmail via a Debian package or manually? Either way I have *exactly* the same files (other than the package files themselves, of course - but the result is the same). But when I upload manually, they are owned by the upload ID, not root (which www-data has read access to, of course).
Does installing them as packages somehow change them so that they are now system files? 


Regardless from this it cannot be concluded that having a file owned
by root is a security vulnerability.  It is not.  The ownership of the
files by root are safe.  If you still do not believe this then please
file a bug report so that it may be peer reviewed.
The required EDITING of those files (i.e. configuration files) is a security vulnerability, because it must be done by root. 


Quite wrong.
Unless you are administering your own server with just you as user
there's no problem in using root for everything.
But if you have other users you should grant write permissions to the
website document root for them to upload stuff and simply you can't let
anyone other than you to access as root (would you?).
Now, rwx permissions and unprivileged users exist for that, root
ownership is absolutely not needed.


I see this as a huge problem, even on my own servers.  It is way to
easy to make a mistake that can destroy your system. Try rm -r .
from the wrong directory, for instance.  But then some people use
root for everything.


Humorously you should try 'rm -r .' on a recent system.  Sure, make it
safe first.

   # mkdir /tmp/testdir
   # cd /tmp/testdir
   # rm -r .
   rm: cannot remove directory: ‘.’

This is now required behavior by POSIX.

   http://pubs.opengroup.org/onlinepubs/009695399/utilities/rm.html

   The rm utility is forbidden to remove the names dot and dot-dot in
   order to avoid the consequences of inadvertently doing something like:
     rm -r .*



OK, so change that to rm -r /


Personally I think this is a "nanny state" type of behavior.  It
annoys me.  It shouldn't be prevented by the rm command.  It is a
kernel system policy layer decision.  It can be useful to allow the
_attempt_ to remove "." which must fail.  In the past it was useful to
allow root to unlink ".." from a directory.  But now rm is required to
avoid trying it.


But then some people use root for everything.


And that is bad.  Often because of lack of experience.  Eventually
they will make a mistake and it will bite them and then they will be
more cautious.

Of course so far no one in this thread is proposing that all work be
done as root.  Let's drop that please.  (No!  I haven't suggested all
work be done as root either.)


Someone should explain why it's safe using root as the
owner of php scripts instead of an unprivileged user
(with no write permission on dir/files).


Actually either would be okay.  As long as the non-priviledge user is
NOT the www-data user.  As long as file permissions prevent the
www-data from being able to write to the DocumentRoot.


As noted above, I do not agree it is OK.


I need your definition of "OK" in this context.  Not OK means what?
I think it must mean personal preference.  Because I see no security
vulnerability using a non-root non-www-data account for PHP files.
I have no problem using a non-root non-www-data account for PHP files. My problem is with using root unnecessarily, just because there is no other appropriate id to place them in. 


Files owned by a non-root and non-www-data account are safe because
the web process owned by www-data cannot write to those files.  This
would be the normal typical case for user files.  (Almost by
definition since the files would be owned by the user.)  Users
typically own their own files.  Uploading files to a web site isn't
system administration any more than writing personal diary entries or
editing a spreadsheet.  None of those need root.

Files owned by root are safe because the web process owned by www-data
cannot write to those files.  Note that this does not cause the
process to be run as root.  It does not.  The web process is still run
as the www-data user.  Note that this does not require all work to be
done as root.  It does not.  It doesn't make sense to "do all of your
web hacking as root".  Use your non-root non-www-data account for
uploading web files.  Note that the presence of root owned files is
not a security vulnerability.  Packaged files will be owned by root
for example and that is not a security vulnerability.



I never claimed any of the above.


Files owned by www-data are not safe due to the reasoning previously
discussed.  Not safe because the web process also running as www-data
can write those files and it removes the OS security layer.  In PHP
traps and pitfalls such as insufficient quoting and other issues are
too common and mistakes like that allow the attacker to wedge in
additional files.  That is the situation of the original poster's
report that started this thread.  Because the files were changed to
www-data an exploit through the PHP code reportedly allowed the
attacker to turn a system into a spam source.  That sounds very not
safe to me.


BTW - your quoting style is not consistent, making it difficult to
see which are your comments and which are in the post you are
replying to.


Agreed.  I had to manually and carefully correct the quoting on the
sections I responded to here.

Bob
What I would like to see is, as part of the web server installation process, it asks for a userid (new or existing) to own web-related files. Then things like phpmyadmin and squirrelmail could be owned by that id instead of root. Since it is a non-privileged user (with its own password, of course). one could easily log in (or su) to that id to make the necessary changes, without the exposure of affecting the rest of the system. It also means you could have one person administering the system and another person administering the web server. 

Jerry
Reply to: