2013/12/24 Reco <recovery...@gmail.com>

> On Tue, 24 Dec 2013 14:32:58 +0100
> Raffaele Morelli <raffaele.more...@gmail.com> wrote:
>
> > The main point was that an attacker wrote a php script in the OP's
> > (wordpress? joomla?) theme folder and used this script to access the sendmail
> > executable (I wonder about the ownership of those files/folders, root? www-data?).
>
> Directory's owner is www-data, according to OP's mail. See:
>
> http://lists.debian.org/debian-user/2013/12/msg00806.html
>
> And note that the attacker could rewrite any php file there just as well.
>

So ownership by root does matter?


>
> > It's a matter of who is allowed to do what on a dir/file basis.
> > Someone should explain why it's safe using root as the owner of php
> scripts
> > instead of an unprivileged user (with no write permission on dir/files).
>
> You have a root account on every OS that counts. And if it does not
> have a root account it's a toy OS anyway.
>

So your policy is to use the root account for every task? Pure Redmond style :-)

> Using an account other than www-data requires either:
>
> a) Creating such account.
>
> b) Using some account that is used to run other daemons in this OS.
> And allowing such a daemon to overwrite php files is a potential security
> hole by itself.
>

And again, does ownership by root matter when the script is running as the
apache user?



>
> So, php files owned by root are a convenience, nothing more.
>

...and it isn't worth doing to keep things in their place/context.

/r
