On 12/31/2013 3:00 AM, Raffaele Morelli wrote:
> 2013/12/30 Bob Proulx <b...@proulx.com>
>
> Raffaele Morelli wrote:
> > Reco wrote:
> > > Raffaele Morelli wrote:
> > > > The main point was that an attacker wrote a php script in the OP
> > > > (wordpress? joomla?) theme folder and used this script to access sendmail
> > > > executable (I wonder those file/folder ownership, root? www-data?).
> > >
> > > Directory's owner is www-data, according to OP's mail. See:
> > >
> > > http://lists.debian.org/debian-user/2013/12/msg00806.html
> > >
> > > And note that attacker could rewrite any php file where just as well.
> >
> > So ownership to root does matter?
>
> 1) The exploit was because the file was NOT owned by root. The
> exploit was possible because the files were locally changed to the
> www-data user and were therefore exploitable by the web process.
>
>
> The exploit was possible because that DIR had write permissions and a
> file was uploaded in it (not overwritten).
>
Which would not have occurred if the www-data user did not have write
access to the directory.
>
> 2) The ownership of the files by root are safe. The default owner is
> root. Files owned by root with the default permissions are not
> writable by the web process. Files in the default configuration are
> not exploitable by that vulnerability which requires write access to
> files in the DocumentRoot. There is never a problem with web files
> owned by the root user.
>
It also means only the root user can modify those files. It is a very
bad idea to use the root user to do such mundane things. It is much
better to have the files owned by a non-privileged user (not www-data),
and provide read access to the web user.
I see having to use root to modify user files as a major problem.
>
> Quite wrong.
> Unless you are administering your own server with just you as user
> there's no problem in using root for everything.
> But if you have other users you should grant write permissions to the
> website document root for them to upload stuff and simply you can't let
> anyone other than you to access as root (would you?).
> Now, rwx permissions and unprivileged users exist for that, root
> ownership is absolutely not needed.
>
I see this as a huge problem, even on my own servers. It is way too easy
to make a mistake that can destroy your system. Try rm -r . from the
wrong directory, for instance. But then some people use root for
everything.
>
> > > > It's a matter of who is allowed to do what on a dir/file basis.
>
> Yes. Full agreement.
>
> > > > Someone should explain why it's safe using root as the owner of
> > > > php scripts instead of an unprivileged user (with no write
> > > > permission on dir/files).
>
> Actually either would be okay. As long as the non-privileged user is
> NOT the www-data user. As long as file permissions prevent the
> www-data from being able to write to the DocumentRoot.
>
As noted above, I do not agree it is OK.
> > > You have a root account on every OS that counts. And if it does not
> > > have a root account it's a toy OS anyway.
> >
> > so your policy is to use root account for every task? Pure redmond style :-)
>
> I know you are joking but it is impossible to administer a system
> without the root account. And by administer I mean use apt-get,
> aptitude or dpkg to install, remove, configure packages. Does that
> make Unix-like systems the same as Redmond style systems? No. Not by
> a lot. Please do not say that because all of /usr/bin and /bin are
> owned by root that the user must be root to use them!
>
Yes, and root should ONLY be used for system administration, not editing
user files.
>
> You are going far by misrepresenting, in the joke it's quite clear what
> I mean, security is not a matter of doing everything as root, unless
> you want to restyle *nix user/group architecture.
>
Quite frankly, I don't see the joke as a misrepresentation. It seems to
me also that is what you are suggesting.
>
> > Using account other than www-data requires either:
> >
> > > a) Creating such account.
>
> Which creates lint when the package is removed and leaves the user
> behind.
>
You already have at least one non-privileged user (unless you do
everything in root, that is). All of my systems have at least one such
user; that is the one which creates and edits those files.
And actually, while I do have a couple of sites with Drupal installed,
the vast majority of my sites are NOT packages but pages I have created.
Each site is owned by its own non-privileged user. If I move or dump
a site, it's a simple matter to get rid of that user.
> > > b) Using some account that is used to run other daemons in this OS.
> > > And allowing such daemon overwrite php files is a potential security
> > > hole by itself.
>
> Full agreement.
>
> > and again, does ownership to root matter when the script is running as
> > apache user?
>
> Correct. It does not matter.
>
It does matter.
> This appears to be a basic and repeating misunderstanding. The owner
> of the file is NOT the same as the owner of the process running the
> file. They are completely different. By default files are owned by
> root but the process running the web server is the www-data account.
>
> Bob
>
>
BTW - your quoting style is not consistent, making it difficult to see
which are your comments and which are in the post you are replying to.
Jerry
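
Added example, not part of the message above or of anyone's post in this thread: a POSIX shell audit that lists every path under a DocumentRoot that a given account (www-data in this discussion) owns or can write to, including writable directories, which are what allows a new file to be uploaded. The function names, the sample tree and the `/var/www` path in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list what a given account can modify under a DocumentRoot.

# audit_docroot DOCROOT ACCOUNT
# ACCOUNT is a user name or numeric uid (e.g. www-data on Debian).
audit_docroot() {
    docroot=$1
    account=$2
    # Supplementary groups matter too; an unknown account has none.
    gids=$(id -G "$account" 2>/dev/null) || gids=
    {
        # Owner can always chmod write access back on, so ownership alone counts.
        find "$docroot" ! -type l -user "$account" -print
        # Group-writable through any group the account belongs to.
        for gid in $gids; do
            find "$docroot" ! -type l ! -user "$account" \
                -group "$gid" -perm -020 -print
        done
        # World-writable. A writable directory is enough to drop a new file
        # into it, even when every existing file is read-only.
        find "$docroot" ! -type l ! -user "$account" -perm -002 -print
    } | sort -u
}

# Constructed sample tree (not from the thread): read-only site plus one
# world-writable upload directory. Prints the path of the new tree.
make_sample_tree() {
    tree=$(mktemp -d) || return 1
    mkdir "$tree/themes" "$tree/uploads"
    : > "$tree/index.php"
    : > "$tree/themes/functions.php"
    chmod 755 "$tree" "$tree/themes"
    chmod 644 "$tree/index.php" "$tree/themes/functions.php"
    chmod 777 "$tree/uploads"
    printf '%s\n' "$tree"
}

# Command-line use (assumed path): sh audit.sh /var/www www-data
if [ "$#" -eq 2 ]; then
    audit_docroot "$1" "$2"
fi
```

Empty output means the account can neither change an existing file nor create one anywhere in the tree; any line printed is a place where a script could be written or replaced by the web process.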