Raffaele Morelli wrote:
> Bob Proulx wrote:
> > The default for phpmyadmin is that the files are owned by root not
> > www-data. If they were owned by www-data then they would be unsafe.
> > (If, and this is a hypothetical if, you told me the files were owned
> > by a special phpmyadmin-data account, then I would say okay too.
> > Because that is a different user from the www-data user.)
>
> phpmyadmin files can be safely owned by www-data with NO write permissions
> and you should explain why they are not.
Using a different user to own the files provides a security layer between the PHP code and the file system. The security layer is enforced by the operating system. Because the OS enforces that security layer it means that the PHP code cannot break through it. Full stop. Don't need to talk about the PHP code security. It can't get to that layer. Even if there is bad PHP code security the OS will prevent it from writing to the file system.

By making the files owned by the web server process it means that the OS security layer is removed. It's gone. Now the security depends only upon the security of the PHP code and the discipline and knowledge of the PHP developers writing that code. That is much more fragile. In theory it can be good. But in practice that layer is often penetrated. Look at the long list of CVEs for any popular PHP based project and it will convince you that there is a huge difference between theory and practice here, and in practice most PHP developers fall prey to many security related traps and pitfalls.

If the files are owned by the web process user account then any vulnerability in the PHP code that can be exploited will allow that process to change the write permission of the files. Sure, they started out being not writable. But because of the security vulnerability the attacker is able to change the permissions of files and directories. Because the web process owns the files it can do this.

If someone says that PHP shouldn't be written with bugs then I will totally agree. But the number of times that improper quoting of user provided input has been exploited to crack a site by enabling backtick shell escape is a very large number of times, for one example. People make mistakes. Improper quoting is a very common mistake that PHP developers often make. That is long term historical evidence.

When it happens, and when the files are owned by the web process, then the attacker can take advantage of it to change the permissions of the files to be writable and to store additional files there. But if the files were owned by an account different from the web process then they couldn't, because the OS would enforce that security layer.

Note that I was objecting to the statements made that files owned by root were a security vulnerability. Obviously they are not.

Bob
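An added illustration of the point Bob makes above (example code, not part of the thread): mode bits do not protect a file from its own owner, so a read-only file owned by the web server account can be made writable again by any code running as that account, while an audit with `find -user` lists exactly the files in that position. The web server user name (`www-data`) and document root are assumptions; the demo works on a temporary copy.

```sh
#!/bin/sh
# Added example: shows that a file's owner can always undo "no write permission",
# and audits a document root for files owned by the web server account.
set -eu

# Returns 0 if the current user can turn a 0444 file it owns back into a
# writable one and append to it; this is what a compromised web process can do
# to every file it owns, whatever the mode bits started out as.
owner_can_rewrite() {
    f=$1
    chmod 0444 "$f"                              # start out "not writable"
    if chmod u+w "$f" 2>/dev/null && printf 'injected\n' >>"$f" 2>/dev/null; then
        chmod 0444 "$f"                          # restore the original mode
        return 0
    fi
    return 1
}

# Lists regular files under a document root owned by the given account.
# Every file printed is one that account can chmod and overwrite; for a
# phpmyadmin install owned by root this list should be empty.
audit_webroot() {
    dir=$1; user=$2
    find "$dir" -user "$user" -type f 2>/dev/null
}

# Same audit, but returns just the number of files found (handy for scripts).
count_owned_by() {
    audit_webroot "$1" "$2" | wc -l | tr -d ' '
}

demo() {
    tmp=$(mktemp -d)                             # constructed stand-in docroot
    printf '<?php echo "hello";\n' >"$tmp/index.php"
    if owner_can_rewrite "$tmp/index.php"; then
        echo "owner re-enabled write on a 0444 file and appended to it"
    fi
    echo "files under $tmp owned by $(id -un) (assumed web user: www-data):"
    audit_webroot "$tmp" "$(id -un)"
    rm -rf "$tmp"
}

demo
```

Run it as the web server account against the real document root (`audit_webroot /var/www www-data`) to see which files that account could rewrite after a PHP compromise.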