Raffaele Morelli wrote:
> Bob Proulx wrote:
> > 2) The ownership of the files by root are safe. The default owner is
> > root. Files owned by root with the default permissions are not
> > writable by the web process. Files in the default configuration are
> > not exploitable by that vulnerability which requires write access to
> > files in the DocumentRoot. There is never a problem with web files
> > owned by the root user.
>
> Quite wrong.

No. This is correct. If you disagree then please file a bug report.
Please let me know where it is filed so that I can participate in the
review. Peer review is the best way to deal with it.

> Unless you are administering your own server with just you as user there's
> no problem in using root for everything.
> But if you have other users you should grant write permissions to the
> website document root for them to upload stuff and simply you can't let
> anyone other than you to access as root (would you?).
> Now, rwx permissions and unprivileged users exist for that, root ownership
> is absolutely not needed.

Why are you responding here with this? I never said that creating a
non-privileged and non-www-data account to hold the files was bad. Why
are you responding as if I did? Please read the thread again. I
repeatedly said creating such users was a good way to do things.

Here I was discussing the reason the exploit was successful. The
exploit allowed the attacker access to the system as the www-data user.
Because the files were owned by the www-data user it allowed the
attacker to write files. The ability to write files gave the attacker
even more capability in this case to generate spam from the server.
The ability of the attacker to write files enabled the attacker to
leave more doors open even if the original exploit was closed until the
attacker's files are cleaned up.

If the files were not owned by the www-data user then while the exploit
may still have occurred then the attacker would have been prevented by
the OS from writing files into the DocumentRoot. This would likely have
prevented the compromised host from becoming the spam source that it
was reported to have become. Because it would have limited the attacker
to the original exploit and prevented the attacker from creating
expanded capabilities by adding files on disk.

> Unless you are administering your own server with just you as user
> there's no problem in using root for everything.

No one has proposed using root for everything. That would be very bad.
Why do you respond as if someone did?

> But if you have other users you should grant write permissions to the
> website document root for them to upload stuff

Sure. One of many good strategies.

> and simply you can't let anyone other than you to access as root
> (would you?).

Sorry but this part of the sentence did not parse. Could you clarify
what you mean here?

I prefer to work with a team of people instead of having a single
responsible person. Anyone in the team may work on any part of the
system. (Although obviously people will have specialties and comfort
zones.) This allows individual people to take vacations and go to the
doctor and that type of thing. Other people in the team are able to
handle issues.

I don't understand how talking here about system administration ties
into a web developer uploading files for the web server. Is web content
part of the system? No. Not any more than the contents of my personal
diary are part of the system. Just because something exists as a file
on a system does not make it a system administration task to edit it.

The most obvious strategy for a web developer would be for the files to
be owned by that web developer. Why would the system admin be involved
at all in that case? Of course it is possible and often likely that the
web developer is also the system admin too but there isn't any
requirement that this be so.

> Now, rwx permissions and unprivileged users exist for that, root ownership
> is absolutely not needed.

Of course. That is as has been stated already many times. But
nonetheless that does not mean that no files can be owned by root. Root
is not needed to own php files but neither is it a problem for php
files to be owned by root.

> > > > You have a root account on every OS that counts. And if it does not
> > > > have a root account it's a toy OS anyway.
> > >
> > > so your policy is to use root account for every task? Pure redmond style :-)
> >
> > I know you are joking but it is impossible to administer a system
> > without the root account. And by administer I mean use apt-get,
> > aptitude or dpkg to install, remove, configure packages. Does that
> > make Unix-like systems the same as Redmond style systems? No. Not by
> > a lot. Please do not say that because all of /usr/bin and /bin are
> > owned by root that the user must be root to use them!
>
> You are going far by misrepresenting, in the joke it's quite clear what I
> mean, security it's not a matter of doing everything as root, unless you
> want to restyle *nix user/group architecture.

I know that both you (Raffaele and Jerry both) were joking here at this
point. But why are you even joking about doing everything as root here?
Who said anything about doing everything as root? I read the thread
through again and I don't see anyone suggesting that users should be
doing all work as root. Most people have made the effort to mention
that it is a better practice to work as a non-privileged user. And yet
people keep talking about using root for every task. Why? What is that
connection?

Root is absolutely needed to do things like the actions I mentioned
above such as using apt-get, aptitude, or dpkg to install, remove,
configure packages.

Both of you are jokingly arguing that using root is bad. Newbies will
read this and not know how to filter and discard "things they read on
the internet" appropriately and be misled by it. They will be thinking
that anyone that uses root is opening a security vulnerability. That
just is not true.

But specifically for unclear reasons tying in having any files on disk
owned by root with doing all work as root. The logic behind that
connection puzzles me.

"All men are mortal. Socrates is a man. Therefore Socrates is mortal."
Yes. That follows perfectly.

"All men are mortal. Socrates is a man. Therefore all men are Socrates."
No. That does not follow. That is an incorrect deduction.

Bob
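
Editor's added example (not part of the original message or thread): a small audit that lists everything under a DocumentRoot the web server account could modify, which is the condition the message above identifies as what let the attacker drop files. The function name `audit_docroot`, the default account `www-data`, and any path passed to it are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report DocumentRoot entries the web server account can modify.
# Usage: audit_docroot DOCROOT [WEB_USER] [WEB_GROUP]
# WEB_USER / WEB_GROUP may be names or numeric ids; they default to www-data.
audit_docroot() {
    docroot=$1
    web_user=${2:-www-data}
    web_group=${3:-www-data}

    # An entry is reported when any of these holds:
    #   - it is owned by the web account (the owner can always chmod it
    #     back to writable, so the write bit does not matter here)
    #   - its group is the web group and the group write bit (020) is set
    #   - the world write bit (002) is set
    # Symlinks are skipped: their own mode bits are not meaningful.
    find "$docroot" ! -type l \( \
            -user "$web_user" -o \
            \( -group "$web_group" -perm -020 \) -o \
            -perm -002 \
        \) -print
}

# When run as a script with arguments, audit the given tree,
# e.g.:  sh audit_docroot.sh /var/www/html www-data www-data
if [ "$#" -gt 0 ]; then
    audit_docroot "$@"
fi
```

An empty result means the web process has no write access by ownership or mode bits; directories that show up matter as much as files, since a writable directory allows new files to be created in it. ACLs and mount options are not examined by this check.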