2014/1/2 Bob Proulx <b...@proulx.com>

> Raffaele Morelli wrote:
> > Bob Proulx wrote:
> > > 2) The ownership of the files by root is safe. The default owner is
> > > root. Files owned by root with the default permissions are not
> > > writable by the web process. Files in the default configuration are
> > > not exploitable by that vulnerability which requires write access to
> > > files in the DocumentRoot. There is never a problem with web files
> > > owned by the root user.
> >
> > Quite wrong.
>
> No. This is correct. If you disagree then please file a bug report.
> Please let me know where it is filed so that I can participate in the
> review. Peer review is the best way to deal with it.
>
> > Unless you are administering your own server with just you as user there's
> > no problem in using root for everything.
> > But if you have other users you should grant write permissions to the
> > website document root for them to upload stuff and simply you can't let
> > anyone other than you access as root (would you?).
> > Now, rwx permissions and unprivileged users exist for that, root ownership
> > is absolutely not needed.
>
> Why are you responding here with this? I never said that creating a
> non-privileged and non-www-data account to hold the files was bad.
> Why are you responding as if I did? Please read the thread again. I
> repeatedly said creating such users was a good way to do things.
>
> Here I was discussing the reason the exploit was successful. The
> exploit allowed the attacker access to the system as the www-data
> user. Because the files were owned by the www-data user it allowed
> the attacker to write files. The ability to write files gave the
> attacker even more capability in this case to generate spam from the
> server. The ability of the attacker to write files enabled the
> attacker to leave more doors open even if the original exploit was
> closed until the attacker's files are cleaned up.
>
> If the files were not owned by the www-data user then while the
> exploit may still have occurred then the attacker would have been
> prevented by the OS from writing files into the DocumentRoot. This
> would likely have prevented the compromised host from becoming the
> spam source that it was reported to have become. Because it would
> have limited the attacker to the original exploit and prevented the
> attacker from creating expanded capabilities by adding files on disk.
>
> > Unless you are administering your own server with just you as user
> > there's no problem in using root for everything.
>
> No one has proposed using root for everything. That would be very
> bad. Why do you respond as if someone did?
>
> Bob
Put it here as a whole to avoid unwanted breaks (as you did between "Quite wrong." and the rest of the sentence).

root ownership for DocumentRoot is a problem when you deal with N developers working on N websites, because you should provide write access to them for their work to be uploaded. I solve this more cleanly using unprivileged users other than www-data for the ownership and r-x group access to www-data (repeating for the fourth time).

So, I never said nor responded as if your 2) statement was bad, but IMHO it is just a specific case (phpmyadmin and others living in /usr/share/ which are installed by root) and should not be used as a general rule for each and every website.

As I stated in one of my first responses to the OP, the exploit was possible because the dir was writable; the files were owned by www-data, but a NEW file was uploaded in the dir, not overwritten. If the dir is writable, root ownership of files doesn't help, am I wrong?

Moreover, I bet that if the OP has a look at the apache log files he will find the POST request for that script.

/r
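Added example, not from this thread or from either poster: a small Python model of the Unix discretionary permission check the two replies are arguing about, plus the same audit run over a real directory tree. The sample tree, the uid/gid values and the `Process`/`Entry` names are constructed for the example. It shows both points at once: a root-owned file inside a www-data-owned directory cannot be overwritten by the web process (Bob's point), but a new file can still be created next to it because creating a name only needs write+search on the directory (Raffaele's point).

```python
import os
import stat
from dataclasses import dataclass

# Constructed ids for the example (Debian's www-data happens to be 33, but nothing depends on it).
ROOT, WWW_DATA, DEV = 0, 33, 1001


@dataclass(frozen=True)
class Entry:
    path: str
    uid: int
    gid: int
    mode: int          # permission bits only, e.g. 0o755
    is_dir: bool = False


@dataclass(frozen=True)
class Process:
    uid: int
    gid: int
    groups: frozenset = frozenset()   # supplementary group ids


def _class_bits(entry, proc):
    """Return the rwx triple (0-7) the kernel applies to this process: owner, else group, else other."""
    if proc.uid == entry.uid:
        return (entry.mode >> 6) & 7
    if entry.gid == proc.gid or entry.gid in proc.groups:
        return (entry.mode >> 3) & 7
    return entry.mode & 7


def can_write(entry, proc):
    """Can the process open this entry for writing (i.e. overwrite an existing file)?"""
    if proc.uid == 0:
        return True   # root bypasses DAC; a web process should never be root
    return bool(_class_bits(entry, proc) & 2)


def can_create_in(directory, proc):
    """Creating a NEW name in a directory needs write AND search (x) on the directory itself.
    The owner of the files already inside plays no part in this decision."""
    if not directory.is_dir:
        raise ValueError("not a directory: %s" % directory.path)
    if proc.uid == 0:
        return True
    bits = _class_bits(directory, proc)
    return (bits & 2) != 0 and (bits & 1) != 0


def audit(entries, proc):
    """Map path -> finding for everything the given process could alter."""
    findings = {}
    for e in entries:
        if e.is_dir and can_create_in(e, proc):
            findings[e.path] = "web process can add new files here"
        elif not e.is_dir and can_write(e, proc):
            findings[e.path] = "web process can overwrite this file"
    return findings


def scan_tree(root, proc):
    """Same audit against a real tree (lstat, symlinks not followed); run it on your DocumentRoot."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        st = os.lstat(dirpath)
        entries.append(Entry(dirpath, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode), True))
        for name in filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            entries.append(Entry(p, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode),
                                 stat.S_ISDIR(st.st_mode)))
    return audit(entries, proc)


# Constructed sample tree mirroring the thread's two layouts.
SAMPLE_TREE = [
    Entry("/var/www", ROOT, ROOT, 0o755, is_dir=True),
    Entry("/var/www/html", WWW_DATA, WWW_DATA, 0o755, is_dir=True),   # OP-style: dir owned by www-data
    Entry("/var/www/html/index.php", ROOT, ROOT, 0o644),             # root-owned file: not overwritable...
    Entry("/var/www/html/config.php", WWW_DATA, WWW_DATA, 0o644),    # ...this one is
    Entry("/var/www/site2", DEV, WWW_DATA, 0o755, is_dir=True),      # developer owns, www-data gets r-x via group
    Entry("/var/www/site2/index.php", DEV, WWW_DATA, 0o644),
]
WEB = Process(uid=WWW_DATA, gid=WWW_DATA)

if __name__ == "__main__":
    for path, finding in sorted(audit(SAMPLE_TREE, WEB).items()):
        print("%-28s %s" % (path, finding))
```

In the sample tree the only findings are `/var/www/html` (new files can be dropped there even though `index.php` is root-owned) and `/var/www/html/config.php`; the developer-owned `site2` layout with `r-x` for the www-data group produces none. `scan_tree("/var/www", Process(33, 33))` gives the same report for a real host, which is the check to run before arguing about file ownership alone.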