[prev in list] [next in list] [prev in thread] [next in thread]
List: debian-user
Subject: Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
From: Jerry Stuckle <jstuckle () attglobal ! net>
Date: 2013-12-31 19:43:48
Message-ID: 52C31E74.4090802 () attglobal ! net
[Download RAW message or body]
On 12/31/2013 11:29 AM, Nemeth Gyorgy wrote:
> 2013-12-31 16:58 keltezéssel, Raffaele Morelli írta:
>> 1. one should not be using root ownership for websites to solve
>> permissions problems in website document root. On servers where there
>> are N web developers this is absolutely the wrong way to go (you can't
>> go IMO).
>
> Webservers where there are N developers shouldn't work in production.
> On multiuser hosting sites you should consider chrooted environment for
> the users to protect the users from each other.
>
Good in theory, but doesn't work in practice. Large websites often have
multiple developers, each responsible for a section of the site.
Saying only one person can update the site means everything is dependent
on that one person - and changes to the site have to wait until that
person has the time to upload the files.
And, in fact, any site other than small hobby or one-person shops should
have at least two people with access to the site for backup purposes.
>> root should only be used for system administration.
>> security it's not a matter of doing everything as root but in using
>> right permissions and user/group rules.
>>
>> 2. www-data user should have r-x group permissions and unprivileged
>> users (eg developer account) should have rwx (or rw-) permissions and
>> ownership.
>
> www-data user shouldn't own any files and directories except the area
> where uploading is necessary.
>
>> www-data ownership it's safe without write permission.
>
> It can be safe, and it is much safer if www-data doesn't own anything.
>
Agreed. It also means www-data cannot chmod the files.
>>
>> I just want to add a (relevant) bit.
>> Apache has tons of directives to secure a website and if you really need
>> to upload in a dir you can tell apache to not execute php scripts in
>> there or force file type to text or prevent POST request from untrusted
>> ip, etc etc.... and you'are done.
>
> Security is not a one point tool, it has to be different level. Apache
> directives is one level, file ownership is another. If you provide
> security in depth, your system will be more safe.
>
>
Which is why I have a security system in addition to locking the door.
Jerry
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/52C31E74.4090802@attglobal.net
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic