'Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       debian-user
Subject:    Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
From:       Jerry Stuckle <jstuckle () attglobal ! net>
Date:       2013-12-31 19:43:48
Message-ID: 52C31E74.4090802 () attglobal ! net
[Download RAW message or body]

On 12/31/2013 11:29 AM, Nemeth Gyorgy wrote:
> 2013-12-31 16:58 keltezéssel, Raffaele Morelli írta:
>> 1. one should not be using root ownership for websites to solve
>> permissions problems in website document root. On servers where there
>> are N web developers this is absolutely the wrong way to go (you can't
>> go IMO).
>
> Webservers where there are N developers shouldn't work in production.
> On multiuser hosting sites you should consider chrooted environment for
> the users to protect the users from each other.
>

Good in theory, but doesn't work in practice.  Large websites often have 
multiple developers, each responsible for a section of the site.
Saying only one person can update the site means everything is dependent 
on that one person - and changes to the site have to wait until that 
person has the time to upload the files.

And, in fact, any site other than small hobby or one-person shops should 
have at least two people with access to the site for backup purposes.

>> root should only be used for system administration.
>> security it's not a matter of doing everything as root but in using
>> right permissions and user/group rules.
>>
>> 2. www-data user should have r-x group permissions and unprivileged
>> users (eg developer account) should have rwx (or rw-) permissions and
>> ownership.
>
> www-data user shouldn't own any files and directories except the area
> where uploading is necessary.
>
>> www-data ownership it's safe without write permission.
>
> It can be safe, and it is much safer if www-data doesn't own anything.
>

Agreed.  It also means www-data cannot chmod the files.

>>
>> I just want to add a (relevant) bit.
>> Apache has tons of directives to secure a website and if you really need
>> to upload in a dir you can tell apache to not execute php scripts in
>> there or force file type to text or prevent POST request from untrusted
>> ip, etc etc.... and you'are done.
>
> Security is not a one point tool, it has to be different level. Apache
> directives is one level, file ownership is another. If you provide
> security in depth, your system will be more safe.
>
>

Which is why I have a security system in addition to locking the door.

Jerry


-- 
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/52C31E74.4090802@attglobal.net

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic