Your message dated Wed, 8 Sep 2004 10:00:10 +0100 with message-id <[EMAIL PROTECTED]> and subject line Interesting definition of secure has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 8 Sep 2004 07:50:32 +0000
From: Jari Aalto <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Date: Wed, 08 Sep 2004 10:41:41 +0300
Subject: apache2: /var/wwww should be owned by www-data, not root

Package: apache2
Version: 2.0.50-12
Severity: grave
Justification: user security hole

I'm not sure which process is responsible for creating /var/www, but I'm presuming that apache2, which is the only web server installed in this system.

The permissions look like this now:

    host:~# ls -la /var/www
    drwxr-xr-x 3 root root 4096 Sep 6 23:53 .

But wouldn't it be more secure to use:

    chown -R www-data.www-data /var/www

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-1-386
Locale: LANG=C, LC_CTYPE=C (ignored: LC_ALL set to en_US)

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork  2.0.50-12  Traditional model for Apache2

-- no debconf information

---------------------------------------
Received: (at 270593-done) by bugs.debian.org; 8 Sep 2004 08:59:50 +0000
From: Thom May <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Wed, 8 Sep 2004 10:00:10 +0100
Subject: Interesting definition of secure

Hi,
I'm not sure how your thought processes worked on this one. But let's think about this for a second:
web server runs as www-data.
/var/www is owned by www-data.
All your cgi scripts run as www-data.
You have a script with an exploit. Unchecked input or whatever.
attacker runs 'rm -rf /var/www/*'.

With /var/www owned by anything !www-data, this isn't a problem.
With /var/www owned by www-data, all your web pages are now in the deep blue void.

So no, it would not be more secure. (And no, we will not be doing this)
-Thom
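
The ownership argument in the reply above, as an added example that is not part of the original thread or of the Debian apache2 package: a Python audit that lists which paths under a document root a given account can modify, judged from the classic mode bits alone. The sample tree, the stand-in uid and the world-writable uploads directory are constructed assumptions; the last one goes slightly beyond the thread to show that write access, not only ownership, is what to check.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """True if the classic mode bits grant write access to (uid, gids).
    ACLs, the sticky bit and root's override are deliberately ignored."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_docroot(root, uid, gids=frozenset()):
    """Return sorted (kind, relative path) pairs the account could modify.
    Write access to a directory means its entries can be deleted or replaced."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits carry no meaning
            if writable_by(st, uid, gids):
                kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
                findings.append((kind, os.path.relpath(path, root)))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample docroot, owned by whoever runs this script."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.chmod(root, 0o755)
    for d, mode in (("cgi-bin", 0o755), ("uploads", 0o777)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    for rel, mode in (("index.html", 0o644), ("cgi-bin/form.cgi", 0o755)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    tree = build_sample_tree()
    me = os.getuid()
    # Case 1: the server account owns the tree (the proposed chown -R).
    print("server owns docroot:", audit_docroot(tree, me))
    # Case 2: the server is a different account (me + 1 is a stand-in uid).
    print("server is not owner:", audit_docroot(tree, me + 1))
```

On a real host, pass the uid and supplementary gids of the account the web server and its CGI scripts run as, and the document root as `root`.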