On Tue, 24 Dec 2013 14:32:58 +0100 Raffaele Morelli <raffaele.more...@gmail.com> wrote:
> The main point was that an attacker wrote a php script in the OP
> (wordpress? joomla?) theme folder and used this script to access sendmail
> executable (I wonder about those file/folder ownerships, root? www-data?).

Directory's owner is www-data, according to OP's mail. See:
http://lists.debian.org/debian-user/2013/12/msg00806.html

And note that the attacker could rewrite any php file there just as well.

> It's a matter of who is allowed to do what on a dir/file basis.
> Someone should explain why it's safe using root as the owner of php scripts
> instead of an unprivileged user (with no write permission on dir/files).

You have a root account on every OS that counts. And if it does not have a
root account it's a toy OS anyway.

Using an account other than www-data requires either:

a) Creating such an account.
b) Using some account that is used to run other daemons in this OS. And
   allowing such a daemon to overwrite php files is a potential security hole
   by itself.

So, php files owned by root are a convenience, nothing more.

Reco

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20131224175426.7426a5ed6300ba2d46697...@gmail.com
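The ownership question in the exchange above (a theme directory owned by www-data, so the PHP process serving the site can drop or rewrite scripts in it) comes down to a file-system audit. The script below is an added example and is not from the thread or from any Debian package: it lists everything under a document root that the web-server account can write to, by owner/group/mode bits rather than by trying to open the files, and shows the "owned by root, read-only for everyone else" layout Reco describes. The document root path and the web user/group names are parameters you supply (www-data on Debian); the `harden_webroot` step must run as root and assumes the tree has no directories that the application legitimately needs to write to (uploads, caches), which you would exclude first.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Audit a web document root for paths the web-server account could modify.
# An entry is reported when it is owned by the web user with the owner
# write bit set (mode -200), group-writable by the web group (-020), or
# world-writable (-002). Any such PHP file or directory is a place a
# compromised PHP process can plant or rewrite scripts.

# list_writable_by DOCROOT WEBUSER [WEBGROUP]
# Prints each writable path, one per line. Relies on POSIX find, so the
# implicit -print applies to the whole expression.
list_writable_by() {
    docroot=$1
    webuser=$2
    webgroup=${3:-}
    if [ -n "$webgroup" ]; then
        find "$docroot" \( -user "$webuser" -perm -200 \) -o \
                        \( -group "$webgroup" -perm -020 \) -o \
                        -perm -002
    else
        find "$docroot" \( -user "$webuser" -perm -200 \) -o -perm -002
    fi
}

# count_writable_by DOCROOT WEBUSER [WEBGROUP]
# Number of writable paths; a hardened tree reports 0 apart from the
# upload/cache directories you deliberately allow.
count_writable_by() {
    list_writable_by "$@" | wc -l | tr -d ' '
}

# harden_webroot DOCROOT
# The layout argued for above: root owns everything, directories are 755
# and files 644, so www-data can read and execute the scripts but not
# change them. Run as root, and only on a tree with no intentionally
# web-writable directories (or exclude those paths first).
harden_webroot() {
    docroot=$1
    chown -R root:root "$docroot"
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
}

# Example invocation (paths and names are assumptions for illustration):
#   count_writable_by /var/www/html www-data www-data
#   list_writable_by  /var/www/html www-data www-data
```

The audit checks mode bits, so it runs fine as an ordinary user and also flags world-writable files regardless of owner; it does not account for ACLs or for a PHP handler running as a different account (for instance under php-fpm pools), so pass the account the PHP process actually runs as.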