Hi.
On Mon, Nov 09, 2020 at 10:48:22AM -0700, Charles Curley wrote:
> I suspected the package to be apache2, but that does not appear to be
> the case. That alias is present on boxen with no web server. Can anyone
> tell me which package, if any, provides /etc/aliases?
There's no package
I have some occasion to run some cron jobs as the user www-data. It
would be nice to get any output with my regular cron output.
What I found is that the email was sent to www-data. postfix was
dumping the email because it couldn't find procmail. Had it found
procmail, I suspect it would
8, at 16:29, Sven Joachim wrote:
> On 2018-12-22 15:10 +0100, Manuel Wagesreither wrote:
>
> > I'm running a minbase installation of Debian Stretch and have
> > configured lighttpd to run as a different, non-www-data user. However,
> > when booting, lighttpd do
On 2018-12-22 15:10 +0100, Manuel Wagesreither wrote:
> I'm running a minbase installation of Debian Stretch and have
> configured lighttpd to run as a different, non-www-data user. However,
> when booting, lighttpd does not start successfully, as /run/lighttpd
> is still owned
Hello all,
I'm running a minbase installation of Debian Stretch and have configured
lighttpd to run as a different, non-www-data user. However, when booting,
lighttpd does not start successfully, as /run/lighttpd is still owned by
www-data. Only when I'm chowning it to the diff
On Thursday 01 November 2018 07:50:11 Jonathan Dowland wrote:
> On Tue, Oct 30, 2018 at 09:24:25AM -0400, Gene Heskett wrote:
> >That may be. Right now I see something from the php cleanup spamming
> > my logs. Is anyone else seeing it, something cron is running several
> > times a day, but which ca
On Tue, Oct 30, 2018 at 09:24:25AM -0400, Gene Heskett wrote:
That may be. Right now I see something from the php cleanup spamming my
logs. Is anyone else seeing it, something cron is running several times a
day, but which can't be found by htop. So apparently it goes away when
its done. And AFAIK
On 2018-10-28 23:57, Gene Heskett wrote:
I don't think that's how it works. UID/GID as www-data is just part of
the sandbox apache2 and its ilk play in. In fact after I've equipped apache2
with some new toy, the last thing I do as root is a chown -R
www-data:www-data any directory a
On Tuesday 30 October 2018 09:33:09 Gene Heskett wrote:
> On Tuesday 30 October 2018 09:24:25 Gene Heskett wrote:
> > On Tuesday 30 October 2018 06:15:28 Jonathan Dowland wrote:
> > > On Sun, Oct 28, 2018 at 07:57:08PM -0400, Gene Heskett wrote:
> > > >Thats how IUI,
> > >
> > > what does IUI mean
Hi Gene,
On 30.10.18 at 14:24, Gene Heskett wrote:
> On Tuesday 30 October 2018 06:15:28 Jonathan Dowland wrote:
>
>> On Sun, Oct 28, 2018 at 07:57:08PM -0400, Gene Heskett wrote:
>>> Thats how IUI,
>>
>> what does IUI mean? It doesn't look like any of these acronyms apply
>>
> I Understand It.
On Tuesday 30 October 2018 09:24:25 Gene Heskett wrote:
> On Tuesday 30 October 2018 06:15:28 Jonathan Dowland wrote:
> > On Sun, Oct 28, 2018 at 07:57:08PM -0400, Gene Heskett wrote:
> > >Thats how IUI,
> >
> > what does IUI mean? It doesn't look like any of these acronyms apply
>
> I Understand
On Tuesday 30 October 2018 06:15:28 Jonathan Dowland wrote:
> On Sun, Oct 28, 2018 at 07:57:08PM -0400, Gene Heskett wrote:
> >Thats how IUI,
>
> what does IUI mean? It doesn't look like any of these acronyms apply
>
I Understand It.
> https://www.acronymfinder.com/IUI.html
>
> > and no one acces
On 2018-10-30, Jonathan Dowland wrote:
> On Sun, Oct 28, 2018 at 07:57:08PM -0400, Gene Heskett wrote:
>>Thats how IUI,
>
> what does IUI mean? It doesn't look like any of these acronyms apply
>
> https://www.acronymfinder.com/IUI.html
>
As I understand it, we make them up as we go along (hypothe
On Sun, Oct 28, 2018 at 07:57:08PM -0400, Gene Heskett wrote:
Thats how IUI,
what does IUI mean? It doesn't look like any of these acronyms apply
https://www.acronymfinder.com/IUI.html
and no one accessing my web page (its on this machine)
has jumped the sandbox fence in around 15 years now
On Mon, Oct 29, 2018 at 12:27:53PM -0500, David Wright wrote:
On Sun 28 Oct 2018 at 19:57:08 (-0400), Gene Heskett wrote:
I don't think that's how it works. UID/GID as www-data is just part of the
sandbox apache2 and its ilk play in. In fact after I've equipped apache2
with some new toy
On Sun 28 Oct 2018 at 19:57:08 (-0400), Gene Heskett wrote:
> On Sunday 28 October 2018 18:42:41 mick crane wrote:
> > On 2018-10-28 21:38, Ben Caradoc-Davies wrote:
> > > On 29/10/2018 10:26, Carl Fink wrote:
> > >> On 10/28/2018 05:16 PM, mick crane wrote:
> >
On Sunday 28 October 2018 18:42:41 mick crane wrote:
> On 2018-10-28 21:38, Ben Caradoc-Davies wrote:
> > On 29/10/2018 10:26, Carl Fink wrote:
> >> On 10/28/2018 05:16 PM, mick crane wrote:
> >>> what's the deal with www-data ?
> >>> I never made
On 29/10/2018 11:42, mick crane wrote:
I'm asking because somebody is saying that webmail server files should
be owned by root but I don't know about that, if somebody as got so far
to be www-data they might as well be root ?
Web server configuration files are typically owned by ro
On 2018-10-28 21:38, Ben Caradoc-Davies wrote:
On 29/10/2018 10:26, Carl Fink wrote:
On 10/28/2018 05:16 PM, mick crane wrote:
what's the deal with www-data ?
I never made that user
I dunno if it has a password or what ?
these are things that some setup / install makes ?
It's crea
On 29/10/2018 10:26, Carl Fink wrote:
On 10/28/2018 05:16 PM, mick crane wrote:
what's the deal with www-data ?
I never made that user
I dunno if it has a password or what ?
these are things that some setup / install makes ?
It's created by the Apache installer. Check the Apache doc
On 29/10/2018 10:26, Carl Fink wrote:
On 10/28/2018 05:16 PM, mick crane wrote:
what's the deal with www-data ?
I never made that user
I dunno if it has a password or what ?
these are things that some setup / install makes ?
It's created by the Apache installer. Check the Apache docs
On 10/28/2018 05:16 PM, mick crane wrote:
what's the deal with www-data ?
I never made that user
I dunno if it has a password or what ?
these are things that some setup / install makes ?
mick
It's created by the Apache installer. Check the Apache docs.
--
Carl Fink
what's the deal with www-data ?
I never made that user
I dunno if it has a password or what ?
these are things that some setup / install makes ?
mick
--
Key ID4BFEBB31
On 2014-01-05 15:00, Joel Rees wrote:
>>> Only in Debian is phpMyAdmin owned by root.
>
> Has the Fedora project gone to the trouble to set up phpMyAdmin users?
>
> I know they've been pushing a number of services out to
> service-specific users. Would be great if they've gone this far.
On Sun, Jan 5, 2014 at 8:32 PM, Chris Bannister
wrote:
> On Sat, Jan 04, 2014 at 10:13:00PM -0500, Jerry Stuckle wrote:
>> On 1/4/2014 9:57 PM, Chris Bannister wrote:
>> >On Sat, Jan 04, 2014 at 08:56:14PM -0500, Jerry Stuckle wrote:
>> >>Setting up a phpmyadmin config file is hardly "system
>> >>
On 1/5/2014 6:32 AM, Chris Bannister wrote:
On Sat, Jan 04, 2014 at 10:13:00PM -0500, Jerry Stuckle wrote:
On 1/4/2014 9:57 PM, Chris Bannister wrote:
On Sat, Jan 04, 2014 at 08:56:14PM -0500, Jerry Stuckle wrote:
Setting up a phpmyadmin config file is hardly "system
administration". It's conf
On Sat, Jan 04, 2014 at 10:13:00PM -0500, Jerry Stuckle wrote:
> On 1/4/2014 9:57 PM, Chris Bannister wrote:
> >On Sat, Jan 04, 2014 at 08:56:14PM -0500, Jerry Stuckle wrote:
> >>Setting up a phpmyadmin config file is hardly "system
> >>administration". It's configuration affects only itself, not t
On 1/4/2014 9:57 PM, Chris Bannister wrote:
On Sat, Jan 04, 2014 at 08:56:14PM -0500, Jerry Stuckle wrote:
On 1/1/2014 10:24 PM, Bob Proulx wrote:
System administration is hardly mundane. It is often misunderstood
(as in this thread) but very important work.
Setting up a phpmyadmin config f
On Sat, Jan 04, 2014 at 08:56:14PM -0500, Jerry Stuckle wrote:
> On 1/1/2014 10:24 PM, Bob Proulx wrote:
> >System administration is hardly mundane. It is often misunderstood
> >(as in this thread) but very important work.
> >
>
> Setting up a phpmyadmin config file is hardly "system
> administra
On 1/1/2014 7:55 PM, Bob Proulx wrote:
Jerry Stuckle wrote:
Bob Proulx wrote:
The default for phpmyadmin is that the files are owned by root not
www-data. If they were owned by www-data then they would be unsafe.
(If, and this is a hypothetical if, you told me the files were owned
by a
. apply a security patch), you have to do
it as root. IMHO it would be much better to be owned by a separate user
with write access to the files, with the www-data having only read access.
It is a very bad idea to use the root user to do such mundane
things.
System administration is hardly
On Fri, Jan 3, 2014 at 1:49 AM, Bob Proulx wrote:
> [...pointers to linux containers and stow...]
> Interesting posting concerning lxc on Debian:
>
>
> http://lists.alioth.debian.org/pipermail/freedombox-discuss/2013-February/005097.html
>
> The other idea was GNU stow.
>
> https://www.gnu.or
Joel Rees wrote:
> I wonder whether we could design a set of default update calls for
> such a system. It's a project to keep on the back burner, I suppose.
Interesting ideas. When I read your description two different ideas
in different directions came to my mind. One was Linux containers.
Int
unprivileged users exist for that, root
> ownership
> > is absolutely not needed.
>
> Why are you responding here with this? I never said that creating a
> non-priviledged and non-www-data account to hold the files was bad.
> Why are you responding as if I did? Please rea
On Thu, Jan 2, 2014 at 12:24 PM, Bob Proulx wrote:
> [...]
> For example if you install squirrelmail it will include
> /usr/share/squirrelmail/**.php files in the package. Root owns those
> files. This is good because that prevents any other account from
> being able to modify those files. Tha
On Thu, Jan 2, 2014 at 1:52 AM, Jerry Stuckle wrote:
> On 1/1/2014 7:20 AM, Joel Rees wrote:
>>
>> On Wed, Jan 1, 2014 at 7:30 PM, Jerry Stuckle
>> wrote:
>>>
>>> On 1/1/2014 2:52 AM, Joel Rees wrote:
[...]
On Wed, Jan 1, 2014 at 11:51 AM, Jerry Stuckle
wrote:
>
> On
those files. That is just long standing good
design.
> It is a very bad idea to use the root user to do such mundane
> things.
System administration is hardly mundane. It is often misunderstood
(as in this thread) but very important work.
> It is much better to have the files owned by a
> website document root for them to upload stuff and simply you can't let
> anyone other than you to access as root (would you?).
> Now, rwx permissions and unprivileged users exist for that, root ownership
> is absolutely not needed.
Why are you responding here with this? I nev
Jerry Stuckle wrote:
> Bob Proulx wrote:
> > The default for phpmyadmin is that the files are owned by root not
> > www-data. If they were owned by www-data then they would be unsafe.
> > (If, and this is a hypothetical if, you told me the files were owned
> > by a spec
Raffaele Morelli wrote:
> Bob Proulx wrote:
> > The default for phpmyadmin is that the files are owned by root not
> > www-data. If they were owned by www-data then they would be unsafe.
> > (If, and this is a hypothetical if, you told me the files were owned
> > b
On 1/1/2014 7:20 AM, Joel Rees wrote:
On Wed, Jan 1, 2014 at 7:30 PM, Jerry Stuckle wrote:
On 1/1/2014 2:52 AM, Joel Rees wrote:
[...]
On Wed, Jan 1, 2014 at 11:51 AM, Jerry Stuckle
wrote:
On 12/31/2013 8:43 PM, Joel Rees wrote:
On Wed, Jan 1, 2014 at 12:58 AM, Raffaele Morelli
wrote:
On Wed, Jan 1, 2014 at 7:30 PM, Jerry Stuckle wrote:
> On 1/1/2014 2:52 AM, Joel Rees wrote:
>>
>> [...]
>> On Wed, Jan 1, 2014 at 11:51 AM, Jerry Stuckle
>> wrote:
>>>
>>> On 12/31/2013 8:43 PM, Joel Rees wrote:
On Wed, Jan 1, 2014 at 12:58 AM, Raffaele Morelli
wrote:
>
On 1/1/2014 2:52 AM, Joel Rees wrote:
Are we going to find ourselves talking around each other again, Jerry?
Only if you insist.
On Wed, Jan 1, 2014 at 11:51 AM, Jerry Stuckle wrote:
On 12/31/2013 8:43 PM, Joel Rees wrote:
On Wed, Jan 1, 2014 at 12:58 AM, Raffaele Morelli
wrote:
[...]
Are we going to find ourselves talking around each other again, Jerry?
On Wed, Jan 1, 2014 at 11:51 AM, Jerry Stuckle wrote:
> On 12/31/2013 8:43 PM, Joel Rees wrote:
>>
>> On Wed, Jan 1, 2014 at 12:58 AM, Raffaele Morelli
>> wrote:
>>>
>>> [...]
>>> I just want to add a (relevant) bit.
>>> Apac
On 12/31/2013 8:43 PM, Joel Rees wrote:
On Wed, Jan 1, 2014 at 12:58 AM, Raffaele Morelli
wrote:
[...]
I just want to add a (relevant) bit.
Apache has tons of directives to secure a website and if you really need to
upload in a dir you can tell apache to not execute php scripts in there or
forc
On Wed, Jan 1, 2014 at 12:58 AM, Raffaele Morelli
wrote:
> [...]
> I just want to add a (relevant) bit.
> Apache has tons of directives to secure a website and if you really need to
> upload in a dir you can tell apache to not execute php scripts in there or
> force file type to text or prevent PO
y or one-person shops should
have at least two people with access to the site for backup purposes.
root should only be used for system administration.
security it's not a matter of doing everything as root but in using
right permissions and user/group rules.
2. www-data user should have r-x g
for system administration.
security it's not a matter of doing everything as root but in using
right permissions and user/group rules.
2. www-data user should have r-x group permissions and unprivileged
users (eg developer account) should have rwx (or rw-) permissions and
ownership.
www-dat
hing as root but in using
> right permissions and user/group rules.
>
> 2. www-data user should have r-x group permissions and unprivileged
> users (eg developer account) should have rwx (or rw-) permissions and
> ownership.
www-data user shouldn't own any files and directories
everything as root but in using right
permissions and user/group rules.
2. www-data user should have r-x group permissions and unprivileged users
(eg developer account) should have rwx (or rw-) permissions and ownership.
www-data ownership it's safe without write permission.
I just want to add
On 2013-12-31 09:01, Raffaele Morelli wrote:
> Jerry Stuckle wrote:
> > Raffaele Morelli wrote:
> > > Again, the www-data user can safely be the owner of everything
> in the
> > > webroot, just think of phpmyadmin, there's nothing un
On 12/30/2013 4:30 PM, Bob Proulx wrote:
> Jerry Stuckle wrote:
>> Raffaele Morelli wrote:
>>> Again, the www-data user can safely be the owner of everything in the
>>> webroot, just think of phpmyadmin, there's nothing unsafe in www-data
>
> The defaul
t in
the OP
> > > > (wordpress? joomla?) theme folder and used this script to
> access sendmail
> > > > executable (I wonder those file/folder ownership, root?
> www-data?).
> > >
> > > Directory's owner is www-da
2013/12/30 Bob Proulx
> Jerry Stuckle wrote:
> > Raffaele Morelli wrote:
> > > Again, the www-data user can safely be the owner of everything in the
> > > webroot, just think of phpmyadmin, there's nothing unsafe in www-data
>
> The default for phpmyadmin i
dmail
> > > > executable (I wonder those file/folder ownership, root? www-data?).
> > >
> > > Directory's owner is www-data, according to OP's mail. See:
> > >
> > > http://lists.debian.org/debian-user/2013/12/msg00806.html
> > >
>
Jerry Stuckle wrote:
> Raffaele Morelli wrote:
> > Again, the www-data user can safely be the owner of everything in the
> > webroot, just think of phpmyadmin, there's nothing unsafe in www-data
The default for phpmyadmin is that the files are owned by root not
www-data. I
Raffaele Morelli wrote:
> Reco wrote:
> > Raffaele Morelli wrote:
> > > The main point was that an attacker wrote a php script in the OP
> > > (wordpress? joomla?) theme folder and used this script to access sendmail
> > > executable (I wonder those f
On Thu, 26 Dec 2013 11:03:38 +0100
Raffaele Morelli wrote:
> We are going too deep and too far away and you claims on languages are
> generic and personal IMO, bug reports are important but if we judge
> packages on a bug number basis we "destroy" everything.
>
> We have very different point of
2013/12/25 Reco
> Hi.
>
> On Wed, 25 Dec 2013 12:02:50 +0100
> Raffaele Morelli wrote:
>
> > > > IMHO your claim is a little bit conceited, it sounds like a
> self-styled
> > > web
> > > > developer "guru" talking to his ego.
> > >
> > > Have I offended you somehow? Why this personal attack?
>
e referring to this.
No, but when your statement is this incorrect, it needs correcting.
I agree with the others. User-created files should never be owned
by root. On my servers, files are owned by the person doing the
uploading (which is NOT www-data) and are accessed r
Hi.
On Wed, 25 Dec 2013 12:02:50 +0100
Raffaele Morelli wrote:
> > > IMHO your claim is a little bit conceited, it sounds like a self-styled
> > web
> > > developer "guru" talking to his ego.
> >
> > Have I offended you somehow? Why this personal attack?
> >
>
> Nothing personal, just a remind
er-created files should never be owned by
> root. On my servers, files are owned by the person doing the uploading
> (which is NOT www-data) and are accessed read-only by group permissions
> (with www-data being a member of the group).
>
> On local systems, files are owned by the user
2013/12/24 Reco
> On Tue, 24 Dec 2013 17:08:48 +0100
> Raffaele Morelli wrote:
>
> > 2013/12/24 Reco
> >
> > >
> > >
> > > > > That's one way of doin' it. Now, to rely on poorly-implemented
> > > > > 'security' features of PHP - that's something really not worth
> doing.
> > > >
> > > >
> > > >
to write to it
> (by the group membership).
>
> As a security measure, I preach the opposite : all files are root (or
> another user, not used by the web server).
> For the directories and files that have to be modified by the
> application and so by the web server, I use a grou
script, but it is not Apache doing it.
I agree with the others. User-created files should never be owned by
root. On my servers, files are owned by the person doing the uploading
(which is NOT www-data) and are accessed read-only by group permissions
(with www-data being a member of the group
On Tue, 24 Dec 2013 17:08:48 +0100
Raffaele Morelli wrote:
> 2013/12/24 Reco
>
> >
> >
> > > > That's one way of doin' it. Now, to rely on poorly-implemented
> > > > 'security' features of PHP - that's something really not worth doing.
> > >
> > >
> > > That's absolutely you point of view, a wi
On 12/24/2013 11:08 PM, Raffaele Morelli wrote:
IMHO your claim is a little bit conceited, it sounds like a self-styled web
developer "guru" talking to his ego.
Hey Raffaele,
You and Reco are talking about root - www-data, chown - chroot...
things, not his personal characteristics.
2013/12/24 Reco
>
>
> > > That's one way of doin' it. Now, to rely on poorly-implemented
> > > 'security' features of PHP - that's something really not worth doing.
> >
> >
> > That's absolutely you point of view, a wise and skilled developer does
> > everything safe, a poor minded simply does no
d-style indeed.
>
>
> chmod is your friend.
I prefer chown, just to be sure. And if I want to be absolutely sure, I
use 'chattr +i'.
> > > Using account other than www-data requires either:
> > > >
> > > > a) Creating such account.
> >
n attacker wrote a php script in the OP
> > > > (wordpress? joomla?) theme folder and used this script to access
> sendmail
> > > > executable (I wonder those file/folder ownership, root? www-data?).
> > >
> > > Directory's owner is www-data, accordin
mla?) theme folder and used this script to access sendmail
> > > executable (I wonder those file/folder ownership, root? www-data?).
> >
> > Directory's owner is www-data, according to OP's mail. See:
> >
> > http://lists.debian.org/debian-user/2013/12/msg00
folder ownership, root? www-data?).
>
> Directory's owner is www-data, according to OP's mail. See:
>
> http://lists.debian.org/debian-user/2013/12/msg00806.html
>
> And note that attacker could rewrite any php file where just as well.
>
So ownership to root does matte
On Tue, 24 Dec 2013 14:32:58 +0100
Raffaele Morelli wrote:
> The main point was that an attacker wrote a php script in the OP
> (wordpress? joomla?) theme folder and used this script to access sendmail
> executable (I wonder those file/folder ownership, root? www-data?).
Directory
tem security rules,
> let's
> >> say that: MY best practice is to have www-data or any other NON-root
> user
> >> as the scripts owner.
> >
> > So, basically you're allowing any php script to rewrite any php script
> > with an arbitrary contents. A
On 12/24/2013 04:34 AM, Reco wrote:
> Hi.
>
snip
>
> I'm not Paul, but that's simple.
> Setuid bit is ignored for scripts.
>
> The reason for it is - the only thing that's able to spawn a process is
> an executable, which has certain format (ELF for Linux, possibly a.out
> - that depends on a
On 12/24/2013 04:37 AM, Reco wrote:
> Hi.
>
> On Tue, 24 Dec 2013 09:59:39 +0100
> Raffaele Morelli wrote:
>> Yes, I missed this point.
>>
>> BTW, as I don't want to rewrite someone else system security rules, let's
>> say that: MY best practice
2013/12/24 Reco
> Hi.
>
> On Tue, 24 Dec 2013 09:59:39 +0100
> Raffaele Morelli wrote:
> > Yes, I missed this point.
> >
> > BTW, as I don't want to rewrite someone else system security rules, let's
> > say that: MY best practice is to have
Hi.
On Tue, 24 Dec 2013 09:59:39 +0100
Raffaele Morelli wrote:
> Yes, I missed this point.
>
> BTW, as I don't want to rewrite someone else system security rules, let's
> say that: MY best practice is to have www-data or any other NON-root user
> as the scripts own
Hi.
On Tue, 24 Dec 2013 10:03:15 +0100
"Hans-J. Ullrich" wrote:
> Hi Paul,
> I do not intend to hijack this discussion but I think I have got the same
> problem!
>
> First thank you for your explanation. I am following this discussion and I
> have
> a similar problem. I made a script, which
On 12/24/2013 02:57 AM Raffaele Morelli wrote:
Read apache webserver documentation.
This is a good idea in general, but a more specific reference would
actually be practical.
There is no problem whatsoever with files being owned by root. This
is done all of the time. It is okay.
>
> No, php script *RUN* by root -> full system access
>
> php script run by www-data -> access to what www-data has access to.
>
> Owner/Group/Other permissions only affect who has access to the
> file/folder, not the kind of access the file (process) itself has whe
he is a bad thing for security?
> >
> >
> > php script is owned by root -> full system access
>
> No, php script *RUN* by root -> full system access
>
> php script run by www-data -> access to what www-data has access to.
>
Yes, I missed this point.
BTW
No, php script *RUN* by root -> full system access
php script run by www-data -> access to what www-data has access to.
Owner/Group/Other permissions only affect who has access to the
file/folder, not the kind of access the file (process) itself has when
run. Two very different concepts.
T
Hi.
On Tue, 24 Dec 2013 09:00:59 +0100
Raffaele Morelli wrote:
> php script is owned by root -> full system access
>
> now, try `su - www-data` and have a look at the shell you are in.
> there you are if you can get it.
# apt-get install apache2 php5-cli
…
# cat > /var/w
Hi.
On Tue, 24 Dec 2013 08:57:36 +0100
Raffaele Morelli wrote:
> Keep in mind that if a php script is owned by root user and there's a
> security hole in it, an attacker can easily access every block of your file
> system.
Executing root-owned php script by www-data user w
> apache is a bad thing for security?
>
php script is owned by root -> full system access
now, try `su - www-data` and have a look at the shell you are in.
there you are if you can get it.
>
> Reco
"wordpress" to upload a theme using the site UI", I think you
> might
> > > be forced to have the www-data own and being able to write to theme
> folder.
> > > If you don't you would have to sftp the theme there and unzip it
> manually.
> >
>
Hi.
On Tue, 24 Dec 2013 08:47:17 +0100
Raffaele Morelli wrote:
> I think you should read man pages on shells and privileges first and what a
> user can do.
Can you elaborate please how exactly serving root-owned file with
apache is a bad thing for security?
Reco
2013/12/23 Gilles Mocellin
> On 23/12/2013 15:30, Raffaele Morelli wrote:
>
> 2013/12/14 Lukasz Szybalski
>
>>
>>> [...]
>>
>
> root should not own files served by apache for any reason, that's
> really "dangerous"!
> you should never do that...
>
>
> Excuse-me, but I think you're wro
UI", I think you might
> > be forced to have the www-data own and being able to write to theme folder.
> > If you don't you would have to sftp the theme there and unzip it manually.
>
> root should not own files served by apache for any reason, that's really
time will produce that "another user" that is preferred..
Making purpose-specific users is cheap, much cheaper than cleaning up.
> For the directories and files that have to be modified by the application
> and so by the web server, I use a group membership (www-data) with write
>
For the directories and files that have to be modified by the
application and so by the web server, I use a group membership
(www-data) with write privileges for the group.
Like this, if someone find a hole in the web app, it can make it execute
something with the user running the web serve
2013/12/14 Lukasz Szybalski
>
>> Thanks for the feedback. I did check with other production sites I run,
> and most of them are owned by root. I have to test to see "if you want to
> use the "wordpress" to upload a theme using the site UI", I think you might
>
On Thu, Dec 12, 2013 at 12:12:57AM -0500, Bob Bernstein wrote:
> On Wed, Dec 11, 2013 at 08:57:57PM -0600, Lukasz Szybalski wrote:
>
> >I run my own site, and I do have postfix, apache, wordpress,
> >and moinmoin installed. www-data is sending 100s of emails a
> >
On Wed, Dec 11, 2013 at 08:57:57PM -0600, Lukasz Szybalski wrote:
>I run my own site, and I do have postfix, apache, wordpress,
>and moinmoin installed. www-data is sending 100s of emails a
>minute.
I hope you have by hook or crook pulled the plug on this system by
now.
On Wed, Dec 11, 2013 at 07:07:42PM -0800, David Christensen wrote:
> On 12/11/2013 06:57 PM, Lukasz Szybalski wrote:
> >I run my own site, and I do have postfix, apache, wordpress, and moinmoin
> >installed. www-data is sending 100s of emails a minute. Either wordpress or
On 12/11/2013 06:57 PM, Lukasz Szybalski wrote:
I run my own site, and I do have postfix, apache, wordpress, and moinmoin
installed. www-data is sending 100s of emails a minute. Either wordpress or
moinmoin is compromised? How do I debug to find out where is the problem?
I suggest that you
Hello,
I run my own site, and I do have postfix, apache, wordpress, and moinmoin
installed. www-data is sending 100s of emails a minute. Either wordpress or
moinmoin is compromised? How do I debug to find out where is the problem?
I'm watching the mail.log and I see a lot of "emails"
>> Why can't the binary execute "amarok -t" when it is confirmed that it
>> is indeed running as user "tommy"?
>
> X doesn't authenticate connections based on uid. (For one thing, connections
> need not be from the local machine. But uid is not used even on the same
> machine.) Read the manpage
On Tuesday 02 February 2010 17:14:31 Thomas Anderson wrote:
> Why can't the binary execute "amarok -t" when it is confirmed that it
> is indeed running as user "tommy"?
X doesn't authenticate connections based on uid. (For one thing, connections
need not be from the local machine. But uid is no