On Sat, Jan 04, 2014 at 10:13:00PM -0500, Jerry Stuckle wrote:
On 1/4/2014 9:57 PM, Chris Bannister wrote:
On Sat, Jan 04, 2014 at 08:56:14PM -0500, Jerry Stuckle wrote:
Setting up a phpmyadmin config file is hardly system
administration. Its configuration affects only itself, not the
entire
On 1/5/2014 6:32 AM, Chris Bannister wrote:
On Sat, Jan 04, 2014 at 10:13:00PM -0500, Jerry Stuckle wrote:
On 1/4/2014 9:57 PM, Chris Bannister wrote:
On Sat, Jan 04, 2014 at 08:56:14PM -0500, Jerry Stuckle wrote:
Setting up a phpmyadmin config file is hardly system
administration. It's
On Sun, Jan 5, 2014 at 8:32 PM, Chris Bannister
cbannis...@slingshot.co.nz wrote:
On Sat, Jan 04, 2014 at 10:13:00PM -0500, Jerry Stuckle wrote:
On 1/4/2014 9:57 PM, Chris Bannister wrote:
On Sat, Jan 04, 2014 at 08:56:14PM -0500, Jerry Stuckle wrote:
Setting up a phpmyadmin config file is
On 2014-01-05 15:00, Joel Rees wrote:
Only in Debian is phpMyAdmin owned by root.
Has the Fedora project gone to the trouble to set up phpMyAdmin users?
I know they've been pushing a number of services out to
service-specific users. Would be great if they've gone this far.
(I
On 1/1/2014 10:24 PM, Bob Proulx wrote:
Jerry Stuckle wrote:
Raffaele Morelli wrote:
Bob Proulx wrote:
2) The ownership of the files by root is safe. The default owner is
root. Files owned by root with the default permissions are not
writable by the web process. Files in the default
On 1/1/2014 7:55 PM, Bob Proulx wrote:
Jerry Stuckle wrote:
Bob Proulx wrote:
The default for phpmyadmin is that the files are owned by root not
www-data. If they were owned by www-data then they would be unsafe.
(If, and this is a hypothetical if, you told me the files were owned
by a
On Sat, Jan 04, 2014 at 08:56:14PM -0500, Jerry Stuckle wrote:
On 1/1/2014 10:24 PM, Bob Proulx wrote:
System administration is hardly mundane. It is often misunderstood
(as in this thread) but very important work.
Setting up a phpmyadmin config file is hardly system
administration. It's
On 1/4/2014 9:57 PM, Chris Bannister wrote:
On Sat, Jan 04, 2014 at 08:56:14PM -0500, Jerry Stuckle wrote:
On 1/1/2014 10:24 PM, Bob Proulx wrote:
System administration is hardly mundane. It is often misunderstood
(as in this thread) but very important work.
Setting up a phpmyadmin config
On Fri, Jan 3, 2014 at 1:49 AM, Bob Proulx b...@proulx.com wrote:
[...pointers to linux containers and stow...]
Interesting posting concerning lxc on Debian:
http://lists.alioth.debian.org/pipermail/freedombox-discuss/2013-February/005097.html
The other idea was GNU stow.
On Thu, Jan 2, 2014 at 12:24 PM, Bob Proulx b...@proulx.com wrote:
[...]
For example if you install squirrelmail it will include
/usr/share/squirrelmail/**.php files in the package. Root owns those
files. This is good because that prevents any other account from
being able to modify those
2014/1/2 Bob Proulx b...@proulx.com
Raffaele Morelli wrote:
Bob Proulx wrote:
2) The ownership of the files by root is safe. The default owner is
root. Files owned by root with the default permissions are not
writable by the web process. Files in the default configuration are
Joel Rees wrote:
I wonder whether we could design a set of default update calls for
such a system. It's a project to keep on the back burner, I suppose.
Interesting ideas. When I read your description two different ideas
in different directions came to my mind. One was Linux containers.
On 1/1/2014 2:52 AM, Joel Rees wrote:
Are we going to find ourselves talking around each other again, Jerry?
Only if you insist.
On Wed, Jan 1, 2014 at 11:51 AM, Jerry Stuckle jstuc...@attglobal.net wrote:
On 12/31/2013 8:43 PM, Joel Rees wrote:
On Wed, Jan 1, 2014 at 12:58 AM, Raffaele
On Wed, Jan 1, 2014 at 7:30 PM, Jerry Stuckle drunkensot9...@gmail.com wrote:
On 1/1/2014 2:52 AM, Joel Rees wrote:
[...]
On Wed, Jan 1, 2014 at 11:51 AM, Jerry Stuckle jstuc...@attglobal.net
wrote:
On 12/31/2013 8:43 PM, Joel Rees wrote:
On Wed, Jan 1, 2014 at 12:58 AM, Raffaele Morelli
On 1/1/2014 7:20 AM, Joel Rees wrote:
On Wed, Jan 1, 2014 at 7:30 PM, Jerry Stuckle drunkensot9...@gmail.com wrote:
On 1/1/2014 2:52 AM, Joel Rees wrote:
[...]
On Wed, Jan 1, 2014 at 11:51 AM, Jerry Stuckle jstuc...@attglobal.net
wrote:
On 12/31/2013 8:43 PM, Joel Rees wrote:
On Wed, Jan
Raffaele Morelli wrote:
Bob Proulx wrote:
The default for phpmyadmin is that the files are owned by root not
www-data. If they were owned by www-data then they would be unsafe.
(If, and this is a hypothetical if, you told me the files were owned
by a special phpmyadmin-data account, then
Jerry Stuckle wrote:
Bob Proulx wrote:
The default for phpmyadmin is that the files are owned by root not
www-data. If they were owned by www-data then they would be unsafe.
(If, and this is a hypothetical if, you told me the files were owned
by a special phpmyadmin-data account, then I
Raffaele Morelli wrote:
Bob Proulx wrote:
2) The ownership of the files by root is safe. The default owner is
root. Files owned by root with the default permissions are not
writable by the web process. Files in the default configuration are
not exploitable by that vulnerability which
Jerry Stuckle wrote:
Raffaele Morelli wrote:
Bob Proulx wrote:
2) The ownership of the files by root is safe. The default owner is
root. Files owned by root with the default permissions are not
writable by the web process. Files in the default configuration are
not exploitable
On Thu, Jan 2, 2014 at 1:52 AM, Jerry Stuckle jstuc...@attglobal.net wrote:
On 1/1/2014 7:20 AM, Joel Rees wrote:
On Wed, Jan 1, 2014 at 7:30 PM, Jerry Stuckle drunkensot9...@gmail.com
wrote:
On 1/1/2014 2:52 AM, Joel Rees wrote:
[...]
On Wed, Jan 1, 2014 at 11:51 AM, Jerry Stuckle
2013/12/30 Bob Proulx b...@proulx.com
Jerry Stuckle wrote:
Raffaele Morelli wrote:
Again, the www-data user can safely be the owner of everything in the
webroot, just think of phpmyadmin, there's nothing unsafe in www-data
The default for phpmyadmin is that the files are owned by root
On 12/31/2013 3:00 AM, Raffaele Morelli wrote:
2013/12/30 Bob Proulx b...@proulx.com
Raffaele Morelli wrote:
Reco wrote:
Raffaele Morelli wrote:
The main point was that an attacker wrote a php script in
the OP
(wordpress? joomla?)
On 12/30/2013 4:30 PM, Bob Proulx wrote:
Jerry Stuckle wrote:
Raffaele Morelli wrote:
Again, the www-data user can safely be the owner of everything in the
webroot, just think of phpmyadmin, there's nothing unsafe in www-data
The default for phpmyadmin is that the files are owned by root
On 2013-12-31 09:01, Raffaele Morelli wrote:
Jerry Stuckle wrote:
Raffaele Morelli wrote:
Again, the www-data user can safely be the owner of everything
in the
webroot, just think of phpmyadmin, there's nothing unsafe in
www-data
The default for
2013/12/31 Jerry Stuckle jstuc...@attglobal.net
BTW - your quoting style is not consistent, making it difficult to see
which are your comments and which are in the post you are replying to.
Jerry
I broke quoting somewhere in the thread, BTW here are my main points.
1. one should not be
On 2013-12-31 16:58, Raffaele Morelli wrote:
1. one should not be using root ownership for websites to solve
permissions problems in website document root. On servers where there
are N web developers this is absolutely the wrong way to go (you can't
go IMO).
Webservers where there are
On 12/31/2013 10:58 AM, Raffaele Morelli wrote:
2013/12/31 Jerry Stuckle jstuc...@attglobal.net
BTW - your quoting style is not consistent, making it difficult to
see which are your comments and which are in the post you are
replying to.
Jerry
On 12/31/2013 11:29 AM, Nemeth Gyorgy wrote:
On 2013-12-31 16:58, Raffaele Morelli wrote:
1. one should not be using root ownership for websites to solve
permissions problems in website document root. On servers where there
are N web developers this is absolutely the wrong way to go
On Wed, Jan 1, 2014 at 12:58 AM, Raffaele Morelli
raffaele.more...@gmail.com wrote:
[...]
I just want to add a (relevant) bit.
Apache has tons of directives to secure a website and if you really need to
upload in a dir you can tell apache to not execute php scripts in there or
force file type
On 12/31/2013 8:43 PM, Joel Rees wrote:
On Wed, Jan 1, 2014 at 12:58 AM, Raffaele Morelli
raffaele.more...@gmail.com wrote:
[...]
I just want to add a (relevant) bit.
Apache has tons of directives to secure a website and if you really need to
upload in a dir you can tell apache to not execute
Are we going to find ourselves talking around each other again, Jerry?
On Wed, Jan 1, 2014 at 11:51 AM, Jerry Stuckle jstuc...@attglobal.net wrote:
On 12/31/2013 8:43 PM, Joel Rees wrote:
On Wed, Jan 1, 2014 at 12:58 AM, Raffaele Morelli
raffaele.more...@gmail.com wrote:
[...]
I just want
Raffaele Morelli wrote:
Reco wrote:
Raffaele Morelli wrote:
The main point was that an attacker wrote a php script in the OP
(wordpress? joomla?) theme folder and used this script to access sendmail
executable (I wonder those file/folder ownership, root? www-data?).
Directory's
Jerry Stuckle wrote:
Raffaele Morelli wrote:
Again, the www-data user can safely be the owner of everything in the
webroot, just think of phpmyadmin, there's nothing unsafe in www-data
The default for phpmyadmin is that the files are owned by root not
www-data. If they were owned by
2013/12/30 Bob Proulx b...@proulx.com
Raffaele Morelli wrote:
Reco wrote:
Raffaele Morelli wrote:
The main point was that an attacker wrote a php script in the OP
(wordpress? joomla?) theme folder and used this script to access
sendmail
executable (I wonder those file/folder
2013/12/25 Reco recovery...@gmail.com
Hi.
On Wed, 25 Dec 2013 12:02:50 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
IMHO your claim is a little bit conceited, it sounds like a
self-styled
web
developer guru talking to his ego.
Have I offended you somehow? Why
On Thu, 26 Dec 2013 11:03:38 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
We are going too deep and too far away and your claims on languages are
generic and personal IMO, bug reports are important but if we judge
packages on a bug number basis we destroy everything.
We have very
2013/12/24 Reco recovery...@gmail.com
On Tue, 24 Dec 2013 17:08:48 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
2013/12/24 Reco recovery...@gmail.com
That's one way of doin' it. Now, to rely on poorly-implemented
'security' features of PHP - that's something
2013/12/24 Jerry Stuckle jstuc...@attglobal.net
On 12/24/2013 10:37 AM, Raffaele Morelli wrote:
snip
Are u kidding? Apache writes and creates everything you want if
directory/files permissions are designed for and that is what you want.
Incorrect. Apache writes or creates NOTHING. The
Hi.
On Wed, 25 Dec 2013 12:02:50 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
IMHO your claim is a little bit conceited, it sounds like a self-styled
web
developer guru talking to his ego.
Have I offended you somehow? Why this personal attack?
Nothing personal, just
On 12/25/2013 6:10 AM, Raffaele Morelli wrote:
2013/12/24 Jerry Stuckle jstuc...@attglobal.net
On 12/24/2013 10:37 AM, Raffaele Morelli wrote:
snip
Are u kidding? Apache writes and creates everything you want if
directory/files permissions
2013/12/24 Reco recovery...@gmail.com
Hi.
On Tue, 24 Dec 2013 08:47:17 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
I think you should read man pages on shells and privileges first and
what a
user can do.
Can you elaborate please how exactly serving root-owned file with
Hi.
On Tue, 24 Dec 2013 08:57:36 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
Keep in mind that if a php script is owned by root user and there's a
security hole in it, an attacker can easily access every block of your file
system.
Executing root-owned php script by www-data
Hi.
On Tue, 24 Dec 2013 09:00:59 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
php script is owned by root - full system access
now, try `su - www-data` and have a look at the shell you are in.
there you are if you can get it.
# apt-get install apache2 php5-cli
…
# cat
On 12/24/2013 03:00 AM, Raffaele Morelli wrote:
2013/12/24 Reco recovery...@gmail.com
Hi.
On Tue, 24 Dec 2013 08:47:17 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
I think you should
2013/12/24 PaulNM deb...@paulscrap.com
On 12/24/2013 03:00 AM, Raffaele Morelli wrote:
2013/12/24 Reco recovery...@gmail.com
Hi.
On Tue, 24 Dec 2013 08:47:17 +0100
Raffaele Morelli raffaele.more...@gmail.com
No, php script *RUN* by root - full system access
php script run by www-data - access to what www-data has access to.
Owner/Group/Other permissions only affect who has access to the
file/folder, not the kind of access the file (process) itself has when
run. Two very different concepts.
On 12/24/2013 02:57 AM Raffaele Morelli wrote:
Read apache webserver documentation.
This is a good idea in general, but a more specific reference would
actually be practical.
There is no problem whatsoever with files being owned by root. This
is done all of the time. It is
Hi.
On Tue, 24 Dec 2013 10:03:15 +0100
Hans-J. Ullrich hans.ullr...@loop.de wrote:
Hi Paul,
I do not intend to hijack this discussion but I think I have got the same
problem!
First thank you for your explanation. I am following this discussion and I
have
a similar problem. I made a
Hi.
On Tue, 24 Dec 2013 09:59:39 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
Yes, I missed this point.
BTW, as I don't want to rewrite someone else system security rules, let's
say that: MY best practice is to have www-data or any other NON-root user
as the scripts owner.
So,
2013/12/24 Reco recovery...@gmail.com
Hi.
On Tue, 24 Dec 2013 09:59:39 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
Yes, I missed this point.
BTW, as I don't want to rewrite someone else system security rules, let's
say that: MY best practice is to have www-data or any
On 12/24/2013 04:37 AM, Reco wrote:
Hi.
On Tue, 24 Dec 2013 09:59:39 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
Yes, I missed this point.
BTW, as I don't want to rewrite someone else system security rules, let's
say that: MY best practice is to have www-data or any other
On 12/24/2013 04:34 AM, Reco wrote:
Hi.
snip
I'm not Paul, but that's simple.
Setuid bit is ignored for scripts.
The reason for it is - the only thing that's able to spawn a process is
an executable, which has certain format (ELF for Linux, possibly a.out
- that depends on a kernel
2013/12/24 PaulNM deb...@paulscrap.com
On 12/24/2013 04:37 AM, Reco wrote:
Hi.
On Tue, 24 Dec 2013 09:59:39 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
Yes, I missed this point.
BTW, as I don't want to rewrite someone else system security rules,
let's
say that:
On Tue, 24 Dec 2013 14:32:58 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
The main point was that an attacker wrote a php script in the OP
(wordpress? joomla?) theme folder and used this script to access sendmail
executable (I wonder those file/folder ownership, root? www-data?).
2013/12/24 Reco recovery...@gmail.com
On Tue, 24 Dec 2013 14:32:58 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
The main point was that an attacker wrote a php script in the OP
(wordpress? joomla?) theme folder and used this script to access sendmail
executable (I wonder
Hi.
On Tue, 24 Dec 2013 15:40:39 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
2013/12/24 Reco recovery...@gmail.com
On Tue, 24 Dec 2013 14:32:58 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
The main point was that an attacker wrote a php script in the OP
2013/12/24 Reco recovery...@gmail.com
Hi.
On Tue, 24 Dec 2013 15:40:39 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
2013/12/24 Reco recovery...@gmail.com
On Tue, 24 Dec 2013 14:32:58 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
The main point was
On Tue, 24 Dec 2013 16:37:45 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
So ownership to root does matter?
Which ownership are you talking about?
Were the directory in question owned by root, the attacker could not
create their own files.
Were the php files in question owned by
2013/12/24 Reco recovery...@gmail.com
That's one way of doin' it. Now, to rely on poorly-implemented
'security' features of PHP - that's something really not worth doing.
That's absolutely your point of view, a wise and skilled developer does
everything safe, a poor minded simply
On 12/24/2013 11:08 PM, Raffaele Morelli wrote:
IMHO your claim is a little bit conceited, it sounds like a self-styled web
developer guru talking to his ego.
Hey Raffaele,
You and Reco are talking about root - www-data, chown - chroot...
things, not his personal characteristics.
Your reply
On Tue, 24 Dec 2013 17:08:48 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
2013/12/24 Reco recovery...@gmail.com
That's one way of doin' it. Now, to rely on poorly-implemented
'security' features of PHP - that's something really not worth doing.
That's
On 12/24/2013 10:37 AM, Raffaele Morelli wrote:
snip
Are u kidding? Apache writes and creates everything you want if
directory/files permissions are designed for and that is what you want.
Incorrect. Apache writes or creates NOTHING. The web server user can
create and write files from a
On Mon, 23 Dec 2013 18:42:24 +0100, Gilles Mocellin wrote:
On 23/12/2013 15:30, Raffaele Morelli wrote:
2013/12/14 Lukasz Szybalski szybal...@gmail.com
[...]
root should not own files served by apache for any reason, that's
really dangerous!
you should
2013/12/14 Lukasz Szybalski szybal...@gmail.com
Thanks for the feedback. I did check with other production sites I run,
and most of them are owned by root. I have to test to see if you want to
use the wordpress to upload a theme using the site UI, I think you might
be forced to have the
On 23/12/2013 15:30, Raffaele Morelli wrote:
2013/12/14 Lukasz Szybalski szybal...@gmail.com
[...]
root should not own files served by apache for any reason, that's
really dangerous!
you should never do that...
Excuse-me, but I think you're wrong.
The
On Tue, Dec 24, 2013 at 2:42 AM, Gilles Mocellin
gilles.mocel...@nuagelibre.org wrote:
On 23/12/2013 15:30, Raffaele Morelli wrote:
2013/12/14 Lukasz Szybalski szybal...@gmail.com
[...]
root should not own files served by apache for any reason, that's really
dangerous!
you should
Raffaele Morelli wrote:
Lukasz Szybalski wrote:
Thanks for the feedback. I did check with other production sites I run,
and most of them are owned by root. I have to test to see if you want to
use the wordpress to upload a theme using the site UI, I think you might
be forced to have the
2013/12/23 Gilles Mocellin gilles.mocel...@nuagelibre.org
On 23/12/2013 15:30, Raffaele Morelli wrote:
2013/12/14 Lukasz Szybalski szybal...@gmail.com
[...]
root should not own files served by apache for any reason, that's
really dangerous!
you should never do that...
Hi.
On Tue, 24 Dec 2013 08:47:17 +0100
Raffaele Morelli raffaele.more...@gmail.com wrote:
I think you should read man pages on shells and privileges first and what a
user can do.
Can you elaborate please how exactly serving root-owned file with
apache is a bad thing for security?
Reco
--
2013/12/24 Bob Proulx b...@proulx.com
Raffaele Morelli wrote:
Lukasz Szybalski wrote:
Thanks for the feedback. I did check with other production sites I run,
and most of them are owned by root. I have to test to see if you want
to
use the wordpress to upload a theme using the site
On Thu, Dec 12, 2013 at 12:12:57AM -0500, Bob Bernstein wrote:
On Wed, Dec 11, 2013 at 08:57:57PM -0600, Lukasz Szybalski wrote:
I run my own site, and I do have postfix, apache, wordpress,
and moinmoin installed. www-data is sending 100s of emails a
minute.
I hope you have
Hello,
I run my own site, and I do have postfix, apache, wordpress, and moinmoin
installed. www-data is sending 100s of emails a minute. Either wordpress or
moinmoin is compromised? How do I debug to find out where is the problem?
I'm watching the mail.log and I see a lot of emails being sent
On 12/11/2013 06:57 PM, Lukasz Szybalski wrote:
I run my own site, and I do have postfix, apache, wordpress, and moinmoin
installed. www-data is sending 100s of emails a minute. Either wordpress or
moinmoin is compromised? How do I debug to find out where is the problem?
I suggest that you
On Wed, Dec 11, 2013 at 07:07:42PM -0800, David Christensen wrote:
On 12/11/2013 06:57 PM, Lukasz Szybalski wrote:
I run my own site, and I do have postfix, apache, wordpress, and moinmoin
installed. www-data is sending 100s of emails a minute. Either wordpress or
moinmoin is compromised? How
On Wed, Dec 11, 2013 at 08:57:57PM -0600, Lukasz Szybalski wrote:
I run my own site, and I do have postfix, apache, wordpress,
and moinmoin installed. www-data is sending 100s of emails a
minute.
I hope you have by hook or crook pulled the plug on this system by
now. I believe you
75 matches