Debian Bug report logs - #270593
apache2: /var/wwww should be owned by www-data, not root
Reported by: Jari Aalto <jari.aalto@poboxes.com>
Date: Wed, 8 Sep 2004 08:03:03 UTC
Severity: grave
Found in version 2.0.50-12
Done: Thom May <thom@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#270593; Package apache2.
Acknowledgement sent to Jari Aalto <jari.aalto@poboxes.com>:
New Bug report received and forwarded. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: apache2
Version: 2.0.50-12
Severity: grave
Justification: user security hole
I'm not sure which process is responsible for creating /var/www, but
I'm presuming it is apache2, which is the only web server installed
on this system.
The permissions look like this now:
host:~# ls -la /var/www
drwxr-xr-x 3 root root 4096 Sep 6 23:53 .
But wouldn't it be more secure to use:
chown -R www-data.www-data /var/www
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-1-386
Locale: LANG=C, LC_CTYPE=C (ignored: LC_ALL set to en_US)
Versions of packages apache2 depends on:
ii apache2-mpm-prefork 2.0.50-12 Traditional model for Apache2
-- no debconf information
Reply sent to Thom May <thom@debian.org>:
You have taken responsibility.
Notification sent to Jari Aalto <jari.aalto@poboxes.com>:
Bug acknowledged by developer.
Message #10 received at 270593-done@bugs.debian.org:
Hi,
I'm not sure how your thought processes worked on this one. But let's think
about this for a second:
Web server runs as www-data. /var/www is owned by www-data. All your CGI
scripts run as www-data.
You have a script with an exploit. Unchecked input or whatever. Attacker
runs 'rm -rf /var/www/*'. With /var/www owned by anything !www-data, this
isn't a problem. With /var/www owned by www-data, all your web pages are now
in the deep blue void.
So no, it would not be more secure. (And no, we will not be doing this)
-Thom
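The reasoning in the reply above, as an added example that is not part of the original bug log: a Python audit listing what a process running as a given uid could create, delete or overwrite under a document root, using only the classic mode bits. The function names and the temporary sample tree are constructed for illustration; ACLs and uid 0 are not modelled.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """Classic Unix mode-bit check for a non-root uid (ACLs are ignored)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_docroot(root, uid, gids):
    """List (path, issue) pairs for what a process running as uid could damage."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dst = os.lstat(dirpath)
        dir_writable = can_write(dst, uid, gids)
        if dir_writable:
            findings.append((dirpath, "can create entries"))
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # Deleting needs write on the parent directory, not on the file;
            # a sticky parent restricts it to the owner of the entry or directory.
            sticky = dst.st_mode & stat.S_ISVTX and uid not in (st.st_uid, dst.st_uid)
            if dir_writable and not sticky:
                findings.append((path, "can delete or rename"))
            elif stat.S_ISREG(st.st_mode) and can_write(st, uid, gids):
                findings.append((path, "can overwrite content"))
    return findings

def demo():
    """Audit one constructed tree as its owner and as an unrelated uid."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "cgi-bin"))
        for rel in ("index.html", os.path.join("cgi-bin", "form.cgi")):
            with open(os.path.join(root, rel), "w") as handle:
                handle.write("constructed sample\n")
            os.chmod(os.path.join(root, rel), 0o644)
        for d in (root, os.path.join(root, "cgi-bin")):
            os.chmod(d, 0o755)
        owner = os.lstat(root).st_uid
        as_owner = audit_docroot(root, owner, set())      # docroot owned by server user
        as_other = audit_docroot(root, owner + 1, set())  # docroot owned by someone else
        return as_owner, as_other

if __name__ == "__main__":
    for label, result in zip(("server owns docroot", "server does not own docroot"), demo()):
        print(label, result)
```

On a real host, pass the web server account's uid and its full set of group ids, and treat any finding outside a dedicated upload directory as something to justify.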
Message #11 received at 270593-done@bugs.debian.org:
On Wed, Sep 08, 2004 at 10:41:41AM +0300, Jari Aalto wrote:
> Package: apache2
> Version: 2.0.50-12
> Severity: grave
> Justification: user security hole
>
>
> I'm not sure which process is responsible for creating /var/www, but
> I'm presuming it is apache2, which is the only web server installed
> on this system.
>
> The permissions look like this now:
>
> host:~# ls -la /var/www
> drwxr-xr-x 3 root root 4096 Sep 6 23:53 .
>
> But wouldn't it be more secure to use:
>
> chown -R www-data.www-data /var/www
No, it would actually be less secure.
--
Daniel Stone <daniels@debian.org>
Debian: the universal operating system http://www.debian.org
Last modified: Fri Jan 5 09:28:55 2018