A new report from security expert Bernard Marienfeldt illustrates a fairly big security hole in the way the iPhone secures user data. When plugged into a Windows or OSX box, an iPhone will only display the DCIM pictures folder.
It seems to me that there are as many ways to do this as there are sysadmins out there. This is what I came up with.
Security of /var/www is left as-is.
Security of the directories and subdirectories under /var/www has the following perm/user/group:
drwxrws--- martijn www
Security of files in those directories (recursive) is:
-rw-rw---- martijn www
martijn is the owner.
Written by: Stuart Corner | Published in: Strategy
The Cloud Security Alliance (CSA) and Fujitsu Laboratories of America have formed the Big Data Working Group to "address the need for collaborative research and solutions to today's big data security challenges."
Referenced CVEs:
CVE-2008-2363
Description:
===========================================================
Ubuntu Security Notice USN-845-1 October 08, 2009
pan vulnerability
CVE-2008-2363
===========================================================
A security issue affect
I wanted to ask about connecting EC2 to RDP in AWS.
I have added my EC2 Security Group (that contains the EC2 instances) into the Default RDP Group and Data is flowing - the connection works.
The EC2 Security group has Port 80 to 0.0.0.0/0 and SSH to my IP enabled.
On November 8, Canonical published in a security notice details about a Qt vulnerability for its Ubuntu 12.10 (Quantal Quetzal), Ubuntu 11.10 (Oneiric Ocelot) and Ubuntu 10.04 LTS (Lucid Lynx) operating systems. According to Canonical, Qt applications could be made to expose sensitive information over the network.
What I really want to do is allow the 'www-data' user to have the ability to launch php-cgi as another user. I just want to make sure that I fully understand the security implications.
The server should support a shared hosting environment where various (possibly untrusted) users have chroot'ed FTP access to the server to store their HTML and PHP files.
According to the VLC site, they are urging everyone to update to 2.0.4.
http://www.videolan.org/news.html (security advisory 1203)
Will Ubuntu update soon? I'm uneasy using it with a serious security vulnerability. I'm surprised Ubuntu hasn't already updated itself.
Nginx is not able to write to the log file even if its user has group write access.
Here are some details:
www-data user is in ubuntu group:
$ id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data),1000(ubuntu)
/opt/logs/ is group writable:
$ ls -ld /opt/logs/
drwxrwxr-x 2 ubuntu ubuntu 4096 2012-07-27 02:47 /opt/logs/
www-data user can create /opt/logs/1 as expected:
$ su www-data