[Tfug] website file ownership problem

Brian Murphy murphy+tfug at email.arizona.edu
Tue Apr 3 01:59:10 MST 2007


Quoting Paul Scott <waterhorse at ultrasw.com>:
> A website I maintain - http://www.susanartemis.com/ recently it has
> become inaccessible because it's main control file has had it's
> owner/group changed to "root/wheel" and there is no read permission.
> They are suggesting that I upload a new "script" without security flaws
> but how can I upload/replace a file that their admin now owns?
>
> The hosting company - 1hourhosting.com claims that the site has been
> hacked because of a security flaw in my code.  It is certainly possible
> that my simple code PHP code might have security flaws but could that
> have allowed a file's ownership to be changed to root?
>


If you have ownership on the directory you should be able to delete a
root owned file.

A non-root user should never be able to chown a file to root.  Most
unixes don't allow nonroot any chown privileges.  Your provider has
bigger problems if these things really happened.

At the risk of being flamed, I run a shared web hosting business that
uses suexec to run all php and cgi files as the user who owns the file,
not the general apache user.  Email me off the list if you would like
more information. (brian at dormhost.com)

Brian

The opinions or statements expressed herein are my own and should not be
taken as a position, opinion, or endorsement of the University of
Arizona.






More information about the tfug mailing list