Score:1

Possible weakness in www-data Permission?


Today I was testing something on my VPS and realized the "www-data" user has read access to home folders and to system-internal folders as well, which would give a possible attacker the ability to gather information outside of the /var/www directory, e.g. RSA keys or batch files in home directories.

First I thought I had messed up my file permissions or something, but I could reproduce this behavior on a freshly installed virtual machine.

OS: Ubuntu 20.04 LTS, with all updates applied
Webserver: Apache2 with standard config

How did I test: `sudo -u www-data bash`, then `nano /home/user/stuff.txt` or `nano /folder/rsa.pem`

Is this expected behavior? Am I missing something? And how can I deny the www-data user access to specific folders?

Thanks in advance!

pLumo: This is by design. You can easily restrict access, check https://askubuntu.com/questions/46501/why-can-other-users-see-the-files-in-my-home-folder. And if you follow the Ubuntu Server guide, you [will be told](https://ubuntu.com/server/docs/security-users).
pLumo: Btw: Ubuntu > 21.04 [defaults to private user `$HOME` directories](https://ubuntu.com/blog/private-home-directories-for-ubuntu-21-04).
Score:0

Globally-readable /home directories are expected behavior in Ubuntu 20.10 and earlier releases.

The behavior has been changed in 21.04 and newer releases; /home directories are no longer globally readable.

  • New installs of 21.04 and newer get the new behavior.
  • New installs of 20.04 and older get the old behavior.
  • Release upgrades do NOT change the behavior. If you release-upgrade from 20.04 to, say, 22.04, your /home dir will remain globally-readable.

Back in the day, you wanted folks to be able to read (not write) to files in your directory. That's one way that you shared information on a multi-user system. Of course, you also knew better than to keep private data on a multi-user system.

From a security standpoint, it's still true: Servers should be treated as multi-user systems. Don't keep sensitive private documents 1) Unencrypted, and 2) On the same filesystem as a public webserver.
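The comment above says access "can easily be restricted", and the answer explains that a release upgrade leaves old homes world-readable. The following added script (not from the question, the comments, or any Ubuntu project code) shows a defender's check-and-fix for both points: it lists every home directory under a root whose "other" permission bits grant read or execute, strips those bits, and flips `DIR_MODE` in an adduser.conf so that future accounts start private. `HOME_ROOT`, the `--scan` flag, the function names and the sample directories are all assumptions of this example; `DIR_MODE` in `/etc/adduser.conf` is the real setting that 21.04+ ships as `0750`.

```shell
#!/bin/sh
# Added example: audit and harden per-user home directory permissions.
# Assumes a Debian/Ubuntu layout with homes under one root (normally /home)
# and that you run it with enough privilege to chmod those directories.
# Uses only ls, cut, chmod and sed, so it also runs against a scratch tree.

# Print each directory directly under $1 whose "other" triplet is not "---".
# In `ls -ld` output, characters 8-10 are the permission bits for "other";
# any r or x there lets an unrelated account such as www-data list or enter it.
list_world_accessible_homes() {
    root="$1"
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d="${d%/}"
        other=$(ls -ld "$d" | cut -c8-10)
        case "$other" in
            ---) ;;                     # already private, nothing to report
            *)   printf '%s\n' "$d" ;;  # world-readable and/or world-searchable
        esac
    done
}

# Remove read/write/execute for "other" on one home without touching
# owner or group bits (equivalent to what 21.04+ does at account creation).
harden_home() {
    chmod o-rwx "$1"
}

# Return 0 if the directory is private from "other", 1 otherwise.
is_private_home() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Rewrite DIR_MODE in an adduser.conf-style file ($1) to the mode given in $2,
# so accounts created later start with that mode. Pass /etc/adduser.conf for real.
set_adduser_dir_mode() {
    conf="$1"
    mode="$2"
    sed -i "s/^DIR_MODE=.*/DIR_MODE=${mode}/" "$conf"
}

# Stand-alone use (assumed interface): `sh harden-homes.sh --scan` lists
# world-accessible homes under $HOME_ROOT (default /home) without changing anything.
if [ "${1:-}" = "--scan" ]; then
    list_world_accessible_homes "${HOME_ROOT:-/home}"
fi
```

After hardening, the same test the question used is a quick confirmation: `sudo -u www-data test -r /home/user && echo readable || echo denied` should print `denied`. Stripping only the "other" bits keeps the group triplet intact, so services that are deliberately in the user's group keep working, and changing `DIR_MODE` only affects accounts created afterwards, which is exactly why a release upgrade left existing homes unchanged.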
