Web App Privilege Escalation via www-data

TL;DR

If an attacker gains access to a web application running with www-data privileges, they can potentially escalate those privileges to root. This guide outlines common methods and how to mitigate the risks.

Understanding the Risk

The www-data user typically has limited permissions but is essential for serving web content. However, misconfigurations or vulnerabilities in the application or system can allow an attacker to exploit this access and gain higher privileges. The most common attack vectors involve exploiting writable files/directories accessible by www-data, vulnerable cron jobs, or weaknesses in setuid binaries.

Steps to Prevent Privilege Escalation

  1. Least Privilege Principle: Ensure www-data has the *minimum* necessary permissions. Avoid granting write access to system directories.
    • Check file and directory ownership/permissions regularly.
  2. Secure File Uploads: Implement robust validation and sanitisation for all file uploads.
    • Prevent uploading of executable files (e.g., PHP, Python scripts).
    • Store uploaded files outside the web root or with restricted permissions.
    • Rename uploaded files to prevent execution.
  3. Cron Job Security: Carefully review all cron jobs associated with the web application.
    • Ensure cron jobs are owned by a dedicated user, not www-data if possible.
    • Validate input to cron job scripts.
    • Avoid running cron jobs as root unless absolutely necessary.
    • Use full paths for all commands in cron jobs.
  4. Setuid/Setgid Binaries: Avoid using setuid/setgid binaries within the web application’s scope.
    • If unavoidable, thoroughly audit their code and permissions.
    • Ensure they are not writable by www-data or any other user with lower privileges.
  5. Input Validation: Implement strict input validation on all application inputs.
    • Prevent command injection, SQL injection, and cross-site scripting (XSS) attacks.
    • Use prepared statements for database queries.
  6. Regular Security Audits: Conduct regular security audits of the web application and its underlying infrastructure.
    • Perform penetration testing to identify vulnerabilities.
    • Scan for misconfigurations and outdated software.
  7. Keep Software Updated: Regularly update all software components, including the operating system, web server, database, and application frameworks.
    • Apply security patches promptly.
  8. Chroot Jails (Advanced): Consider using chroot jails to isolate the web application’s environment.

    This limits what the attacker can reach from inside the jail even if they gain root privileges within it. Bear in mind that chroot alone is not a hard security boundary: a process that obtains root inside the jail can usually break out of it, so pair the jail with dropping privileges and with the mandatory access controls described in the next step.

  9. AppArmor/SELinux (Advanced): Implement AppArmor or SELinux profiles to restrict the capabilities of the www-data user and web application processes.

    This provides an additional layer of security by enforcing mandatory access control policies.
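The following script is an added example, not code from the original post: it applies steps 1, 2 and 4 above to a deployed site in one pass. It assumes GNU find and chmod (the `-perm /mode` syntax is GNU-specific), a deploy account that owns the code, the group the web server runs under, and an uploads directory kept outside the web root. The function name `harden_webroot` and the paths in the usage comments are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the least-privilege
# layout described above: code is owned by a deploy account and only readable
# by the web server's group, setuid/setgid bits are stripped, and the upload
# directory (kept outside the web root) holds no executable files.
# Assumes GNU find and chmod (the -perm /mode syntax is GNU-specific).

# harden_webroot WEBROOT OWNER GROUP UPLOADS
#   WEBROOT: directory served by the web server (e.g. /var/www/site, a placeholder)
#   OWNER:   deploy account that owns the code (not the web server account)
#   GROUP:   the web server's group (www-data on Debian-based systems)
#   UPLOADS: directory the application writes uploads to; must not sit under WEBROOT
harden_webroot() {
    webroot="${1%/}"; owner="$2"; group="$3"; uploads="${4%/}"

    # Step 2: refuse an upload directory inside the web root; a file written
    # there could be requested (and possibly executed) directly over HTTP.
    case "$uploads" in
        "$webroot"|"$webroot"/*)
            echo "uploads directory $uploads must be outside $webroot" >&2
            return 1 ;;
    esac

    # Step 1: code is owned by the deploy account, group-readable by the web
    # server and writable by neither the web server nor anyone else.
    chown -R "$owner:$group" "$webroot"
    # Step 4: clear setuid/setgid everywhere first; chmod with an octal mode
    # leaves those bits on directories unless they are cleared explicitly.
    find "$webroot" -exec chmod u-s,g-s {} +
    find "$webroot" -type d -exec chmod 0750 {} +
    find "$webroot" -type f -exec chmod 0640 {} +

    # Step 2: the web server may write uploads, but nothing there is executable.
    chown -R "$owner:$group" "$uploads"
    find "$uploads" -type d -exec chmod 0770 {} +
    find "$uploads" -type f -exec chmod 0660 {} +
}

# Example invocation; all four arguments are placeholders for a real deployment.
if [ "$#" -eq 4 ]; then
    harden_webroot "$1" "$2" "$3" "$4"
fi
```

Run it as root on a real host (`sh harden.sh /var/www/site deploy www-data /srv/uploads`, names being placeholders); the web server keeps read access through its group, loses every write bit under the web root, and the upload directory stays writable without being executable or reachable by URL.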

Checking for Common Vulnerabilities

  1. Writable Files/Directories: Identify files or directories under the web root that www-data can write to. Note that find’s -writable test checks the access of the user running find, not of www-data, so test the ownership and permission bits directly (or run the check as www-data):
    find /var/www ! -type l \( \( -user www-data -perm -u=w \) -o \( -group www-data -perm -g=w \) -o -perm -o=w \) -exec ls -ld {} +
  2. Cron Job Listing: List cron jobs associated with www-data. The system crontabs (/etc/crontab and the files in /etc/cron.d) carry a user column and should also be reviewed for entries that run as www-data, or that execute scripts www-data can write to.
    crontab -u www-data -l
  3. Setuid/Setgid Binaries: Find setuid or setgid files in the web application’s directory. Current GNU find rejects the old -perm +mode syntax, and +4000 only covered setuid; -perm /6000 matches files with either bit set:
    find /var/www -type f -perm /6000 -exec ls -l {} +
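Pulling the three checks together, here is an added example that is not from the original post: a POSIX shell audit that reports paths under a web root the web server account can write to (judged by ownership and permission bits rather than by the invoking user’s access), setuid/setgid files, and cron entries that run as that account. It assumes GNU find (`-perm /mode`) and that the account’s primary group is the group the web server runs under, as is the case for www-data on Debian-based systems; the function names and the `/var/www` path are placeholders for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the three checks above
# against a web root without relying on "find -writable", which tests the
# access of whoever runs find rather than of the web server account.
# Assumes GNU find (-perm /mode) and that the account's primary group is the
# group the web server runs under (true for www-data on Debian-based systems).

# Entries anyone can write to: dangerous no matter which account the web
# server runs as. Symlinks are skipped because their mode is always 0777.
world_writable() {
    find "$1" ! -type l -perm -o=w 2>/dev/null
}

# Entries a given account could write to: owner-writable and owned by it,
# group-writable and in its primary group, or world-writable.
writable_by() {
    root="$1"; acct="$2"
    if ! id "$acct" >/dev/null 2>&1; then
        echo "account $acct does not exist here; listing world-writable entries only" >&2
        world_writable "$root"
        return
    fi
    grp=$(id -gn "$acct")
    find "$root" ! -type l \( \( -user "$acct" -perm -u=w \) \
        -o \( -group "$grp" -perm -g=w \) -o -perm -o=w \) 2>/dev/null
}

# Files carrying setuid or setgid (/6000 matches either bit).
setuid_setgid() {
    find "$1" -type f -perm /6000 2>/dev/null
}

# Cron entries tied to the account: its own crontab (reading another user's
# needs root) plus lines in the system crontabs whose user column names it.
cron_entries_for() {
    acct="$1"
    crontab -u "$acct" -l 2>/dev/null
    grep -h -E "^[^#]*[[:space:]]$acct[[:space:]]" /etc/crontab /etc/cron.d/* 2>/dev/null
    return 0
}

# Long-list each path read from stdin; handles paths with spaces.
list_long() {
    while IFS= read -r p; do ls -ld "$p" 2>/dev/null; done
}

# audit_webroot WEBROOT [ACCOUNT]: print each finding under a heading.
audit_webroot() {
    root="$1"; acct="${2:-www-data}"
    echo "== Paths under $root writable by $acct =="
    writable_by "$root" "$acct" | list_long
    echo "== setuid/setgid files under $root =="
    setuid_setgid "$root" | list_long
    echo "== cron entries for $acct =="
    cron_entries_for "$acct"
}

# Example invocation; /var/www is a placeholder for the real web root.
if [ "$#" -ge 1 ]; then
    audit_webroot "$1" "${2:-www-data}"
fi
```

Run as root so that other users’ crontabs are readable (`sh audit.sh /var/www www-data`, with placeholder values). Anything listed under the first heading that is also reachable by URL, and any setuid file under the web root, is a finding to fix with the hardening steps above.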