Linux Security – How to Perform Root Actions from Non-Root Account

Although sudo is commonly used together with su command, thinking sudo su is the only way to do is a mistake.

sudo has many options for setting what to execute by who (ether user of group of users) on which host. A fine-grained sudoers file (or LDAP entry, if sudo-ldap is involved) together with a clever mind of a sysadmin can end up in rules which may not compromise system security even the user account has been compromised.

let's see a real-word example:

$ sudo -l
User exampleuser may run the following commands on this host:
    (root) /opt/xmldns/gen.sh
    (root) /usr/bin/make -C /root/admin
    (root) /usr/sbin/xm list, /usr/sbin/xm dmesg
    (root) /usr/sbin/zorpctl stop, /usr/sbin/zorpctl start, /usr/sbin/zorpctl status
    (root) /etc/init.d/apache status, /etc/init.d/apache stop, /etc/init.d/apache start
    (root) /usr/local/bin/protodump.sh httpreq
    (root) /usr/sbin/xm console
$ 

If one does not let user sudo-exec su/bash or other shell neither directly (sudo su) nor indirectly (letting an editor spawn with root, which could be used to spawn shell - in this case, root), sudo is a friend of a system administrator and users too.

Returning to the question in topic, if sudo is disabled and su is the only way becoming root on a system, one would plant a fake su command (for example in ~/.../fakesu) and an alias like alias su='~/.../fakesu' in the rc file of the user's login shell.

In this case a simple su command (raise hands, who uses /bin/su for invoking) would end up calling the fakesu command, which may capture the password.

This is how this works: When you login via FTP/SSH and upload files, they are created with your permissions. Probably your webroot is world writable (0777), that is insecure - every user in system can write something there. PHP runs with different user privileges (They are specified in PHP-FPM config, not nginx config), and as directory is world writable, PHP user (www-data) can also write there. But owner of this file is www-data, not your account. They are 2 distinct accounts in filesystem permission level.

I suggest you to create dedicated user with least possible privileges, which would own webroot directory and would be used for FTP/SSH upload AND would run php. You should change PHP-FPM config, in worker section there are user entry and NGINX config, so you can make your website files not-world-readable and more secure.

Don`t run PHP with privileged (sudo capablities, write privileges outsite docroot) user, that could cause server security compromise.