Assume there's a website built with some FOSS CMS (like Drupal) and the websites' directory is owned and grouped by root
(instead www-data
as common in Apache in Nginx) and a friend of the site's owner mistakenly sees that and tells the owner:
Beware that if an hacker finds a way to inject shell code through inodes in that sites directory it could destroy your server and this code will run without problem because the inodes are are owned and grouped by root.
I wonder if such "shell scripting injection" attack even possible.
Let's even assume the owner now creates a usual user like (say, by the name of "Boobinio
") and runs:
chown boobinio /var/www/html/mysite -R && chgrp boobinio /var/www/html/mysite
I still can't see how it fully protects the owner because if the hacker knows this user "boobinio" (and I guess there are several ways to discover it) then it could try to inject shell code when it's plausible that the owner is in active sudo, and then, where's the total difference between this case, to a case of shell injection when the owner is in active root?
My question:
If I'm accurate in what I just described, what can anyone do to ensure not to have shell injections on the CMS when either working as active sudo or active root?