When should I use “apache:apache” or “nobody:nobody” on my web server files?

Several applications use the user nobody as a default. For example, you probably never really want, say, the apache service to be overwriting files that belong to bind. Having a per-service account tends to be a very good idea.

Getting apache to run as nobody:nobody is pretty easy: just update the User and Group settings. But as I mentioned above, I don't really recommend that particular user/group. It is entirely possible that you may be tempted to add a service to the system at some time in the future that also runs as nobody, and you will forget that you have given write access on the filesystem to the user nobody.

As for why you needed to do that for an upload directory: you really shouldn't need to change the owner of the directory for uploads. I would only change the group, and then set up permissions to 2775. Of course, if you are setting up a system where many different users share the same web server, getting the permissions set up for the best security can be a lot more complex.

Author by

Jocelyn


Updated on September 17, 2022
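
The layout the answer above describes (owner unchanged, group set to the web server's group, mode 2775), as an added shell example that is not part of the original answer. It assumes GNU `stat`; the function names are hypothetical, and the group argument stands for whatever your Apache `Group` directive names. `apache_identity` reads the `User` and `Group` directives back from a config file so an unintended `nobody` is easy to spot.

```sh
#!/bin/sh
# Added example. WEB_GROUP is whatever Apache's Group directive names
# (apache, www-data, ...), given as a group name or numeric gid.

# Print "user:group" from the User and Group directives of an Apache config.
apache_identity() {
    awk 'tolower($1) == "user"  { u = $2 }
         tolower($1) == "group" { g = $2 }
         END { print u ":" g }' "$1"
}

# True if PATH's group is GROUP (name or numeric gid; chgrp accepts both).
in_group() {
    [ "$(stat -c '%G' -- "$1")" = "$2" ] || [ "$(stat -c '%g' -- "$1")" = "$2" ]
}

# Leave the owner alone; hand the directory to the web server's group with
# mode 2775 (rwxrwsr-x). The setgid bit makes new files inherit that group.
setup_upload_dir() {
    mkdir -p -- "$1" && chgrp -- "$2" "$1" && chmod 2775 -- "$1"
}

# Print deviations from that layout; succeed only when there are none.
check_upload_dir() (
    dir=$1 web_group=$2 rc=0
    mode=$(stat -c '%a' -- "$dir") || exit 2
    if [ "$mode" != 2775 ]; then
        echo "mode is $mode, expected 2775"; rc=1
    fi
    in_group "$dir" "$web_group" ||
        { echo "directory group is not $web_group"; rc=1; }
    # Create a probe file and check that it picked up the directory's group.
    probe="$dir/.probe.$$"
    if touch -- "$probe" 2>/dev/null; then
        in_group "$probe" "$web_group" ||
            { echo "new files do not inherit group $web_group"; rc=1; }
        rm -f -- "$probe"
    else
        echo "cannot create files in $dir"; rc=1
    fi
    [ "$rc" -eq 0 ]
)
```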

Comments

  • Jocelyn
    Jocelyn almost 2 years

    Background: I remember at my old place of employment how the web server admin would always make me change the httpd-accessible file upload directories so that they were owned by apache:apache or nobody:nobody.

    He said this was for security reasons.

    Question: Can you tell me what specifically were the security implications of this? Also is there a way to get apache to run as nobody:nobody, and are there security implications for that as well?

    TIA

  • thomasrutter
    thomasrutter about 14 years
    Reason for having Apache run as a user other than "nobody" is that if someone compromises Apache (through a bad PHP script, for instance) they are stuck in a user account that's only used for Apache and nothing else. Other services use the "nobody" account.