when should I use “apache:apache” or “nobody:nobody” on my web server files?
Several applications use the user nobody as a default. For example, you probably never really want, say, the apache service to be overwriting files that belong to bind. Having a per-service account tends to be a very good idea.
Getting apache to run as nobody:nobody is pretty easy, just update the User and Group settings. But as I mentioned above, I don't really recommend that particular user/group. It is entirely possible that you may be tempted to add a service to the system at some time in the future that also runs as nobody, and you will forget that you have given write access on the filesystem to the user nobody.
As for why you needed to do that for an upload directory: you really shouldn't need to change the owner of the directory for uploads. I would only change the group, and then set up permissions to 2775. Of course, if you are setting up a system where many different users share the same web server, getting the permissions set up for the best security can be a lot more complex.
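An added example, not part of the original answer: a shell check of an upload directory against the layout the answer recommends (owner left alone, group set to the web server's group, mode 2775). It assumes GNU coreutils stat; the account name apache and the path in the usage comment are sample values.

```sh
#!/bin/sh
# Audit an upload directory: the owner stays a non-web account, only the
# group is the web server's group, and the mode is 2775 (setgid + rwxrwxr-x).
# Assumes GNU coreutils stat (Linux).

# check_upload_dir DIR WEB_USER WEB_GROUP
# WEB_USER / WEB_GROUP may be names or numeric ids.
# Prints one line per finding; returns 0 only when the directory matches.
check_upload_dir() {
    dir=$1 web_user=$2 web_group=$3 bad=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 2; }

    # %U/%u = owner name/uid, %G/%g = group name/gid, %a = octal mode
    set -- $(stat -c '%U %u %G %g %a' "$dir")
    owner=$1 uid=$2 group=$3 gid=$4
    mode=$((0$5))   # the leading 0 makes the shell read the value as octal

    if [ "$web_user" = "$owner" ] || [ "$web_user" = "$uid" ]; then
        echo "FAIL: owned by the web service account ($owner)"; bad=1
    fi
    if [ "$web_group" != "$group" ] && [ "$web_group" != "$gid" ]; then
        echo "FAIL: group is $group, expected $web_group"; bad=1
    fi
    if [ $((mode & 02000)) -eq 0 ]; then
        echo "FAIL: setgid bit missing, new files will not inherit the group"; bad=1
    fi
    if [ $((mode & 0020)) -eq 0 ]; then
        echo "FAIL: group has no write bit, the web server cannot store uploads"; bad=1
    fi
    if [ $((mode & 0002)) -ne 0 ]; then
        echo "FAIL: world-writable, every local account can write here"; bad=1
    fi
    [ "$bad" -eq 0 ] && echo "OK: $dir has mode $(printf '%o' "$mode")"
    return "$bad"
}

# Stand-alone use (sample path and names): sh check.sh /var/www/uploads apache apache
if [ "$#" -eq 3 ]; then check_upload_dir "$@"; fi
```
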
Comments
-
Jocelyn almost 2 years
Background: I remember at my old place of employment how the web server admin would always make me change the httpd-accessible file upload directories so that they were owned by apache:apache or nobody:nobody.
He said this was for security reasons.
Question: Can you tell me what specifically were the security implications of this? Also is there a way to get apache to run as nobody:nobody, and are there security implications for that as well?
TIA
-
thomasrutter about 14 years
Reason for having Apache run as a user other than "nobody" is that if someone compromises Apache (through a bad PHP script, for instance) they are stuck in a user account that's only used for Apache and nothing else. Other services use the "nobody" account.