I mostly understand why there is a user 'nobody' who owns all the HTML and CGI stuff in the /var/www hierarchy.
However, it's a bit of a pain maintaining the 'nobody' file ownership permissions there; how do other people manage this? At present I tend to do things as root and then 'chown -R nobody', which is a bit clumsy really.
This is on a home system with me being the only direct user (and a few other samba file sharing users). I edit and move files around in /var/www directly as I'm really the only user most of the time and the occasional 'outside' user can just put up with anything I break for a while.
The problem is that one has to be root to manipulate the files owned by nobody, as one can't actually become nobody. Ooh, just tried, and one *can* become nobody via root; I suppose that's one way to deal with it.
So, is that what others do when doing things to files in the /var/www area, su to root and then to nobody?
On Fri, Jan 19, 2007 at 03:44:02PM +0000, cl@isbd.net wrote:
> I mostly understand why there is a user 'nobody' who owns all the HTML and CGI stuff in the /var/www hierarchy.
> However, it's a bit of a pain maintaining the 'nobody' file ownership permissions there; how do other people manage this? At present I tend to do things as root and then 'chown -R nobody', which is a bit clumsy really.
General rule of thumb: the nobody user should only have *read* access on those files. It shouldn't own them. The reason you serve as nobody (or in Debian as www-data) is that it protects you from holes in the webserver that could otherwise be exploited and used to overwrite your carefully laid out website.
With CGI there's the whole other issue of making sure that your code is secure and can't be exploited to get privilege escalation (that's bad, k) - sometimes you do need to have some files owned by the nobody user - but it's best to keep those outside of the webroot, where the cgi can read and write them but nothing else.
> The problem is that one has to be root to manipulate the files owned by nobody, as one can't actually become nobody. Ooh, just tried, and one *can* become nobody via root; I suppose that's one way to deal with it.
> So, is that what others do when doing things to files in the /var/www area, su to root and then to nobody?
Generally I have a /var/www/websitename directory, with websitename being the primary hostname of the website - then I set that to be owned by the user that is most going to update it. If there are a group using it then you setgid the directory and give the group write access to it.
Cheers,
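One way to lay a site out along the lines of this reply, written as an added example for this thread (not the poster's own commands): the web root belongs to the editing user and a setgid group, the web server account only reads it, and CGI-writable state goes in an assumed sibling BASE-data directory outside the web root. Ownership changes need root and are skipped otherwise, so the mode checks also work unprivileged.

```shell
#!/bin/sh
# Hypothetical layout: editors own /var/www/SITE, the group can write via a
# setgid directory, the web server (nobody / www-data) can only read, and the
# files a CGI must write live under /var/www-data/SITE (assumed path).
set -e

# setup_site BASE SITENAME OWNER GROUP WEBUSER
setup_site() {
    base=$1; site=$2; owner=$3; group=$4; webuser=$5
    webroot="$base/$site"
    datadir="$base-data/$site"      # outside the web root, unreachable via URLs

    mkdir -p "$webroot/cgi-bin" "$datadir"

    # Ownership needs root; the web user should never own the web root itself.
    if [ "$(id -u)" -eq 0 ] && id "$webuser" >/dev/null 2>&1; then
        chown -R "$owner:$group" "$webroot"     # editors own the content
        chown -R "$webuser:$group" "$datadir"   # only the CGI writes here
    fi

    # setgid + group write: new files inherit the group, group members can edit,
    # everyone else (including the web server) gets read-only access.
    chmod 2775 "$webroot" "$webroot/cgi-bin"
    find "$webroot" -type f -exec chmod 0664 {} +
    # CGI state: web user and group only, nothing world-readable or -writable.
    chmod 2770 "$datadir"
}

# mode_of PATH -> octal mode including setuid/setgid/sticky bits (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# site_ok BASE SITENAME -> 0 when the layout matches the rules above.
site_ok() {
    webroot="$1/$2"; datadir="$1-data/$2"
    [ "$(mode_of "$webroot")" = "2775" ] || return 1
    [ "$(mode_of "$datadir")" = "2770" ] || return 1
    # no world-writable file may exist under the web root
    [ -z "$(find "$webroot" -perm -o+w -print)" ]
}
```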