If you are installing Joomla via cPanel's File Manager to your mywebsite.com (user mywebsite) account, you will upload the package to your server and extract the archive. All files will have the user and group according to your account, mywebsite:mywebsite. You will have to change around three dozen directories and files and make them writable: http://goo.gl/EYjIPW, and you can go ahead with the installation. All files created during the installation and later, using the Joomla platform, will have the user and group nobody:nobody.

If you chown all extracted files to nobody:nobody, prior to installation, you won't have to bother about making the above-mentioned directories writable plus more than likely you will not run into any "Permission denied" errors later (changing the owner can be done after the installation as well).

The question: do you know of any drawbacks of having the files owned by nobody:nobody? What are the pros and cons? And what about the files that are created by Joomla during and after the installation? These are by default owned by nobody:nobody.

Yatko

1 Answer

Some daemons traditionally use nobody, so that if they are compromised, the access they have is limited. If you start assigning files to the nobody user, then if you do have a daemon running as that user, and it was compromised in some way, then the attacker could potentially gain access to the files. Given that the files are a website, and Joomla configuration files contain the database details in plaintext, this could be pretty disastrous for you.

It doesn't seem like a good idea to me, even if daemons that run as nobody are rarer nowadays - the idea of user per daemon allows for greater security against daemons communicating with each other spuriously.

Owen
  • Thank you @Owen, this is the reason I asked, doesn't seem right to me to have all files under the nobody user, server-wide, all accounts. However, all files created by Joomla on a cPanel server (default settings) are owned by nobody:nobody and configuration.php is created by Joomla, right after the installation. Meaning, all configuration.php files on a server (that may host 100+ Joomla websites) are owned by nobody. Does it make any sense to chown at least these files to owninguser:owninguser? – Yatko Dec 03 '13 at 18:57
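
An added example, not part of the original question, answer or comment: a POSIX shell audit that lists Joomla configuration.php files owned by the shared daemon account, the exposure the answer describes, and goes one step further by also flagging copies that are readable or writable by every local account. The function names and finding labels are hypothetical; the tree to scan and the daemon account (nobody on this page) are passed as arguments.

```sh
#!/bin/sh
# Added example (not from the original thread): report Joomla configuration.php
# files that a process running as the shared daemon account could read or alter.
# Function names and finding labels are hypothetical.

# audit_joomla_configs ROOT DAEMON_USER
#   ROOT         directory tree to scan (e.g. the parent of the site docroots)
#   DAEMON_USER  account name or numeric uid the web server runs as
# Prints "<FINDING> <path>" lines; prints nothing when no file matches.
audit_joomla_configs() {
    root=$1
    daemon_user=$2

    # Owned by the daemon account: that account can read the database
    # credentials and can chmod or rewrite the file.
    find "$root" -type f -name configuration.php -user "$daemon_user" |
        sed 's/^/OWNED_BY_DAEMON /'

    # Readable by "other": any local account, including the daemon, can read it.
    find "$root" -type f -name configuration.php -perm -004 |
        sed 's/^/WORLD_READABLE /'

    # Writable by "other": any local account can replace its contents.
    find "$root" -type f -name configuration.php -perm -002 |
        sed 's/^/WORLD_WRITABLE /'
}

# count_daemon_owned ROOT DAEMON_USER
# Number of files and directories under ROOT owned by the daemon account,
# i.e. how much of the tree that account controls outright.
count_daemon_owned() {
    find "$1" -user "$2" | wc -l | tr -d ' '
}

# Run as a script: ./audit.sh /path/to/sites [daemon_user]
if [ "$#" -ge 1 ]; then
    audit_joomla_configs "$1" "${2:-nobody}"
    echo "entries owned by ${2:-nobody}: $(count_daemon_owned "$1" "${2:-nobody}")"
fi
```

On a server hosting many sites, each OWNED_BY_DAEMON line is a configuration file whose database credentials are exposed to any process running as that one shared account.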