7

I have created a group called "devs". All our coders are grouped under "devs" so that they can access our websites which are all under public_html folder.

I changed the group of public_hml to "devs", however, the server seem to override this, now the folder group is set to "nobody".

I am thinking of grouping our coders under "nobody", but is it a good idea? Or are there security risks?

usermod -a -G nobody coder-username

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
Bibokid
  • 195
  • 2
  • 6
  • I was also thinking of grouping "nobody" user under "devs" group, and then `chgrp devs public_html`. Will this stop the server from overriding the group of `public_html` folder, now that nobody is under "devs" group and that he can now access the folder?? – Bibokid Mar 11 '13 at 12:52
  • Weird, *my* Active Directory environment doesn't even have a `nobody` group. (I added a couple tags to your question to make it more clear what you're asking about, but you may wish to add more or give some details about your environment, for best results.) – HopelessN00b Mar 11 '13 at 13:03
  • Thanks @HopelessN00b do you think it is strange that the folder has changed group to "nobody" and that I should investigate more? – Bibokid Mar 11 '13 at 13:10
  • Yes, that seems strange to me, and I'd certainly investigate more. Could be nothing, could be your server being hacked... or anything in between. Which it is seems worth knowing, to me. – HopelessN00b Mar 11 '13 at 13:18
  • Were you referring to the "nobody" group as being strange? or that public_html is being overriden by that group? Because as far as I know, "nobody" is a group normally set up by servers. – Bibokid Mar 11 '13 at 17:04
  • The permissions change. They tend not to do that on their own, for no reason. – HopelessN00b Mar 11 '13 at 17:49

1 Answers1

4

The intention of the nobody group is to denote a group with the lowest rights in a unix system.

This implies that you don't compromise your system by adding a supplementary group nobody to any user.

caveat:

This solution is a little bit smelling. Take a cup of coffee and think again if this is the way you want to go.

Generally should the group nobody doesn't have write access to any content below public_html.

H.-Dirk Schmitt
  • 644
  • 4
  • 9
  • Thanks. I am not really sure why the `public_html`'s group became "nobody", must be the server automated it or some other admin did it. But the group permission is only `rx`, and there are no other file or folders under it that belongs to "nobody". So I think there is nothing smelly after all. Do you agree? – Bibokid Mar 11 '13 at 13:07
  • @Bibokid If the content doesn't need authentication, it is o.k. But if the content is restricted via the web server, it should be also have a similar constraint in the filesystem. That is the reason why apache is normally using a `www-data` group. – H.-Dirk Schmitt Mar 11 '13 at 13:10