1

Background: I remember at my old place of employment how the web server admin would always make me change the httpd-accessible file upload directories so that they were owned by apache:apache or nobody:nobody.

He said this was for security reasons.

Question: Can you tell me what specifically were the security implications of this? Also is there a way to get apache to run as nobody:nobody, and are there security implications for that as well?

TIA

dreftymac

2 Answers

1

Several applications use the user nobody as a default. For example, you probably never really want, say, the apache service to be overwriting files that belong to bind. Having a per-service account tends to be a very good idea.

Getting apache to run as nobody:nobody is pretty easy, just update the User and Group settings. But as I mentioned above, I don't really recommend that particular user/group. It is entirely possible that you may be tempted to add a service to the system at some time in the future that also runs as nobody, and you will forget that you have given write access on the filesystem to the user nobody.

As for why you needed to do that for an upload directory: you really shouldn't need to change the owner of the directory for uploads. I would only change the group, and then set up permissions to 2775. Of course, if you are setting up a system where many different users share the same web server, getting the permissions set up for the best security can be a lot more complex.

Zoredache
0

I think the main point is that if the web server can't write to the files through owner or group access, then they would have to be world writeable.

Now, a file or directory owned by apache or nobody sounds preferable to a file writable by anyone, including other services.

I don't see any huge security implications by changing the effective user for apache to "nobody", unless you have other services also running as that user. On the other hand, I don't really see any good reason for why it shouldn't just be left as "apache".

Roy
  • Reason for having Apache run as a user other than "nobody" is that if someone compromises Apache (through a bad PHP script, for instance) they are stuck in a user account that's only used for Apache and nothing else. Other services use the "nobody" account. – thomasrutter May 11 '10 at 05:59
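
The layout Zoredache's answer recommends (change only the group, mode 2775) together with a check for the world-writable alternative Roy's answer mentions, as an added shell example that is not part of the thread. The function names are hypothetical, and the path and `apache` group in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
# Usage (assumed path and group):
#   setup_upload_dir /var/www/uploads apache
#   audit_upload_dir /var/www/uploads apache

# Give GROUP write access to DIR without changing its owner.
# 2775 = setgid + rwxrwxr-x: files created inside inherit GROUP,
# and "other" gets no write access.
setup_upload_dir() {
    dir=$1 grp=$2
    chgrp "$grp" "$dir" && chmod 2775 "$dir"
}

# Report deviations from that layout. Returns 0 if clean, 1 otherwise.
audit_upload_dir() {
    dir=$1 grp=$2 rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }

    # The directory must be group-owned by the web server's own group.
    if [ -z "$(find "$dir" -prune -group "$grp" 2>/dev/null)" ]; then
        echo "FAIL: $dir is not group-owned by $grp"; rc=1
    fi

    # Without setgid, uploads land in the creating process's primary group.
    [ -g "$dir" ] || { echo "FAIL: $dir lacks the setgid bit"; rc=1; }

    # The web server group needs write access through the group bits.
    if [ -z "$(find "$dir" -prune -perm -0020)" ]; then
        echo "FAIL: $dir is not group-writable"; rc=1
    fi

    # Anything world-writable (the directory or its contents) is writable
    # by every other account and service on the host.
    ww=$(find "$dir" ! -type l -perm -0002)
    if [ -n "$ww" ]; then
        echo "FAIL: world-writable entries:"; echo "$ww"; rc=1
    fi
    return $rc
}
```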