Why are files created by my website owned by 'nobody'?

Question:

Why are files created by my website owned by 'nobody'?

Answer:

This is due to the fact that Apache by default runs as the user 'nobody'.

Software:

Apache

Detail:

Apache parses and executes all scripts, PHP, and JSP pages utilizing specific modules which are loaded when Apache starts.  As these modules are part of Apache, they run with the same ownership and permissions, which is defined as the user 'nobody' by default.  The reason Apache runs under this 'nobody' user is due to security. When Apache first starts, the initial daemon runs as the user 'root' in order to be able to bind to ports 80 and 443 (which are used for http and https protocols respectively). However, this is a potential security problem which could lead to the ability to run a command as root on the system. To prevent this, the daemons which actually do all of the work run as the user 'nobody'. As 'nobody' should have almost no access rights on the server, if a command is run via Apache it would be able to affect only a limited number of files, with none of them being the core files such as the password file.

Solution:

There are two methods to make this file accessible to users other than through the web.  The first option is to change the permissions on the file to allow the world access to the file.  This is accomplished by a user in the sysadmin group.  This user first connects to the server via a shell client (preferrable SSH, but Telnet will work as well) and then issues the command at the prompt:

    vchmod 777 /path-to-file/file  (for read-write-execute)

or

    vchmod 666 /path-to-file/file  (for read-write)

The second method is to actually change the ownership of the file.  This is also handled by a user in the sysadmin group who runs the command at the prompt:

    vchown <new-user>:<vhost group> /path-to-file/file

This will allow the new-user and any user in the vhost's group to access the file based on it's permissions.

Instead of having a user login to the account and run these commands from the prompt, the preferred method is to modify the script or PHP page to alter the permissions and/or ownership of the file once it is created.  The command you will need to include in the Perl script or PHP page is

    exec("chown <new-user>:<vhost group> /path-to-file/file");

Although this command is being provided in this FAQ, Technical Support will not be able to provide you with assistance modifying or troubleshooting your script or PHP page.  Therefore it is suggested that a backup of the script or PHP page is created prior to altering it.