DigitalOcean image uses www-data:www-data instead of nobody:nogroup

gilles

Active Member
#1
I have noticed the DigitalOcean OLS image uses www-data:www-data instead of the recommended nobody:nobody (or nobody:nogroup).

Could you clarify why there is a discrepancy?

I am also wondering if it is possible to run multiple sites using the same virtual host template with different users/groups.
 

lsqtwrk

Administrator
#2
Hi,

I am not sure if nobody is really recommended; it may be for static files, but definitely not for PHP scripts.

Imagine you have 10 sites on "nobody": if 1 site is compromised, it will endanger the other 9; the attacker will be able to read their files, including wp-config.php, which contains database info.

And if you have 10 sites on 10 different users, then if 1 is compromised, the other 9 will remain inaccessible to that compromised user, ideally, if you have permissions correctly set up.


refer: https://forums.cpanel.net/threads/nobody-ownership-and-security-problems.74670/


You mean use a template to create multiple vhosts under different users?

You can set the vhost name as the user name, then use $VH_NAME for suEXEC User/Group in the Security tab or the External App tab's "Run As".
 

gilles

Active Member
#3
The recommendation is written in the help bubble for "Running As" in OLS webadmin panel. It says at the end: "A user/group of nobody is generally a good choice."

(screenshot attached: Screen Shot 2020-10-02 at 8.23.16 PM.png)

>> You mean use a template to create multiple vhosts under different users?

Yes

>> You can set the vhost name as the user name, then use $VH_NAME for suEXEC User/Group in the Security tab or the External App tab's "Run As".

Thanks for this tip.
 

lsqtwrk

Administrator
#4
Yes, that's exactly what I meant: nobody is good for static files.

Ideally, you make static files readable by nobody, but PHP scripts only by a specific user like www-data.



When you have multiple sites, like shared hosting, it is better to set it up that way.


But the OLS image was designed as a single-site server, so www-data for its files and process.
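As an added example (not code from this thread or from OpenLiteSpeed), the POSIX shell script below lays out the split described in #2 and #4 on a constructed WordPress-like tree and then audits it: static assets stay readable by everyone, so a server process running as nobody can serve them, while PHP scripts and wp-config.php are readable only by the vhost's own user/group, the account that lsphp runs as under suEXEC. It assumes one account per vhost named after the vhost (the $VH_NAME convention above) and that OLS itself runs as nobody; the chown step only runs as root with an existing account, everything else needs no privilege and works in a temp directory. The sample files, site names and the site1/site2 accounts are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLiteSpeed. Builds a constructed
# WordPress-like docroot, applies the split described in the thread (static assets
# readable by everyone, including a server running as nobody; PHP scripts and
# wp-config.php readable only by the vhost's own user/group), then audits the result.
# Assumptions: one account per vhost, named after the vhost ($VH_NAME); the chown
# step runs only as root with an existing account, everything else needs no privilege.
set -u

# make_site ROOT: constructed sample tree (placeholders, not real WordPress files)
make_site() {
  root=$1
  mkdir -p "$root/wp-includes" "$root/wp-content/uploads"
  printf '<?php echo "hello";\n' > "$root/index.php"
  printf "<?php define('DB_PASSWORD', 'example-only');\n" > "$root/wp-config.php"
  printf '<?php function f() {}\n' > "$root/wp-includes/functions.php"
  printf 'body {}\n' > "$root/wp-content/style.css"
  printf 'not-a-real-png\n' > "$root/wp-content/uploads/logo.png"
}

# harden_site ROOT [USER]: apply the permission split
harden_site() {
  root=$1
  owner=${2:-}
  # directories: traversable (x) by everyone so a nobody-run static handler can
  # descend, but not listable (r) by other users on the box
  find "$root" -type d -exec chmod 0711 {} +
  # every file readable by everyone first: that is what static assets need
  find "$root" -type f -exec chmod 0644 {} +
  # PHP scripts: owner and group only; lsphp runs as this vhost's suEXEC user,
  # so another vhost's compromised account gets "Permission denied"
  find "$root" -type f -name '*.php' -exec chmod 0640 {} +
  # database credentials: owner only
  if [ -f "$root/wp-config.php" ]; then
    chmod 0600 "$root/wp-config.php"
  fi
  # per-site ownership (only meaningful as root with an existing account)
  if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
    chown -R "$owner:$owner" "$root"
  fi
}

# php_world_readable ROOT: list PHP files (wp-config.php included) that any local
# user can read; non-empty output means the cross-site leak described in the thread
php_world_readable() {
  find "$1" -type f -name '*.php' -perm -004
}

# audit_site ROOT: 0 if nothing leaks and static assets are still servable by
# a process running as nobody, 1 otherwise (offenders printed on stderr)
audit_site() {
  root=$1
  leaks=$(php_world_readable "$root")
  if [ -n "$leaks" ]; then
    printf 'readable by any local user:\n%s\n' "$leaks" >&2
    return 1
  fi
  # directories without o+x, or non-PHP files without o+r, break static serving
  blocked=$(find "$root" \( -type d ! -perm -001 \) -o \( -type f ! -name '*.php' ! -perm -004 \))
  if [ -n "$blocked" ]; then
    printf 'not reachable by a nobody-run static handler:\n%s\n' "$blocked" >&2
    return 1
  fi
  return 0
}

# Demo: one hardened site, one left at the usual 0644-for-everything default
WORK=$(mktemp -d)
make_site "$WORK/site1" && harden_site "$WORK/site1" site1
make_site "$WORK/site2" && find "$WORK/site2" -type f -exec chmod 0644 {} +
for s in site1 site2; do
  if audit_site "$WORK/$s"; then echo "$s: ok"; else echo "$s: FAIL"; fi
done
rm -rf "$WORK"
```

Run it against a real docroot with `audit_site /path/to/docroot` after the vhost's suEXEC user is in place; the 0640 mode on scripts only isolates sites when each vhost's "Run As" user is different, which is exactly the $VH_NAME per-vhost setup from #2. On the single-site DigitalOcean image the same audit still passes, with www-data as the one owner.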
 