
I have some files that `nobody` needs read access to and `apache` needs read and write access to.

Should I do

chown nobody.apache file
chmod 460 file

or

chown apache.nobody file
chmod 640 file

or perhaps something else?

Sandra
    Be careful when giving access to `nobody`. I assume you're doing that because a process is running as nobody, but that is a general-purpose restricted access user and you might be granting access to more than you think. Take a look to see how many processes are running as `nobody` before using it for permissions. – Kyle Smith Feb 20 '12 at 14:24
  • Yes, that is exactly the case. openvpn is running as `nobody` so somehow `nobody` needs read permission to the secret certificates. `nobody` needs read access to the secret `index.txt` file and `apache` needs both read and write to this file also. – Sandra Feb 20 '12 at 14:34
  • No! No, no, no, no! **No!!** You should drop privileges instead using the user and group configuration directives, and restrict the keys to whoever will be launching it (preferably root). If you create such a travesty everyone who has a shell will also have access to your VPN. – Falcon Momot Oct 10 '13 at 06:56

2 Answers

Based on your comment about secret certificates, you should definitely create a separate user to run OpenVPN (one called "openvpn" might be a good choice). The nobody user is (like Kyle Smith said) used as a general-purpose restricted access user, and you might be unwittingly giving access to your OpenVPN certificates to, say, anonymous FTP users.

I'd be inclined to solve the `index.txt` problem by adding the `apache` user to the `openvpn` group and making the file group-readable.

So:

  1. create an openvpn user
  2. run OpenVPN as that user
  3. usermod --append --groups openvpn apache
  4. chown openvpn:openvpn /path/to/certificates /path/to/index.txt
  5. chmod 600 /path/to/certificates
  6. chmod 640 /path/to/index.txt
nickgrim
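
Steps 1 and 3 to 6 of this answer as a runnable script, plus a check that no key file is readable by "other" and that `apache` really is in the `openvpn` group; this is an added example, not part of nickgrim's answer. It assumes the keys live in `/etc/openvpn/keys` (a placeholder) and uses the user and group names from the answer; step 2 belongs in the OpenVPN config and is not done here.

```sh
#!/bin/sh
# Added example, not part of the original answer. Applies steps 1 and 3-6
# of nickgrim's layout and audits the result. Paths are placeholders.
CERT_DIR=/etc/openvpn/keys          # assumed location of the secret keys
INDEX="$CERT_DIR/index.txt"         # assumed location of the shared index.txt

# Returns 0 when the "other" bits of $1 are clear: characters 8-10 of the
# ls -l mode column (e.g. "-rw-r-----") must read "---".
no_world_access() {
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# Returns 0 when user $1 belongs to group $2 (primary or supplementary).
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# Steps 1, 3, 4, 5 and 6. Step 2 (the user/group directives in the OpenVPN
# config) is a config change, not a permission change. Must run as root.
harden_openvpn_files() {
    id openvpn >/dev/null 2>&1 || useradd --system --shell /bin/false openvpn
    usermod --append --groups openvpn apache
    chown -R openvpn:openvpn "$CERT_DIR"
    chmod 750 "$CERT_DIR"                          # group must traverse the dir
    find "$CERT_DIR" -type f -exec chmod 600 {} +  # keys: owner only
    chmod 640 "$INDEX"                             # index.txt: group may read
}

# Audit: fails on the first path still accessible by "other", or when
# apache is not in the openvpn group. Needs only list access to CERT_DIR.
audit_openvpn_files() {
    for f in "$CERT_DIR" "$CERT_DIR"/*; do
        [ -e "$f" ] || continue
        no_world_access "$f" || { echo "world-accessible: $f" >&2; return 1; }
    done
    user_in_group apache openvpn || { echo "apache not in group openvpn" >&2; return 1; }
}
```

Mode 640 from step 6 lets `apache` only read `index.txt`; the question's comment says `apache` must also write it, which would need 660 on that one file.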

The first one does not make much sense, as usually the user should be the one with more rights, and the user can still change the rights of its own files (this is not what you want).

So, assuming `nobody` is the only user of the `nobody` group, you should go for your second solution:

chown apache:nobody file
chmod 640 file
Ouki