[SOLVED] Is my caching solution solution secure?

Issue

I'm running Rails 3.1 on Ubuntu 10.04 on Nginx and Passenger.

In my logs I could see much of the following:

cache error: Permission denied - /var/www/redmeetsblue/releases/20120221032538/tmp/cache/B27

I solved the problem by changing the name of the user (from google advice) but I'm unsure of the security implications. Who is nobody? and is this secure?

/var/www/redmeetsblue/current/tmp/cache
    total 16K
    drwxr-xr-x  4 www-data root 4.0K 2012-02-20 22:27 .
    drwxr-xr-x  3 root     root 4.0K 2012-02-20 22:26 ..
    drwxr-xr-x 54 www-data root 4.0K 2012-02-20 22:27 assets
    drwxr-xr-x  3 www-data root 4.0K 2012-02-20 22:27 sass
    root@y:/var/www/redmeetsblue/current/tmp# cd b27
    -bash: cd: b27: No such file or directory
    root@y:/var/www/redmeetsblue/current/tmp# cd B27
    -bash: cd: B27: No such file or directory
    root@y:/var/www/redmeetsblue/current/tmp# chown -R nobody cache
    root@y:/var/www/redmeetsblue/current/tmp# ls -alh /var/www/redmeetsblue/current/tmp/cache
    total 16K
    drwxr-xr-x  4 nobody root 4.0K 2012-02-20 22:27 .
    drwxr-xr-x  3 root   root 4.0K 2012-02-20 22:26 ..
    drwxr-xr-x 54 nobody root 4.0K 2012-02-20 22:27 assets
    drwxr-xr-x  3 nobody root 4.0K 2012-02-20 22:27 sass

after changing the user, my cache is working, but I'm not sure if its safe. See working cache..

cache: [GET /assets/grid.png] stale, valid, store
cache: [GET /dashboards] miss
cache: [GET /assets/grid.png] stale, valid, store

Solution

The nobody user in commonly used as unix daemons owners so that they have enough permissions to do their job, but not too many as to do potentially destructive naughtiness. Running the daemon under a user account, it wouldn't be able to for example write to the syslogs. Running it under a privileged account such as root gives the process permissions to do that, but also for everything else. So if your daemon's process is compromised, an attacker would have far more freedom to own your server. The server may also start as root (necessary for example to bind to TCP port 80) and then give up its rights to user nobody.

Answered By - hgmnz

Answer Checked By - David Marino (WPSolving Volunteer)