What is nobody user and group?
The nobody user is a pseudo user in many Unixes and Linux distributions. According to the Linux Standard Base, the nobody user and its group are an optional mnemonic user and group. That user is meant to represent the user with the least permissions on the system. In the best case that user and its group are not assigned to any file or directory (as owner). This user is in its corresponding group that is (according to LSB) also called "nobody" and in no other group.
In earlier Unixes and Linux distributions, daemons (for example a web server) were run under the nobody user. If a malicious user gained control over such a daemon, the damage he can perform is limited to what the daemon can do. But the problem is, when there are multiple daemons running with the nobody user, this makes no sense anymore. That's why today such daemons have their own user.
The nobody user should have no shell assigned to it. Different distributions handle that in different ways: some refer to /sbin/nologin that prints a message; some refer to /bin/false that simply exits with 1 (false); or some just disable the user in /etc/shadow.
According to Linux Standard Base, the nobody user is "Used by NFS". In fact the NFS daemon is one of the few that still needs the nobody user. If the owner of a file or directory in a mounted NFS share doesn't exist at the local system, it is replaced by the nobody user and its group.
You can change the permission of a file owned by the nobody user simply with the root user and chown. But at the machine hosting the NFS share, that user might exist, so take care.
I also use a Synology system. They run the Apache web server under the nobody user.
The user who can log in as nobody can change these files, but normally the system is set up so this is not possible. On my Debian-based system the entry in the /etc/passwd file is:
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
and /usr/sbin/nologin gives:
This account is currently not available.
You can only change this as user root, as normally no one else is a member of the group nobody. However I doubt if you should do so. Normally these files get this ownership on purpose.
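
As an added example that is not part of the original answers: a small audit that checks the two points made above, namely that the nobody account has no login shell and that it is not shared by several daemons. The sample passwd and process listings are constructed, and the names `audit_nobody`, `parse_passwd` and `NON_LOGIN_SHELLS` are hypothetical; it does not inspect /etc/shadow.

```python
# Constructed sample data. On a real host, read /etc/passwd and a
# "user command" process listing (for example from `ps -eo user,comm`).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
SAMPLE_PS = """\
root sshd
nobody httpd
nobody dnsmasq
www-data nginx
"""
# Shells that refuse an interactive login (assumed list; extend per distribution).
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Map user name -> dict of the seven colon-separated passwd fields."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue  # skip comments, blank and malformed lines
        entries[parts[0]] = dict(zip(FIELDS, parts))
    return entries

def audit_nobody(passwd_text, ps_text, account="nobody"):
    """Return a list of findings for the given least-privilege account."""
    entry = parse_passwd(passwd_text).get(account)
    if entry is None:
        return [f"{account}: no such account"]  # the account is optional per LSB
    findings = []
    if entry["shell"] not in NON_LOGIN_SHELLS:
        findings.append(f"{account}: login shell {entry['shell']} is assigned")
    rows = (l.split(None, 1) for l in ps_text.splitlines() if l.strip())
    daemons = sorted({r[1].strip() for r in rows if len(r) == 2 and r[0] == account})
    if len(daemons) > 1:
        # One compromised daemon could then touch everything the others own.
        findings.append(f"{account}: shared by {', '.join(daemons)}; give each its own user")
    return findings

if __name__ == "__main__":
    for finding in audit_nobody(SAMPLE_PASSWD, SAMPLE_PS):
        print(finding)
```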