I have a Redhat 6.0 system (SELinux enabled), with a NFS volume mounted at /myvolume.
The command ls -la /myvolume
says it has owner “nobody” and group “nobody”.
On this system I have Apache running as “apache” user and “apache” group.
Apache runs a python script through mod_wsgi. This script creates a temporary directory (using tempfile.mkdtemp), creates some files in it and then moves the whole directory inside /myvolume.
After the script has done its thing, the files it created have owner “nobody” and group “nobody”, and the permission mask is “rwx------” for all of them.
I’ve verified that my own user can’t access those files unless I use “sudo”, while apache user can access them.
Why does this happen? Is it something related to SELinux, Unix permissions, NFS volumes or the nobody user?
Why does trying to “chown” any file in /myvolume give an “invalid argument” error?
It’s related to NFS.
http://tldp.org/HOWTO/NFS-HOWTO/server.html states the following:
“no_root_squash: By default, any file request made by user root on the client machine is treated as if it is made by user nobody on the server. (Exactly which UID the request is mapped to depends on the UID of user “nobody” on the server, not the client.) If no_root_squash is selected, then root on the client machine will have the same level of access to the files on the system as root on the server. This can have serious security implications, although it may be necessary if you want to perform any administrative work on the client machine that involves the exported directories. You should not specify this option without a good reason.”
Activating no_root_squash on the NFS server is not recommended. I quoted this option for documentation purposes only.
One solution is to create a user and a group, both on the NFS client and the NFS server, with the same uid and gid. Then configure Apache to execute your script with this user.
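The following is an added example, not code from the asker or the answerer. It covers both halves of the thread: the "rwx------" mask from the question comes from tempfile.mkdtemp(), which always creates its directory with mode 0700 regardless of umask, so the script should set the modes it wants before moving the tree onto the export; and the matching-uid/gid fix from the answer is checked by comparing the service account's /etc/passwd entries from both hosts. The account name "webapp", uid/gid 5001, the WSGIDaemonProcess name and the passwd lines are all constructed for the example.

```python
import os
import shutil
import stat
import tempfile


def mode_of(path):
    """Permission bits of a path, e.g. 0o700, without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def default_tempdir_mode():
    """Show what mkdtemp() gives you by default: 0o700, umask notwithstanding.

    That is exactly the rwx------ the question observes after the move."""
    d = tempfile.mkdtemp()
    try:
        return mode_of(d)
    finally:
        os.rmdir(d)


def make_shared_tempdir(parent=None, dir_mode=0o750):
    """mkdtemp() and then widen the directory so group members can enter it."""
    path = tempfile.mkdtemp(dir=parent)
    os.chmod(path, dir_mode)
    return path


def write_file(dirpath, name, data, mode=0o640):
    """Create a file and set its mode explicitly instead of trusting umask."""
    p = os.path.join(dirpath, name)
    with open(p, "wb") as f:
        f.write(data)
    os.chmod(p, mode)
    return p


def publish(tmpdir, dest_root, name):
    """Move the finished directory into place (e.g. under /myvolume).

    shutil.move() renames on the same filesystem and copies with copy2()
    across filesystems; either way the modes set above are preserved."""
    dest = os.path.join(dest_root, name)
    shutil.move(tmpdir, dest)
    return dest


def demo():
    """Run the whole flow against a scratch directory standing in for /myvolume
    and return the resulting (directory mode, file mode)."""
    dest_root = tempfile.mkdtemp()  # constructed stand-in for /myvolume
    try:
        d = make_shared_tempdir(dir_mode=0o750)
        write_file(d, "out.txt", b"hello", 0o640)
        dest = publish(d, dest_root, "result")
        return mode_of(dest), mode_of(os.path.join(dest, "out.txt"))
    finally:
        shutil.rmtree(dest_root, ignore_errors=True)


# --- the answer's fix: one account with the same uid/gid on client and server ---
# Assumed admin steps, run on BOTH the NFS client and the NFS server:
#   groupadd -g 5001 webapp
#   useradd  -u 5001 -g 5001 -s /sbin/nologin webapp
# and in the client's httpd config (mod_wsgi daemon mode):
#   WSGIDaemonProcess myapp user=webapp group=webapp
# The lines below are constructed sample /etc/passwd entries, not real hosts.
CLIENT_PASSWD = "webapp:x:5001:5001:web app:/var/www:/sbin/nologin"
SERVER_PASSWD_OK = "webapp:x:5001:5001:web app:/srv/export:/sbin/nologin"
SERVER_PASSWD_BAD = "webapp:x:5002:5002:web app:/srv/export:/sbin/nologin"


def parse_passwd_entry(line):
    """Parse one /etc/passwd line into (name, uid, gid)."""
    fields = line.strip().split(":")
    return fields[0], int(fields[2]), int(fields[3])


def same_identity(client_entry, server_entry):
    """True only when name, uid and gid all agree on both hosts; with a
    mismatch the server attributes the client's writes to a different (or
    unknown) identity and ownership no longer lines up."""
    return parse_passwd_entry(client_entry) == parse_passwd_entry(server_entry)


if __name__ == "__main__":
    print("mkdtemp default mode: %o" % default_tempdir_mode())
    print("after explicit chmod: dir %o, file %o" % demo())
    print("client/server ids match:", same_identity(CLIENT_PASSWD, SERVER_PASSWD_OK))
    print("client/server ids match:", same_identity(CLIENT_PASSWD, SERVER_PASSWD_BAD))
```

Setting the modes in the script only fixes the "rwx------" part; the owner shown on the export is decided by how the server maps the client's uid, which is why the account has to exist with the same numeric ids on both sides.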