create new tag
, view all tags


I installed TWiki 2003-02-01 in sourceforge. All new Files are created with user: nfsnobody and group nfsnobody. Its not possible for me to chmod or to delete the files (permission denied)

in contrary to the user/group output of ls -la, the testenv cgi script tells: User: nobody
Group(s): nogroup nogroup
but the unix groups command tells something completely different.

Is this a bug??? or is there a workaround?
The TWikiOnSourceForge tells to set user: nobody but chown is not allowed because of user nfsnobody

  • TWiki version: 2003-02-01
  • Perl version: 5.6.1 built for i386-linux
  • Web server & version: apache 1.3.27
  • Server OS: linux
  • Web browser & version:
  • Client OS:

-- AlexGreif - 11 Mar 2003


Sounds like the SourceForge setup is rather odd, and perhaps has changed since that page was written. If files are created by TWiki as nfsnobody I think that's the userid to use - testenv is probably getting confused. Please provide a link to testenv or attachment of HTML output. Also, your TWiki.cfg would be of interest.

-- RichardDonkin - 12 Mar 2003

What do you mean by SourceForge Setup? What I did ist to unzip the TWiki release and adjust TWiki.cfg, set file permissions ... But I did not execute any install script. I found no hint to any in the Installation scripts
the url to testenv: testenv.cgi
the url to TWiki.cfg TWiki.cfg

When I log in with telnet then im user: "agreif" and group: "flow4j"
the command "groups" returns "users nice flow4j nice flow4j"
So I dont understand how testenv can return user: "nobody" and group: "nogroup nogroup"

Another point: If I change the user in the ,v files with
=perl -pi.bak -e 's/nobody:/nfsnobody:/' /,v=
then after the next save the user is again "nobody"

-- AlexGreif - 12 Mar 2003

SourceForge setup just means the way SF have configured their Linux servers. There is no working TWikiInstaller AFAIK.

Apache runs as a different user to your login user, typically 'nobody' - see Apache and CGI info on the web for details, e.g. Google:apache+cgi+nobody+tutorial.

The 'id' or 'groups' command returns the right group info for 'nobody'. not sure how/why some files were getting created as 'nfsnobody' - you would need to do something like chgrp -R nogroup data and then chmod -R ug+rw data to make all files writeable by the nogroup group. This is quite a big security hole, since SourceForge is not using a suexec-style SecureSetup, so I'd strongly recommend nightly backups of your SF.net files onto another server - any other CGI program on that server could write to your TWiki files.

Also, see if you can do grep nobody /etc/group and post results - it may be that nfsnobody is also in the nogroup group, which would make actual userid used by Apache less important.

It's worth knowing that the shell servers that you Telnet/SSH into are completely separate from the web servers that run the TWiki CGI scripts - NFS is used to store files accessible by both types of server, but this obviously creates some additional complexity.

-- RichardDonkin - 15 Mar 2003

I found the following statement on nfsnobody:

On 2002-11-30, world-writable and web server-owned files (i.e.
those that were writable by the nfsnobody user) were removed for
all projects.  The SourceForge.net project web services are
provided in a shared environment; all CGI scripts and PHP scripts
run as the nfsnobody user.  Thus, in order for files to be
writable by the web server, the nfsnobody user (or other, in the
case where user and group ownership is not nfsnobody) must be
able to write to that file.  This is a known limitation of the
project web services offered by SourceForge.net.
It seems that apache runs always with user nfsnobody.

grep nobody /etc/group tells: nobody:x:99: nfsnobody:x:65534:

all new files by twiki are created as nfsnobody flow4j rw-r-r

but I had also files that were created as =nfsnobody nfsnobody rw-r-r=
unfortunately I cannot change these files. Am I right?

Its still strange that cgi-bin/testenv tells user:nobody and group: nogroup

-- AlexGreif - 17 Mar 2003

Sounds to me like sourceforge is a well-run system.

First, any well run system will have httpd running as the least possibly privileged user, say nobody/nogroup. However, it is also possible to perform uid/gid mapping on particular filesystem mounts, so nobody/nogroup on whatever system your twiki is running on will map to nfsnobody/nfsnobody on the fileserver (i.e. client nobody/nogroup are not necessarily the same as server nobody/nogroup).

Editting the twiki/data/*/*,v locks to nfsnobody may work.

But I'll think that sourceforge is an even better run system if it does not.

You're basically running into UNIX security issues. Q: can you chmod the scripts that you are running? Do you have a group of your own? Can you chmod them g+xs yourgroup? That might do the trick... Also sourceforge's might have forbidden that, too.

Better: see if sourceforge runs cgiwrap or suexec, or some other facility that allows a relative safe execution of a setuid or setgid program.

See my notes in DifferentSecurityLevelsInSameTWikiInstallation. Don't be scared by the "Different Security Levels" stuff... you really should be setgid'ed even if just one user. I always prefer to setgid cgi programs to a group that (1) doesn't have too much access, but (2) of which I am a member. {And I don't think ordinary users should be a member of group "nobody", nor do I think that user "nobody" should be a member of any group other than "nobody".}

There might be an easier fix, though. If the system is not so well configured, setting the group sticky bit on the twiki/data/* directories will propagate the group ownership, if nobody/nobody is allowed to do that.

Finally, as for dealing with the already created files with funky ownerships: I had the same problem. Lacking root, I juist created a cgi program that did what I wanted, placed that in my cgi directory, and typed in the URL. Take care to delete it afterwards.

-- AndyGlew - 18 Apr 2003

Edit | Attach | Watch | Print version | History: r8 < r7 < r6 < r5 < r4 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r8 - 2003-07-27 - PeterThoeny
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2015 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.