Comments on: How to delete “nobody” files from a directory I own in FreeBSD?

By: prchecker

prchecker — Tue, 23 Feb 2010 05:06:47 +0000

You can delete files owner by user “nobody” if you are logged in as root.

By: C.J.

C.J. — Thu, 20 Nov 2008 00:43:55 +0000

I had this same issue after running plogger on my Pair Freebsd server. I had about a 100 .jpg’s owned by user nobody in different subdirectories.

I discovered that the Pair machine didn’t like chmod, chown or shell script exec from cgi. So I ssh’d to the server and built a list of the files using find. Something like this:

find / -user ‘nobody’ > nobodylist.txt

Then I wrote a short PHP script that assigned the list to an array, and used a foreach loop to unlink each file. Using find for the recursion was simple, and having the text file gave me something to eyeball before running the script. This way I run the shell command with my username and do the unlinking as user nobody.

By: Kenneth

Kenneth — Thu, 18 Sep 2008 22:00:57 +0000

Is the directory ‘sticky’? See ‘man sticky(8)’.

From ‘man chmod(2)’:

If mode ISTXT (the `sticky bit’) is set on a directory, an unprivileged
user may not delete or rename files of other users in that directory.
The sticky bit may be set by any user on a directory which the user owns
or has appropriate permissions. For more details of the properties of
the sticky bit, see sticky(8).

By: Waldo

Waldo — Tue, 16 Sep 2008 16:14:33 +0000

Fellow Pair user here. There really is no better web host out there, IMO. Yeah, there are hosts that use chrooted jailed environments, Pair doesn’t and they have their reasons, one being scalability.

Check out php-cgiwrap:
http://www.pair.com/support/knowledge_base/authoring_development/system_cgi_php-cgiwrap.html

I’m running WP, Drupal and Gallery with that setup without any problems.

You can tighten down permissions pretty good then too because directories can be set at 701 (or you can just leave them at 755) and any php files can be set to 600.

You can also use cgiwrap for any cgi scripts you have and Pair is also working on testing suEXEC, so hopefully, those of us not on dedicated servers will be able to run pretty much everything under our own user account and not ‘nobody’.

Go ahead and hit http://www.pairusers.com, a community driven site hosted by a Pair user. The username and password are the same as accessing their newsgroups. Just log into your account via SSH and it’s displayed there. Search for ‘security’ and ‘permissions’ and you can read up on all kinds of info about tightening up your account at Pair.

By: whatever

whatever — Tue, 16 Sep 2008 04:25:20 +0000

You can delete files owner by user “nobody” if you are logged in as root.

By: Mike Dammann

Mike Dammann — Mon, 15 Sep 2008 06:41:03 +0000

@ceejayoz
You’re right, I’ve been way behind and just upgraded. The blogs using the WordPress platforms which have been hacked however were not mine and some of those were using this latest version as well.
Wordpress has been and is a step behind when it comes to security.
Switching to Blogger because of it?
Nah, I think I’ll pass.
Matt Mullenweg has admitted to a need to make upgrades easier in a recent interview with me, but downplayed the security issues.
I see major issues coming up knowing that more and more hackers become aware of the fast benefit from hacking authority blogs.
I have also seen some quality blogs get penalized. One example from not too long ago would be the v7n blogs disappearing from the Google index, but there are many more out there which don’t make it into the “SEO headlines”.
This is not just a WordPress issue, it’s also a Google issue as SERPs are getting manipulated and ranking in Google seems to be THE motivator to hack the blogs to begin with.

~ Mike Dammann

By: Matt Cutts

Matt Cutts — Mon, 15 Sep 2008 02:57:56 +0000

Harith, I think WordPress is so popular that it's inevitable that WP is a pretty big target for hackers. What bothers me is the need to upgrade my software whenever there's a new security hole--that plus this annoying "it takes forever to clean up the junk left behind by WP Super Cache" issue had me taking a fresh look at Blogger this past weekend. I store my data in the cloud for most services these days precisely so I don't have to worry about security issues or keeping my software up-to-date. If Blogger had a few more options (ability to do different permalink url vs. title, better WordPress importing ability, more flexibility with comments), it would be pretty tempting. Some of the stuff at Blogger in Draft is looking pretty neat.

By: Maurice

Maurice — Sun, 14 Sep 2008 20:45:12 +0000

its a good idea to remove the version number from any wp inatallation as it makes searches for posible targets harder.

By: ceejayoz

ceejayoz — Sun, 14 Sep 2008 14:51:38 +0000

@Harith 12:33am – The article your link goes to is on a site running WordPress 2.3.3 (see the source code). WordPress is on 2.6.2. Perhaps he’s getting hacked because he’s not upgrading his installation with the latest security patches?

All code has vulnerabilities. WordPress has been good about fixing them, but they can’t force people to update their own installations.

By: Adam

Adam — Sun, 14 Sep 2008 13:52:52 +0000

About saying you can do “unlink(”file*”);” while that is true, using the Directory Iterator class (if you have PHP5) is pretty simple to batch delete files in a foreach loop. Either way you have a solution, just thought I’d deposit my 2 cents.