On the surface, I don't think that there is a whole lot of difference in functionality. Upon starting, Apache needs root access, but it quickly drops this and assumes the identity of a non-privileged user. This user can be nobody, apache, or www-data, which is common on Debian variants.
The difference, I believe, lies in isolation. Nobody can be a commonly used account for the purposes of a non-privileged user and can have a fair share of exposure. If somehow 'nobody' were to become compromised, they could potentially have more impact than an application-isolated user, such as Apache, would. Of course, a lot of this will depend on the file and group permissions. Nobody uses the permissions of others, while an application-specific user could be configured to allow file read access, but other could still be denied.
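The permission point above can be checked with a small model of POSIX class selection (owner, then group, then other). This is an added example, not part of the original answer; the uid/gid numbers, file paths and the `otherd` daemon are constructed, and root override, ACLs and directory traversal are ignored.

```python
import stat
from collections import namedtuple

# Constructed sample accounts and files (uids, gids and paths are illustrative).
Account = namedtuple("Account", "name uid gids")
File = namedtuple("File", "path uid gid mode")

NOBODY = Account("nobody", 65534, {65534})
APACHE = Account("apache", 48, {48})

FILES = [
    # root:apache 0640: the dedicated user reads via the group bits, other is denied
    File("/var/www/html/index.html", 0, 48, 0o640),
    # root:root 0644: world-readable, so every account can read it
    File("/etc/motd", 0, 0, 0o644),
    # state written by a different (hypothetical) daemon that also runs as nobody
    File("/var/cache/otherd/state", 65534, 65534, 0o600),
]

BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
}

def can_access(acct, f, want="r"):
    """Exactly one permission class applies: owner, else group, else other."""
    owner_bit, group_bit, other_bit = BITS[want]
    if acct.uid == f.uid:
        return bool(f.mode & owner_bit)
    if f.gid in acct.gids:
        return bool(f.mode & group_bit)
    return bool(f.mode & other_bit)

def reachable(acct, want="r"):
    """Paths from FILES that the account can access in the requested way."""
    return [f.path for f in FILES if can_access(acct, f, want)]

if __name__ == "__main__":
    for acct in (NOBODY, APACHE):
        print(f"{acct.name}: read={reachable(acct)} write={reachable(acct, 'w')}")
```

A web server running as nobody cannot read the 0640 docroot file but can read and write the other daemon's state; running as apache reverses both results.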