Linux – Change file ownership during write operation

linuxpermissions

By default the umask is 0022:

usera@cmp$ touch somefile; ls -l
total 0
-rw-r--r-- 1 usera usera 0 2009-09-22 22:30 somefile

The directory /home/shared/ is meant for shared files and should be owned by root and the shared group. Files created here by usern (any user) are automatically owned by the shared group. There is a cron-job taking care of changing owning user and owning group (of any moved files) once per day:

usera@cmp$ cat /etc/cron.daily/sharedscript

#!/bin/bash

chown -R root:shared /home/shared/
chmod -R 770 /home/shared/

I was writing a really large file to the shared directory. It had me (usera) as owning user and the shared group as group owner. During the write operation the cron job was run, and I still had no problem completing the write process.

You see. I thought this would happen:

I am writing the file. The file permissions and ownership data for the file looks like this: -rw-r--r-- usera shared
The cron job kicks in! The chown line is processed and now the file is owned by the root user and the shared group.
As the owning group only has read access to the file I get a file write error! Boom! End of story.

Why did the operation succeed? A link to some kind of reference documentation to back up the reason would be very welcome (as I could use it to study more details).

Best Answer

Afaik, POSIX 1003.1 requires only fopen to return an [EACCES] error on insufficient privileges. Subsequent operations like fputc might return a [EBADF] bad file descriptor error, but i don't think that is meant to cover permission changes while the file is open.

Years ago, i worked in a company where we had our AIX servers set up so that they used that property to make logfiles more secure. When a service started, root would touch /var/log/service.log, then chown it to serveruser:servergroup, su - start the service (it would open the file in append mode), and then chown the file back to root. Consequently, the service could append to its own logfile, but not delete or overwrite it, so if an attacker managed to compromise the service he couldn't tamper with past log entries.

A similar trick can be used for temporary files: open the file, then remove it. The directory entry is gone and the file is invisible, but since the file handle is still open, the inode is still there. Once you close the file, the link count goes to zero, and the OS reclaims the disk space.

Related Solutions

File permissions and group ownership using sftp

There is such thing as a subsystem in (Open)SSH: it is a program which gets lauched when you request something other than interactive shell. Technically it is just an executable on remote host which is exec'd by sshd child after authenticating you and calling setuid.

You can locate a standard subsystem definition for sftp in your SSH config:

Subsystem sftp /usr/lib/openssh/sftp-server

As it is just a plain executable, not a SUID one or special in any other way, you can write a shell script that will change any attributes you need and then just launch original subsystem handler.

Place the following script into /usr/lib/openssh folder as e.g. sftp-fperm-server (this is not required, just to keep things in one place):

#!/bin/sh
umask 026
exec /usr/lib/openssh/sftp-server

Then add a line in the end of /etc/ssh/sshd_config:

Subsystem sftp-fperm /usr/lib/openssh/sftp-fperm-server

And then restart sshd (it does not kill sessions on restart) and launch sftp with a -s sftp-fperm option. Voila! files get the new specified umask.

If you do not want to specify that option each time, just change the standard subsystem definition. Interactive sessions won't be affected by it, so there are no chances of breaking somthing.

If you want to use the newgrp command, things will be a bit trickier. newgrp always launches a new interactive shell while stupidly don't allowing to pass any parameters to it, so you can't use it as the umask in previous example. But you can replace the last line in script with:

SHELL=/usr/lib/openssh/sftp-server newgrp git

Actually calling the newgrp for some group I belong to emits a password request, so I was unable to check this solution (I mean only the newgrp one), but it works when I pass the /bin/id on my laptop (without SSH), so if you got newgrp working for user no problems should arise.

Linux – How to setup nfs share for users with write permissions

I found simple workaround at this article.

If we use a separate primary group for each user, we can use umask = 002. Then the group permissions will not be cut off by umask. And we can set permissions using setgid or acl.

But the proposed solution complicates management of users, namely the creation and deletion. Being LDAP administartor you need to create a primary group for all ldap users. Delete primary user's group, when when delete unnecessary user.

In addition, I would note that:

I have due to migration from zentyal on openldap uses the same core group (USERS) for all newly created users.

On the one hand, it simplifies the management of users, on the other hand did not solve the problem with a shared folder for them.

Best Answer

Related Solutions

File permissions and group ownership using sftp

Linux – How to setup nfs share for users with write permissions

Related Question