When you use chown in a manner that changes only the group, then it acts the same as chgrp. The owner of a file or directory can change the group to any group he is a member of.
It works like that because both the chown and chgrp commands use the same underlying chown syscall, which allows changing both owner and group. The syscall is what applies the permission check. The only difference between the chown and chgrp commands is the syntax you use to specify the change you want to make.
Mark can't change the group back to SK001778 because he isn't a member of group SK001778 (and he isn't root, which isn't restricted by group membership).
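As an added example, not taken from any of the answers above: a small model of the check that the chown(2) syscall applies, which is why chown and chgrp behave identically. The ids are assumptions constructed for the illustration (Mark is uid 1001 with groups 1001 and 2001; SK001778 is gid 2002, which he is not in); the rules themselves follow what the answers describe, including the detail that the owner may always "change" the owner or group to the value it already has.

```c
/* Added example: a model of the permission check chown(2) applies.
 * Not code from the answers above; the uids/gids used with it are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

#define NO_UID ((uid_t)-1)   /* chown(2) convention: -1 means "leave this id alone" */
#define NO_GID ((gid_t)-1)

struct caller {
    uid_t uid;              /* effective uid of the process making the call */
    const gid_t *groups;    /* its group list: primary plus supplementary groups */
    size_t ngroups;
    bool cap_chown;         /* true for root or any process holding CAP_CHOWN */
};

static bool in_group(const struct caller *c, gid_t gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return true;
    return false;
}

/* True if the kernel would let this caller set the file's ids to (new_uid, new_gid).
 * Both chown(1) and chgrp(1) end up here; chgrp simply passes NO_UID. */
bool chown_permitted(const struct caller *c, uid_t file_uid, gid_t file_gid,
                     uid_t new_uid, gid_t new_gid)
{
    bool is_owner = c->uid == file_uid;
    /* Owner change: needs CAP_CHOWN, except that the owner may "change" the uid to itself. */
    if (new_uid != NO_UID && !c->cap_chown && !(is_owner && new_uid == file_uid))
        return false;
    /* Group change: CAP_CHOWN, or the owner choosing the current group or one it belongs to. */
    if (new_gid != NO_GID && !c->cap_chown &&
        !(is_owner && (new_gid == file_gid || in_group(c, new_gid))))
        return false;
    return true;
}
```

Mark's situation falls out of the second rule: after he moved the file into a group he belongs to, setting it back to SK001778 fails because he is neither in that group nor privileged, while root (cap_chown set) is never restricted.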
Only root has the permission to change the ownership of files. Reasonably modern versions of Linux provide the CAP_CHOWN capability; a user who has this capability may also change the ownership of arbitrary files. CAP_CHOWN is global: once granted, it applies to any file in a local file system.
Group ownership may be changed by the file owner (and root). However, this is restricted to the groups the owner belongs to. So if user U belongs to groups A, B, and C but not to D, then U may change the group of any file that U owns to A, B, or C, but not to D. If you need arbitrary changes, then CAP_CHOWN is the way to go.
CAUTION: CAP_CHOWN has severe security implications; a user with a shell that has the capability CAP_CHOWN could get root privileges. (For instance, chown libc to yourself, patch in your Trojan horses, chown it back and wait for a root process to pick it up.)
Since you want to restrict the ability to change ownership to certain directories, none of the readily available tools will aid you. Instead you may write your own variant of chown that takes care of the intended restrictions. This program needs to have the capability CAP_CHOWN, e.g.
setcap cap_chown+ep /usr/local/bin/my_chown
CAUTION: Your program will probably mimic the genuine chown, e.g. my_chown user:group filename(s). Do perform your input validation very carefully. Check that each file satisfies the intended restrictions; in particular, watch out for soft links that point out of bounds.
If you want to restrict access to your program to certain users, you may create a special group, set the group ownership of my_chown to this group, set the permissions to 0750, and add all permitted users to this group. Alternatively you may use sudo with suitable rules (in this case you also don't need capability magic). If you need even more flexibility, then you need to code the rules you have in mind into my_chown.
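An added example of the restricted my_chown this answer describes; it is not the answer's own code. It assumes a single hard-coded ALLOWED_ROOT of /srv/share (an assumption), walks from that root to the target one path component at a time with O_NOFOLLOW so that a symlink anywhere in the path cannot point out of bounds, and then chowns through the descriptor it just validated instead of looking the name up a second time. Refusing files with more than one hard link is an extra precaution beyond what the answer mentions, added here because a hard link to a system file placed inside the tree would otherwise defeat the directory restriction.

```c
/* my_chown: added example of a CAP_CHOWN wrapper limited to one directory tree.
 * Not the answer's own code. ALLOWED_ROOT and the hard-link refusal are assumptions.
 * Build: cc -Wall -O2 -o my_chown my_chown.c ; then setcap cap_chown+ep /usr/local/bin/my_chown */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000        /* Linux value, in case the headers predate it */
#endif
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif
#define ALLOWED_ROOT "/srv/share"   /* assumed: the only tree this tool may re-own */

/* Parse "user", "user:group" or ":group" (names or numeric ids) like chown(1) does.
 * (uid_t)-1 / (gid_t)-1 mean "leave unchanged". Returns 0 on success, -1 on bad input. */
int parse_owner_spec(const char *spec, uid_t *uid, gid_t *gid)
{
    char buf[256], *end;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    char *user = buf, *group = strchr(buf, ':');
    if (group) *group++ = '\0';
    *uid = (uid_t)-1; *gid = (gid_t)-1;
    if (*user) {
        unsigned long n = strtoul(user, &end, 10);
        if (*end == '\0') *uid = (uid_t)n;
        else { struct passwd *pw = getpwnam(user); if (!pw) return -1; *uid = pw->pw_uid; }
    }
    if (group && *group) {
        unsigned long n = strtoul(group, &end, 10);
        if (*end == '\0') *gid = (gid_t)n;
        else { struct group *gr = getgrnam(group); if (!gr) return -1; *gid = gr->gr_gid; }
    }
    return (*uid == (uid_t)-1 && *gid == (gid_t)-1) ? -1 : 0;
}

/* Lexical pre-check: the part of path below root, or NULL if it is outside (or is root itself). */
const char *relative_to_root(const char *path, const char *root)
{
    size_t n = strlen(root);
    if (strncmp(path, root, n) != 0 || path[n] != '/') return NULL;
    const char *rel = path + n;
    while (*rel == '/') rel++;
    return *rel ? rel : NULL;
}

/* Only plain names are allowed as components: no "", "." or "..". */
int component_ok(const char *comp)
{
    return comp[0] != '\0' && strcmp(comp, ".") != 0 && strcmp(comp, "..") != 0;
}

/* Walk from ALLOWED_ROOT to the target one component at a time with O_NOFOLLOW, so a symlink
 * anywhere in the path cannot redirect us out of the tree, then chown through the descriptor
 * we just validated rather than looking the name up again (no check-then-use window). */
int restricted_chown(const char *path, uid_t uid, gid_t gid)
{
    const char *rel = relative_to_root(path, ALLOWED_ROOT);
    char work[PATH_MAX], *save = NULL;
    struct stat st = {0};
    if (!rel) { errno = EACCES; return -1; }
    if (strlen(rel) >= sizeof work) { errno = ENAMETOOLONG; return -1; }
    strcpy(work, rel);
    int fd = open(ALLOWED_ROOT, O_PATH | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    for (char *comp = strtok_r(work, "/", &save); comp; comp = strtok_r(NULL, "/", &save)) {
        if (!component_ok(comp)) { close(fd); errno = EACCES; return -1; }
        int next = openat(fd, comp, O_PATH | O_NOFOLLOW | O_CLOEXEC);
        close(fd);
        if (next < 0) return -1;
        if (fstat(next, &st) < 0) { close(next); return -1; }
        if (S_ISLNK(st.st_mode)) { close(next); errno = ELOOP; return -1; } /* link in path */
        fd = next;
    }
    /* Assumption beyond the answer: refuse multiply linked files, because a hard link to, say,
     * libc created inside the tree would otherwise let the caller re-own a file living elsewhere. */
    if (!S_ISDIR(st.st_mode) && st.st_nlink > 1) { close(fd); errno = EMLINK; return -1; }
    int rc = fchownat(fd, "", uid, gid, AT_EMPTY_PATH);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

int main(int argc, char **argv)
{
    uid_t uid; gid_t gid;
    if (argc < 3 || parse_owner_spec(argv[1], &uid, &gid) != 0) {
        fprintf(stderr, "usage: %s user[:group] file...  (files must be under %s)\n", argv[0], ALLOWED_ROOT);
        return 2;
    }
    int status = 0;
    for (int i = 2; i < argc; i++)
        if (restricted_chown(argv[i], uid, gid) != 0) { perror(argv[i]); status = 1; }
    return status;
}
```

With the file capability set as the answer shows, the binary needs no setuid bit and holds only CAP_CHOWN, so a bug in it cannot hand out more than the ability to re-own files; the path walk is what keeps even that confined to the tree. Who may run it is then a matter of the 0750 group trick or a sudo rule, exactly as the answer suggests.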
Best Answer
Use the recursive switch on chown:
And that should do it.
More on why you get the error: if the find command doesn't find any files, then chown is executed without an operand at the end, which generates this error.
If you are really intent on sticking with your original command format, you can add the -r switch to xargs and it should get rid of the error when no files are found.