How to grant a user rights to change ownership of files/directories in a directory

chown, files, permissions

How do I grant a specific user the right to change user and group ownership of files and directories inside a specific directory?

I did a Google search and saw that there is such a thing as setfacl, which allows for granting users specific rights to change permissions for files and directories. From what I read, though, this command does not allow granting chown permissions.

So, say a file has

user1 user1 theFile1
user1 user1 theDirectory1

Issuing the following command would fail.

[user1@THEcomputer]$ chown user2 theFile

I do have root access on the computer. Is there a way to grant a user to issue chown commands inside a directory?

UPDATE: How to add a user to a group.

Here is the article that I used to add datamover to the hts group.

[root@Venus ~]# usermod -a -G datamover hts
[root@Venus ~]# exit
logout
[hts@Venus Receive]$ groups
hts wireshark datamover
[hts@Venus Receive]$ 

UPDATE (address comment by RuiFRibeiro):

Changing the ownership of the directory to the directory does not work, see screenshot.

[datamover@Venus root]$ ls -la
total 311514624
drwxrwxrwx. 6 datamover datamover         4096 Oct 14 14:05 .
drwxr-xr-x  4 root      root              4096 Aug 20 16:52 ..
-rwxrwxrwx. 1 datamover datamover          674 Aug 31 16:47 create_files.zip
drwxrwxrwx  2 datamover datamover         4096 Oct 17 17:07 dudi
-rwxrwxrwx. 1 datamover datamover 318724299315 Oct 13 15:47 Jmr400.mov
-rwxrwxrwx. 1 datamover datamover    182693854 Aug 31 16:47 Jmr_Commercial_WithSubtitles.mov
-rwxrwxrwx. 1 datamover datamover     80607864 Aug 31 16:47 Jmr_DataMover_Final.mov
drwxrwxrwx. 2 datamover datamover       122880 Aug 23 11:54 ManyFiles
drwxrwxrwx. 3 datamover datamover         4096 Oct 25 07:18 Receive
drwxrwxrwx  2 datamover datamover         4096 Oct 14 13:40 sarah
-rwxrwxrwx  1 datamover datamover      3184449 Oct 14 14:05 SourceGrid_4_40_bin.zip
[datamover@Venus root]$ cd ./Receive/
[datamover@Venus Receive]$ ls -la
total 178540
drwxrwxrwx. 3 datamover datamover      4096 Oct 25 07:18 .
drwxrwxrwx. 6 datamover datamover      4096 Oct 14 14:05 ..
-rwxrwxrwx  1 hts       hts       182693854 Oct 25 07:18 Jmr_Commercial_WithSubtitles.mov
drwxrwxrwx  2 datamover datamover    122880 Oct 23 13:33 ManyFiles
[datamover@Venus Receive]$ chown datamover:datamover ./Jmr_Commercial_WithSubtitles.mov
chown: changing ownership of './Jmr_Commercial_WithSubtitles.mov': Operation not permitted

Here is an attempt as the owner of the file:

[hts@Venus Receive]$ chown datamover:datamover Jmr_Commercial_WithSubtitles.mov
chown: changing ownership of 'Jmr_Commercial_WithSubtitles.mov': Operation not permitted

So as you can see, neither possibility works.

UPDATE (address countermode's answer):

Group ownership may be changed by the file owner (and root). However, this is restricted to the groups the owner belongs to.

Yes, one does have to log out first. Here is the result of my attempt:

[hts@Venus ~]$ groups hts
hts : hts wireshark datamover
[hts@Venus ~]$ cd /mnt/DataMover/root/Receive/
[hts@Venus Receive]$ ls -la
total 178540
drwxrwxrwx. 3 datamover datamover      4096 Oct 25 07:18 .
drwxrwxrwx. 6 datamover datamover      4096 Oct 14 14:05 ..
-rwxrwxrwx  1 hts       hts       182693854 Oct 25 07:18 Jmr_Commercial_WithSubtitles.mov
drwxrwxrwx  2 datamover datamover    122880 Oct 23 13:33 ManyFiles
[hts@Venus Receive]$ chown hts:datamover ./Jmr_Commercial_WithSubtitles.mov 
[hts@Venus Receive]$ ls -la
total 178540
drwxrwxrwx. 3 datamover datamover      4096 Oct 25 07:18 .
drwxrwxrwx. 6 datamover datamover      4096 Oct 14 14:05 ..
-rwxrwxrwx  1 hts       datamover 182693854 Oct 25 07:18 Jmr_Commercial_WithSubtitles.mov
drwxrwxrwx  2 datamover datamover    122880 Oct 23 13:33 ManyFiles
[hts@Venus Receive]$ chown datamover:datamover ./Jmr_Commercial_WithSubtitles.mov 
chown: changing ownership of ‘./Jmr_Commercial_WithSubtitles.mov’: Operation not permitted
[hts@Venus Receive]$ 

Adding hts to the datamover group does indeed allow me to change the ownership of the group part, so now a partial answer and validation for the statement.

Best Answer

Only root has the permission to change the ownership of files. Reasonably modern versions of Linux provide the CAP_CHOWN capability; a user who has this capability may also change the ownership of arbitrary files. CAP_CHOWN is global: once granted, it applies to any file in a local file system.

Group ownership may be changed by the file owner (and root). However, this is restricted to the groups the owner belongs to. So if user U belongs to groups A, B, and C but not to D, then U may change the group of any file that U owns to A, B, or C, but not to D. If you seek arbitrary changes, then CAP_CHOWN is the way to go.

CAUTION: CAP_CHOWN has severe security implications; a user with a shell that has capability CAP_CHOWN could get root privileges. (For instance, chown libc to yourself, patch in your Trojan Horses, chown it back and wait for a root process to pick it up.)

Since you want to restrict the ability to change ownership to certain directories, none of the readily available tools will aid you. Instead you may write your own variant of chown that takes care of the intended restrictions. This program needs to have capability CAP_CHOWN e.g.

setcap cap_chown+ep /usr/local/bin/my_chown

CAUTION: Your program will probably mimic the genuine chown, e.g. my_chown user:group filename(s). Do perform your input validation very carefully. Check that each file satisfies the intended restrictions; particularly, watch out for soft links that point out of bounds.

If you want to restrict access to your program to certain users, you may either create a special group, set group ownership of my_chown to this group, set permissions to 0750, and add all users that are permitted to this group. Alternatively you may use sudo with suitable rules (in this case you also don't need capability magic). If you need even more flexibility, then you need to code the rules you have in mind into my_chown.
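The restricted my_chown the answer sketches, as an added C example that is not the answer's or any project's code. It assumes a policy of "direct children of one allowed directory only, symlinks refused"; the allowed directory, the function names and the self_check helper (which builds constructed test data in a temp dir) are assumptions, and a real build would add a user:group parsing main and carry cap_chown+ep via setcap as the answer shows.

```c
/* Added example (not the answer's code): core of the restricted my_chown the answer
 * proposes. Assumed policy: only direct children of one allowed directory may be
 * re-owned and symlinks are refused; the binary would get cap_chown+ep via setcap. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Re-own `path` only if its parent resolves (realpath collapses ".." and symlinked
 * directories) to exactly `allowed`. Returns 0 on success, -1 otherwise. */
int restricted_chown(const char *allowed, const char *path, uid_t uid, gid_t gid) {
    char buf[PATH_MAX], real[PATH_MAX]; struct stat st;
    if (strlen(path) >= sizeof buf) return -1;
    strcpy(buf, path);
    char *slash = strrchr(buf, '/');
    const char *base = slash ? slash + 1 : buf;
    const char *dir = !slash ? "." : slash == buf ? "/" : buf;
    if (slash) *slash = '\0';
    /* The final component must be one plain name: no "/", not "." or "..". */
    if (!*base || strchr(base, '/') || !strcmp(base, ".") || !strcmp(base, ".."))
        return -1;
    if (!realpath(dir, real) || strcmp(real, allowed) != 0) return -1;
    int dfd = open(real, O_RDONLY | O_DIRECTORY), rc = -1;
    /* Work relative to the checked directory and never follow links, so a symlink
     * swapped in after the check cannot redirect the chown outside `allowed`. */
    if (dfd >= 0 && fstatat(dfd, base, &st, AT_SYMLINK_NOFOLLOW) == 0 && !S_ISLNK(st.st_mode))
        rc = fchownat(dfd, base, uid, gid, AT_SYMLINK_NOFOLLOW);
    if (dfd >= 0) close(dfd);
    return rc;
}

/* Self-check: a temp dir holding a regular file and a symlink pointing outside it.
 * Returns 1 when the policy behaves as intended (constructed test data, hypothetical). */
int self_check(void) {
    char t[] = "/tmp/mychownXXXXXX", real[PATH_MAX], f[PATH_MAX], l[PATH_MAX];
    if (!mkdtemp(t) || !realpath(t, real)) return 0;
    snprintf(f, sizeof f, "%s/data.mov", t);
    snprintf(l, sizeof l, "%s/link", t);
    if (close(open(f, O_CREAT | O_WRONLY, 0600)) != 0 || symlink("/etc/passwd", l) != 0) return 0;
    int ok = restricted_chown(real, f, getuid(), getgid()) == 0       /* in bounds */
          && restricted_chown(real, l, getuid(), getgid()) == -1      /* symlink refused */
          && restricted_chown(real, "/etc/passwd", getuid(), getgid()) == -1
          && restricted_chown("/etc", f, getuid(), getgid()) == -1;   /* wrong directory */
    unlink(l); unlink(f); rmdir(t);
    return ok;
}
```

Compared with plain chown(2) on a user-supplied path, the fstatat/fchownat pair with AT_SYMLINK_NOFOLLOW is what closes the out-of-bounds soft-link case the answer warns about, including a link swapped in after the path check.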
