I may have misunderstood. But you can recursively use chmod and chown, e.g.
chown -R username:username /path/directory
To recursively apply permission 700 you can use:
chmod -R 700 /path/directory
Of course the above is for Linux, so not sure if Mac OS X is the same.
EDIT: Yeah, sorry, forgot to mention you need to be root to chown something, I just assumed you knew this...my bad.
Only root has the permission to change the ownership of files. Reasonably modern versions of Linux provide the CAP_CHOWN capability; a user who has this capability may also change the ownership of arbitrary files. CAP_CHOWN is global: once granted, it applies to any file in a local file system.
Group ownership may be changed by the file owner (and root). However, this is restricted to the groups the owner belongs to. So if user U belongs to groups A, B, and C but not to D, then U may change the group of any file that U owns to A, B, or C, but not to D. If you need arbitrary changes, then CAP_CHOWN is the way to go.
CAUTION: CAP_CHOWN has severe security implications; a user with a shell that has capability CAP_CHOWN could get root privileges. (For instance, chown libc to yourself, patch in your Trojan Horses, chown it back and wait for a root process to pick it up.)
Since you want to restrict the ability to change ownership to certain directories, none of the readily available tools will aid you. Instead you may write your own variant of chown that takes care of the intended restrictions. This program needs to have capability CAP_CHOWN,
e.g.
setcap cap_chown+ep /usr/local/bin/my_chown
CAUTION: Your program will probably mimic the genuine chown, e.g. my_chown user:group filename(s). Do perform your input validation very carefully. Check that each file satisfies the intended restrictions; in particular, watch out for soft links that point out of bounds.
If you want to restrict access to your program to certain users, you may either create a special group, set group ownership of my_chown to this group, set permissions to 0750, and add all users that are permitted to this group. Alternatively you may use sudo with suitable rules (in this case you also don't need capability magic). If you need even more flexibility, then you need to code the rules you have in mind into my_chown.
Best Answer
sudo does not have a built-in way to do this. The basic approach is to write some helper program that makes various checks (does user X own this directory? Is it in the expected path? Are the permission bits sane? Etc.) and then does the chown. You then allow user X to run the helper, as root, via either sudo or filesystem permissions (make the helper suid root, executable only to the daemon's group, or even the daemon's user with ACLs).
The helper, of course, needs to be written with security in mind.
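One shape such a helper can take, as an added example that is not code from this thread: it confirms the target sits under an allowed root, refuses symlinks with O_NOFOLLOW, checks the current owner on the descriptor it opened, and chowns through that same descriptor so the inode it checked is the inode it changes (closing the lstat-then-chown race the earlier answer's symlink warning hints at). The allowed root, the expected owner, and the sandbox files are assumptions; a real ownership change still needs root or CAP_CHOWN as described above.

```python
import errno
import os
import stat
import tempfile

def restricted_chown(path, allowed_root, expected_uid, new_uid, new_gid, dry_run=False):
    """Return (ok, reason). Refuses symlinks, anything outside allowed_root and
    files not owned by expected_uid; chowns through the descriptor it checked."""
    root = os.path.realpath(allowed_root)
    parent = os.path.realpath(os.path.dirname(os.path.abspath(path)))
    if parent != root and not parent.startswith(root + os.sep):
        return False, "outside allowed root"
    try:  # O_NOFOLLOW makes a symlink as the last component fail with ELOOP
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC)
    except OSError as e:
        return False, "symlink refused" if e.errno == errno.ELOOP else e.strerror
    try:
        st = os.fstat(fd)  # judge the inode we hold, not a path that may change
        if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
            return False, "not a regular file or directory"
        if st.st_uid != expected_uid:
            return False, "unexpected owner"
        if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            return False, "setuid/setgid bit set"
        if not dry_run:
            os.fchown(fd, new_uid, new_gid)
        return True, "ok"
    finally:
        os.close(fd)

def demo():
    """Constructed sandbox (not from the thread): a good file, a symlink escaping
    the root, a file outside the root. Dry run; returns {case: (ok, reason)}."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "data")
        os.mkdir(root)
        good, outside = os.path.join(root, "upload.txt"), os.path.join(top, "secret.txt")
        for f in (good, outside):
            open(f, "w").close()
        link = os.path.join(root, "escape")
        os.symlink(outside, link)
        cases = {"good": good, "link": link, "outside": outside,
                 "traversal": os.path.join(root, "..", "secret.txt")}
        return {name: restricted_chown(p, root, me, me, -1, dry_run=True)
                for name, p in cases.items()}

if __name__ == "__main__":
    print(demo())
```

The unprivileged dry run exercises only the checks; wired behind sudo or setcap, the same function performs the fchown for the single case that passes.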