Linux – Change owner of own directory

chownlinuxnot-root-user

I am fully aware that a non-root user cannot change the owner of a folder to another user even if the user owns it unless they use sudo or have the CAP_CHOWN capability.

Is there a way to grant a specific non-root user permissions to change the owner of a directory which it owns via sudo or some other command but not allow the user to arbitrarily change the owner of directories it does not own?

I have a server (running as the non-root "myserver" user) and want it to be able to create specific directories for local users, and when its done with a directory change the owner of it to the desired user.

Best Answer

sudo does not have a built-in way to do this. The basic approach is to write some helper program that makes various checks (does user X own this directory? Is it in the expected path? Are the permission bits sane? Etc.) and then does the chown.

You then allow user X to run the helper, as root, via either sudo or filesystem permissions (make the helper suid root, executable only two the daemon's group, or even the daemon's user with ACLs).

The helper, of course, needs to be written with security in mind.

Related Solutions

How to Change Owner of a Directory

I may have misunderstood. But you can recursively use chmod and chown eg.

chown -R username:username /path/directory

To recursively apply permission 700 you can use:

chmod -r 700 /path/directory

Of course the above is for Linux so not sure if mac osx is the same.

EDIT: Yea sorry forgot to mention you need to be root to chown something, I just assumed u knew this...my bad.

How to grant a user rights to change ownership of files/directories in a directory

Only root has the permission to change the ownership of files. Reasonably modern versions of Linux provide the CAP_CHOWN capability; a user who has this capability may also change the ownership of arbitrary files. CAP_CHOWN is global, once granted, it applies to any file in a local file system.

Group ownership may be changed by the file owner (and root). However, this is restricted to the groups the owner belongs to. So if user U belongs to groups A, B, and C but not to D, then U may change the group of any file that U owns to A, B, or C, but not to D. If you seek for arbitrary changes, then CAP_CHOWN is the way to go.

CAUTION CAP_CHOWN has severe security implications, a user with a shell that has capability CAP_CHOWN could get root privileges. (For instance, chown libc to yourself, patch in your Trojan Horses, chown it back and wait for a root process to pick it up.)

Since you want to restrict the ability to change ownership to certain directories, none of the readily available tools will aid you. Instead you may write your own variant of chown that takes care of the intended restrictions. This program needs to have capability CAP_CHOWN e.g.

setcap cap_chown+ep /usr/local/bin/my_chown

CAUTION Your program will probably mimic the genuine chown, e.g. my_chownuser:group filename(s). Do perform your input validation very carefully. Check that each file satisfies the intended restrictions, particularly, watch out for soft links that point out of bounds.

If you want to restrict access your program to certain users, you may either create a special group, set group ownership of my_chown to this group, set permissions to 0750, and add all users that are permitted to this group. Alternatively you may use sudo with suitable rules (in this case you also don't need capability magic). If you need even more flexibility, then you need to code the rules you have in mind into my_chown.

Best Answer

Related Solutions

How to Change Owner of a Directory

How to grant a user rights to change ownership of files/directories in a directory

Related Question