Seems that chown is allowed to non root user

Tags: chown, group, permissions, root

We are using LDAP authentication, and probably other things that I did not understand well, in our company, so maybe the following questions are a result of this. I have found a strange behavior of the chown command, and I do not know if this is normal. Here is my scenario:

The GID of user mark is SK001936 and the owner group of mark's home dir is SK001778; as you can see, they are not the same.
The group SK001778 is allowed all operations (rwx) on the home dir of user mark, as the owner (mark) has:

[mark@machine ~]$ id
uid=48447(mark) gid=41795(SK001936) groups=40119(SUB_SK001936_PPS),41795(SK001936)
[mark@machine ~]$ ls -lad .
drwxrwxr-x   6 mark SK001778  4096 Oct 10 13:30 .

The GIDs of users michael and mark are both SK001936:

[michael@machine mark]$ id
uid=40570(michael) gid=41795(SK001936) groups=40119(SUB_SK001936_PPS),41795(SK001936)
[mark@machine ~]$ id
uid=48447(mark) gid=41795(SK001936) groups=40119(SUB_SK001936_PPS),41795(SK001936)

User michael cannot create a file in the home dir of user mark.
This is because michael does not belong to the group (SK001778) which has full (rwx) access to mark's home directory:

[michael@machine mark]$ touch michael
touch: cannot touch `michael': Permission denied

Under normal circumstances the user cannot issue chown even if he is the owner of the file.
However, in this example the owner of the home directory (mark) is able to change the owner group of his own home directory (and thus allows the users belonging to this group access to his home dir):

[mark@machine ~]$ chown mark:SK001936 .

The group which now has access to mark's home dir is thus the same group as michael's GID, hence michael is now allowed to create/delete files/folders in mark's home dir:

[michael@machine mark]$ touch michael

mark is unable to change back the group ownership of his home dir (remember only root is allowed to issue chown according to this: why-cant-a-normal-user-chown-a-file):

[mark@machine ~]$ chown mark:SK001778 .
chown: changing ownership of `.': Operation not permitted

My question is: how is it possible that mark was able to change the group ownership of his home dir even when it is declared that chown can be issued only by root? The box is RedHat 5.6.

Best Answer

When you use chown in a manner that changes only the group, then it acts the same as chgrp. The owner of a file or directory can change the group to any group he is a member of.

It works like that because both the chown and chgrp commands use the same underlying chown syscall, which allows changing both owner and group. The syscall is what applies the permission check. The only difference between the chown and chgrp commands is the syntax you use to specify the change you want to make.

Mark can't change the group back to SK001778 because he isn't a member of group SK001778 (and he isn't root, which isn't restricted by group membership).
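The rule the answer describes (root may do anything; a non-root owner may not give the file to another uid and may only move it into a group they belong to) can be written down and replayed against the question's own numbers. The following is an added example, not code from the answerer or from the question; `chown_permitted` is a hypothetical predictor, the uids and gids are the ones shown in the question's `id` output, and the numeric gid of SK001778 is a constructed placeholder because the page never shows it. It models the default Linux behaviour where only uid 0 holds CAP_CHOWN.

```python
import os
import tempfile
from dataclasses import dataclass

# Values taken from the question's `id` output.
MARK_UID = 48447
MICHAEL_UID = 40570
GID_SK001936 = 41795
GID_SUB_SK001936_PPS = 40119
# The page never shows the numeric gid of SK001778; this is a constructed placeholder.
GID_SK001778_PLACEHOLDER = 41777

UNCHANGED = -1  # chown(2) convention: -1 leaves that id as it is


@dataclass(frozen=True)
class Caller:
    """The process attempting the change: its effective uid and all of its gids."""
    uid: int
    groups: frozenset


def chown_permitted(caller: Caller, file_uid: int, new_uid: int, new_gid: int) -> bool:
    """Predict whether chown(2) will succeed (hypothetical helper, models the default Linux rule).

      - root may do anything;
      - anyone else must own the file;
      - a non-root owner may not hand the file to another uid;
      - a non-root owner may switch the group only to a gid they are a member of.
    """
    if caller.uid == 0:
        return True
    if caller.uid != file_uid:
        return False
    if new_uid not in (UNCHANGED, file_uid):
        return False
    if new_gid != UNCHANGED and new_gid not in caller.groups:
        return False
    return True


def current_caller() -> Caller:
    """Build a Caller from the running process, i.e. what the kernel will actually check."""
    return Caller(os.geteuid(), frozenset(os.getgroups()) | {os.getegid()})


def try_chown(path: str, new_uid: int = UNCHANGED, new_gid: int = UNCHANGED) -> str:
    """Issue the real syscall and report the kernel's decision as a short string."""
    try:
        os.chown(path, new_uid, new_gid)
        return "ok"
    except PermissionError:
        return "EPERM"


if __name__ == "__main__":
    mark = Caller(MARK_UID, frozenset({GID_SK001936, GID_SUB_SK001936_PPS}))
    michael = Caller(MICHAEL_UID, frozenset({GID_SK001936, GID_SUB_SK001936_PPS}))

    # Replay the question's steps from the rule alone, without touching the filesystem.
    print("mark: chown mark:SK001936 .  ->",
          chown_permitted(mark, MARK_UID, MARK_UID, GID_SK001936))            # True
    print("mark: chown mark:SK001778 .  ->",
          chown_permitted(mark, MARK_UID, MARK_UID, GID_SK001778_PLACEHOLDER))  # False
    print("mark: chown michael .        ->",
          chown_permitted(mark, MARK_UID, MICHAEL_UID, UNCHANGED))            # False
    print("michael: chown on mark's dir ->",
          chown_permitted(michael, MARK_UID, MARK_UID, GID_SK001936))         # False

    # Live check on a scratch file owned by whoever runs this: the prediction
    # for "keep owner, set group to my own primary gid" should match the kernel.
    with tempfile.NamedTemporaryFile() as scratch:
        me = current_caller()
        predicted = chown_permitted(me, os.geteuid(), UNCHANGED, os.getegid())
        print("live: predicted", predicted, "actual", try_chown(scratch.name, UNCHANGED, os.getegid()))
```

Running it reproduces the question exactly: the first chown is a pure group change into one of mark's own groups and is allowed, the change back fails because mark is not in SK001778, and neither user can hand a file to a different uid. A related detail worth knowing when auditing this kind of change: on Linux, an unprivileged chown of an executable clears its set-user-ID and set-group-ID bits, so a successful chgrp by a file owner cannot silently turn an existing setgid binary over to a new group.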
