Way in Linux to have one non root user check if another non root user has permissions to a folder / file

files permissions

The scenario is this – I have a command line program that might not run as root; part of the requirements is to warn if another user has write permissions to some folder / file

e.g.

  • I'm running as non root user A
  • I would like to get the answer to the question: "does user B have write permissions to folder F"

So my questions are

  • Is it even possible to do as a root user? If so, how?
  • Is there any way to do it as a non root user?

Best Answer

In general, the only way to know if user B can write to directory D is for user B to attempt to write to directory D.

So, as root, you can su to the user and try it. Though that may not be 100% accurate as the user logging in and entering his password may change things (e.g., a pam module might set up crypto keys based on the user's password).

Almost as accurate, again as root, you can su to the user and use the access(2) syscall or similar. Probably, this is what the shell does if you use test -w, and also what /usr/bin/test does. Though as the manpage warns, on NFSv2, the actual check is done by the server, but the test for the access syscall is done locally, so it may be wrong. Similarly, FUSE filesystems may do the same.

(The access(2) manpage also mentions a race condition which is fundamental to what you're doing: B's permissions on D might change between when you check and when B actually tries to write to D.)

Other than that, you have to decide how much accuracy you are willing to accept:

  1. You could stat the directory, and check the users & groups (as several of the other answers show)
  2. You could additionally check the ACLs on the directory.

But even if you do that, the following will trip you up:

  1. With NFS and various other network filesystems, the server decides if access is permitted. It can make that decision based on, well, whatever it likes. Consider e.g., the various squash NFS export options.
  2. Permissions checks are actually done by the filesystem; non-Unix filesystems may give unexpected answers (how is the Unix user mapped to a SID for NTFS?). All bets are off with e.g., FUSE filesystems.
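The stat-based check from option 1 above, as an added example that is not part of the original answer. It can run as a non-root user, reads only the classic mode bits, and ignores ACLs and whatever a network or FUSE filesystem decides on its own; the function names class_allows and may_write are hypothetical.

```python
import os
import pwd
import stat


def class_allows(st, uid, gids, want):
    """Evaluate classic mode bits the way the kernel does: the first
    matching class (owner, then group, then other) decides, and there
    is no fall-through to a later class."""
    if uid == 0:
        return True  # assumption: root keeps CAP_DAC_OVERRIDE
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return ((st.st_mode >> shift) & want) == want


def may_write(path, username):
    """Best-effort answer to "can username write to path?".
    Returns True or False, or None when the calling user cannot
    stat the path or one of its ancestors."""
    pw = pwd.getpwnam(username)  # KeyError if the account is unknown
    gids = set(os.getgrouplist(username, pw.pw_gid))
    path = os.path.realpath(path)
    try:
        # The target user needs search (x) on every ancestor directory.
        parent = os.path.dirname(path)
        while True:
            if not class_allows(os.stat(parent), pw.pw_uid, gids, 0o1):
                return False
            if parent == os.path.dirname(parent):
                break
            parent = os.path.dirname(parent)
        st = os.stat(path)
    except OSError:
        return None  # the caller itself lacks access, so the answer is unknown
    # Creating entries in a directory needs w and x; a file needs only w.
    want = 0o3 if stat.S_ISDIR(st.st_mode) else 0o2
    return class_allows(st, pw.pw_uid, gids, want)


if __name__ == "__main__":
    import sys
    print(may_write(sys.argv[1], sys.argv[2]))
```

A mode such as 0707 shows why the class order matters: a member of the owning group is denied even though "other" has write access.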