  • Chown: Rh9

    It drives me nuts.

    [dlodico@winchester dlodico]$ touch myself

    [dlodico@winchester dlodico]$ ls -l
    total 0
    -rw-r--r-- 1 dlodico users 0 Aug 26 10:33 myself

    [dlodico@winchester dlodico]$ ls -l ..
    total 24
    drwx------ 4 amalashe users 4096 Aug 22 14:31 amalashe
    drwx------ 4 dking users 4096 Aug 25 11:26 dking
    drwxrwxrwx 14 dlodico users 4096 Aug 26 10:33 dlodico
    drwx------ 12 meartscc users 4096 Aug 21 10:48 meartscc
    drwx------ 4 phelbig users 4096 Aug 22 14:59 phelbig
    drwx------ 4 xhuynh users 4096 Aug 22 14:51 xhuynh

    [dlodico@winchester dlodico]$ chown meartscc myself
    chown: changing ownership of `myself': Operation not permitted

    [dlodico@winchester dlodico]$ chown -v meartscc myself
    failed to change ownership of `myself' to meartscc
    chown: changing ownership of `myself': Operation not permitted

  • #2
    Unix (and Linux) doesn't let you change the ownership of a file to someone other than yourself unless you are root. You can also only change the group owner of a file to a group that you belong to. It's just one of those things. What are you trying to do that you need to change the owner of a file? There may be a better (or at least different) way to accomplish it.



    • #3
      But on my Solaris box at work, I can chown anyone to anyone else.

      Whatever I was originally trying to do when I found this out I worked around. But it annoyed me. :-(



      • #4
        You would be able to chown anyone to anyone if everyone had the same user id. You would practically be all the same users but with different aliases.

        If Solaris lets you do it even as different users that would seem kinda insecure to me.



        • #5
          Originally posted by TnT
          You would be able to chown anyone to anyone if everyone had the same user id. You would practically be all the same users but with different aliases.
          Right, but that would be pointless.

          If solaris lets you do it even as different users that would seem kinda insecure to me.
          ?? You can only chown to someone if YOU are the owner.

          example: file name = myself, owner=kooldino

          as kooldino, i can "chown TnT myself" and have it complete successfully.

          If I'm logged in as "bob" and I do a "chown TnT myself", I'll get an error because I don't own the file.

          So how is that insecure?



          • #6
            It seems that the standard Unix semantics are as in Linux, but Solaris has a configurable policy to let users change the owner of their own files.

            The Solaris manpage for the chown system call includes the following paragraph:

            The operating system provides a configuration option, {_POSIX_CHOWN_RESTRICTED}, to restrict ownership changes for the chown(), lchown(), and fchown() functions. When {_POSIX_CHOWN_RESTRICTED} is not in effect, either the effective user ID of the process must match the owner of the file or the process must be the super-user to change the ownership of a file. When {_POSIX_CHOWN_RESTRICTED} is in effect (the default behavior), the chown(), lchown(), and fchown() functions, for users other than super-user, prevent the owner of the file from changing the owner ID of the file and restrict the change of the group of the file to the list of supplementary group IDs.
            The reason cited for not allowing a normal user to change the owner of a file is that you could do kind of a denial of service to another user by creating large files and changing the owner thus putting the target user over their quota. Or you could put some sort of illegal file on a server and change the owner to someone and get them in trouble for the file.
            Last edited by mallowman; 26 August 2003, 11:42.

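A small probe, added here as an example and not code from the thread, that shows the two points above in one run: post #2's rule that an unprivileged owner cannot give a file away, and the {_POSIX_CHOWN_RESTRICTED} option quoted from the Solaris manpage in post #6, which the same program reads back through pathconf(2). It creates a scratch file it owns, asks the kernel whether chown is restricted for that path, tries to hand the file to another uid exactly as the original post did, and reports whether the outcome agrees with the policy. The helper names (chown_policy_for, give_away, probe_chown_restricted, probe_self_check), the /tmp scratch directory and the default target uid 0 are my choices for the example; nothing here is the thread's own code. The comment about Solaris's rstchown tunable is the kernel setting that turns the restriction off on that platform.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* What pathconf(2) reports for _POSIX_CHOWN_RESTRICTED on a given path. */
enum chown_policy {
    CHOWN_POLICY_UNKNOWN,      /* pathconf failed */
    CHOWN_POLICY_RESTRICTED,   /* only the super-user may give a file to another user */
    CHOWN_POLICY_UNRESTRICTED  /* the owner may give a file away (Solaris with rstchown=0) */
};

enum chown_policy chown_policy_for(const char *path)
{
    errno = 0;
    long v = pathconf(path, _PC_CHOWN_RESTRICTED);
    if (v > 0)
        return CHOWN_POLICY_RESTRICTED;
    /* POSIX: -1 with errno still 0 means the option is not in effect;
     * -1 with errno set is a genuine error (bad path, etc.). */
    if (v == -1 && errno != 0)
        return CHOWN_POLICY_UNKNOWN;
    return CHOWN_POLICY_UNRESTRICTED;
}

/* Try to hand `path` to `new_owner`; (gid_t)-1 leaves the group untouched.
 * Returns 0 on success, otherwise chown(2)'s errno (EPERM is the one the
 * original post ran into). */
int give_away(const char *path, uid_t new_owner)
{
    return chown(path, new_owner, (gid_t)-1) == 0 ? 0 : errno;
}

struct chown_probe {
    enum chown_policy policy;
    int give_away_errno;       /* 0 = chown succeeded */
    uid_t euid;                /* who we were when we tried */
};

/* Create a scratch file we own in `dir`, read the policy, try to give the file
 * to `new_owner`, and remove the file again. Returns 0 when the outcome agrees
 * with the policy and our privilege, -1 if no scratch file could be made, and
 * 1 when the outcome contradicts the policy (an unprivileged owner succeeding
 * on a restricted system would mean we hold CAP_CHOWN or equivalent). */
int probe_chown_restricted(const char *dir, uid_t new_owner, struct chown_probe *out)
{
    char path[4096];
    if (snprintf(path, sizeof path, "%s/chownprobe.XXXXXX", dir) >= (int)sizeof path)
        return -1;
    int fd = mkstemp(path);   /* scratch file; we are its owner */
    if (fd < 0)
        return -1;
    close(fd);

    out->euid = geteuid();
    out->policy = chown_policy_for(path);
    out->give_away_errno = give_away(path, new_owner);
    unlink(path);

    if (out->euid == 0)
        return 0;   /* the super-user may always change ownership */
    if (out->policy == CHOWN_POLICY_RESTRICTED)
        return out->give_away_errno == EPERM ? 0 : 1;
    if (out->policy == CHOWN_POLICY_UNRESTRICTED)
        return out->give_away_errno == 0 ? 0 : 1;
    return 0;       /* policy unknown: nothing to contradict */
}

/* Convenience wrapper: probe in /tmp, falling back to the current directory.
 * Target uid 0 is an assumed default: root is mapped in every user namespace,
 * so a failure is the policy's EPERM rather than EINVAL for an unmapped uid. */
int probe_self_check(void)
{
    struct chown_probe p;
    int rc = probe_chown_restricted("/tmp", 0, &p);
    if (rc == -1)
        rc = probe_chown_restricted(".", 0, &p);
    return rc;
}

int main(int argc, char **argv)
{
    /* Optional argument: numeric uid to hand the file to (default 0). */
    uid_t target = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : 0;
    struct chown_probe p;
    int rc = probe_chown_restricted("/tmp", target, &p);
    if (rc == -1) {
        perror("cannot create scratch file in /tmp");
        return 2;
    }
    static const char *names[] = { "unknown", "restricted (default)", "unrestricted" };
    printf("euid %lu, _POSIX_CHOWN_RESTRICTED: %s\n", (unsigned long)p.euid, names[p.policy]);
    if (p.give_away_errno == 0)
        printf("chown to uid %lu succeeded\n", (unsigned long)target);
    else
        printf("chown to uid %lu failed: %s\n", (unsigned long)target, strerror(p.give_away_errno));
    printf("outcome %s the policy\n", rc == 0 ? "agrees with" : "contradicts");
    return rc;
}
```

Build with `cc -o chownprobe chownprobe.c`. Run as an ordinary user on Linux it reports the policy as restricted and the chown failing with "Operation not permitted", which is the EPERM behind the message in the first post; run as root the same chown succeeds. On a Solaris host with the restriction switched off, chown_policy_for returns unrestricted and the owner's chown goes through, which is the behaviour described in post #3.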


            • #7
              Originally posted by mallowman
              It seems that the standard Unix semantics are as in Linux, but Solaris has a configurable policy to let users change the owner of their own files.

              The Solaris manpage for the chown system call includes the following paragraph:

              The reason cited for not allowing a normal user to change the owner of a file is that you could do kind of a denial of service to another user by creating large files and changing the owner thus putting the target user over their quota. Or you could put some sort of illegal file on a server and change the owner to someone and get them in trouble for the file.
              Ahh, I see. To combat that there should be a log of all chowns, and there should be a way to auto accept/reject ownership from certain people/groups.



              • #8
                If you are on Solaris, you can use the nice commands setfacl and getfacl to apply ACLs (Access Control Lists).
                They are sweet...

                Code:
                giraff:~> getfacl edu
                
                # file: edu
                # owner: c03lvd
                # group: c03
                user::rwx
                group::---              #effective:---
                group:tdb:r-x           #effective:r-x
                mask:r-x
                other:r-x
                default:user::rwx
                default:group::---
                default:group:tdb:r-x
                default:mask:rwx
                default:other:---
                giraff:~>
                This makes my dir full access to me, none to my group, none to others and rx for tdb, which are my lab teachers who have to check my results.
