
Thread: file ownership

  1. #1

    file ownership

    Hello guys, how is everyone here doing?

    I have a simple question here.

    Under RH7.1 I want to change the file ownership (files I own) to another user using the chown command.

    The Linux documentation says that I have to be root to do that.

    I am a normal user and the other person is a normal user.

    How will I do that?

    Thanks in advance

    Cheers
    antisecurityboy

  2. #2
    As a normal user, unless there is something different in RH, you can't change the ownership of a file from yourself to another user of equal level. If you have a file that you want someone else to have access to, use the chmod command and change the permission levels of the file.

    Hope this helps.

  3. #3
    the_JinX (Leftie Linux Lover; joined Nov 2001; Beverwijk, Netherlands; 2,534 posts)
    yup..

    chown username:group filename

    but I'd go with Infiltrator's idea.. use chmod to allow the other user (from same group or even all) access to the file..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  4. #4
    Senior Member (joined Jan 2002; 1,207 posts)
    It is possible under some Unix rules to "give" files to other users using "chown". This is generally frowned upon now and disabled by default under most Unixes (I think Irix allows it by default, IIRC).

    Chown'ing a file to someone adds it to their quota, hence you can effectively bypass quotas by giving away all your files to someone else (they may not be able to access them if they are in a directory owned by you anyway), and DoS their account by filling their quota. It essentially hides who created the file too (if in /tmp for example). It's also quite easy for people to cooperate into creating stupid situations in which they then cannot access one another's files.

    Normally a better way to handle things is to create a group for every set of people who need to share files. Even if it isn't their primary group, because users can be in multiple groups, they can chgrp a file or directory to another (secondary) group, and chmod it appropriately, without the need to be root.

    Hence I'd normally say, give each team of users a group, and add a user to any groups as necessary. There is a limit, but you can be in quite a few groups.
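The group-based approach from post #4, as an added example that is not part of the original thread: share a file through a group the caller already belongs to, with no chown and without opening the file to "other" as `chmod o+rwx` would. The function names are hypothetical, and GNU/Linux is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# in_group GID: succeed if the calling user is a member of numeric group GID.
in_group() {
    for g in $(id -G); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# share_with_group FILE GID: hand FILE to group GID and give that group
# read/write, while removing every permission for "other".
# A non-root user may only chgrp to a group they are a member of, so the
# membership check gives a clear error instead of a bare chgrp failure.
share_with_group() {
    if ! in_group "$2"; then
        echo "not a member of group $2; ask root to add you to it" >&2
        return 1
    fi
    chgrp "$2" "$1" || return 1
    chmod u=rw,g=rw,o= "$1"
}

# make_shared_dir DIR GID: create a team directory with the setgid bit set,
# so files created inside inherit the directory's group automatically.
make_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}
```

The owner shown by `ls -l` stays the same; only the group column changes.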

  5. #5
    Thank you very much, all of you.

    I will come back to you if I need more help.

    Cheers
    antisecurityboy

  6. #6

    Originally posted here by the_JinX
    yup..

    chown username:group filename

    This didn't work.

    Any other ideas?

    Cheers.
    antisecurityboy

  7. #7
    Banned (joined May 2003; 1,004 posts)
    I am not much of a linux user, so I don't know if an extension like this exists yet, but many higher security systems use a security matrix to determine who has what access to what of the same label of course and then when a subject modifies an object, that subject takes ownership and the object ends up with the lowest common privileges between the original object and the modifying subject. For example, if the object is executable by the web server, but the subject does not have the ability to execute software on the web server, the modified object is owned by the new subject and can no longer be executed by the web server.

    This allows for a far more secure environment, although the system tends to migrate toward nothing having any permissions at all (as well as everything being the lowest integrity level and highest confidentiality level if these are utilized as well), so extra precautions need to be used. However, you will note that the system migrates to a more secure one in this manner. (Wow, a system that gets more secure the less you administer it, whoulda thunk it. hehe)

    If your goal is just ease of use Slarty's suggestion of many groups will work fine as well, but keep in mind this will have catastrophic consequences on security. As I discussed in my "How to hack (nearly) any OS" tutorial on this site, read and write permissions are transitive. All of those groups will very likely mean that there is a path between nearly any two objects on the system.

    If you really desire, you can set up sudo for chown, but I would highly suggest against this if security is any concern at all.

    If you have many users, desire security, and have no clue what I am talking about in the first two paragraphs... you might do well to stick such content into a database; it is easier to set up more finely grained views than UN*X permission bits.

    catch

  8. #8
    NeuTron (AO Veteran; joined Apr 2003; 550 posts)
    try this...its what infiltrator suggested

    chmod o+rwx <filename>

  9. #9
    HEY ALL WHAT I WANT TO DO IS TO SEE THE NAME OF THE OTHER USER (THE ONE I WANT TO GIVE MY FILE'S OWNERSHIP TO) WHEN I ISSUE LS -L COMMAND.

    I want to give him the ownership of the file, not to give him rights to read and write and execute.

    Cheers
    antisecurityboy

  10. #10
    Senior Member (joined Jun 2002; 174 posts)
    Well....you could always boot up as miniroot (using a floppy based linux), alter the /etc/shadow file to wipe out the root password or alter the /etc/passwd file to give yourself a UID and GID of 0, and chown from there, but it's a lot of work, and generally not recommended unless you say *forgot* the root password to your own box....Or you could chmod it, which is the smart way to do it.

    If you have read only access, there is a way to give yourself writing access, and even change the file permissions.

    Repeat after me:

    (doo being the file in question)


    % touch doo
    % chmod 444 doo
    % ls -al doo*
    -r--r--r-- 1 me user 0 (date) doo
    -rw-rw-rw- 1 me user 233 (date) doo.old

    % cp doo.old doo
    Cannot create doo - Permission denied

    % mv doo.old doo
    doo: 444 mode (yes/no)[no]:
    % ls -al doo*
    -rw-rw-rw- 1 me user 233 (date) doo


    Have fun!
    I'm back.
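Why the `mv` in post #10 succeeds where `cp` fails, as an added example that is not part of the original thread: renaming over a file needs write permission on the directory, not on the file, so mode 444 alone does not stop replacement. The second function audits a directory's mode bits for that exposure. The function names and the constructed file contents are assumptions, and GNU/Linux is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical and
# the file contents are constructed for the demonstration.

# replace_readonly DIR: create a mode-444 file in DIR, replace it by rename,
# and print the file's content afterwards.
replace_readonly() {
    printf 'original\n' > "$1/doo"
    chmod 444 "$1/doo"                  # read-only for everyone
    printf 'replacement\n' > "$1/doo.old"
    # cp would have to open doo for writing, which mode 444 denies.
    # mv only rewrites the directory entry, so DIR's write bit decides.
    mv -f "$1/doo.old" "$1/doo"
    cat "$1/doo"
}

# dir_exposure DIR: classify, from the mode string shown by ls -ld, who can
# rename or delete entries in DIR regardless of the entries' own modes.
#   owner-only   only the directory owner has write access
#   sticky       group/other can write, but the sticky bit limits each user
#                to removing or renaming their own entries (as on /tmp)
#   replaceable  group/other can write and may swap out any file in DIR
dir_exposure() {
    [ -d "$1" ] || return 1
    p=$(ls -ld "$1" | cut -c1-10)
    case $p in
        d????w????|d???????w?) ;;       # group or other write bit is set
        *) echo "owner-only"; return 0 ;;
    esac
    case $p in
        *[tT]) echo "sticky" ;;
        *)     echo "replaceable" ;;
    esac
}
```

To protect a file from being swapped out, restrict write access on its directory or set the sticky bit there; `chmod 444` on the file alone is not enough.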
