[ale] Allow non-root user to chown file to other user?

Jeff Lightner jlightner at water.com
Thu Nov 15 14:45:43 EST 2007


OK, the responses so far did what I was asking not to do: that is, they
are either telling me how to engineer a solution around it or they are
saying it is a bad idea.

Also one post mentioned "capabilities" which I had broached in my
original post.  My read of that is it is something set for programs or
at kernel level not something that is enabled for users.   If the chown
capability is not on in the kernel then even root couldn't do chown.
It doesn't seem to really relate to my question - I had gone down that
path before posting.

Again, I am asking if there is a way to allow non-root users to simply
use the "real" chown command directly.  It just doesn't seem to me that
this shouldn't be something that is configurable somehow, especially
given that it is configurable on at least two UNIX variants I'm familiar
with.

-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
Thomas Stromberg
Sent: Thursday, November 15, 2007 2:18 PM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] Allow non-root user to chown file to other user?

Thanks for mentioning this. sudoers allows you to specify exactly what
chown's would be allowed in this case. I've used this in the past
where I wanted to allow chown to work on a single file with a single
destination user.

On 11/15/07, Brian Pitts <brian at polibyte.com> wrote:
> Thomas Stromberg wrote:
> > If you really wanted to implement this, you could do so with the
> > following script. While I know you are not a fan of the sudo approach,
> > combined with this script, it would be invisible to your users, and
> > add a syslog entry each time this extended-functionality is used. This
> > way you can audit any ownership changes you might have.
> >
> > -- 8< ---------------------
> > #!/bin/sh
> > # This assumes you have configured the "admin" group in sudoers for
> > # password-less chown.
> > #
> > # It's recommended you place this somewhere in path such as /usr/local/bin
> > # rather than overwriting /usr/sbin/chown, but both will work.
> >
> > CHOWN_GROUP="admin"
> > # Path of the real chown binary (on most Linux distributions it is /bin/chown).
> > REAL_CHOWN="/usr/sbin/chown"
> > chown_cmd=$REAL_CHOWN
> >
> > # If the caller is a member of CHOWN_GROUP, run the real chown via sudo.
> > for group in $(groups)
> > do
> >   if [ "$group" = "$CHOWN_GROUP" ]; then
> >     chown_cmd="sudo $REAL_CHOWN"
> >     break
> >   fi
> > done
> >
> > # "$@" (not $*) keeps arguments with spaces intact.
> > $chown_cmd "$@"
> > -- 8< ---------------------
> >
>
> Until they chown syslog and remove those entries. There's a thread about
> this issue here.
>
> http://lists.debian.org/debian-security/2001/07/msg00160.html
>
> The best advice I see is "VERY CAREFULLY construct a wrapper that
> validates input (i.e. requires absolute paths under a given directory
> (i.e. /home) w/o symlinks, matches argument against a list of valid
> files, etc.) and then executes the chown itself, and give the user sudo
> permission to run the wrapper."
>
> -Brian
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>
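The wrapper Brian quotes above (validate the path, validate the destination, then run chown yourself, and grant sudo on the wrapper only) as a worked example. This is an added illustration written for this thread, not Thomas's script and not anything the list members posted. It assumes: a fixed allowlist of destination users (alice, bob), that only paths strictly below /home are eligible, that the script is installed as /usr/local/sbin/safe-chown and listed in sudoers on its own, and that logger is available for the audit trail. All of those names and values are constructed for the example. The point of the path check is exactly Brian's objection: because every component is checked for symlinks and nothing outside /home is accepted, a user who gets sudo on this wrapper cannot use it to take ownership of /var/log/syslog or anything else the sudoers rule did not intend.

```sh
#!/bin/sh
# safe-chown: a constructed "validate, then chown" wrapper (added example,
# not from the thread). Constants are hard-coded on purpose: sudo resets
# the environment, and the invoking user must not be able to alter them.

ALLOWED_ROOT="/home"            # only paths strictly below this root (assumed)
ALLOWED_USERS="alice bob"       # constructed allowlist of destination users
REAL_CHOWN="/bin/chown"         # location of the real chown on most Linux systems

# validate_user NAME: succeed only if NAME is in the allowlist.
validate_user() {
    for u in $ALLOWED_USERS; do
        [ "$1" = "$u" ] && return 0
    done
    return 1
}

# validate_path ROOT PATH: succeed only if PATH is absolute, strictly below
# ROOT, contains no "." / ".." / empty components, exists, and has no
# symlink in any component (so it cannot be pointed at /var/log via a link).
validate_path() {
    root=$1
    p=$2
    case "$p" in
        "$root"/*) ;;
        *) return 1 ;;
    esac
    case "$p" in
        */../*|*/..|*/./*|*/.|*//*|*/) return 1 ;;
    esac
    [ -e "$p" ] || return 1
    cur=""
    old_ifs=$IFS
    IFS=/
    set -f                          # no globbing while we split on "/"
    for comp in $p; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        if [ -L "$cur" ]; then
            set +f; IFS=$old_ifs
            return 1
        fi
    done
    set +f; IFS=$old_ifs
    return 0
}

# safe_chown USER PATH: the only entry point sudoers should expose.
safe_chown() {
    if [ $# -ne 2 ]; then
        echo "usage: safe-chown USER PATH" >&2
        return 2
    fi
    user=$1
    path=$2
    if ! validate_user "$user"; then
        echo "refused: '$user' is not an allowed destination user" >&2
        return 1
    fi
    if ! validate_path "$ALLOWED_ROOT" "$path"; then
        echo "refused: '$path' failed path validation" >&2
        return 1
    fi
    # Audit trail: record who asked for what. Logging failure must not
    # block the operation, so the result of logger is ignored.
    if command -v logger >/dev/null 2>&1; then
        logger -t safe-chown "$(id -un) chown $user $path" || :
    fi
    "$REAL_CHOWN" -- "$user" "$path"
}

# Act as a command only when given arguments; harmless when sourced.
if [ $# -gt 0 ]; then
    safe_chown "$@"
    exit $?
fi
```

With this in place the sudoers entry names the wrapper, not chown, for example (assumed path and group) `%admin ALL=(root) NOPASSWD: /usr/local/sbin/safe-chown`. Users then type `sudo safe-chown bob /home/alice/report.txt`; anything outside /home, any symlink in the path, any `..` component, or any user not on the list is refused before chown ever runs, and each accepted request leaves a syslog line the requester cannot remove through the same wrapper.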