[ale] Allow non-root user to chown file to other user?

Michael Still stillwaxin at gmail.com
Thu Nov 15 15:01:12 EST 2007


Well you asked for it:
[root at host /]# chmod u+s /bin/chown


On Nov 15, 2007 2:44 PM, Jeff Lightner <jlightner at water.com> wrote:
> OK the responses so far did what I was asking not to do - that is they
> are either telling me how to engineer a solution around it or they are
> saying it is a bad idea.
>
> Also one post mentioned "capabilities" which I had broached in my
> original post.  My read of that is it is something set for programs or
> at kernel level not something that is enabled for users.   If the chown
> capability is not on in the kernel then even root couldn't do chown.
> It doesn't seem to really relate to my question - I had gone down that
> path before posting.
>
> Again I am asking if there is a way to allow non-root users to simply
> use the "real" chown command directly.  It just doesn't seem to me that
> this shouldn't be something that is configurable somehow especially
> given that it is configurable on at least two UNIX variants I'm familiar
> with.
>
>
> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
> Thomas Stromberg
> Sent: Thursday, November 15, 2007 2:18 PM
> To: Atlanta Linux Enthusiasts
> Subject: Re: [ale] Allow non-root user to chown file to other user?
>
> Thanks for mentioning this. sudoers allows you to specify exactly what
> chown's would be allowed in this case. I've used this in the past
> where I wanted to allow chown to work on a single file with a single
> destination user.
>
> On 11/15/07, Brian Pitts <brian at polibyte.com> wrote:
> > Thomas Stromberg wrote:
> > > If you really wanted to implement this, you could do so with the
> > > following script. While I know you are not a fan of the sudo approach,
> > > combined with this script, it would be invisible to your users, and
> > > add a syslog entry each time this extended-functionality is used. This
> > > way you can audit any ownership changes you might have.
> > >
> > > -- 8< ---------------------
> > > #!/bin/sh
> > > # This assumes you have configured the "admin" group in sudoers for
> > > # password-less chown.
> > > #
> > > # It's recommended you place this somewhere in path such as /usr/local/bin
> > > # rather than overwriting /usr/sbin/chown, but both will work.
> > >
> > > CHOWN_GROUP="admin"
> > > REAL_CHOWN="/usr/sbin/chown"   # path to the real chown binary
> > > chown_cmd="$REAL_CHOWN"
> > >
> > > # Members of CHOWN_GROUP get the real chown run through sudo;
> > > # everyone else runs it unprivileged.
> > > for group in $(groups)
> > > do
> > >   if [ "$group" = "$CHOWN_GROUP" ]; then
> > >     chown_cmd="sudo $REAL_CHOWN"
> > >   fi
> > > done
> > >
> > > # "$@" preserves arguments containing spaces; an unquoted $* would split them.
> > > $chown_cmd "$@"
> > > -- 8< ---------------------
> > >
> >
> > Until they chown syslog and remove those entries. There's a thread about
> > this issue here.
> >
> > http://lists.debian.org/debian-security/2001/07/msg00160.html
> >
> > The best advice I see is "VERY CAREFULLY construct a wrapper that
> > validates input (i.e. requires absolute paths under a given directory
> > (i.e. /home) w/o symlinks, matches argument against a list of valid
> > files, etc.) and then executes the chown itself, and give the user sudo
> > permission to run the wrapper."
> >
> > -Brian
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> >



-- 
[stillwaxin at gmail.com ~]$ cat .signature
cat: .signature: No such file or directory
[stillwaxin at gmail.com ~]$
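The constrained wrapper that Brian's quoted debian-security advice describes, as an added example that is not code from any poster in this thread. Users get `sudo` rights to this script only, never to `chown` itself; the script refuses anything that is not an absolute, symlink-free path to a regular file under a fixed root, and refuses destination owners outside an allow-list, so the syslog file Brian worries about is never a reachable target. The owner list (`alice bob`), the `/home` root and the `/bin/chown` location are constructed assumptions, not values from the original posts.

```shell
#!/bin/sh
# Added example, not from the thread: a constrained chown wrapper meant to be
# the ONLY command users may run via sudo (e.g. a sudoers rule naming this
# script), so privilege is limited to exactly the checks below.
#
# Assumptions (constructed, not from the original posts): target files live
# under CHOWN_ROOT, no path component may be a symlink, the new owner must be
# in ALLOWED_OWNERS, and the real chown lives at REAL_CHOWN.

CHOWN_ROOT="${CHOWN_ROOT:-/home}"
ALLOWED_OWNERS="${ALLOWED_OWNERS:-alice bob}"   # constructed allow-list
REAL_CHOWN="${REAL_CHOWN:-/bin/chown}"

# Return 0 when "$1" is exactly one of the space-separated words in "$2".
word_in_list() {
    needle=$1
    for w in $2; do
        [ "$w" = "$needle" ] && return 0
    done
    return 1
}

# Return 0 when path "$1" is absolute, has no ".." component, has no symlink
# in ANY component, names a regular file, and sits strictly under CHOWN_ROOT.
validate_path() {
    p=$1
    case $p in
        /*) ;;                              # absolute paths only
        *)  return 1 ;;
    esac
    case $p in
        */../*|*/..|../*) return 1 ;;       # reject dot-dot traversal outright
    esac
    # Walk every prefix of the path: a symlink anywhere (directory or final
    # component) would let a user redirect the chown outside CHOWN_ROOT.
    rest=${p#/}
    prefix=""
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$comp" ] || continue          # tolerate doubled slashes
        prefix="$prefix/$comp"
        [ -L "$prefix" ] && return 1
    done
    [ -f "$p" ] || return 1                 # regular files only: no dirs, devices
    case $p in
        "$CHOWN_ROOT"/*) return 0 ;;        # must be inside the permitted tree
        *)               return 1 ;;
    esac
}

# Return 0 when the whole request (new owner, target file) passes every check.
validate_request() {
    word_in_list "$1" "$ALLOWED_OWNERS" || return 1
    validate_path "$2"
}

# Validate, record the decision in syslog (SUDO_USER is set by sudo, so the
# log names the real requester rather than root), then hand off to chown.
main() {
    owner=$1
    target=$2
    requester=${SUDO_USER:-$(id -un)}
    if ! validate_request "$owner" "$target"; then
        logger -t chown-wrapper "DENIED user=$requester owner=$owner path=$target"
        echo "chown-wrapper: request refused" >&2
        return 1
    fi
    logger -t chown-wrapper "ALLOWED user=$requester owner=$owner path=$target"
    exec "$REAL_CHOWN" -- "$owner" "$target"
}

# With no arguments the script only defines its functions (useful for testing);
# with exactly two it performs the request.
case $# in
    0) ;;
    2) main "$1" "$2" ;;
    *) echo "usage: $0 NEWOWNER ABSOLUTE_PATH_UNDER_$CHOWN_ROOT" >&2; exit 2 ;;
esac
```

Installed as, say, `/usr/local/bin/chown-wrapper` (root-owned, not user-writable) and granted with a sudoers line such as `%admin ALL=(root) NOPASSWD: /usr/local/bin/chown-wrapper`, this gives the audited, user-invisible behaviour Thomas wanted without handing out `chown` itself. One caveat a deployer should weigh: the symlink walk and the final `chown` are two separate steps, so a user who can rename directories under `CHOWN_ROOT` between them still has a narrow window; keeping the permitted tree to directories users cannot restructure, or matching against a fixed list of files as the quoted advice also suggests, closes that gap.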


