Get APLawrence.com by RSS(OLDER) <- More Stuff -> (NEWER) (NEWEST)
Home > Misc. Words > 2005/05/24 restrict_chown, rstchown (restricting users from changing ownership)
Printer Friendly Version
restrict_chown, rstchown (restricting users from changing ownership)
Way back when, chown could be run by everyone. Berkeley Unix saw that as a bad idea and made it root only. Nowadays POSIX says it's up to you.
The default for Unix systems is that users can't change the ownership of files. That's probably the way it should be left, as the ability to do so opens up very bad security issues. Nevertheless, some systems allow this. It may be from a setting in /etc/system:
set rstchown=1
Or, it may be "sysctl" that controls this:
sysctl -a | grep chown fs.xfs.restrict_chown = 1
For these, a setting of 0 would allow non-root users to use chown.
On other systems, this sort of thing is a "privilege": HP-UX setprivgrp lets you control this (and other things) at the group level. Of course this can be allowed through sudo or similar privilege escalation
If this page was useful to you, please click to help others find it:
Your +1's can help friends, contacts, and others on the web find the best stuff when they search.
Inexpensive and informative Apple related e-books:
Customizing Microsoft Office
Take Control of PDFPen-5
Fonts in Leopard
What's New in Word 2004
Apple Mail in Tiger (Leopard version also available)
More Articles by Tony Lawrence - Find me on Google+
Have you tried Searching this site?
Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.
Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.
Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.
We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.
Click here to add your comments
Wed May 25 04:56:15 2005: bela
"Berkeley Unix saw that as a bad idea and made it root only."
That's correct but incomplete. Berkeley introduced per-user filesystem quotas to Unix. The quota system worked by keeping track of how many blocks were owned by each UID on a filesystem. It was necessary to restrict chown() so that users couldn't beat the quota system by giving away their large files to another user with more free quota (or e.g. root, with unlimited quota).
Without restricted chown(), you could make a directory with mode 700 and create world-read/write files in it owned by someone else. You would have full access (including the right to delete the files -- granted by ownership of the parent directory), no quota charge, and nobody else could access the files.
So chown() became a privilege to be won.
>Bela<
Don't miss responses! Subscribe to Comments by RSS or by Email
Click here to add your comments
If you want a picture to show with your comment, go get a Gravatar