APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

2005/05/24 restrict_chown, rstchown (restricting users from changing ownership)

Way back when, chown could be run by everyone. Berkeley Unix saw that as a bad idea and made it root only. Nowadays POSIX says it's up to you.

The default for Unix systems is that users can't change the ownership of files. That's probably the way it should be left, as the ability to do so opens up very bad security issues. Nevertheless, some systems allow this. It may be from a setting in /etc/system:


set rstchown=1
 

Or, it may be "sysctl" that controls this:

sysctl -a | grep chown
fs.xfs.restrict_chown = 1
 

For these, a setting of 0 would allow non-root users to use chown.

On other systems, this sort of thing is a "privilege": HP-UX setprivgrp lets you control this (and other things) at the group level. Of course this can be allowed through sudo or similar privilege escalation



Got something to add? Send me email.





(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> 2005/05/24 restrict_chown, rstchown (restricting users from changing ownership)

1 comment



Increase ad revenue 50-250% with Ezoic


More Articles by

Find me on Google+

© Tony Lawrence







Wed May 25 04:56:15 2005: 568   bela


"Berkeley Unix saw that as a bad idea and made it root only."

That's correct but incomplete. Berkeley introduced per-user filesystem quotas to Unix. The quota system worked by keeping track of how many blocks were owned by each UID on a filesystem. It was necessary to restrict chown() so that users couldn't beat the quota system by giving away their large files to another user with more free quota (or e.g. root, with unlimited quota).

Without restricted chown(), you could make a directory with mode 700 and create world-read/write files in it owned by someone else. You would have full access (including the right to delete the files -- granted by ownership of the parent directory), no quota charge, and nobody else could access the files.

So chown() became a privilege to be won.

>Bela<

------------------------
Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us





If we define Futurism as an exploration beyond accepted limits, then the nature of limiting systems becomes the first object of exploration. (Frank Herbert)





This post tagged: