can't change ownership on files

Rick Stevens rstevens at vitalstream.com
Mon Apr 25 16:54:27 UTC 2005


Waldher, Travis R wrote:
> 
>>-----Original Message-----
>>From: Rick Stevens [mailto:rstevens at vitalstream.com]
>>Sent: Friday, April 22, 2005 4:36 PM
>>To: Getting started with Red Hat Linux
>>Subject: Re: can't change ownership on files
>>
>>>
>>>Ew...
>>>
>>>Beyond that there is no hack/tweak I can make?
>>>
>>>Sudo would basically open up chown/chgrp for any file on local disk, and
>>>any filesystem that is mounted with root level access.  Correct?
>>
>>Yup.  You still haven't said why they need to chown a file.  There is
>>virtually never a good reason to allow that.
>>
>>If people need to share a file, make them all part of the same group and
>>grant rwx group to each file or, alternately, allow the users to join
>>other groups by putting their usernames in /etc/group or allowing the
>>"newgrp" command.
> 
> 
> Well, let's just say that's the way it's always been.  I'm picking other
> battles at the moment and am not ready to attack something like this.

That doesn't make it right and it's dangerous to boot.  "That's the way
we've always done it" is a totally invalid argument when it comes to
security.

> But one example where at least some people need this is version
> control.  When a piece of software is "locked" down, they change the user
> and group from whomever was working it, to a control user and group name
> consisting of the Configuration Management person.

That is what CVS, bitkeeper, SourceSafe (windows) and several other
version control systems are designed to do, Travis.  You know, "check
in", "check out", etc. Works flawlessly, tracks changes permitting
regression, controlled releases, the works.  There is no need to change
ownership of files or anything of that nature.  In fact, I prefer using
a remote CVS machine (you know, a "cvs :pserver:") to archive the code.

> I as an admin do not care to get in the middle of that process, or grant
> them the ability to change ownership of files at a root level through
> sudo.

Then they're stuck.  You, as the admin, are ultimately responsible for
the security and management of the system and the users' files.  As
such, YOU set the rules.  chowning files is NOT a solution.  You must
enforce the use of a true versioning system.  I mean, geeze.  RCS
(revision control system--the predecessor to CVS) was written in the
1970s, for gawd's sake.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-        God is real...........unless declared integer or long       -
----------------------------------------------------------------------
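
The shared-group approach suggested in the message above (one common group with group rwx, no chown and no sudo), as an added example that is not part of the original post. It goes one step further than the message by setting the setgid bit on the directory so new files inherit its group; the function names are hypothetical and GNU `stat` and `find` are assumed.

```sh
#!/bin/sh
# Added example: share files through a common group instead of chown.
# Assumption: the directory's group is one the caller belongs to (in real
# use, a project group the admin created and populated in /etc/group).

# Prepare DIR for sharing: the setgid bit (2) makes new entries inherit
# DIR's group, and 770 gives owner and group rwx while excluding others.
shared_dir_setup() {
    dir=$1
    chmod 2770 "$dir"
}

# Print every entry under DIR that breaks the sharing rule: wrong group,
# or missing group read/write (octal 060). No output means consistent.
shared_dir_audit() {
    dir=$1
    gid=$(stat -c %g "$dir")
    find "$dir" -mindepth 1 \( ! -gid "$gid" -o ! -perm -060 \) -print
}

# Repair what the audit reports, for entries the caller owns. The owner
# of a file may chgrp it to a group they belong to and change its mode;
# neither step needs root, and the file's owner is never changed.
shared_dir_fix() {
    dir=$1
    want=$(stat -c %g "$dir")
    shared_dir_audit "$dir" | while IFS= read -r path; do
        chgrp "$want" "$path" && chmod g+rw "$path"
    done
}
```

Users working in such a directory also need a umask of 007 or 002 so the files they create are group-writable from the start; the audit catches the ones created with a stricter umask.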