changing ownership

Blackburn, Marvin Marvin.Blackburn at glenraven.com
Mon Dec 20 15:13:07 UTC 2004


Ed,
Thanks for your reply.
I agree that the design is flawed; however, it's something that
is difficult to change.

The workaround is something similar to what I was thinking, but yours
is simpler.

Thanks for the response. 

> -----Original Message-----
> From: redhat-list-bounces at redhat.com 
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Ed Wilts
> Sent: Monday, December 20, 2004 9:54 AM
> To: General Red Hat Linux discussion list
> Subject: Re: changing ownership
> 
> On Mon, Dec 20, 2004 at 09:21:37AM -0500, Blackburn, Marvin wrote:
> > I have the need to have a non-privileged user change the ownership of a
> > file or files that he owns, to another non-privileged user.
> > 
> > Redhat does not permit this. 
> 
> Nor should it.  Think about the cases where you have disk quotas in
> effect.  If you allow user x to change ownership of a large file to user
> y, you could potentially block user y from creating any more files on
> the volume and that user may not even be able to find or change the file
> that x changed.
> 
> Think also about the case of a non-privileged user changing the
> ownership of /etc/shadow to himself and then making that file world
> readable or writable.  Your system is now totally compromised.
> 
> > We thought about using sudo, however this could be dangerous.
> > Is there a secure way to do this.
> 
> You'll have to ensure that the script you write is secure.  You must
> have sudo invoke a script of your creation and not allow any user to run
> chown as root (or you could really, really set your system up for
> serious grief).
> 
> In general, I do not believe you need to change ownership of one file to
> another.  Your application design is busted.
> 
> A simple workaround is for x to move the file that needs the ownership
> changed to a temporary directory and grant y access to the file.  Then,
> y can take ownership of that file and move it to the place it should be.
> 
> -- 
> Ed Wilts, RHCE
> Mounds View, MN, USA
> mailto:ewilts at ewilts.org
> Member #1, Red Hat Community Ambassador Program
> 
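Ed's workaround above, as an added shell example that is not part of the thread: the giver's half and the taker's half of the handoff, with no chown anywhere. DROP_DIR (a directory reachable only by x and y, e.g. mode 0770 and group-owned by a group both belong to) and the two function names are assumptions; both halves run as the same user here so the script can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the list thread. Simulates the two roles of
# Ed's workaround. DROP_DIR is an assumed directory shared only by x and y.
set -eu

DROP_DIR="${DROP_DIR:-$(mktemp -d)}"

# Giver (user x): move the file into the drop directory and grant the group
# read access. A move (rename) keeps x as the owner, which is fine here.
handoff_give() {
    src="$1"
    name=$(basename "$src")
    mv -- "$src" "$DROP_DIR/$name"
    chmod 0640 "$DROP_DIR/$name"   # owner rw, group r, others nothing
    printf '%s\n' "$DROP_DIR/$name"
}

# Taker (user y): copy, do not mv. A rename keeps the original inode and
# therefore x's ownership; cp writes a new file that the kernel assigns to
# the caller (y), so y "takes ownership" without any privilege. Removing
# x's copy afterwards needs write permission on DROP_DIR (no sticky bit).
handoff_take() {
    dropped="$1"
    dest="$2"
    cp -- "$dropped" "$dest"
    chmod 0600 "$dest"             # y decides the final mode, not x
    rm -f -- "$dropped"
    [ -O "$dest" ]                 # sanity check: y now owns the result
}
```

The point to notice is the cp in the taker's half: "move it to the place it should be" must be a copy and delete, because a plain mv on the same filesystem leaves the inode, and so the ownership, with x.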