Linux – Bash Way for Unprivileged User to Take Ownership of Directory Contents

chownpermissionssudo

I want a particular user to recursively change owner and group of all the contents of a particular directory, and only that directory. The directory is a kind of "inbox", where a service writes files, and subdirectories.

Currently, I have an administrator sudo chown, but I would prefer the destination owner to do it themselves, without that user having any more permissions then required. Let's say the original owner is "headsman", and the final owner should be "audience". Neither user is in the same group.

sudo chown -R audience:watchers /usr/files/pathofdir
Is not quite right, because I don’t want audience to have unlimited authority to use chown. My first guess was to try to add "audience" to /etc/ sudoers with permission to /usr/bin/chown and /usr/bin/chgrp. But that is too much authority.

I thought of writing a script exclusively for audience, but I don’t know how to make that script have the correct permissions and no more.

What is a good way to do this?

Best Answer

You can specify a full command in sudoers, with arguments and all, in which case the user will have authority to run the specified command only with the specified arguments. So this sudoers entry should solve your problem:

audience  ALL=/usr/bin/chown -R audience\:watchers /usr/files/pathofdir

However, I think you should check out ACLs, as I suspect your problem can be more easily handled with the use of a default ACL on the directory. See this post for an example.

Related Solutions

Security – sudo chown – prevent ../

sudo introduces inherent security risks and it is generally ill advised to give to users that don't have high levels of trust.

Why not limit simply to recursive chown for the parent directory?

sudoers primarily uses globbing. According to the manpage, it doesn't match / on wildcards. More details in the manpage.

As far as a more advanced solution, a script should do the trick.

[root@server wmoore]# egrep '^wmoore' /etc/sudoers
wmoore ALL= NOPASSWD: /bin/chown -[RPfchv] wmoore\:wmoore /home/wmoore/[a-zA-Z0-9]*

[wmoore@server ~]$ sudo -l
User wmoore may run the following commands on this host:
    (root) NOPASSWD: /bin/chown -[RPfchv] wmoore:wmoore /home/wmoore/[a-zA-Z0-9]*

[wmoore@server ~]$ sudo chown -R wmoore:wmoore /home/wmoore/../../tmp/test
Sorry, user wmoore is not allowed to execute '/bin/chown -R wmoore:wmoore /home/wmoore/../../tmp/test' as root on server.

Oh, right. sudo package:

Name        : sudo                         Relocations: (not relocatable)
Version     : 1.6.9p17                          Vendor: CentOS
Release     : 3.el5_3.1                     Build Date: Tue 24 Mar 2009 07:55:42 PM EDT

CentOS5.

Linux – Bash Script To Repair Directory and File Ownership

I think the way you are asking is kind of backwards. You don't want to take each folder and then find the user, rather you want to take the user and find their home folder.

#!/bin/bash
while IFS=':' read -r login pass uid gid uname homedir comment; do 
    echo chown $uid:$gid "$homedir"; 
done < /etc/passwd

You will need to remove the echo of course and you will need to run this with root permissions. I also always recommend a while loop instead of a for loop over ls myself. You can save this loop for doing anything with /etc/passwd.

Best Answer

Related Solutions

Security – sudo chown – prevent ../

Linux – Bash Script To Repair Directory and File Ownership

Related Topic