Linux – chown to a user I can sudo to

Tags: chown, linux, sudo

One of our users who has sudo privileges to multiple non-root users (role accounts for use with particular projects) would like to be able to change ownership of files among those users: e.g., if sudoers looks like

jane ALL=(widget-dev,releng) ALL
jane ALL=(root) rchown

then the user "jane" could use the hypothetical "rchown" (for "restricted chown") utility on files owned by any of jane, widget-dev, and releng to give them to any of those users.

I haven't been able to find an existing utility that does this. One of our users is asking for it and it seems like a reasonable thing to want, but I figured I would ask here and solicit war stories and dire warnings of security nightmares before I dive into writing (two bad ideas):

  1. yet another config file parser
  2. to be run as root.

Edited to add another worry about the logic: we only really want to do this for cases where the user can run ALL commands as the target user… right? Maybe it's never been implemented because it gets bogged down in such thoroughly site-specific questions.

Best Answer

You could do this directly with sudo. When I first started thinking about how to do that, I quickly realized that the number of chowns you would have to specify for n users would be n^2 if you try to map them directly. But you can cut this down to 2n if you require the user to take ownership of each file before re-assigning it. So, your sudoers file might look like this:

User_Alias CHOWNADMIN1 = jane
Cmnd_Alias CHOWNUSR1 = /bin/chown --from widget-dev jane *, /bin/chown --from jane widget-dev *
Cmnd_Alias CHOWNUSR2 = /bin/chown --from releng jane *, /bin/chown --from jane releng *

CHOWNADMIN1     ALL= NOPASSWD: CHOWNUSR1, CHOWNUSR2

With this setup, Jane can now do a two-step process to change ownership:

sudo chown --from widget-dev jane /tmp/foofile
sudo chown --from jane releng /tmp/foofile

Notice that you must restrict this permission with --from, or you open up the possibility of granting the user "jane" the permission to take ownership of files like /etc/shadow or /root/.ssh/id_rsa (that could be bad).

Of course, you could now write a very simple script to automate the chowns. Perhaps something like the following, but with some error checking:

#!/bin/bash
# rchown FROM TO FILE...: move FILE(s) from FROM to TO by way of the caller's account
if [ "$#" -lt 3 ]; then
    echo "usage: $0 FROM TO FILE..." >&2
    exit 2
fi
FROM=$1
shift
TO=$1
shift

# Quote every expansion and pass "$@" (not $*) so file names with spaces survive.
sudo chown --from "$FROM" "$USER" "$@" || exit 1
sudo chown --from "$USER" "$TO" "$@"

And now Jane can run "rchown releng widget-dev /tmp/foofile" or similar.
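The wrapper below is an added example with the error checking the answer leaves out; it is not the answer's script and not part of sudo. It assumes the sudoers rules shown in the answer (the caller may run `chown --from <role> $USER` and `chown --from $USER <role>` for each role account). The ALLOWED_OWNERS list is constructed for the example, the RCHOWN_DRY_RUN switch is hypothetical, and `stat -c %U` is the GNU coreutils form. Because a sudoers `*` matches everything that follows the owner name, the wrapper accepts only plain account names from the allowlist, so nothing option-shaped (`-R`, `--reference=...`) is ever handed to chown as an owner; it also checks each file's current owner before starting, so a batch is never left half-transferred, and it skips whichever step is a no-op when the caller is already the source or the target user.

```bash
#!/bin/bash
# rchown: restricted two-step chown through sudo (added example, not the answer's script).
# Assumes sudoers grants the caller  chown --from <role> $USER *  and  chown --from $USER <role> *
# for every role in ALLOWED_OWNERS, as in the answer above.

# Constructed allowlist; set it to the accounts named in your sudoers rules.
: "${ALLOWED_OWNERS:=jane widget-dev releng}"
# Hypothetical switch: RCHOWN_DRY_RUN=1 prints the sudo commands instead of running them.
: "${RCHOWN_DRY_RUN:=0}"

# Accept only plain account names from the allowlist: rejects the empty string,
# anything chown would read as an option ("-R", "--reference=..."), and unknown users.
is_allowed_owner() {
    local u
    case "$1" in
        ''|-*) return 1 ;;
    esac
    for u in $ALLOWED_OWNERS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# Run (or, in dry-run mode, print) one sudo chown step.
# "--" keeps file names that begin with "-" from being parsed as options.
run_chown() {
    local from="$1" to="$2"
    shift 2
    if [ "$RCHOWN_DRY_RUN" = 1 ]; then
        printf 'sudo chown --from %s %s -- %s\n' "$from" "$to" "$*"
    else
        sudo chown --from "$from" "$to" -- "$@"
    fi
}

# rchown FROM TO FILE...
rchown() {
    if [ "$#" -lt 3 ]; then
        echo "usage: rchown FROM TO FILE..." >&2
        return 2
    fi
    local from="$1" to="$2" me="${USER:-$(id -un)}" f owner
    shift 2
    if ! is_allowed_owner "$from" || ! is_allowed_owner "$to"; then
        echo "rchown: owners must be one of: $ALLOWED_OWNERS" >&2
        return 1
    fi
    # Refuse up front if any file is not owned by FROM; chown --from would
    # silently skip such files and leave the batch half-transferred.
    for f in "$@"; do
        owner=$(stat -c %U -- "$f") || return 1
        if [ "$owner" != "$from" ]; then
            echo "rchown: $f is owned by $owner, not $from" >&2
            return 1
        fi
    done
    # Step 1: take the files yourself (skipped when you already own them).
    if [ "$from" != "$me" ]; then
        run_chown "$from" "$me" "$@" || return 1
    fi
    # Step 2: hand them to the target user (skipped when the target is you).
    if [ "$to" != "$me" ]; then
        run_chown "$me" "$to" "$@" || return 1
    fi
}

# Entry point when executed as a script, e.g.: rchown releng widget-dev /tmp/foofile
if [ "$#" -gt 0 ]; then
    rchown "$@"
fi
```

Run it with RCHOWN_DRY_RUN=1 first to see exactly which two sudo invocations it would issue; the sudoers rules, not the wrapper, remain the actual security boundary, since the user can always call sudo chown directly within whatever those rules allow.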