Linux – How to have multiple users access to chmod() the same file

Tags: chmod, gnu, linux, posix, setfacl

I have a system where multiple users are running an application that chmods the same file. I've tried using setfacl to add both users as user owners of the file to do this, but it doesn't work. The application errors out because the chmod system call fails.

See example:

[jacob@macbook-debian ~/Projects/test] getfacl bin/testfile
# file: bin/testfile
# owner: root
# group: root
user::rwx
user:jacob:rwx
user:jason:rwx
group::r-x
group:www-data:rwx
mask::rwx
other::r-x


[jacob@macbook-debian ~/Projects/test] chmod 0755 bin/testfile
chmod: changing permissions of 'bin/testfile': Operation not permitted

Best Answer

With Linux ACLs, when adding users you do not add them as owners of the file. It's just the privilege to open/modify and write to that file.
When invoking chown or chmod, the effective user ID will be e.g. jacob, and that one will be matched against the value in owner. If that does not match, your command will fail.

From man 2 chmod:

The effective UID of the calling process must match the owner of the file, or the process must be privileged (Linux: it must have the CAP_FOWNER capability).

An alternative would be to set the capability as described on the calling process/binary chmod. But this would open up a big security issue, as everybody could use this command to change permissions.
Here is a thread about more fine-grained capability access for users, but it seems not very straightforward.

Depending on the constraints of your use case, you might want to add sudo rules for the users to make use of chmod, or you could evaluate why the users have to run chmod on files they don't own. Maybe using umask during file creation is sufficient.

If your users belong to a group that has write permissions on the directory, you also could copy the file in question, remove the original and move the copy to the original name. This would result in the user owning the copied file and being able to chmod it.

[user@localhost testdir]$ ll
total 12K
drwxrwxr-x  2 root user 4.0K Jul 14 11:49 .
drwxr-xr-x  3 user user 4.0K Jul 14 11:47 ..
-rw-rw----+ 1 root user    5 Jul 14 11:41 testfile
[user@localhost testdir]$ getfacl testfile 
# file: testfile
# owner: root
# group: user
user::rw-
user:user:rw-
group::rw-
group:user:rw-
mask::rw-
other::---

[user@localhost testdir]$ chmod 777 testfile
chmod: changing permissions of 'testfile': Operation not permitted
[user@localhost testdir]$ cp -a testfile testfile.copy
[user@localhost testdir]$ getfacl *
# file: testfile
# owner: root
# group: user
user::rw-
user:user:rw-
group::rw-
group:user:rw-
mask::rw-
other::---

# file: testfile.copy
# owner: user
# group: user
user::rw-
user:user:rw-
group::rw-
group:user:rw-
mask::rw-
other::---

[user@localhost testdir]$ mv testfile.copy testfile
[user@localhost testdir]$ ll
total 12K
drwxrwxr-x  2 root user 4.0K Jul 14 11:50 .
drwxr-xr-x  3 user user 4.0K Jul 14 11:47 ..
-rw-rw----+ 1 user user    5 Jul 14 11:41 testfile

[user@localhost testdir]$ chmod 777 testfile
[user@localhost testdir]$ ll
total 12K
drwxrwxr-x  2 root user 4.0K Jul 14 11:50 .
drwxr-xr-x  3 user user 4.0K Jul 14 11:47 ..
-rwxrwxrwx+ 1 user user    5 Jul 14 11:41 testfile
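An added example (not from the question or the answer above) that models the chmod(2) ownership rule quoted from the man page and automates the copy-and-rename workaround, with its caveats in the comments. The names chmod_allowed, chmod_or_replace and run_demo are mine, and the demo uses a file the caller already owns, since creating a root-owned file needs privileges.

```python
import os
import shutil
import stat
import tempfile


def chmod_allowed(file_uid: int, euid: int, has_cap_fowner: bool = False) -> bool:
    """The rule from man 2 chmod: the effective UID must equal the file's
    owner UID, or the caller must hold CAP_FOWNER. ACL entries such as
    user:jacob:rwx never enter into this decision."""
    return has_cap_fowner or file_uid == euid


def chmod_or_replace(path: str, mode: int, force_replace: bool = False) -> str:
    """Apply `mode` to `path`. If the caller owns the file, chmod in place.
    Otherwise (or when force_replace is set, for testing) use the answer's
    workaround: copy, set the mode on the copy, rename it over the original.
    Returns "chmod" or "replace" to report which path was taken."""
    if not force_replace and chmod_allowed(os.stat(path).st_uid, os.geteuid()):
        os.chmod(path, mode)
        return "chmod"
    directory = os.path.dirname(os.path.abspath(path))
    # Caveats of the workaround: the rename needs write permission on the
    # directory; a sticky-bit directory (e.g. /tmp) refuses to replace a file
    # owned by someone else; the result is a new inode, so hard links to the
    # old file keep the old content; and the owner becomes the caller.
    fd, tmp = tempfile.mkstemp(prefix=".chmod-", dir=directory)
    os.close(fd)
    try:
        shutil.copy2(path, tmp)   # data and timestamps, not the original owner
        os.chmod(tmp, mode)
        os.replace(tmp, path)     # atomic rename over the original name
    except BaseException:
        os.unlink(tmp)            # only reached if the rename did not happen
        raise
    return "replace"


def run_demo() -> dict:
    """Constructed scenario: a file we own, exercising both code paths."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "testfile")
        with open(path, "w") as f:
            f.write("hello")
        first = chmod_or_replace(path, 0o755)
        mode1 = stat.S_IMODE(os.stat(path).st_mode)
        second = chmod_or_replace(path, 0o640, force_replace=True)
        st = os.stat(path)
        with open(path) as f:
            content = f.read()
        return {"first": first, "mode1": mode1, "second": second,
                "mode2": stat.S_IMODE(st.st_mode), "content": content,
                "owner_is_me": st.st_uid == os.geteuid(),
                "leftovers": [n for n in os.listdir(d) if n != "testfile"]}
```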