LinuxQuestions.org

Linux - Newbie forum thread: Can you make any files and folders created within a directory owned by another user?? (https://www.linuxquestions.org/questions/linux-newbie-8/can-you-make-any-files-and-folders-created-within-a-directory-owned-by-another-user-606556/)

helptonewbie 12-13-2007 10:57 AM

Can you make any files and folders created within a directory owned by another user??
 
Hi,
All I'm trying to do is, regardless of what user creates a file or folder inside a specific directory, for it to not be owned by that user but by a user I specify.

Is this possible? Almost like umask, but obviously with the owner UID instead.

Cheers

pljvaldez 12-13-2007 11:18 AM

I think you just have to setuid on the directory and all files will be created as if they were made by the user/group of the directory.

matthewg42 12-13-2007 11:50 AM

To create a file in a directory, you need to be able to read, write and execute the directory itself.

Permissions are split into three groups of users:
  1. owner (or user) - the person who owns the file/directory
  2. group - members of the group setting for the file/directory
  3. others - anyone else on the system

The easiest way for user B to allow user A to create, modify or delete files in their home directory is to say that others (i.e. anyone on the system) should have read, write and execute permission on their home directory. However, this is not good practice - as a general rule you should try to give away permissions to the minimum number of users possible.

A better approach is to have the system administrator create a new group on the system, and to add this group to the supplemental groups list for both your users (and any other user with whom you want to share the files).

Then create a sub-directory in the home directory of the user, and set the permissions and group setting of this new directory such that members of this new group can write there.

Let's say the two user names are bob and dobb. These commands should be executed. In this example commands prefixed with # are to be run by the root user. Commands prefixed by bob$ are to be executed by user bob, and those prefixed with dobb$ are to be run by user dobb:
Code:

# groupadd bobdobb
# usermod -aG bobdobb dobb
# usermod -aG bobdobb bob

Then log in as dobb... if you were already logged in, log out
and log back in for the new setting to take effect.

dobb$ mkdir $HOME/shared
dobb$ chgrp bobdobb $HOME/shared
dobb$ chmod ug+rwx $HOME/shared
dobb$ chmod o-rwx $HOME/shared

Now user bob can create and modify files in the shared sub-directory in dobb's home directory.

It is unwise to give write permission to the HOME directory because there is potential for bob to accidentally mess up dobb's login files if this is done, and that could be annoying.

Note that the chmod command is the one which sets the permissions. The ug+rwx means "for the user (u) and group (g) add (+) the permission to read (r), write (w) and execute (x)". The o-rwx in the last command says, "for other users (o), deny (-) permission to read, write and execute".

There is an alternative way to use chmod using a different notation. This is a little harder to work out, but can often save time. The two chmod commands above can be rewritten into one chmod command like this:
Code:

chmod 770 $HOME/shared

Please see the chmod manual page for more information.
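A runnable version of the group-share recipe above, added here as an example and not matthewg42's own commands. It differs from the post in two ways: it runs without root by reusing the caller's primary group (groupadd and usermod need root), and it sets mode 2770 rather than 770, i.e. it adds the setgid bit so that files and sub-directories created inside inherit the directory's group. The function names, the temporary paths and the check that the directory is closed to others are this example's own.

```shell
#!/bin/sh
# Added example (not the post's commands): a group-writable shared
# directory with the setgid bit, built and verified as an ordinary user
# inside a temporary directory. The caller's primary group stands in for
# the "bobdobb" group of the post because creating groups needs root.

# shared_dir_setup DIR GROUP
# 2770 is the octal spelling of: ug+rwx, o-rwx, plus g+s (setgid on a
# directory: new entries get the directory's group, not the creator's).
shared_dir_setup() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2770 "$1"
}

# owner_group PATH  -> the group that owns PATH (4th field of ls -ld)
owner_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# mode_string PATH  -> the 10-character type+permission string, e.g. drwxrws---
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# shared_dir_check DIR GROUP
# Prints "ok" when DIR belongs to GROUP, is closed to others and carries
# the setgid bit (drwxrws---); otherwise prints what is wrong and returns 1.
shared_dir_check() {
    [ "$(owner_group "$1")" = "$2" ] || { echo "wrong group: $(owner_group "$1")"; return 1; }
    case $(mode_string "$1") in
        drwxrws---) echo ok ;;
        *)          echo "unexpected mode: $(mode_string "$1")"; return 1 ;;
    esac
}

# Demo: set up a share, create a sub-directory and a file inside it, and
# show that both inherit the directory's group and that the sub-directory
# also inherits the setgid bit, so the rule keeps applying further down.
demo() {
    base=$(mktemp -d)
    grp=$(id -gn)                      # stand-in for the bobdobb group
    share=$base/shared
    shared_dir_setup "$share" "$grp"
    shared_dir_check "$share" "$grp"
    mkdir "$share/sub"
    : > "$share/sub/report.txt"
    [ -g "$share/sub" ] && echo "sub-directory inherited setgid"
    echo "file group: $(owner_group "$share/sub/report.txt")"
    rm -rf "$base"
}

demo
```

One caveat worth knowing when checking such a directory: with GNU coreutils, `chmod 770` on a directory that already has the setgid bit leaves that bit in place (a three- or four-digit numeric mode does not "mention" it); clear it explicitly with `chmod g-s` or `chmod =770`. The `shared_dir_check` function above reports the actual mode string, so it catches either outcome.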

Tinkster 12-13-2007 12:01 PM

Quote:

Originally Posted by pljvaldez (Post 2989532)
I think you just have to setuid on the directory and all files will be created as if they were made by the user/group of the directory.

That only works for groups, not users. I guess the rationale
behind this is two-fold:
a) On systems with quotas a user can't cheat by making files
owned by someone else.
b) If a file is executable and malicious, you have an "audit
trail", kind of, as to how the file got there. It's either
the owner or root who did it.


Cheers,
Tink

pljvaldez 12-13-2007 12:08 PM

Quote:

Originally Posted by Tinkster (Post 2989576)
That only works for groups, not users. I guess the rationale
behind this is two-fold:
a) On systems with quotas a user can't cheat by making files
owned by someone else.
b) If a file is executable and malicious, you have an "audit
trail", kind of, as to how the file got there. It's either
the owner or root who did it.


Cheers,
Tink

I stand corrected. Apparently FreeBSD can be set up to allow setuid on directories, but Unix and Linux ignore it.

helptonewbie 12-13-2007 12:46 PM

Thanks for the replies, I already knew that SGID works for groups but the SUID bit unfortunately doesn't do the same. PLUS SUID can be not great for security if mistakes are made; play with SUID very carefully, especially executable binaries!!

It's a pain that Linux and Unix just this once aren't doing the same as BSD on this occasion; it would have made things simple. As I don't want to have to write a script that performs chown -R user:group /folder and then cron it or similar, this is out of the question.

But in answer to my question, I guess it's not possible to have any user within a directory creating files/folders and for the owner to be overridden??? The first thing I did look into was of course SUID.

Is it possible to do this by partition and fstab? Can you have a partition created where everything must be owned, and automatically is owned, by a specific user? Then I could just create a partition for that directory and mount it correctly, although to be honest I know a little about most options of mount and I'm pretty sure there is nothing there that will help in my case (I would have tried it already otherwise).
????????????????????????
Cheers

rupertwh 12-13-2007 01:09 PM

Hi,

out of mere curiosity: Why would you need all files owned by the same user?

helptonewbie 12-13-2007 03:17 PM

Having files owned by a different user stops the possibilities of several things:-
No user is able to change permissions of those files and folders, as only the owner is able to do so, meaning only the owner and root could edit the permissions, which is fine. Group would still be able to create/delete files etc., so the sticky bit is useless, but group couldn't edit permissions, which is important; it means stupid people can't make a mistake on something they don't understand. Also, because FTP clients are able to change permissions on files as they are uploaded, and people can have these set incorrectly, permissions are constantly being set differently and incorrectly all over, and it would be much simpler if, no matter what FTP client was used or how the files/folders are uploaded, they were all of the same owner, group and permission bits. That would make sure all people in the group always have rwx, so anyone in the group can delete, edit or whatever, but they are unable to change the octal permissions on the files and folders.

Tinkster 12-13-2007 04:02 PM

Quote:

Originally Posted by helptonewbie (Post 2989616)
Thanks for the replies, I already knew that SGID works for groups but the SUID bit unfortunately doesn't do the same. PLUS SUID can be not great for security if mistakes are made; play with SUID very carefully, especially executable binaries!!

It's a pain that Linux and Unix just this once aren't doing the same as BSD on this occasion; it would have made things simple. As I don't want to have to write a script that performs chown -R user:group /folder and then cron it or similar, this is out of the question.

But in answer to my question, I guess it's not possible to have any user within a directory creating files/folders and for the owner to be overridden??? The first thing I did look into was of course SUID.

Is it possible to do this by partition and fstab? Can you have a partition created where everything must be owned, and automatically is owned, by a specific user? Then I could just create a partition for that directory and mount it correctly, although to be honest I know a little about most options of mount and I'm pretty sure there is nothing there that will help in my case (I would have tried it already otherwise).
????????????????????????
Cheers

I still don't understand why you're hung up on the user.
If you make a directory owned by a group that all users
are in, and make it g=srwX all users will have permission
to read, write and delete stuff, and things inside that
dir will be owned by the same group with the same perms
(I think - haven't tested that). The next best thing would
be to create a samba share and mount it locally.




Cheers,
Tink

helptonewbie 12-13-2007 04:25 PM

Quote:

I still don't understand why you're hung up on the user.
If you make a directory owned by a group that all users
are in, and make it g=srwX all users will have permission
to read, write and delete stuff, and things inside that
dir will be owned by the same group with the same perms
(I think - haven't tested that). The next best thing would
be to create a samba share and mount it locally.
Is absolutely correct... However, users adding files and folders inside that directory are able to change permissions on the files and folders because they will own them; therefore, accidentally or on purpose, they can remove write permission from the group, or the FTP client will edit permissions in such a way that the file will end up with incorrect permissions, and that means extra administration work because it would require me to go in on the server and change everything to what it needs to be.

Samba is OK, but it's a web server and there isn't a need for Samba just for a job like this; plus it's then one extra service that requires setting up, configuring and securing like normal.

What about another idea: to have users log in, but at the OS level have them logged in actually as a different user (say xxx), which would be this other user (xxx) that I want to own all the files. This is no privileged user (xxx), so doing this won't grant any ridiculous access rights, so that's OK. And hopefully the logging of changes will take place as normal and it will be logged as the actual user logged in, recording what they do (files changed, deleted etc.) and not show up as the user (xxx) that's making the changes. That would get me the logging I require for each individual user; the files created are all owned by this (xxx) user and the group is of course set via SGID. Basically along the lines of a virtual user system. Would that work, and how would you set that up? (Can you have virtual users inside basically the local users area, if that makes any sense?)

Regards
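The detection side of the drift problem helptonewbie describes above (a group member or an FTP client changing the mode of a file it owns, so the rest of the group loses access), added here as an example and not from the thread: walk the shared tree and list every entry whose group, group read/write bits or, for directories, setgid bit no longer match the policy. The function name `audit_share`, the finding labels and the constructed sample tree are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a shared directory tree for
# permission drift. Each finding is one line:
#   GROUP <path>    entry is not owned by the expected group
#   GWRITE <path>   group lacks read+write on the entry
#   SETGID <path>   a directory lost its setgid bit, so new files created
#                   inside it will no longer inherit the group
# audit_share DIR GROUP -> prints sorted findings and returns 1 when any
# were found; prints nothing and returns 0 when the tree is clean.
audit_share() {
    dir=$1; grp=$2
    findings=$(
        find "$dir" ! -group "$grp" -print          | sed 's/^/GROUP /'
        find "$dir" ! -perm -g+rw -print            | sed 's/^/GWRITE /'
        find "$dir" -type d ! -perm -g+s -print     | sed 's/^/SETGID /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sort
    return 1
}

# Demo on a constructed tree: one file and one sub-directory have been
# chmod'ed the way a careless client would, the rest follow the policy.
demo() {
    base=$(mktemp -d)
    grp=$(id -gn)                                 # stand-in for the shared group
    share=$base/share
    mkdir "$share"; chmod 2770 "$share"
    : > "$share/good.txt"; chmod 660 "$share/good.txt"
    : > "$share/bad.txt";  chmod 644 "$share/bad.txt"   # group lost write
    mkdir "$share/sub";    chmod g-ws "$share/sub"       # lost g+w and setgid
    echo "findings before repair:"
    audit_share "$share" "$grp" || true
    chmod 660 "$share/bad.txt"; chmod 2770 "$share/sub"
    audit_share "$share" "$grp" && echo "tree is clean after repair"
    rm -rf "$base"
}

demo
```

Run it from cron against the real share and mail the output; an empty report means no drift. The repair step is deliberately separate from the audit so that the audit can run under an account that only has read access.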

Tinkster 12-13-2007 06:01 PM

Quote:

Originally Posted by helptonewbie (Post 2989843)
What about another idea: to have users log in, but at the OS level have them logged in actually as a different user (say xxx), which would be this other user (xxx) that I want to own all the files. This is no privileged user (xxx), so doing this won't grant any ridiculous access rights, so that's OK. And hopefully the logging of changes will take place as normal and it will be logged as the actual user logged in, recording what they do (files changed, deleted etc.) and not show up as the user (xxx) that's making the changes. That would get me the logging I require for each individual user; the files created are all owned by this (xxx) user and the group is of course set via SGID. Basically along the lines of a virtual user system. Would that work, and how would you set that up? (Can you have virtual users inside basically the local users area, if that makes any sense?)

Regards

That would certainly work, and many ftp daemons support authentication
e.g. for users defined in some database. All the files would be actually
owned by the daemon's owner, and you'd have a nice audit-trail in the
database as to who did what when :}




Cheers,
Tink

helptonewbie 12-14-2007 06:45 AM

Hey Tink,
On actual second thoughts, and half way through setting it up, this wouldn't get me what I desire: if the virtual users were logging in and became the same user as the owner of the files, this is no good, as the user is still able to edit permissions etc., as they will have effective owner rights over all the files, putting me in a worse-off position compared to before. What about ACLs? Is there anything there which can forcibly override the owners of files inside a directory??

I'm running out of ideas here
Cheers

Tinkster 12-14-2007 12:22 PM

How about we tackle this the other way round. You tell us which ftp
daemons you're comfortable with, and then look at their capabilities.

I haven't personally used ftp in a long time, but I recall that various
daemons will allow you to restrict what the user can do, e.g. the
process (still using virtual users) can stop them from modifying perms.


Cheers,
Tink

helptonewbie 12-14-2007 04:21 PM

I'd be comfortable with any ftp daemons; I'd download it and just start mucking around with it to learn it, so I'm not bothered what I use. I am currently on vsftpd, which seems quite reasonable and has some cool little tricks. And yes, I found that earlier today: I started looking for workarounds and found out that I could set like no chmod or something, and then it was a matter of setting the umask, which was never working properly with vsftpd (very weird behaviour) until setting another parameter that makes it behave as it should, which is a little weird way of doing it and difficult to unravel to know what the issue was when just using a umask on its own, but got there in the end. I think I may have come up with another method now, therefore possibly not requiring changing of the owner per file. Thanks for the help, and if this idea I haven't tested yet doesn't work I'll Be Back

Cheers!!
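The settings helptonewbie is circling in the post above are, in vsftpd's own vocabulary, `chmod_enable` (whether clients may issue SITE CHMOD), `local_umask` and `file_open_mode`: vsftpd creates an upload with mode `file_open_mode & ~local_umask`, so changing the umask alone never yields group write while `file_open_mode` still carries no group bits. The check below is an added example, not from the thread or the vsftpd project: it reads a vsftpd.conf, computes the effective upload mode and reports when SITE CHMOD is still allowed or the group bits the share needs are missing. The function names and the two constructed config fragments are this example's own; the option names and their defaults (0666 and 077) are vsftpd's.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a vsftpd.conf enforces
# "group can read/write every upload, nobody can chmod it" by checking
#   chmod_enable    YES/NO  - SITE CHMOD allowed for local users (default YES)
#   file_open_mode  octal   - base mode of uploaded files     (default 0666)
#   local_umask     octal   - mask applied on top of it        (default 077)
# Effective upload mode in vsftpd: file_open_mode & ~local_umask.

# conf_get FILE KEY -> value of the last "KEY=value" line, empty if unset
# (vsftpd.conf has no spaces around "="; comment lines start with "#")
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# upload_mode FILE -> effective mode of a new upload, e.g. 0660
upload_mode() {
    base=$(conf_get "$1" file_open_mode); base=${base:-0666}
    mask=$(conf_get "$1" local_umask);    mask=${mask:-077}
    printf '%04o\n' $(( 0$base & ~0$mask ))
}

# check_vsftpd_conf FILE GROUPBITS
# GROUPBITS is the octal subset uploads must carry, e.g. 060 for group rw.
# Prints "ok" and returns 0 when SITE CHMOD is disabled and uploads carry
# GROUPBITS; otherwise prints each problem and returns 1.
check_vsftpd_conf() {
    rc=0
    if [ "$(conf_get "$1" chmod_enable)" != "NO" ]; then
        echo "chmod_enable is not NO: clients can change permissions"; rc=1
    fi
    mode=$(upload_mode "$1")
    if [ $(( 0$mode & 0$2 )) -ne $(( 0$2 )) ]; then
        echo "uploads get mode $mode; required group bits $2 missing"; rc=1
    fi
    [ $rc -eq 0 ] && echo ok
    return $rc
}

# Demo: a weak fragment (defaults) beside the hardened one.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed vsftpd.conf fragment: weak, everything left at defaults
listen=YES
local_enable=YES
write_enable=YES
EOF
    echo "weak config:";     check_vsftpd_conf "$f" 060 || true
    cat > "$f" <<'EOF'
# constructed vsftpd.conf fragment: hardened for a group share
listen=YES
local_enable=YES
write_enable=YES
chmod_enable=NO
file_open_mode=0666
local_umask=007
EOF
    echo "hardened config:"; check_vsftpd_conf "$f" 060
    rm -f "$f"
}

demo
```

The hardened fragment gives every upload mode 0660 and removes the client's ability to change it afterwards; combined with a setgid directory owned by the share's group, that covers the two sources of drift described earlier in the thread without changing file ownership.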

