LinuxQuestions.org
Old 12-13-2007, 10:57 AM   #1
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 518

Rep: Reputation: 39
Question Can you make any files and folders created within a directory owned by another user??


Hi,
All I'm trying to do is, regardless of what user creates a file or folder inside a specific directory, for it to not be owned by that user but by a user I specify.

Is this possible, almost like umask but obviously with owner UID instead?

Cheers
 
Old 12-13-2007, 11:18 AM   #2
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 271
I think you just have to setuid on the directory and all files will be created as if it were made by that user/group of the directory.
 
Old 12-13-2007, 11:50 AM   #3
matthewg42
Senior Member
 
Registered: Oct 2003
Location: UK
Distribution: Kubuntu 12.10 (using awesome wm though)
Posts: 3,530

Rep: Reputation: 63
To create a file in a directory, you need to be able to read, write and execute the directory itself.

Permissions are split into three groups of users:
  1. owner (or user) - the person who owns the file/directory
  2. group - members of the group setting for the file/directory
  3. others - anyone else on the system

The easiest way for user B to allow user A to create, modify or delete files in their home directory is to say that others (i.e. anyone on the system) should have read, write and execute permission on their home directory. However, this is not good practice - as a general rule you should try to give away permissions to the minimum number of users possible.

A better approach is to have the system administrator create a new group on the system, and to add this group to the supplemental groups list for both your users (and any other user with whom you want to share the files).

Then create a sub-directory in the home directory of the user, and set the permissions and group setting of this new directory such that members of this new group can write there.

Let's say the two user names are bob and dobb. These commands should be executed. In this example, commands prefixed with # are to be run by the root user. Commands prefixed by bob$ are to be executed by user bob, and those prefixed with dobb$ are to be run by user dobb:
Code:
# groupadd bobdobb
# usermod -aG bobdobb dobb
# usermod -aG bobdobb bob

Then log in as dobb... if you were already logged in, log out 
and log back in for the new setting to take effect.

dobb$ mkdir $HOME/shared
dobb$ chgrp bobdobb $HOME/shared
dobb$ chmod ug+rwx $HOME/shared
dobb$ chmod o-rwx $HOME/shared
Now user bob can create and modify files in the shared sub-directory in dobb's home directory.

It is unwise to give write permission to the HOME directory because there is potential for bob to accidentally mess up dobb's log in files if this is done, and that could be annoying.

Note that the chmod command is the one which sets the permissions. The ug+rwx means "for the user (u) and group (g) add (+) the permission to read (r), write (w) and execute (x)". The o-rwx in the last command says, "for other users (o), deny (-) permission to read, write and execute".

There is an alternative way to use chmod using a different notation. This is a little harder to work out, but can often save time. The two chmod commands above can be re-written into one chmod command like this:
Code:
chmod 770 $HOME/shared
Please see the chmod manual page for more information.
 
Old 12-13-2007, 12:01 PM   #4
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910
Quote:
Originally Posted by pljvaldez View Post
I think you just have to setuid on the directory and all files will be created as if it were made by that user/group of the directory.
That only works for groups, not users. I guess the rationale
behind this is two-fold:
a) On systems with quotas a user can't cheat by making files
owned by someone else.
b) If a file is executable and malicious, you have an "audit
trail", kind of, as to how the file got there. It's either
the owner or root who did it.


Cheers,
Tink
 
Old 12-13-2007, 12:08 PM   #5
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 271
Quote:
Originally Posted by Tinkster View Post
That only works for groups, not users. I guess the rationale
behind this is two-fold:
a) On systems with quotas a user can't cheat by making files
owned by someone else.
b) If a file is executable and malicious, you have an "audit
trail", kind of, as to how the file got there. It's either
the owner or root who did it.


Cheers,
Tink
I stand corrected. Apparently FreeBSD can be set up to allow setuid on directories, but Unix and Linux ignore it.
 
Old 12-13-2007, 12:46 PM   #6
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 518

Original Poster
Rep: Reputation: 39
Thanks for the replies. I already knew that SGID works for groups, but the SUID bit unfortunately doesn't do the same. PLUS SUID can be not great for security if mistakes are made; play with SUID very carefully, especially executable binaries!!

It's a pain that Linux and Unix just this once aren't doing the same as BSD on this occasion; it would have made things simple. As I don't want to have to write a script that performs chown -R user:group /folder and then cron it or similar, this is out of the question.

But in answer to my question, I guess it's not possible to have any user within a directory creating files/folders??? and for the owner to be overridden, as the first thing I did look into was of course SUID.

Is it possible to do this by partition and fstab? Can you have a partition created where everything must be owned, and automatically is owned, by a specific user? Then I could just create a partition for that directory and mount it correctly, although to be honest I know a little about most options of mount and I'm pretty sure there is nothing there that will help in my case (I would have tried it already otherwise).
????????????????????????
Cheers

Last edited by helptonewbie; 12-13-2007 at 12:52 PM.
 
Old 12-13-2007, 01:09 PM   #7
rupertwh
Member
 
Registered: Sep 2006
Location: Munich, Germany
Distribution: Debian / Ubuntu
Posts: 297

Rep: Reputation: 49
Hi,

out of mere curiosity: Why would you need all files owned by the same user?
 
Old 12-13-2007, 03:17 PM   #8
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 518

Original Poster
Rep: Reputation: 39
Having files owned by a different user stops the possibility of several things:
No user is able to change permissions of those files and folders, as only the owner is able to do so, meaning only the owner and root could edit the permissions, which is fine. Group would still be able to create/delete files etc., so the sticky bit is useless, but group couldn't edit permissions, which is important; it means stupid people can't make a mistake on something they don't understand. Also, because the FTP clients are able to change permissions on files as they are uploaded, and people can have these set incorrectly, permissions are constantly being set differently and incorrectly all over. It would be much simpler if, no matter what FTP client was used or how the files/folders are uploaded, they all had the same owner, group and permission bits. That makes sure all people in the group always have rwx, so anyone in the group can delete, edit or whatever, but are unable to change the octal permissions on the files and folders.
 
Old 12-13-2007, 04:02 PM   #9
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910
Quote:
Originally Posted by helptonewbie View Post
Thanks for the replies. I already knew that SGID works for groups, but the SUID bit unfortunately doesn't do the same. PLUS SUID can be not great for security if mistakes are made; play with SUID very carefully, especially executable binaries!!

It's a pain that Linux and Unix just this once aren't doing the same as BSD on this occasion; it would have made things simple. As I don't want to have to write a script that performs chown -R user:group /folder and then cron it or similar, this is out of the question.

But in answer to my question, I guess it's not possible to have any user within a directory creating files/folders??? and for the owner to be overridden, as the first thing I did look into was of course SUID.

Is it possible to do this by partition and fstab? Can you have a partition created where everything must be owned, and automatically is owned, by a specific user? Then I could just create a partition for that directory and mount it correctly, although to be honest I know a little about most options of mount and I'm pretty sure there is nothing there that will help in my case (I would have tried it already otherwise).
????????????????????????
Cheers
I still don't understand why you're hung-up on the user.
If you make a directory owned by a group that all users
are in, and make it g=srwX all users will have permission
to read, write and delete stuff, and things inside that
dir will be owned by the same group with the same perms
(I think - haven't tested that). The next best thing would
be to create a samba share and mount it locally.




Cheers,
Tink
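The setgid-directory behaviour discussed in the post above, as an added example that is not part of the original thread: it creates a throwaway directory with the setgid bit and reports what a new file and sub-directory inherit. It assumes Linux with GNU or BusyBox `stat -c`; the function name `demo_setgid` and the paths `shared`, `upload.txt` and `sub` are constructed for the illustration.

```shell
#!/bin/sh
# Added example: what a setgid directory does and does not pass on.
# Runs unprivileged inside a temp directory; all names are constructed.

# demo_setgid UMASK -> prints "<owner> <group> <file mode> <subdir mode>"
demo_setgid() {
    (
        umask "$1"
        base=$(mktemp -d) || exit 1
        trap 'rm -rf "$base"' EXIT

        shared="$base/shared"
        mkdir "$shared"
        chmod 2770 "$shared"        # rwxrws---: setgid bit on the directory

        : > "$shared/upload.txt"    # stands in for a file dropped by a group member
        mkdir "$shared/sub"

        dir_gid=$(stat -c %g "$shared")
        file_uid=$(stat -c %u "$shared/upload.txt")
        file_gid=$(stat -c %g "$shared/upload.txt")

        # The owner is always the creating user; setgid never changes that,
        # so the creator can still chmod the file afterwards.
        [ "$file_uid" = "$(id -u)" ] && owner=creator || owner=other
        # The group is copied from the directory.
        [ "$file_gid" = "$dir_gid" ] && group=inherited || group=not-inherited

        # Permission bits come from the creator's umask, not from the
        # directory; only sub-directories pick up the setgid bit itself.
        echo "$owner $group $(stat -c %a "$shared/upload.txt") $(stat -c %a "$shared/sub")"
    )
}

demo_setgid 027   # restrictive umask: group loses write on new files
demo_setgid 007   # group-friendly umask: group keeps read/write
```

The group is inherited in both runs, while the permission bits follow the creator's umask and the owner remains whoever created the file.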
 
Old 12-13-2007, 04:25 PM   #10
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 518

Original Poster
Rep: Reputation: 39
Quote:
I still don't understand why you're hung-up on the user.
If you make a directory owned by a group that all users
are in, and make it g=srwX all users will have permission
to read, write and delete stuff, and things inside that
dir will be owned by the same group with the same perms
(I think - haven't tested that). The next best thing would
be to create a samba share and mount it locally.
Is absolutely correct... however, users adding files and folders inside that directory are able to change permissions on the files and folders because they will own them. They can therefore, accidentally or on purpose, remove write permission for the group, or the FTP client will edit permissions in such a way that the file ends up with incorrect permissions, and that means extra administration work because it would require me to go in on the server and change everything to what it needs to be.

Samba is OK, but it's a web server and there isn't a need for Samba just for a job like this; plus it's then one extra service that requires setting up, configuring and securing like normal.

What about another idea: have users log in, but at the OS level have them actually logged in as a different user (say xxx), which would be the user that I want to own all the files. This (xxx) is not a privileged user, so doing this won't grant any ridiculous access rights, so that's OK. And hopefully the logging of changes will take place as normal, and it will be logged as the actual user logged in, recording what they do (files changed, deleted, etc.), and not show up as the user (xxx) making the changes. That would get me the logging I require for each individual user; the files created are all owned by this (xxx) user and the group is of course set via SGID. Basically along the lines of a virtual user system. Would that work, and how would you set that up? (Can you have virtual users inside basically the local users area, if that makes any sense?)

Regards
 
Old 12-13-2007, 06:01 PM   #11
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910
Quote:
Originally Posted by helptonewbie View Post
What about another idea: have users log in, but at the OS level have them actually logged in as a different user (say xxx), which would be the user that I want to own all the files. This (xxx) is not a privileged user, so doing this won't grant any ridiculous access rights, so that's OK. And hopefully the logging of changes will take place as normal, and it will be logged as the actual user logged in, recording what they do (files changed, deleted, etc.), and not show up as the user (xxx) making the changes. That would get me the logging I require for each individual user; the files created are all owned by this (xxx) user and the group is of course set via SGID. Basically along the lines of a virtual user system. Would that work, and how would you set that up? (Can you have virtual users inside basically the local users area, if that makes any sense?)

Regards
That would certainly work, and many ftp daemons support authentication
e.g. for users defined in some database. All the files would be actually
owned by the daemons owner, and you'd have a nice audit-trail in the
database as to who did what when :}




Cheers,
Tink
 
Old 12-14-2007, 06:45 AM   #12
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 518

Original Poster
Rep: Reputation: 39
Hey Tink,
On second thoughts, and halfway through setting it up, this wouldn't get me what I desire. If the virtual users were logging in and became the same user as the owner of the files, this is no good, as the user is still able to edit permissions etc., since they will have effective owner rights over all the files, putting me in a worse position than before. What about ACLs: is there anything there which can forcibly override the owners of files inside a directory??

I'm running out of ideas here
Cheers
 
Old 12-14-2007, 12:22 PM   #13
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910
How about we tackle this the other way round. You tell us which ftp
daemons you're comfortable with, and then look at their capabilities.

I haven't personally used ftp in a long time, but I recall that various
daemons will allow you to restrict what the user can do, e.g. the
process (still using virtual users) can stop them from modifying perms.


Cheers,
Tink
 
Old 12-14-2007, 04:21 PM   #14
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 518

Original Poster
Rep: Reputation: 39
I'd be comfortable with any FTP daemon; I'd download it and just start mucking around with it to learn it, so I'm not bothered what I use. I am currently on vsftpd, which seems quite reasonable and has some cool little tricks. And yes, I found that earlier today: I started looking for workarounds and found out that I could set like no chmod or something, and then it was a matter of setting the umask, which was never working properly with vsftpd (very weird behaviour) until setting another parameter that makes it behave as it should. That is a slightly weird way of doing it, and it was difficult to unravel what the issue was when just using a umask on its own, but I got there in the end. I think I may have come up with another method now, therefore possibly not requiring changing of the owner per file. Thanks for the help, and if this idea I haven't tested yet doesn't work, I'll be back.

Cheers!!
 
  


All times are GMT -5.