I suppose most of you must have come across this, but have you given any
thought to it?
Only root can change ownership of a file. Users may change the group of a
file, but not the owner.

    $ chown root a.txt
    chown: a.txt: Operation not permitted
    $ ls -l a.*
    -rw-r--r-- 1 philip family 8 May 6 22:31 a.txt
    $ su
    # chown root a.txt
    # ls -l a.*
    -rw-r--r-- 1 root family 8 May 6 22:31 a.txt

Now, this fact is not mentioned in the chown.1 man page.

    chown changes the user and/or group ownership of each
    given file, according to its first non-option argument,
    which is interpreted as follows. If only a user name (or
    numeric user ID) is given, that user is made the owner of
    each given file, and the files' group is not changed. If
    [snip]

However, if you look at the chown.2 man page (for the chown function in C) it
mentions this fact:

    Only the super-user may change the owner of a file. The
    owner of a file may change the group of the file to any
    group of which that owner is a member. The super-user
    may change the group arbitrarily.

My first question is, why does neither `man 1 chown' nor `info chown'
document the fact that only the superuser can change file ownership?
Does this qualify as a bug in the docs?
Second question, why are users not allowed to change file ownership?
Most likely answer is if I change ownership of my file, then I can no
longer access it. There may be cases however when I do need to chown a
file, and I no longer need to access it - someone else is going to take
that job - for example, transferring a project to someone else.
Second possibility - security risk.
Follow this sequence:
First, create an executable (a.out) that spawns a shell. Then:

    $ chmod +s a.out
    $ chown root a.out # you can't do this of course
    $ ./a.out

and voila, you should have a shell in root mode right?
Well, not exactly. This fact is documented in chown.2 but not in chown.1:

    When the owner or group of an executable file are changed
    by a non-super-user, the S_ISUID and S_ISGID mode bits are
    cleared. POSIX does not specify whether this also should
    happen when root does the chown; the Linux behaviour

When you chown a file, the setuid bits get cleared. This is basically to
prevent this kind of security hole. Not just with root, but with any
user. Of course, since only root can chown, this makes the security hole
even bigger.
But that still does not answer the question... why can't a user chown?
If I no longer need access to a file (if I do, I could chmod 666 it), and
since I can't make it setuid for the new owner, why shouldn't I be allowed
to chown?
Third possibility:
I could write some malicious code, and chown it to someone else. Then,
when this program is found, the new owner will be blamed. This again does
not hold much water, because if chown is possible, then blaming the owner
of a file is no longer possible.
So, someone, please tell me why I can't chown.
One last thing... should I report to [EMAIL PROTECTED] the fact that
chown.1 does not document this?
Philip
--
Loose bits sink chips.
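
An added example, not part of the original post: a small C program that observes the chown.2 behaviour quoted above, showing the set-ID bits dropped by a permitted group-only chown and an attempt to hand the file to uid 0 refused with EPERM for a non-root caller. It assumes a current Linux kernel and a writable /tmp; the function name and scratch path are made up for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a scratch file with mode 06755, then fchown() it.
 * new_owner == (uid_t)-1 leaves the owner alone and only re-sets the group
 * to our own effective gid, which an unprivileged owner may do.
 * Returns the set-ID bits still present afterwards (0 = cleared),
 * or -1 on a setup failure. *chown_err receives fchown's errno, 0 on success. */
int setid_bits_after_chown(uid_t new_owner, int *chown_err)
{
    char path[] = "/tmp/chown-demo-XXXXXX";   /* constructed scratch path */
    struct stat st;
    int result = -1;
    int fd = mkstemp(path);

    *chown_err = 0;
    if (fd < 0)
        return -1;
    unlink(path);                 /* fd stays usable; nothing is left on disk */

    /* Only S_ISUID is required to stick; S_ISGID may be refused by chmod. */
    if (fchmod(fd, 06755) == 0 && fstat(fd, &st) == 0 && (st.st_mode & S_ISUID)) {
        if (fchown(fd, new_owner, getegid()) != 0)
            *chown_err = errno;
        if (fstat(fd, &st) == 0)
            result = st.st_mode & (S_ISUID | S_ISGID);
    }
    close(fd);
    return result;
}

int main(void)
{
    int err;
    int bits = setid_bits_after_chown((uid_t)-1, &err);
    printf("group-only chown: errno=%d, set-ID bits left=%o\n", err, bits);

    bits = setid_bits_after_chown(0, &err);   /* give the file to uid 0 */
    printf("chown to uid 0:   errno=%d, set-ID bits left=%o\n", err, bits);
    return 0;
}
```

Run as an ordinary user, the second call fails and the bits stay on a file the caller still owns; run as root, the chown succeeds and the bits are cleared as well.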