Bug#309430: coreutils: chown/chgrp has problem with LDAP based users ?
Package: coreutils libpam-ldap libnss-ldap
Version: 5.2.1-2
Severity: important

I have no idea what the source of this is. I have an LDAP directory set up for user account management. Everything works fine, including login etc. However, when I want to change the ownership of a file belonging to a particular user (under his home directory) when logged in as that user, I get an "operation not permitted", as below:

===
drwx------  5 chimp Domain Users      4096 May  6 19:00 Maildir
drwx--x--x  2 chimp Domain Users      4096 May 17 15:14 abc
drwx--x--x  7 chimp Domain Users      4096 May 16 10:59 bootstrap
-rw-------  1 chimp Domain Users 119569602 May 16 10:48 bootstrap.dump.bz2
-rw-r--r--  1 chimp Domain Users   4282564 May 15 16:20 kernel-image-2.4.31-pre2-xbox-chimpanzee_1_i386.deb
-rw-r--r--  1 chimp Domain Users   5544312 May 15 00:38 kernel-image-2.6.11.9-xbox-chimpanzee_1_i386.deb
drwxr-xr-x  4 chimp Domain Users      4096 Feb 18 04:14 kernel-patches
drwx--x--x 16 chimp Domain Users      4096 May 15 17:11 linux-2.4-xbox
drwx--x--x  5 chimp Domain Users      4096 May 16 15:31 mm
-rwx------  1 chimp Domain Users      8573 May 17 12:04 mod_auth_userdir.c
drwxr-xr-x  3 chimp Domain Users      4096 May 17 14:40 public_html
drwxrwxr-x  2 chimp Domain Users      4096 May 12 17:19 share
drwxr-xr-x 17 chimp Domain Users      4096 May 13 11:06 xbox-cvs
[EMAIL PROTECTED]:~$ chown chimp.www-data abc
chown: changing ownership of `abc': Operation not permitted
===

However, if I login as another user which exists in /etc/passwd, I have no such problem.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.31-pre2-xbox-chimpanzee
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages coreutils depends on:
ii  libacl1  2.2.23-1      Access control list shared library
ii  libc6    2.3.2.ds1-21  GNU C Library: Shared libraries an

-- no debconf information

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#309430: coreutils: chown/chgrp has problem with LDAP based users ?
ah, but how come another user (non-root) can do it then?

==
[EMAIL PROTECTED]:~$ ls -l
total 340
-rw-r--r--  1 svn svn      310332 Mar 21  2004 2.4.25-rmap15l
drwx------  3 svn svn        4096 May  1 12:12 Desktop
drwx------  5 svn svn        4096 May  6 13:26 Maildir
drwx--x--x  2 svn svn        4096 May 17 15:53 abc
drwxr-xr-x  3 svn svn        4096 May  1 11:03 colinux
drwxr-xr-x 15 svn svn        4096 May 15 12:22 linux-2.4-chimp
drwxr-xr-x  2 svn svn        4096 May 12 18:37 public_html
drwxrwxr-x  7 svn svn        4096 Apr 30 11:12 repo
drwxr-xr-x  2 svn www-data   4096 May 12 17:20 share
[EMAIL PROTECTED]:~$ chown svn.www-data abc
[EMAIL PROTECTED]:~$ ls -l
total 340
-rw-r--r--  1 svn svn      310332 Mar 21  2004 2.4.25-rmap15l
drwx------  3 svn svn        4096 May  1 12:12 Desktop
drwx------  5 svn svn        4096 May  6 13:26 Maildir
drwx--x--x  2 svn www-data   4096 May 17 15:53 abc
drwxr-xr-x  3 svn svn        4096 May  1 11:03 colinux
drwxr-xr-x 15 svn svn        4096 May 15 12:22 linux-2.4-chimp
drwxr-xr-x  2 svn svn        4096 May 12 18:37 public_html
drwxrwxr-x  7 svn svn        4096 Apr 30 11:12 repo
drwxr-xr-x  2 svn www-data   4096 May 12 17:20 share
==

The only difference that I can find so far is that user chimp has its info from LDAP (through libnss/libpam); svn is a local user in /etc/passwd, /etc/group.

--- Bob Proulx [EMAIL PROTECTED] wrote:
> gary ng wrote:
> > I have no idea what the source of this is. I have an LDAP directory set up for user account management. Everything works fine, including login etc. However, when I want to change the ownership of a file belonging to a particular user (under his home directory) when logged in as that user, I get an "operation not permitted", as below:
>
> This is not a bug in coreutils. It is a security policy decision of the operating system kernel. Please read the GNU coreutils FAQ.
>
>   http://www.gnu.org/software/coreutils/faq/
>
> Look for "Why can only root chown files?"
>
> Bob
Bug#309430: coreutils: chown/chgrp has problem with LDAP based users ?
gary ng wrote:
> I have no idea what the source of this is. I have an LDAP directory set up for user account management. Everything works fine, including login etc. However, when I want to change the ownership of a file belonging to a particular user (under his home directory) when logged in as that user, I get an "operation not permitted", as below:

This is not a bug in coreutils. It is a security policy decision of the operating system kernel. Please read the GNU coreutils FAQ.

  http://www.gnu.org/software/coreutils/faq/

Look for "Why can only root chown files?"

Bob
Bug#309430: coreutils: chown/chgrp has problem with LDAP based users ?
gary ng wrote:
> ah, but how come another user (non-root) can do it then?

If you own the file and are also in the group then the Linux kernel allows you to change the group.

> drwx--x--x  2 svn svn        4096 May 17 15:53 abc
> [EMAIL PROTECTED]:~$ chown svn.www-data abc
> [EMAIL PROTECTED]:~$ ls -l
> drwx--x--x  2 svn www-data   4096 May 17 15:53 abc

What does this say?

  id svn

Does it include the www-data group? If so then the Linux kernel allows this fine.

Bob
Bug#309430: coreutils: chown/chgrp has problem with LDAP based users ?
gary ng wrote:
> [EMAIL PROTECTED]:~$ chown chimp.www-data abc
> chown: changing ownership of `abc': Operation not permitted

What does this say?

  id chimp

If it does not include www-data as one of the groups then the Linux kernel will not allow that operation.

Bob
Bug#309430: coreutils: chown/chgrp has problem with LDAP based users ?
oh, I see it now. So what I change to must satisfy 2 conditions:

1. I am only changing the owner to myself
2. I must also be a member of the group owner that I change to

I can understand (1) but it is (2) that I don't find mentioned anywhere. Would it be better to mention it somewhere in the faq?

Forgive my ignorance and please close the bug.

--- Bob Proulx [EMAIL PROTECTED] wrote:
> gary ng wrote:
> > ah, but how come another user (non-root) can do it then?
>
> If you own the file and are also in the group then the Linux kernel allows you to change the group.
>
> > drwx--x--x  2 svn svn        4096 May 17 15:53 abc
> > [EMAIL PROTECTED]:~$ chown svn.www-data abc
> > [EMAIL PROTECTED]:~$ ls -l
> > drwx--x--x  2 svn www-data   4096 May 17 15:53 abc
>
> What does this say?
>
>   id svn
>
> Does it include the www-data group? If so then the Linux kernel allows this fine.
>
> Bob
Bug#309430: coreutils: chown/chgrp has problem with LDAP based users ?
gary ng wrote:
> oh, I see it now. So what I change to must satisfy 2 conditions:
> 1. I am only changing the owner to myself
> 2. I must also be a member of the group owner that I change to

Yes. You have it.

> I can understand (1) but it is (2) that I don't find mentioned anywhere.

Not that people will think this is the most obvious place to look, but look in the chown(2) man page.

  man 2 chown

  These system calls change the owner and group of the file specified by path or by fd. Only a privileged process (Linux: one with the CAP_CHOWN capability) may change the owner of a file. The owner of a file may change the group of the file to any group of which that owner is a member. A privileged process (Linux: with CAP_CHOWN) may change the group arbitrarily.
  ...
  CONFORMING TO
  The chown call conforms to SVr4, SVID, POSIX, X/OPEN. The 4.4BSD version can only be used by the superuser (that is, ordinary users cannot give away files). SVr4 documents EINVAL, EINTR, ENOLINK and EMULTIHOP returns, but no ENOMEM. POSIX.1 does not document ENOMEM or ELOOP error conditions.

> Would it be better to mention it somewhere in the faq?

Good suggestion. I will add that to the FAQ.

> Forgive my ignorance and please close the bug.

I am not the package maintainer.

  http://www.debian.org/Bugs/Developer

  Normally, the only people that are allowed to close a bug report are the submitter of the bug and the maintainer(s) of the package against which the bug is filed.

As the submitter you may close the bug. With the emails received from the bug tracking system, all you need to do to close the bug is to make a Reply in your mail reader program and edit the To field to say [EMAIL PROTECTED] instead of [EMAIL PROTECTED] (nnn-close is provided as an alias for nnn-done).

Bob
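The rule quoted from chown(2) above, together with the `id svn` / `id chimp` membership check Bob asks for earlier in the thread, as an added Python example that is not part of the bug thread, of coreutils or of the kernel. It models the kernel's decision (only CAP_CHOWN may change the owner; the owner may change the group only to one of their own groups), resolves a user's groups through NSS so that an LDAP-backed user is evaluated exactly like a /etc/passwd user, and compares the model against a live chown on a temporary file. The names `Process`, `may_chown`, `process_for_user` and `try_chown`, and the uid/gid numbers used for svn, chimp and www-data, are my own assumptions; the report gives no numeric ids.

```python
# Added example, not from the bug thread: a model of the chown(2) permission
# rule plus an NSS lookup of a user's groups. All identifiers here are my own.
import os
import pwd
import tempfile
from dataclasses import dataclass, field

UNCHANGED = -1  # chown(2) convention: -1 leaves the owner or the group as it is


@dataclass(frozen=True)
class Process:
    uid: int                     # effective (file-system) uid of the caller
    gid: int                     # primary group
    groups: frozenset = field(default_factory=frozenset)  # supplementary groups
    cap_chown: bool = False      # root normally holds CAP_CHOWN (assumption below)

    def in_group(self, gid):
        return gid == self.gid or gid in self.groups


def may_chown(proc, file_uid, file_gid, new_uid, new_gid):
    """Apply the chown(2) rule and return (allowed, reason).

    Only a CAP_CHOWN process may change the owner; the owner may change the
    group only to a group they belong to; -1 means 'leave unchanged'.
    """
    if proc.cap_chown:
        return True, "CAP_CHOWN: owner and group may be set arbitrarily"
    if new_uid != UNCHANGED:
        if new_uid != file_uid:
            return False, "EPERM: only a CAP_CHOWN process may change the owner"
        if proc.uid != file_uid:
            return False, "EPERM: caller does not own the file"
    if new_gid != UNCHANGED:
        if proc.uid != file_uid:
            return False, "EPERM: caller does not own the file"
        if new_gid != file_gid and not proc.in_group(new_gid):
            return False, "EPERM: caller is not a member of the target group"
    return True, "allowed: owner is unchanged and caller is in the target group"


def process_for_user(username):
    """Build a Process from NSS (getpwnam + the initgroups list), which is the
    same membership `id <user>` prints. libnss-ldap users resolve through the
    same path, so they are judged exactly like local users.
    cap_chown is assumed for uid 0 only (capabilities are not read here)."""
    pw = pwd.getpwnam(username)
    gids = os.getgrouplist(username, pw.pw_gid)
    return Process(uid=pw.pw_uid, gid=pw.pw_gid,
                   groups=frozenset(gids) - {pw.pw_gid},
                   cap_chown=(pw.pw_uid == 0))


# Constructed ids standing in for the thread's accounts (not from the report).
WWW_DATA = 33                                                   # Debian's www-data gid
SVN = Process(uid=1001, gid=1001, groups=frozenset({WWW_DATA})) # local user, in www-data
CHIMP = Process(uid=1002, gid=513)                              # LDAP user, "Domain Users" only
ROOT = Process(uid=0, gid=0, cap_chown=True)


def thread_scenarios():
    """The chown attempts the thread discusses, evaluated by may_chown."""
    return {
        # chown svn.www-data abc, abc owned by svn:svn -> succeeds
        "svn": may_chown(SVN, SVN.uid, SVN.gid, SVN.uid, WWW_DATA),
        # chown chimp.www-data abc, abc owned by chimp:Domain Users -> EPERM
        "chimp": may_chown(CHIMP, CHIMP.uid, CHIMP.gid, CHIMP.uid, WWW_DATA),
        # root doing the same on chimp's file -> allowed via CAP_CHOWN
        "root": may_chown(ROOT, CHIMP.uid, CHIMP.gid, CHIMP.uid, WWW_DATA),
    }


def try_chown(path, uid, gid):
    """Issue the real chown(2) and report 'ok' or 'EPERM'."""
    try:
        os.chown(path, uid, gid)
        return "ok"
    except PermissionError:
        return "EPERM"


if __name__ == "__main__":
    for name, (ok, why) in thread_scenarios().items():
        print(f"{name:6s} {'ok   ' if ok else 'EPERM'} {why}")
    # Live check with the current identity: the model's prediction and the
    # kernel's answer for a chgrp to each of our own groups must agree.
    me = Process(os.geteuid(), os.getegid(), frozenset(os.getgroups()),
                 cap_chown=(os.geteuid() == 0))
    with tempfile.NamedTemporaryFile() as f:
        st = os.stat(f.name)
        for gid in sorted({me.gid, *me.groups}):
            predicted = may_chown(me, st.st_uid, st.st_gid, UNCHANGED, gid)[0]
            print(f"chgrp {gid:>6}: predicted={'ok' if predicted else 'EPERM'} "
                  f"kernel={try_chown(f.name, UNCHANGED, gid)}")
```

Running `process_for_user("chimp")` on the reporter's box would have answered Bob's question directly: if `WWW_DATA` is absent from the returned `groups`, `may_chown` rejects the chgrp for the same reason the kernel does, regardless of whether the account lives in LDAP or in /etc/group.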