[ale] Allow non-root user to chown file to other user?

Björn Gustafsson bg-ale at bjorng.net
Thu Nov 15 13:24:00 EST 2007


In theory it *should* be possible to do this.  Can't say if there's a
utility to manage it, but you basically need to turn on CAP_CHOWN for
all your users.  That's managed at the kernel level, so you may need
to recompile the kernel to enable it by default.  I presume the
distros you mention use kernels that support capabilities, but I don't
know that for certain.

http://linux.die.net/man/7/capabilities

On Nov 15, 2007 10:03 AM, Jeff Lightner <jlightner at water.com> wrote:
>
> That's the basic question.  If a non-root user owns a file and wants to give
> ownership to another user it says "operation not permitted".
>
> I've been looking at a lot of stuff, capabilities, chattr, mount options,
> etc., and see many people ask this question but no real resolution.
>
> There are no ACLs in use.
>
> There are no attributes set on the files shown by lsattr.
>
> Yes it works as root.
>
> The filesystem is ext3 using "defaults" for options.
>
> This is an issue on Fedora 4 and RHEL 5 (and every Linux from RH 7.3 based
> on my Google research).
>
> Solaris has a way to set this globally.   HP-UX has a slightly different way
> to allow or deny chown authority.   I'm looking for something similar in
> Linux.
>
> Please do NOT tell me it is a bad idea to allow users to do this.
>
> I'm asking if it is possible and how to do it - NOT whether it is a good
> idea.  (If you know how and want to add a caution about specific issue
> you've seen doing it after telling me how that's fine.)
>
> Please do NOT tell me to give the user access to sudo chown ... blah blah blah.
>
> Obviously this can be done (and would have to be carefully done to prevent
> exploits).   I'm asking whether I can simply give a user the ability to do
> it directly using the chown command alone.
>
> Please do NOT tell me to use Ubuntu or some other distro.
>
> I'm asking how to do it on the distros I'm currently using.  (Also my
> Googling seems to suggest this may not be restricted to Fedora/RedHat/CentOS
> anyway.)
>
> Please DO tell me if it is not possible if you have a technical explanation
> as to why (that is, please don't just say "Redhat doesn't allow it").
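
Added example, written for this page and not code from either poster or from
any distro: a small helper that exercises the CAP_CHOWN route Björn points at,
together with the caution Jeff asked for. It assumes a Linux kernel with file
capabilities (2.6.24 or later) and libcap's setcap/getcap installed, so a
non-root user can run a binary that carries CAP_CHOWN without sudo and without
a kernel rebuild. The helper name "chown-own", the install path and the group
"givers" are made up for the example. The caveat it guards against: CAP_CHOWN
removes the kernel's ownership check entirely, so `setcap cap_chown=ep` on a
plain copy of /bin/chown would let anyone who can run it chown any file on the
box, including ones they do not own. This helper refuses unless the caller's
real uid owns the file, and it does the check on an open descriptor so the path
cannot be swapped underneath it.

```c
/*
 * chown-own.c: let a user give away a file they own, via CAP_CHOWN rather
 * than root. Example code for this thread, not from any distro or poster.
 *
 * Assumes: Linux with file capabilities (2.6.24+), libcap's setcap installed.
 * The binary name, install path and group "givers" are hypothetical.
 *
 * Install (as root, once):
 *   gcc -O2 -Wall -o /usr/local/bin/chown-own chown-own.c
 *   setcap cap_chown=ep /usr/local/bin/chown-own     # grant CAP_CHOWN on exec
 *   chgrp givers /usr/local/bin/chown-own && chmod 750 /usr/local/bin/chown-own
 *   getcap /usr/local/bin/chown-own                  # verify: ... = cap_chown+ep
 *
 * Use (as an unprivileged member of "givers"):
 *   chown-own alice ./report.txt
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CAP_CHOWN 0                        /* capability number 0 = bit 0 */
#define LINUX_CAPABILITY_VERSION_3 0x20080522

/* Raw capget(2) ABI, so no libcap dependency at build time. */
struct cap_hdr  { uint32_t version; int pid; };
struct cap_data { uint32_t effective, permitted, inheritable; };

/* 1 if capability number `cap` is set in the 32-bit word `word`, else 0. */
int cap_bit_set(uint32_t word, int cap)
{
    return (word >> cap) & 1u;
}

/* Ask the kernel for our own effective set. Returns 1 if CAP_CHOWN is in it,
 * 0 if not or if capget fails (e.g. a kernel without capability support). */
int have_cap_chown(void)
{
    struct cap_hdr hdr = { LINUX_CAPABILITY_VERSION_3, 0 };
    struct cap_data data[2];               /* v3 returns two 32-bit words */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return 0;
    return cap_bit_set(data[0].effective, CAP_CHOWN);   /* cap 0 is in word 0 */
}

/* Policy: the caller may give away a file only if the caller owns it. */
int may_give_away(uid_t caller, uid_t file_owner)
{
    return file_owner == caller;
}

/* Change the owner of `path` to `new_uid` on behalf of `caller`.
 * Returns 0 on success, -1 with errno set on failure (EPERM if the caller
 * does not own the file). The ownership check and the chown are done on the
 * same open descriptor, so a rename between the two cannot redirect us. */
int chown_as_owner(uid_t caller, const char *path, uid_t new_uid)
{
    /* O_NOFOLLOW: refuse a symlink the caller may have planted;
     * O_NONBLOCK: do not hang on a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                         /* errno from open, e.g. ENOENT */

    struct stat st;
    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!may_give_away(caller, st.st_uid)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    /* Group left unchanged (-1). CAP_CHOWN is what lets a non-root uid do this. */
    int rc = fchown(fd, new_uid, (gid_t)-1);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s NEWOWNER FILE\n", argv[0]);
        return 2;
    }
    if (!have_cap_chown()) {
        fprintf(stderr, "%s: CAP_CHOWN not in effective set "
                        "(was setcap cap_chown=ep run on this binary?)\n", argv[0]);
        return 1;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (!pw) {
        fprintf(stderr, "%s: unknown user %s\n", argv[0], argv[1]);
        return 1;
    }
    if (chown_as_owner(getuid(), argv[2], pw->pw_uid) != 0) {
        fprintf(stderr, "%s: %s: %s\n", argv[0], argv[2], strerror(errno));
        return 1;
    }
    return 0;
}
```

Two things to keep in mind when using this. The file must be openable for
reading by the caller (the helper opens it to pin the inode), which is the
normal case for a file you own. And because the real uid is what the policy
checks, the binary must not be setuid; it gets its privilege only from the
file capability, which is the whole point of going this way instead of sudo.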
