Allow users to change file ownership of a specific file without sudo

permissions sudo chown

8,076

Solution 1

You'll have to write a script that checks for the conditions, and then give your users sudo access to that script alone. Something like:

#! /bin/bash
set -e
die()
{
    printf "%s\n" "$@"
    exit 1
}

if [[ $EUID != 0 ]]
then
    die "This script must be run with sudo."
fi

DEFAULT_USER=nobody
SOURCE_DIR=/some/dir

cd "$SOURCE_DIR"

# Get path of file relative to the source directory
# Then we can check if it is actually in the directory.
FILE=$(realpath -e --relative-base="$SOURCE_DIR" "${1?}")    
if [[ $FILE == /* ]]
then
    die "$1 is outside $SOURCE_DIR."
fi

FILE_OWNER=$(stat -c %U "$FILE")

case $FILE_OWNER in
    $DEFAULT_USER)
        # checkout
        echo "Checking out $FILE..."
        chown "$SUDO_USER" "$FILE"
        ;;
    $SUDO_USER)
        # checkin
        echo "Checking in $FILE..."
        chown nobody "$FILE"
        ;;
    *)
        die "Sorry, this file is checked out by $FILE_OWNER."
        ;;
esac

Save this as, say, /usr/local/bin/check, add the following sudoers rule:

%dev ALL = (root) /usr/local/bin/check

That's assuming:

The developers are all in the dev group (if not, use usernames or groups accordingly).
The files are in /some/dir. Modify $SOURCE_DIR accordingly.
The default user is nobody, and unchecked files are owned by the default user.
Nobody has write permissions on the source directory except root.

Then the devs can do:

sudo check some/file

to checkout /some/dir/some/file, and run it again to check it in.

Solution 2

You can do this, although I think there's probably a more practical solution designed for this kind of collaboration.

Anyway, here's what to do:

Create a group, add the users to the group, and give the group write permission on the parent directory. Then they will be able to chown and chmod the file without using sudo

Demonstration:

sudo addgroup devs
sudo adduser zanna devs
sudo adduser pixie devs
mkdir development
chmod g+w development 
sudo chown root:devs development 
touch development/testfile
cd development
sudo chown root:devs testfile

That's the setup done. Let's test it:

zanna@xubi:~/development$ chown $USER testfile
$ stat -C "%U %G" testfile
zanna devs
$ chmod 600 testfile
$ stat -c %a testfile
600
$ su pixie
[enter password...]
pixie@xubi:/home/zanna/development$ chown $USER testfile
$ stat -c %U testfile
pixie

and so on... but this will only work at all if people check permissions or try to write to the file before they start running chown and chmod, which probably isn't intuitive... And if they have write permission on the parent directory, they will always be able to force write to the file, though they should get some warning, depending on the editor they use.

Solution 3

If a user has the ability to run the following sudo command:

sudo bash

He will be able to execute any command as root, including chown on any file.

You can configure /etc/sudoers to allow a specific user to run specific commands

e.g. you can set the following line in /etc/sudoers:

user2 ALL=(ALL) NOPASSWD: /bin/chown
user2 ALL=(ALL) NOPASSWD: /bin/chmod

Note: If someone has the ability to run chown and chmod as root they can easily get full root access (e.g. by editing /etc/passwd)

Solution 4

I agree that an sccs (Source Code Control System) including the original one from the early '70s might be a good solution for checking in an out shared files since it maintains version control as well as documentation of changes.

As an add-on to Zanna's proposal, a short script that checks if the user is the owner, then, if not, checks if the group has write permission. That would mean it was checked in. If available, it would chown then change permissions to 600 (file is busy). To release it, it would change permissions back to 660. Thus owner name would indicate who has it locked or who last locked it and group permission would indicate if it were available or still in use.

View more solutions

8,076

Elias

Updated on September 18, 2022

Comments

Elias almost 2 years
Let's say that we have this situation:
```
-rwxrwx-r- 1 user1 mygroup  0 Sep 12 16:53 testfile
```
A group of developers are working on the same VM (Linux). I need to simulate the concept of checkout/checkin. If a user checks out a file no one should be able to write in it until he checks it in.

I tried changing file owner; each time a user wants to checkout he becomes the file owner and prevents other from writing to it and then checks in by changing the file owner to the default and sets back permissions on the file to the default. This means I'll need chown and chmod but these commands require sudo and I can't give sudo permission to developers.

Can I give a user the possibility to chown and chmod only a specific file?
- Zanna almost 7 years
  
  would it be practical in this situation to give the user write permission on the parent directory? Allowing a user to use sudo chown and sudo chmod is effectively allowing them to modify any file however they want, because after chowning it and chmodding it, they could do anything at all to it, such as turning it into an executable script containing arbitrary code
- Elias almost 7 years
  
  i edited my Post to describe the real problem
- Rinzwind almost 7 years
  
  "If a user checks out a file no one should be able to write in it until he checks it in." That is what groups is for. Edit: Zanna got it correct.
- Elias almost 7 years
  
  but that's exactly the point Zaana's missing if a user didn't pat attention he could checkout an already checked out file
- Zanna almost 7 years
  
  I told you how to do what you asked for, but I as said in my answer it will only work if users check before they start - but it would be the same if they were using sudo too, there's not much point to it But I think muru's answer gives a proper solution
- Elias almost 7 years
  
  @Zanna yes exactly they need to check but you know the human nature so we need to eliminate that possibility
- WinEunuuchs2Unix almost 7 years
  
  I would write a background cron job that runs under sudo privileges anyway. It would watch for user requests and change ownership. Bonus crown can automatically email developer group as files are checked out or in.
Elias almost 7 years

there's an edit at my post , actually i don't want him to run all commands i just want him to have the privilege on chown and chmod
Yaron almost 7 years

@Ilyasse - having those two commands give the user the ability to get full root access ...
Zanna almost 7 years

yeah I was going to comment that this is inherently insecure but your last edit somewhat fixed it
Yaron almost 7 years

@Ilyasse - my answer provide example how to limit sudo access to specific command(s), If you really want to limit your friend, without giving full root access, you can describe the real problem you are facing, and we'll try to find a good solution for your specific needs
Elias almost 7 years

i edited the post to describe the real problem i'm facing
vidarlo almost 7 years

What I'm wondering is what the user is trying to achieve. If it's a development machine, why does it matter if developers have root? And why not use some kind of source control system? Or file locking? To me it sounds like a X-Y-problem...
Elias almost 7 years

exactly the problem goes to a file locking problem i'm working with GIT with bitbucket and bitbucket doesn't support GIT LFS locking files :/
Elias almost 7 years

This solves part of the issue (chown) but if anyone could checkout at anytime means we've done nothing since if i checkout no one should checkout until i checkin
Elias almost 7 years

with %dev ALL = (root) /usr/local/bin/check can i add an argument to make him only execute file ( prevent write ) , so he can't be able to modify the script
muru almost 7 years

@Ilyasse the file should be owned by root, and not have any write permissions at all.
WinEunuuchs2Unix almost 7 years

+1 mostly because it's elegantly written yet succinct and partly because I don't have to write an answer so I can focus on my shopping bot project :D