Allow users to change file ownership of a specific file without sudo
Solution 1
You'll have to write a script that checks for the conditions, and then give your users sudo
access to that script alone. Something like:
#! /bin/bash
set -e
die()
{
printf "%s\n" "$@"
exit 1
}
if [[ $EUID != 0 ]]
then
die "This script must be run with sudo."
fi
DEFAULT_USER=nobody
SOURCE_DIR=/some/dir
cd "$SOURCE_DIR"
# Get path of file relative to the source directory
# Then we can check if it is actually in the directory.
FILE=$(realpath -e --relative-base="$SOURCE_DIR" "${1?}")
if [[ $FILE == /* ]]
then
die "$1 is outside $SOURCE_DIR."
fi
FILE_OWNER=$(stat -c %U "$FILE")
case $FILE_OWNER in
$DEFAULT_USER)
# checkout
echo "Checking out $FILE..."
chown "$SUDO_USER" "$FILE"
;;
$SUDO_USER)
# checkin
echo "Checking in $FILE..."
chown nobody "$FILE"
;;
*)
die "Sorry, this file is checked out by $FILE_OWNER."
;;
esac
Save this as, say, /usr/local/bin/check
, add the following sudoers
rule:
%dev ALL = (root) /usr/local/bin/check
That's assuming:
- The developers are all in the
dev
group (if not, use usernames or groups accordingly). - The files are in
/some/dir
. Modify$SOURCE_DIR
accordingly. - The default user is
nobody
, and unchecked files are owned by the default user. - Nobody has write permissions on the source directory except root.
Then the devs can do:
sudo check some/file
to checkout /some/dir/some/file
, and run it again to check it in.
Solution 2
You can do this, although I think there's probably a more practical solution designed for this kind of collaboration.
Anyway, here's what to do:
Create a group, add the users to the group, and give the group write permission on the parent directory. Then they will be able to chown
and chmod
the file without using sudo
Demonstration:
sudo addgroup devs
sudo adduser zanna devs
sudo adduser pixie devs
mkdir development
chmod g+w development
sudo chown root:devs development
touch development/testfile
cd development
sudo chown root:devs testfile
That's the setup done. Let's test it:
zanna@xubi:~/development$ chown $USER testfile
$ stat -C "%U %G" testfile
zanna devs
$ chmod 600 testfile
$ stat -c %a testfile
600
$ su pixie
[enter password...]
pixie@xubi:/home/zanna/development$ chown $USER testfile
$ stat -c %U testfile
pixie
and so on... but this will only work at all if people check permissions or try to write to the file before they start running chown
and chmod
, which probably isn't intuitive... And if they have write permission on the parent directory, they will always be able to force write to the file, though they should get some warning, depending on the editor they use.
Solution 3
If a user has the ability to run the following sudo
command:
sudo bash
He will be able to execute any command as root, including chown
on any file.
You can configure /etc/sudoers
to allow a specific user to run specific commands
e.g. you can set the following line in /etc/sudoers
:
user2 ALL=(ALL) NOPASSWD: /bin/chown
user2 ALL=(ALL) NOPASSWD: /bin/chmod
Note: If someone has the ability to run
chown
andchmod
asroot
they can easily get fullroot
access (e.g. by editing/etc/passwd)
Solution 4
I agree that an sccs (Source Code Control System) including the original one from the early '70s might be a good solution for checking in an out shared files since it maintains version control as well as documentation of changes.
As an add-on to Zanna's proposal, a short script that checks if the user is the owner, then, if not, checks if the group has write permission. That would mean it was checked in. If available, it would chown then change permissions to 600 (file is busy). To release it, it would change permissions back to 660. Thus owner name would indicate who has it locked or who last locked it and group permission would indicate if it were available or still in use.
Related videos on Youtube
Elias
Updated on September 18, 2022Comments
-
Elias almost 2 years
Let's say that we have this situation:
-rwxrwx-r- 1 user1 mygroup 0 Sep 12 16:53 testfile
A group of developers are working on the same VM (Linux). I need to simulate the concept of checkout/checkin. If a user checks out a file no one should be able to write in it until he checks it in.
I tried changing file owner; each time a user wants to checkout he becomes the file owner and prevents other from writing to it and then checks in by changing the file owner to the default and sets back permissions on the file to the default. This means I'll need
chown
andchmod
but these commands requiresudo
and I can't givesudo
permission to developers.Can I give a user the possibility to
chown
andchmod
only a specific file?-
Zanna almost 7 yearswould it be practical in this situation to give the user write permission on the parent directory? Allowing a user to use
sudo chown
andsudo chmod
is effectively allowing them to modify any file however they want, because afterchown
ing it andchmod
ding it, they could do anything at all to it, such as turning it into an executable script containing arbitrary code -
Elias almost 7 yearsi edited my Post to describe the real problem
-
Rinzwind almost 7 years"If a user checks out a file no one should be able to write in it until he checks it in." That is what groups is for. Edit: Zanna got it correct.
-
Elias almost 7 yearsbut that's exactly the point Zaana's missing if a user didn't pat attention he could checkout an already checked out file
-
Zanna almost 7 yearsI told you how to do what you asked for, but I as said in my answer it will only work if users check before they start - but it would be the same if they were using
sudo
too, there's not much point to it But I think muru's answer gives a proper solution -
Elias almost 7 years@Zanna yes exactly they need to check but you know the human nature so we need to eliminate that possibility
-
WinEunuuchs2Unix almost 7 yearsI would write a background
cron
job that runs under sudo privileges anyway. It would watch for user requests and change ownership. Bonus crown can automatically email developer group as files are checked out or in.
-
-
Elias almost 7 yearsthere's an edit at my post , actually i don't want him to run all commands i just want him to have the privilege on chown and chmod
-
Yaron almost 7 years@Ilyasse - having those two commands give the user the ability to get full
root
access ... -
Zanna almost 7 yearsyeah I was going to comment that this is inherently insecure but your last edit somewhat fixed it
-
Yaron almost 7 years@Ilyasse - my answer provide example how to limit
sudo
access to specific command(s), If you really want to limit your friend, without giving fullroot
access, you can describe thereal
problem you are facing, and we'll try to find a good solution for your specific needs -
Elias almost 7 yearsi edited the post to describe the real problem i'm facing
-
vidarlo almost 7 yearsWhat I'm wondering is what the user is trying to achieve. If it's a development machine, why does it matter if developers have root? And why not use some kind of source control system? Or file locking? To me it sounds like a X-Y-problem...
-
Elias almost 7 yearsexactly the problem goes to a file locking problem i'm working with GIT with bitbucket and bitbucket doesn't support GIT LFS locking files :/
-
Elias almost 7 yearsThis solves part of the issue (chown) but if anyone could checkout at anytime means we've done nothing since if i checkout no one should checkout until i checkin
-
Elias almost 7 yearswith %dev ALL = (root) /usr/local/bin/check can i add an argument to make him only execute file ( prevent write ) , so he can't be able to modify the script
-
muru almost 7 years@Ilyasse the file should be owned by root, and not have any write permissions at all.
-
WinEunuuchs2Unix almost 7 years+1 mostly because it's elegantly written yet succinct and partly because I don't have to write an answer so I can focus on my shopping bot project :D