How to change Unix permissions when I don't own the file but do have write permission on the directory?

I'm sharing a git repository with a colleague, and because git does not propagate the full panoply of Unix file permissions, we have a "hook" that runs on update which sets the 'other' permissions as they need to be set. The problem? The hook uses chmod, and it turns out that when my colleague commits a file, he owns it, so I can't run chmod on it, and vice versa. The directories are all group writable, sticky, so I believe that either of us has the right to remove any file and replace it with one of the same name, same contents, but different ownership. Presumably then we could chmod it. But this seems like an awfully big hammer, and I'm a bit leery of screwing it up. So, two questions:

1. Can anybody think of another way to do it?

2. If not, what's the best design for a bulletproof shell script that implements "make this file belong to me"? No cross-filesystem moves, etc etc...

For those who may not have realized, write permission does not confer permission to chmod:

% ls -l value.c
-rw-rw---- 1 agallant ta105 133 Feb 10 13:37 value.c
% [ -w value.c ] && echo writeable
writeable
% chmod o+r value.c               
chmod: changing permissions of `value.c': Operation not permitted

We are both in the ta105 group.

---

Notes:

1. We're using git not only to coordinate changes but to publish the repo as a course web site. Publishing the web site is the primary purpose of the repo. The permissions script runs at every update using a git hook, and it ensures that students do not have permission to read solutions that have not yet been unveiled.

2. Please do not suggest that I have the wrong umask. Not all files in the repo should have the same permissions, and whatever umask is chosen, permissions on some files will need to be changed. Not to mention that it would be discourteous for me to impose my umask preferences on my colleagues.

3. UPDATE: I've just learned that in our environment, root is quashed to nobody on all machines we have access to, so that a solution which relies on root privileges won't work.

That's exactly the situation we're in. Write permission is not chmod permission. I don't know if the admins will allow or support sudo, but it's worth looking into.

Sorry, but emacs knows only one umask, and the correct default for my installation is 002. The whole point of the question is how to deal with the few files for which the default umask is not appropriate.

We both need to chmod, and if two of us run this code at once, value.c is hosed.

It's a nice thought. I've edited the question to reflect that the primary purpose of the repo is to be published as a course web site. Setting appropriate permissions for the web site is where we run into trouble.

I'm not sure my sysadmins will go for the suid program---I'll have to ask them. But your suggestion seems the most safe and sane of the ones I've seen so far.

@Norman Ramsey: It may be possible to use SELinux or something similar to give the program very narrow capabilities. I also know there's an effort in Fedora 15 to get rid of setuid programs all together, which indicates there's an alternate mechanism now for accomplishing a similar thing in a more controlled way.

+1 for sudo. Simply wrap your chmod into a bash script and define sudo rules for it.

@Normal Ramsey, Ah! I didn't realize that you only wanted the different permissions for a handful of files; I thought they were all wrong. :)

@Omnifarious, the setuid-root programs are gradually going to be replaced with specific posix draft capabilities(7) to specify which subset of root privileges are going to be granted to the program. You can get started now :) by using the setcap(8) utility to grant e.g. CAP_DAC_OVERRIDE and not allow CAP_NET_BIND or CAP_SYS_ADMIN, etc.

Is your course material published directly as a git repo? I'm not clear on how your permission system would work with such a thing. Git repositories can only be cloned entirely and your students would have access to the whole content no?

Actually, what I said about EXT, does not seem to be true - at least on Debian Squeeze, the g+s seems to do the trick.

students can't get access to the central repo. There's only one replica that students have access to, and that replica can be written only by instructors. So the workflow is that every push to the (private) central repo runs a hook that updates the public repo. Part of that hook sets permissions.

Ah okay. Wouldn't it be possible then to have something like an answered branch which contains only what the students should be allowed to see? That way, you don't have to worry about permissions since even if they clone the whole public repo, they won't get the matter that they're not supposed to.

My publishing hook just does a 'git pull' to the public copy, then runs 'make' to derive files and set permissions. Maybe the solution is to run the deploy script setuid in some way; I don't know.

We have group ownership. The problem is that on Unix, group ownership conveys permission to write, but it does not convey permission to change permissions!

I've marked this answer accepted because (a) I believe a setuid program might help substantially, and (b) it's the answer that gave me the most new ideas to think about. The problem remains unsolved.

@Norman Ramsey: Thanks. I may research the capability thing that @sarnold mentioned, and if I do and I still remember this question, I will come here and update it with a description of how to accomplish the task using them. I think they are an even better idea than the setuid program.

I don't think there's any better chance you'll get all the rules in sudo right than there is you'll get a suid program written in C to do the right thing. In fact, I think there's a worse chance. The way you express rules in sudo is rather arcane.

@Omnifarious. Shit. You didn't get your bounty. User error. I've asked for moderator help.

So you're publishing the working copy directly, rather than actually deploying it somewhere? Your workflow may be improved by making the deploy step put the files elsewhere, even if that just means putting the git repository in a subdirectory with no read access for students and using rsync to copy the files out into the parent, with the right permissions for the students.

@Norman Ramsey: So far, the result of that seems to be the loss of about 300 reputation points. grin But, perhaps there is another reason that happened. I'm not hugely concerned, but thank you!

You're right, sorry. Only the owner can chmod a file. Group permissions aren't enough.

This is roughly the right approach, but the temp name should be generated in a safe manner, and the cmp is probably unnecessary as long as you check exit status (which you need to be doing).