Why can't a normal user `chown` a file?
Solution 1
Most unix systems prevent users from “giving away” files, that is, users may only run chown
if they have the target user and group privileges. Since using chown
requires owning the file or being root (users can never appropriate other users' files), only root can run chown
to change a file's owner to another user.
The reason for this restriction is that giving away a file to another user can allow bad things to happen in uncommon, but still important situations. For example:
- If a system has disk quotas enabled, Alice could create a world-writable file under a directory accessible only by her (so no one else could access that world-writable file), and then run
chown
to make that file owned by another user Bill. The file would then count under Bill's disk quota even though only Alice can use the file. - If Alice gives away a file to Bill, there is no trace that Bill didn't create that file. This can be a problem if the file contains illegal or otherwise compromising data.
- Some programs require that their input file belongs to a particular user in order to authenticate a request (for example, the file contains some instructions that the program will perform on behalf of that user). This is usually not a secure design, because even if Bill created a file containing syntactically correct instructions, he might not have intended to execute them at this particular time. Nonetheless, allowing Alice to create a file with arbitrary content and have it taken as input from Bill can only make things worse.
Solution 2
On Linux, you need the CAP_CHOWN capability to chown. root is granted such. Refer to: http://vouters.dyndns.org/tima/Linux-OpenVMS-C-Implementing_chown.html for explanations. If you intend to give the CAP_CHOWN capability, build your code with libcap-ng or libcap as demonstrated by: http://vouters.dyndns.org/tima/Linux-PAM-C-Pluggable_Authentication_Modules_programming_example.html where you have to simple replace CAP_AUDIT_WRITE with CAP_CHOWN.
Solution 3
You can launch the command but it will not work if you are not root. It is easy : imagine a user which can change a software to root user. It can add the setuid bit and, voilà, the guy is root ! So, the use can add the bit with chmod, but no chance to change the owner of files.
Related videos on Youtube
phleg
Updated on September 18, 2022Comments
-
phleg almost 2 years
Why is the
chown
command root-only? Why can't non-root users use chown to give away files they own?-
Remon over 12 yearscant understand your question chown command can be used by non root user also
-
phleg over 12 yearsMaybe i put it wrong. Well the exact question of my proffesor was: "Why the move of rights from a normal user isn't allowed in UNIX systems?"...
-
Keith Thompson over 12 yearsI think the real question is: why can't non-root users use
chown
to give away files they own. (I've seen systems where, depending on the filesystem configuration, you can.) -
Ciro Santilli Путлер Капут 六四事 about 5 yearsrelated: askubuntu.com/questions/95985/…
-
-
Gilles 'SO- stop being evil' over 12 yearsYou can't add the setuid bit on a file you don't own, and implementations that allow giving away files clear the setuid bit.
-
Keith Thompson over 12 yearsAt a previous job, I built a software system that depended on the inability to give away files. It used file ownership to verify that a request had been submitted by a particular user. It checked, during installation, whether giving away files was permitted, and if so it refused to proceed.
-
phemmer over 11 yearsAnother more critical issue is that a user could copy
/bin/bash
, setuid it, and thenchown
it to whoever they want. Now they have shell access as that person. -
Gilles 'SO- stop being evil' over 11 years@Patrick
chown
always clears the setuid and setgid bits. -
hanetzer over 9 years@Gilles and for good reason... if you could copy a shell binary somewhere you can access it, set the setuid/gid bits on it, and chown it to root (or any order thereof that gets you 6755/0:0 perms/ownership) you can obtain root on that system. Oh missed Patrick's comment, exactly.
-
ctrl-alt-delor over 9 years+1 for you don't have to be root. Because you don't have to be root any more.
-
Déjà vu over 8 yearsOk, but if I own the dir (
drwxr-xr-x ring0 ring0 .
) in which root has a regular file (-rw-r--r-- root root file
),why can't I dochown ring0 file
since it is anyway allowed to do, asring0
,cp file x ; rm file ; mv x file
(and some optionaltouch sometime file
...) ? -
Gilles 'SO- stop being evil' over 8 years@ringø You didn't check all the required preconditions. For example, it shouldn't be allowed if the file has a hard link in another directory where you aren't allowed to delete it. It also shouldn't be allowed if the file is currently open, since the permissions on the file guarantee that root wrote its content. Even if you manage to find a set of conditions that ensure that it doesn't violate any security guarantee, that would be a hard-to-implement special case, and pointless since there's an easy workaround.
-
Mike S over 6 yearsI think the point of Dom's answer is this: Imagine if you could. Then there would be trouble. Your point, that you can't, is correct. But the OP is asking "why?" Clearing the setuid bit is another security feature that again begs the question "why?" Which I would then refer to Dom's answer: IF a user could chown, and IF a user could setuid, then that combo would be disastrous. I think he makes a fine point, even if he's missing a little bit.
-
Mike S over 6 yearsSometimes, you don't even need CAP_CHOWN: unix.stackexchange.com/questions/399975/… From my read of the kernel source, each filesystem implementation is tasked with checking permissions for chown. And it appears that with NFS, the permissions are checked on the server side. And if the server is... strange... then it's possible.
-
flow2k over 5 yearsDigressing a little, it's interesting to note that while one can't
chown
a file one owns without sudo, one canchgrp
a file one owns without sudo, provided the new group has one as a member. -
MSalters over 4 years@MikeS: It makes perfect sense; each filesystem has its own idea how users are identified. Windows user identities for instance combine a machine-ID and a relative user-ID. And on network systems like NFS, your local UID is often equally meaningless. Anyone can be root locally.
CAP_CHOWN
is necessary but not sufficient.