We are trying to count how many files belong to a certain group. Our system administrator told us a "non-owner" can easily change a file's group name to another. I have tried several combinations and was never successful (only ROOT can change the file group to another name).
Does anyone know how "no-owner" can change file group name?
Thanks.
2009/5/12 mcclnx mcc mcclnx@yahoo.com.tw:
Does anyone know how "no-owner" can change file group name?
I believe that is not possible.
What exactly are you trying to accomplish?
Filipe
mcclnx mcc wrote:
We are trying to count how many files belong to a certain group. Our system administrator told us a "non-owner" can easily change a file's group name to another. I have tried several combinations and was never successful (only ROOT can change the file group to another name).
Does anyone know how "no-owner" can change file group name?
If the "no-owner" user has write access to the file they could copy the file to a new file name (thus getting ownership of the file), and overwrite the original file with the new file.
e.g.
[natea@us-cfe002:~]$ ls -l hosts
-rw-r--r-- 1 root root 50 May 12 12:17 hosts
[natea@us-cfe002:~]$ cp hosts hosts_new
[natea@us-cfe002:~]$ ls -l hosts_new
-rw-r--r-- 1 natea natea 50 May 12 12:18 hosts_new
[natea@us-cfe002:~]$ mv hosts_new hosts
mv: overwrite `hosts', overriding mode 0644? y
[natea@us-cfe002:~]$ ls -l hosts
-rw-r--r-- 1 natea natea 50 May 12 12:18 hosts
[natea@us-cfe002:~]$
nate
nate wrote:
mcclnx mcc wrote:
We are trying to count how many files belong to a certain group. Our system administrator told us a "non-owner" can easily change a file's group name to another. I have tried several combinations and was never successful (only ROOT can change the file group to another name).
Does anyone know how "no-owner" can change file group name?
If the "no-owner" user has write access to the file they could copy the file to a new file name (thus getting ownership of the file), and overwrite the original file with the new file.
You need write access in the directory, but only read access to the original file to do this.
on 5-12-2009 12:38 PM Les Mikesell spake the following:
nate wrote:
mcclnx mcc wrote:
We are trying to count how many files belong to a certain group. Our system administrator told us a "non-owner" can easily change a file's group name to another. I have tried several combinations and was never successful (only ROOT can change the file group to another name).
Does anyone know how "no-owner" can change file group name?
If the "no-owner" user has write access to the file they could copy the file to a new file name (thus getting ownership of the file), and overwrite the original file with the new file.
You need write access in the directory, but only read access to the original file to do this.
But if you only have read access to the original file, can you overwrite it?
nate wrote:
Scott Silva wrote:
But if you only have read access to the original file, can you overwrite it?
If you have write access to the directory yes you should be able to, if you only have read access to the directory I would expect not.
Technically, that's not overwriting. That's removing the original and replacing it with another file with the same name. That difference would be significant if there were other hard links to the original file.
On Tue, 2009-05-12 at 17:50 -0500, Robert Nichols wrote:
nate wrote:
Scott Silva wrote:
But if you only have read access to the original file, can you overwrite it?
If you have write access to the directory yes you should be able to, if you only have read access to the directory I would expect not.
Technically, that's not overwriting. That's removing the original and replacing it with another file with the same name. That difference would be significant if there were other hard links to the original file.
Yes. When moving the new file to the old, you are really doing an unlink and link sequence. With write permission in the directory, this is valid. You are controlled by the directory's user/group and permissions, not the target file's.
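What the unlink-and-link sequence described above does to inodes and hard links, as an added example that is not part of any poster's message. The helper names `inode_of` and `replace_by_copy` and the file names are constructed for the demo; because it runs as a single user, it shows the inode change only, not a change of owner.

```shell
#!/bin/sh
# Added illustration; paths and helper names are constructed for this demo.

# Print the inode number of a path (POSIX `ls -i`).
inode_of() { ls -di "$1" | awk '{print $1}'; }

# Replace $1 by copying it and renaming the copy over it, as in the cp/mv
# session earlier in the thread. This needs read access to the file and
# write access to its directory, not write access to the file itself.
replace_by_copy() {
    cp "$1" "$1.new" && mv -f "$1.new" "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    printf 'original\n' > "$dir/hosts"
    chmod 0444 "$dir/hosts"              # file itself is read-only
    ln "$dir/hosts" "$dir/hosts.link"    # second hard link to the same inode

    before=$(inode_of "$dir/hosts")
    replace_by_copy "$dir/hosts"
    after=$(inode_of "$dir/hosts")
    link=$(inode_of "$dir/hosts.link")

    # The name "hosts" now refers to a new inode; the other hard link still
    # refers to the original inode, with its original owner, group and data.
    echo "hosts before: $before"
    echo "hosts after:  $after"
    echo "hosts.link:   $link"
    rm -rf "$dir"
}

demo
```
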
When we migrated from HPUX to Redhat we noticed this. I opened a case and we determined that you could not do this with the standard chgrp or chown commands if you are not root. The reason I was given is to keep people from getting around the disk quota stuff.
A listing in one of the redhat forums stated that there was an option in one of the .h files that determined if this was allowed. You had to recompile your kernel to get this to work.
We did some workarounds with sudo to get the necessary functionality.
_____________________________________
"He's no failure. He's not dead yet." William Lloyd George

-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Robert Nichols
Sent: Tuesday, May 12, 2009 6:51 PM
To: centos@centos.org
Subject: Re: [CentOS] can non-owner change file group setup?
nate wrote:
Scott Silva wrote:
But if you only have read access to the original file, can you overwrite it?
If you have write access to the directory yes you should be able to, if you only have read access to the directory I would expect not.
Technically, that's not overwriting. That's removing the original and replacing it with another file with the same name. That difference would be significant if there were other hard links to the original file.
nate wrote:
Scott Silva wrote:
But if you only have read access to the original file, can you overwrite it?
If you have write access to the directory yes you should be able to, if you only have read access to the directory I would expect not.
nope.
[pierce@xxxx test]$ grep pierce /etc/group
postgres:x:26:pierce
pierce:x:503:
[pierce@xxxx test]$ touch x
[pierce@xxxx test]$ ls -la
total 8
drwxrwxr-x 2 pierce pierce 4096 May 13 07:58 .
drwxr-xr-x 37 pierce root 4096 May 13 07:57 ..
-rw-rw-r-- 1 pierce pierce 0 May 13 07:58 x
[pierce@xxxx test]$ chgrp postgres x
chgrp: changing group of `x': Operation not permitted
Hi,
On Wed, May 13, 2009 at 11:01, John R Pierce pierce@hogranch.com wrote:
nope.
[pierce@xxxx test]$ grep pierce /etc/group
postgres:x:26:pierce
pierce:x:503:
[pierce@xxxx test]$ touch x
[pierce@xxxx test]$ ls -la
total 8
drwxrwxr-x 2 pierce pierce 4096 May 13 07:58 .
drwxr-xr-x 37 pierce root 4096 May 13 07:57 ..
-rw-rw-r-- 1 pierce pierce 0 May 13 07:58 x
[pierce@xxxx test]$ chgrp postgres x
chgrp: changing group of `x': Operation not permitted
It would work if user "pierce" belonged to group "postgres".
But it only works if you are the owner of the file. If you belong to the group the file belongs to, it does not work.
I would say the best way to handle group ownership in Linux (and Unix) is to make sure files are originally created with the correct groups (possibly by using setgid directories).
HTH, Filipe
Filipe Brandenburger wrote:
Hi,
On Wed, May 13, 2009 at 11:01, John R Pierce pierce@hogranch.com wrote:
nope.
[pierce@xxxx test]$ grep pierce /etc/group
postgres:x:26:pierce
pierce:x:503:
[pierce@xxxx test]$ touch x
[pierce@xxxx test]$ ls -la
total 8
drwxrwxr-x 2 pierce pierce 4096 May 13 07:58 .
drwxr-xr-x 37 pierce root 4096 May 13 07:57 ..
-rw-rw-r-- 1 pierce pierce 0 May 13 07:58 x
[pierce@xxxx test]$ chgrp postgres x
chgrp: changing group of `x': Operation not permitted
It would work if user "pierce" belonged to group "postgres".
Um, I do, I showed that up there.
But it only works if you are the owner of the file. If you belong to the group the file belongs to, it does not work.
I was both owner of file AND member of both from and to groups, AND had write access to the directory. still doesn't allow it. CentOS 5.3, btw.
I would say the best way to handle group ownership in Linux (and Unix) is to make sure files are originally created with the correct groups (possibly by using setgid directories).
I concur.
On Wed, May 13, 2009 at 11:18, John R Pierce pierce@hogranch.com wrote:
Filipe Brandenburger wrote:
[pierce@xxxx test]$ grep pierce /etc/group
postgres:x:26:pierce
pierce:x:503:
It would work if user "pierce" belonged to group "postgres".
Um, I do, I showed that up there.
I was both owner of file AND member of both from and to groups, AND had write access to the directory. still doesn't allow it. CentOS 5.3, btw.
Did you just add yourself to that group? The processes you run will not know you are a member of that group until you logout and login again (open new SSH session, etc.).
When you issue the "id" command (with no parameters), does it include the "postgres" group?
HTH, Filipe
Filipe Brandenburger wrote:
Did you just add yourself to that group? The processes you run will not know you are a member of that group until you logout and login again (open new SSH session, etc.).
When you issue the "id" command (with no parameters), does it include the "postgres" group?
ah, yes, I had just added that in another root shell. you're right, I logged out and back in, and yes, it -does- work...
[pierce@xxxx test]$ id
uid=503(pierce) gid=503(pierce) groups=26(postgres),503(pierce)
[pierce@xxxx test]$ ls -la
total 8
drwxrwxr-x 2 pierce pierce 4096 May 13 07:58 .
drwxr-xr-x 37 pierce root 4096 May 13 07:57 ..
-rw-rw-r-- 1 pierce pierce 0 May 13 07:58 x
[pierce@xxxx test]$ chgrp postgres x
[pierce@xxxx test]$ ls -la
total 8
drwxrwxr-x 2 pierce pierce 4096 May 13 07:58 .
drwxr-xr-x 37 pierce root 4096 May 13 07:57 ..
-rw-rw-r-- 1 pierce postgres 0 May 13 07:58 x
2009/5/12 mcclnx mcc mcclnx@yahoo.com.tw:
We are trying to count how many files belong to a certain group. Our system administrator told us a "non-owner" can easily change a file's group name to another. I have tried several combinations and was never successful (only ROOT can change the file group to another name).
Does anyone know how "no-owner" can change file group name?
In general this is disallowed!
The reason is that in a system with quotas the common abuse tactic was to give files away to someone else yet hide them down inside your own directory. By giving files away you might never go over quota. Worse the poor other guy cannot find out why he is over quota. Some things may be possible with very open directory permissions.
If directory permissions are wide open (777) it is possible to take ownership of a file indirectly by making a copy then deleting the original. This is not possible on dirs where the T bit is set.
$ ls -ld /tmp
drwxrwxrwt 39 root root 4096 2009-05-15 21:48 /tmp
Also if you are in a multi group situation you can move files between groups that you are a member of. This multi group case makes sense from the accounting point of view.
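For the original goal of counting files per group, an added audit sketch (not from any poster in this thread): it tallies regular files by numeric group ID and lists the directories where the copy-and-rename replacement discussed above is possible, namely those writable by group or others without the sticky bit. The function names `count_by_group` and `replaceable_dirs` are constructed for this example.

```shell
#!/bin/sh
# Added illustration; function names are constructed for this example.

# Count regular files under $1 per owning group.
# Output: one "<count> <gid>" line per group (numeric gid from `ls -n`).
count_by_group() {
    find "$1" -type f -exec ls -ldn {} + \
        | awk '{print $4}' | sort -n | uniq -c | awk '{print $1, $2}'
}

# List directories under $1 that are writable by group or others and do
# not have the sticky (T) bit. Any user holding that write permission can
# remove and re-create entries there, so files can end up with a different
# owner and group than the ones they were counted under.
replaceable_dirs() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) ! -perm -1000 -print
}

# Report on the directory given as first argument (default: current dir).
audit() {
    echo "files per gid under $1:"
    count_by_group "$1"
    echo "directories without sticky bit, writable by group/others:"
    replaceable_dirs "$1"
}

audit "${1:-.}"
```

Group counts taken from a tree that `replaceable_dirs` reports on can drift without anyone running `chgrp`, so those directories are the first place to add the sticky bit or a setgid group.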