Practical UNIX & Internet Security

Chapter 5: The UNIX Filesystem

5.7 chown: Changing a File's Owner

The chown command lets you change the owner of a file. Only the superuser can change the owner of a file under most modern versions of UNIX.

The chown command has the form:

chown [ -fRh ] owner filelist

The -f and -R options are interpreted exactly as they are for the chmod and chgrp commands, if supported. The -h option is a bit different from that of chmod. Under chown, the option specifies that the owner of the link itself is changed and not what the link points to.

Other entries have the following meanings:

owner

The file's new owner; specify the owner by name or by decimal UID.

filelist

The list of files whose owner you are changing.

In earlier versions of UNIX, all users could run the chown command to change the ownership of a file that they owned to that of any other user on the system. This let them "give away" a file. The feature made sharing files back and forth possible, and allowed a user to turn over project directories to someone else.

Allowing users to give away files can be a security problem because it makes a miscreant's job of hiding his tracks much easier. If someone has acquired stolen information or is running programs that are trying to break computer security, that person can simply change the ownership of the files to that of another user. If he sets the permissions correctly, he can still read the results. Permitting file give-aways also makes file quotas useless: a user who runs out of quota simply changes the ownership of his larger files to another user. Worse, perhaps, he can create a huge file and change its ownership to someone else, exceeding the user's quota instantly. If the file is in a directory to which the victim does not have access, he or she is stuck.

The BSD development group saw these problems and changed the behavior of chown so that only the superuser could change ownership of files. This change has led to an interesting situation. When the POSIX group working on a standard was faced with the hard choice of which behavior to pick as standard, they bravely took a stand and said "both." Thus, depending on the setting of a system configuration parameter, your system can use either the old AT&T behavior, or the BSD-derived behavior. We strongly urge you to choose the BSD-derived behavior. Not only does it allow you to use file quotas and keep mischievous users from framing other users, but many software packages you might download from the net or buy from vendors will not work properly if run under the old AT&T-style environment.

NOTE: If your system came to you with the old chown behavior, then ensure that the software was written with that in mind. Be extra careful as you read some of our advice in this book, because a few things we might recommend won't work for you on such a system. Also, be especially cautious about software you might download from the net or buy from a vendor. Most of this software has been developed under BSD-derived systems that limit use of chown to the superuser. Thus, the software might have vulnerabilities when run under your environment.

Do not mix the two types of systems when you are using some form of network filesystem or removable, user-mountable media. The result can be a compromise of your system. Files created using one paradigm may possibly be exploited using another.
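One way to check which chown behavior applies to a given path, as an added example that is not from the book: POSIX exposes the parameter as _POSIX_CHOWN_RESTRICTED, which getconf can query per path, so local, network, and removable filesystems can be compared. The function names and the policy labels are hypothetical.

```shell
#!/bin/sh
# Added example: report whether chown is restricted to the superuser
# (BSD-derived behavior) or file give-away is allowed (old AT&T behavior).

# Map the output of `getconf _POSIX_CHOWN_RESTRICTED <path>` to a label.
classify_chown_value() {
    case $1 in
        '')           echo unknown ;;     # getconf missing or path not readable
        undefined|-1) echo giveaway ;;    # restriction not in effect for this path
        *)            echo restricted ;;  # any other value: only root may chown
    esac
}

# $1 = a path on the filesystem to test
chown_policy() {
    classify_chown_value "$(getconf _POSIX_CHOWN_RESTRICTED "$1" 2>/dev/null)"
}

# Print one "policy path" line per argument; return non-zero if any path
# is not restricted, so the check can be used from a script.
chown_policy_report() {
    rc=0
    for p in "$@"; do
        pol=$(chown_policy "$p")
        printf '%-12s %s\n' "$pol" "$p"
        [ "$pol" = restricted ] || rc=1
    done
    return $rc
}

# Usage (paths are placeholders): chown_policy_report / /home /mnt/removable
```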

Under some versions of UNIX (particularly those that let nonsuperusers chown files), chown will clear the SUID, SGID, and sticky bits. This is a security measure, so that SUID programs are not accidentally created. If your version of UNIX does not clear these bits when using chown, check with an ls -l after you have done a chown to make sure that you have not suddenly created a SUID program that will allow your system's security to be compromised. (Actually, this process is a good habit to get into even if your system does do the right thing.) Other versions of UNIX will clear the execute, SUID, and SGID bits when the file is written or modified. You should determine how your system behaves under these circumstances and be alert to combinations of actions that might accidentally create a SUID or SGID file.

POSIX specifies that when chown is executed on a symbolic link, the ownership of the target of the link is changed instead of the ownership of the link itself. POSIX further specifies that the -R option does not follow symbolic links if they point to directories (but nevertheless changes the ownership of these directories).

On most modern versions of UNIX, there is a -h option to chown (and chgrp and chmod) that instructs the command to not follow the link and to instead change the permissions on the link itself, or to ignore the symbolic link and change nothing. You should understand how this behaves on your system and use it if appropriate.
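The "check with ls -l after a chown" habit described above can be scripted. This is an added example, not code from the book: it runs chown -h on each file and then reads the mode string from ls -ld to see whether a SUID or SGID bit survived. The function names are hypothetical, and it assumes your chown supports -h.

```shell
#!/bin/sh
# Added example: chown files, then verify no set-ID bit is left behind.

# $1 = mode string as printed by ls -l, e.g. "-rwsr-xr-x".
# The owner-execute column (char 4) shows s/S for SUID,
# the group-execute column (char 7) shows s/S for SGID.
setid_from_mode() {
    out=""
    case $(printf '%s' "$1" | cut -c4) in s|S) out="suid" ;; esac
    case $(printf '%s' "$1" | cut -c7) in s|S) out="${out:+$out,}sgid" ;; esac
    printf '%s\n' "${out:-none}"
}

# $1 = path; prints "suid", "sgid", "suid,sgid" or "none".
setid_bits() {
    setid_from_mode "$(ls -ld -- "$1" | cut -d' ' -f1)"
}

# $1 = new owner, remaining arguments = files.
# Returns 0 if every chown succeeded and no set-ID bit remains,
# 1 if a chown failed, 2 if a file is still SUID/SGID afterwards.
chown_checked() {
    owner=$1; shift
    rc=0
    for f in "$@"; do
        before=$(setid_bits "$f")
        # -h: act on a symbolic link itself, not on what it points to
        chown -h -- "$owner" "$f" || { rc=1; continue; }
        after=$(setid_bits "$f")
        if [ "$after" != none ]; then
            printf 'WARNING: %s is still %s after chown (was %s)\n' \
                "$f" "$after" "$before" >&2
            rc=2
        fi
    done
    return $rc
}

# Usage (owner and path are placeholders): chown_checked newowner ./project/*
```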

