bug-fileutils

Re: chown problem


From: Bob Proulx
Subject: Re: chown problem
Date: Thu, 5 Apr 2001 01:42:57 -0600

> From HP-UX unix system I am used to, that I can donate a file to another

It used to be that other systems allowed that too.  I think HP-UX is
one of the last that still allow that by default.  And HP-UX can
optionally be configured to behave "normally" with /etc/privgroup to
disallow chown like other modern operating systems.  So it is still
possible for the sysadmin to fix this.  IMNHO it should come that way
by default, the other way around, instead of the way it does.  That is
the way I configure my HP-UX systems and I recommend it.

> user. That file is then out of my control of course. That makes sense,
> when I want to share a file with someone privately and both can work on
> it. I link it hard and give the "copy" away.

Hard links all point to the same actual file and a single file can
only have one owner.  If you change it or the mode then all links to
it will reflect that change.

> When I call chown as normal user, I get the error message that this
> operation is not allowed. It only works as user root.

That is the modern policy.  Allowing chown by anyone is the old System
V way of thinking from when everyone was an expert, was completely
friendly and had superuser on the system anyway so why not?

> I think that chown is not working correctly. It should be that way, that
> user root can change the ownership of files without limitation as it is
> now and users should be able to give files to others away only.

Actually, the GNU chown command does not know if this is the policy of
the system or not.  It calls the kernel chown command.  If the OS
allows it then it will change the ownership of the file.  Different
systems handle this differently.  Traditional System V UNIX systems
allow anyone to give a file away to other owners.  On those systems
GNU chown does change the ownership of files.

On most modern systems BSD semantics are followed and only root can
change the ownership of the file.  The problem for documenting this is
that GNU chown does not know which it will be running on.  And in fact
the policy can be different for different users and can change
dynamically as the system runs.  This is really an OS policy decision
and it is hard to track documentation to be different on different
systems.

The reason to restrict ownership is mostly threefold.  One is that
people have used this to avoid quota restrictions.  Give the file to
someone (like root) with disk quota to spare.  Two is that you can
deny someone service by using all of their quota.  Give files to a
user until you fill up their quota.  Now they don't even know where
those files are and are denied service.  Three is that a user can
create files that cannot be removed except by the owner and then
change the owner.  That puts them into a state that only the superuser
can fix.  Because of these reasons and others most systems today have
changed the policy to disallow giving file ownership away.  But it has
not always been that way.

> Suggestions I got from the news group people to use the s-bit are not
> acceptable due to security reasons.

Good thinking.  That would open a HUGE hole.  Besides, it would only
be partially effective anyway.  Setting chown suid would not help tar,
for example, from being able to call chown(2) to give files away when
tarballs are unpacked.

Bob
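
Added example, not part of the original message: a C sketch that asks the OS whether chown(2) give-away is restricted for a path, using POSIX pathconf() with _PC_CHOWN_RESTRICTED, and confirms that two hard links to a file report one inode and one owner. The function names and the /tmp scratch path are constructed for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 = give-away restricted to privileged processes, 0 = unrestricted
   (traditional System V behaviour), -2 = pathconf() failed. */
int chown_restricted(const char *path)
{
    errno = 0;
    long r = pathconf(path, _PC_CHOWN_RESTRICTED);
    if (r == -1)
        return errno == 0 ? 0 : -2;  /* -1 with errno untouched: no restriction */
    return 1;                        /* any other value, including 0: restricted */
}

/* Creates a scratch file plus a hard link and compares what stat() reports
   for both names. Returns 1 if same inode and owner, 0 if not, -1 on error. */
int hardlinks_share_owner(void)
{
    char a[] = "/tmp/chown_demo_XXXXXX";  /* constructed scratch path */
    char b[sizeof a + 8];
    struct stat sa, sb;
    int ok = -1;
    int fd = mkstemp(a);
    if (fd < 0)
        return -1;
    close(fd);
    snprintf(b, sizeof b, "%s.link", a);
    if (link(a, b) == 0) {
        if (stat(a, &sa) == 0 && stat(b, &sb) == 0)
            ok = sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino &&
                 sa.st_uid == sb.st_uid && sa.st_nlink == 2;
        unlink(b);
    }
    unlink(a);
    return ok;
}

int main(void)
{
    int r = chown_restricted(".");
    printf("chown give-away on '.': %s\n",
           r == 1 ? "restricted" : r == 0 ? "allowed" : "unknown");
    printf("hard links share inode and owner: %d\n", hardlinks_share_owner());
    return 0;
}
```

The restricted case is tested as "not -1" rather than "greater than zero" because some C libraries return 0 for this option when the restriction is in force.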


