Observing the old Unix wisdom, I have always been cautious with sudo and
avoided using it when not really necessary. Here I'm describing a trick
to replace sudo chown with a sudoless command (in some cases).
It's really annoying when a group of users want to use a shared
computing environment the way old Unixers intended it to be used: sharing
files by giving each other file permissions for collaboration. The base
tooling for this is admittedly not that complete, so over time several
application-level solutions emerged to help users collaborate (VCS,
shared drives, "cloud" drives, etc.). Meanwhile the mandatory owner, group
owner and permission bits lost prominence and came to be treated more
like "just be careful that no other system user can access the file
except its owner (who is most likely the only human user of the system),
otherwise it may be leaked by a compromised system service" whenever the
user's files are created or copied. Thus default g-w,o-rwx permission
bits and ignored SGID directories are common nowadays, and people armed
with fresh knowledge of "the Unix way" of shared-environment file
management are just upset that it does not work right.
Let's see my tool which helps in such situations.
It's not a 0-day or any other sudo vulnerability, just a well-known
behavior of POSIX filesystem semantics. You know that write permission on
the directory is enough to rename or delete files which are not yours?
And that rename plus directory write is enough to take ownership of a
file? The takeown tool does it for you. Someone dropped a file into your
g+w "collaboration" directory, but his "cp" preserved the group owner, so
your SGID bit went ineffective and the file ended up g=r--,o=r--?
You cannot chmod it, because you do not own it, but you can copy it,
delete the original, then rename the copy back! This is what takeown
does, and more of course, because I did not consider these 3 steps alone
so challenging that they deserve a robust script, let alone a blog post.
It can recurse, preserve or ignore (some) attributes, and revert on error
too. (If it's g-r,o-r then you are probably out of luck and have to
coordinate with the other person.)
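To show the mechanics, here is an added minimal re-implementation of the trick in POSIX sh (my own illustration, not the takeown script from the repository). It assumes nothing beyond sh, cp, mv and rm, and it reorders the three steps (rename aside, copy back under the old name, unlink the original) so that any failure can be reverted without losing the file.

```shell
#!/bin/sh
# takeown_lite: hypothetical minimal version of the copy/delete/rename trick.
# Not the takeown script from git.uucp.hu; assumes only POSIX sh, cp, mv, rm.
set -u

takeown_lite() {
    f=$1
    dir=$(dirname "$f")
    base=$(basename "$f")
    aside="$dir/.takeown.$base.$$"

    [ -f "$f" ] || { echo "takeown_lite: not a regular file: $f" >&2; return 1; }
    [ -d "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ] ||
        { echo "takeown_lite: need w+x on directory $dir" >&2; return 1; }

    # Step 1: rename needs only w+x on the directory, not ownership of the
    # file. It fails if the directory has the sticky bit set and the file
    # is not ours, which is exactly what that bit is for.
    mv "$f" "$aside" || return 1

    # Step 2: the copy is a new inode: our uid, the source mode filtered by
    # our umask, and the directory's group if the directory is SGID.
    if ! cp "$aside" "$f"; then
        mv "$aside" "$f"   # revert: put the original back under its name
        return 1
    fi

    # Step 3: unlink the original, again a directory-level operation.
    if ! rm -f "$aside"; then
        rm -f "$f" && mv "$aside" "$f"   # revert: drop our copy, restore original
        return 1
    fi
    return 0
}
```

After a successful run the file is ours, so a plain chmod on it works; a directory with the sticky bit (like /tmp) makes step 1 fail and the script leaves everything untouched.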
Check out takeown at http://git.uucp.hu/sysop/tools.git!