Operating System - Linux
1748136 Members
3502 Online
108758 Solutions
New Discussion юеВ

Re: Cannot chown as a user

 
SOLVED
Go to solution
Michael Williams_6
Trusted Contributor

Cannot chown as a user

Right, I'm completely stuck here...

I've got several new Linux systems, and I'm unable to chown files as users, even if the user owns the file. We're running SLES8, fully patched. We're running a shoddy ksh compiled from source, with an in-built chown, but the problem also occurs with /bin/chown. It also happens with bash, so something is wrong somewhere.

We're using the reiserfs filesystem, and are in a NIS domain that is served by a SCO system.

Here's an indication of the problem, I'm trying to chown a file I own, in a directory I own to someone else:

michaelw@linpo: pwd
/tmp/miketest
michaelw@linpo: ls -l
total 0
-rw-rw-r-- 1 michaelw alch 0 2004-05-10 10:35 testfile
michaelw@linpo: ls -ld .
drwxrwxr-x 2 michaelw alch 72 2004-05-10 10:35 .
michaelw@linpo: /bin/chown webuser testfile
/bin/chown: changing ownership of `testfile': Operation not permitted
michaelw@linpo: mount
/dev/ida/c0d0p2 on / type reiserfs (rw)
michaelw@linpo: grep c0d0p2 /etc/fstab
/dev/ida/c0d0p2 / reiserfs defaults 1 1
michaelw@linpo: ls -l /bin/chown
-rwxr-xr-x 1 root root 20024 2002-10-16 14:01 /bin/chown
michaelw@linpo: lsattr testfile
--------------- testfile
michaelw@linpo: ypmatch michaelw passwd
michaelw:JCB19sWGJFrMw:456:100:Michael Williams:/homes/michaelw:/bin/ksh
michaelw@linpo: ypmatch webuser passwd
webuser:tpdPZ9BoF33U.:513:202:Web User Account:/homes/webuser:/bin/ksh

Anybody got any ideas? strace's are available, but mean bugger all to me!

Cheers for any help!

Mike
16 REPLIES 16
Alexander Chuzhoy
Honored Contributor

Re: Cannot chown as a user

As far as I remember -root is the only one who can...
Michael Williams_6
Trusted Contributor

Re: Cannot chown as a user

I can't believe that, even on security grounds, I own the file!

If the file is owned by someone else, and I touch it, then I become the owner, so it must be possible!
Alexander Chuzhoy
Honored Contributor

Re: Cannot chown as a user

anyway if you SUID the command:
chmod +s /bin/chown

then it works...
Michael Williams_6
Trusted Contributor

Re: Cannot chown as a user

Cheers, but no:

michaelw@linpo: ls -l /bin/chown
-rwxr-xr-x 1 root root 20024 2002-10-16 14:01 /bin/chown
michaelw@linpo: sudo chmod +s /bin/chown
Password:
michaelw@linpo: ls -l /bin/chown
-rwsr-sr-x 1 root root 20024 2002-10-16 14:01 /bin/chown
michaelw@linpo: chown webuser testfile
-ksh: chown: testfile: cannot change owner [Operation not permitted]
Mark Grant
Honored Contributor

Re: Cannot chown as a user

If you have "capabilities" installed and set up then the entire security paradigm changes. Root does not necessarily have permissions to change a file and neither do you, even if you own it.

If you really have "capabilites" installed and you don't want it, you will need a kernel compile to get rid of it probably.

It's a big subject but you could start here.

http://www.linuxsecurity.com/feature_stories/kernel-24-security.html
Never preceed any demonstration with anything more predictive than "watch this"
Michael Williams_6
Trusted Contributor

Re: Cannot chown as a user

Mark,

I think you're on the right track here, we're running Kernel 2.4.19, which is the unpatched stock default that comes with SLES8, but the behaviour also occurs on patched kernels.

Having used Linux for a couple of months, this is all pretty new to me, doing google on Linux Capabilities pointed me to the /usr/include/linux/capability.h file which does contain this line:

#define CAP_CHOWN 0

It also mentions /proc/sys/kernel/cap-bound, but this is set to -257.

While this is all well and good it's not in english! Does this mean that CAP_CHOWN is in place, or does it mean it's not? If it is in place, how do I re-enable it?!

I don't appear to have lcap on the system, there's no man page and it's not in roots path...
Michael Williams_6
Trusted Contributor

Re: Cannot chown as a user

Ignore my last comment, further searching shows capabilities don't appear to be enabled:

linpo:/tmp/miketest # getcap testfile
Failed to get capabilities for file `testfile'
(Function not implemented)
Mark Grant
Honored Contributor

Re: Cannot chown as a user

I think we are on dodgy ground here because as someone who worked on a C1/B2 secure unix for a year or so, I absolutley loath capabilities and have never set them up. However, my /proc/sys/kernel/cap-bound says the same as yours.

If you are using stock kernels then capabilities should not be in use. Can you confirm that if you create a file now, you can not change it's ownership or is it a file that already exists that you have this problem on?
Never preceed any demonstration with anything more predictive than "watch this"
Michael Williams_6
Trusted Contributor

Re: Cannot chown as a user

Hi Mark, this happens with both new and old files alike...