
Chown: Not owner

 
Coolmar
Esteemed Contributor

Re: Chown: Not owner

Unfortunately, that won't even work because the Windows IDs (and there are around 2000 of them) are longer than 8 characters. HP-UX only allows 8.
Ken Grabowski
Respected Contributor

Re: Chown: Not owner

Geoff is correct about winbind. I'm obviously using a different Samba configuration. However, the CIFS documentation (http://docs.hp.com/en/B8725-90079/index.html) does say that there is a user map file winbind_idmap.tdb for winbind, though depending on your configuration, it may not be used.

If you have the ability to align user IDs between Windows and UNIX, that's great. I've never been able to get the Network guys to follow my HP-UX requirements though, so I use map files.
James R. Ferguson
Acclaimed Contributor

Re: Chown: Not owner

Hi Sally:

I've done a poor job of suggesting a workaround and I apologize. While only root, or the owner of a file, can 'chown', the suggestion I made above was an attempt to circumvent the need. That is, you can grant access in an easier fashion with the 'logingroup' file. Perhaps this helps you and perhaps it doesn't.

Regards!

/* no points please */

...JRF...
Ken Grabowski
Respected Contributor

Re: Chown: Not owner

Just FYI, I'm running Samba 3.0.0. This is the download from samba.org and not the HP-UX CIFS product (it was this way when I got here).

The server is set up with server security, using the Win 2K domain controllers to resolve user login. The username map file is used to map Windows account names that don't match the HP-UX login ID, which for us means names that are longer than 8 characters.

While this is more labor than winbind, we do get the correct user id and group when users create files.

After looking at the documentation on winbind, I'm not sure you can do the same kind of mapping. If that is so, your best bet might be to look at chapter 15 of "http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/" and go to the "Interaction with the Standard Samba 'create mask' Parameters" section. This should help you set up some file ownership and group values for the files as they're transferred in through Samba. Individual user files would not be protected from each other, but they could modify the file ownership after the initial creation.

Hope that's of some value to you.
Coolmar
Esteemed Contributor

Re: Chown: Not owner

Thanks for the input. I basically have Samba working how I want it, or the best that I think it is going to work. If I could just give access to users to use CHOWN, that would solve all my problems. Does anyone know of a way of doing this?
Ken Grabowski
Respected Contributor

Re: Chown: Not owner

Well, this would be a real hack... but you could use sudo, or if you're on 11.23 AccessControl, to give your users the ability to run a root-owned script as the root user.

Write a script that the users run, and inside the script execute the sudo call to run your chown script. Something like:
/usr/local/bin/sudo mychown.sh $FILEPATH

Make sure the mychown.sh will only operate on the predefined Samba directories that you want them to be able to change permissions on.

It would be a good idea to put an audit feature in the script that told you who changed what. You'll probably need that to meet SOX requirements.

Like I said, it's a real hack, but I have used this approach before.
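A restricted mychown.sh of the kind Ken describes, written as an added example for this thread rather than code from the thread, from Samba or from HP. It assumes that sudo runs the script as root and exposes the invoking login in SUDO_USER, that the only share users may reclaim files in is the placeholder directory /export/samba (ALLOWED_ROOT), and that an audit line per attempt goes to the placeholder file /var/adm/mychown.log. The point it adds to the post is what "only operate on the predefined Samba directories" has to mean in practice: the path is canonicalised before the directory check so that ../ tricks do not escape the share, symlinks are refused outright rather than followed, only regular files qualify, and the new owner is always the caller, so nobody can hand a file to root or to another user.

```shell
#!/bin/sh
# mychown.sh: restricted chown meant to be invoked through sudo.
# Added example; ALLOWED_ROOT and AUDIT_LOG are placeholders, not the thread's paths.
ALLOWED_ROOT="${ALLOWED_ROOT:-/export/samba}"
AUDIT_LOG="${AUDIT_LOG:-/var/adm/mychown.log}"

# canonical_path PATH: print the canonical form of PATH without following a
# symlink at the final component (HP-UX has no realpath(1), so cd -P/pwd -P
# does the resolving of the directory part).
canonical_path() {
    dir=$(dirname -- "$1") && base=$(basename -- "$1") || return 1
    dir=$(cd -P -- "$dir" 2>/dev/null && pwd -P) || return 1
    [ -L "$dir/$base" ] && return 1          # refuse symlinks: no escaping the share
    printf '%s\n' "$dir/$base"
}

# check_target PATH: print the canonical path if it is a regular, non-symlink
# file inside ALLOWED_ROOT; otherwise return non-zero and print nothing.
check_target() {
    root=$(cd -P -- "$ALLOWED_ROOT" 2>/dev/null && pwd -P) || return 1
    target=$(canonical_path "$1") || return 1
    case "$target" in
        "$root"/*) ;;                        # inside the share
        *) return 1 ;;
    esac
    [ -f "$target" ] || return 1             # directories, devices etc. are out
    printf '%s\n' "$target"
}

# valid_user NAME: accept only a plain login name (no spaces, no shell metacharacters).
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# audit MESSAGE: one timestamped line per attempt, success or denial.
audit() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$AUDIT_LOG"
}

# take_ownership CALLER PATH: give PATH to CALLER after the checks above.
# Return codes: 2 bad caller, 3 path refused, 4 chown itself failed.
take_ownership() {
    caller=$1
    valid_user "$caller" || { audit "DENY bad caller '$caller'"; return 2; }
    target=$(check_target "$2") || { audit "DENY $caller path '$2'"; return 3; }
    # The new owner is always the person who asked, never a name they supply.
    if chown -- "$caller" "$target"; then
        audit "OK $caller now owns $target"
    else
        audit "FAIL $caller chown $target"
        return 4
    fi
}

main() {
    [ $# -eq 1 ] || { echo "usage: mychown.sh FILE" >&2; exit 1; }
    [ -n "$SUDO_USER" ] || { echo "mychown.sh must be run via sudo" >&2; exit 1; }
    take_ownership "$SUDO_USER" "$1"
}

# Only run main when executed as the script itself, so the functions can be sourced.
case "$0" in */mychown.sh|mychown.sh) main "$@" ;; esac
```

The matching sudoers entry would grant the Samba users' group exactly this one command and nothing else; the audit log then gives the "who changed what" record the post mentions.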
Howard Marshall
Regular Advisor

Re: Chown: Not owner

Sorry to tell you this, but what you are asking is how to defeat UNIX permissions security on a full-system basis. The chown command will allow a user to run it; it will, however, only allow them to give a file away, not take ownership of it. Otherwise, what's to stop them from taking ownership of root's crontab file, or something else that would quickly give them root access to the machine?

I don't have any experience with Samba file system exports, but if it's saving files on the HP box in an HP file system, then the file will have to have a uid and gid. Perhaps all you have to do is find out what the uids are for your users and give them the same uid in the password file. Then HP-UX would see the files as owned by them, and so would Samba.

Another possibility is to find out if the application itself has any sort of user name to user ID mapping capability in it.

Thirdly, and least desirable, is to write a script that goes out and changes any Windows-ID file to the correct UNIX ID, based on your own uid map. Then run it every 5 min from root's cron or something.

I know that doesn't help you much, but barring a real UNIX security kludge, I don't think you are going to be able to allow users to take ownership of files without opening a huge security hole.

Wish I had a more positive post

H
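Howard's third option, the cron-driven fix-up from a uid map, as an added example that is not code from the thread, from Samba or from HP. The map file format is an assumption made for this example: one "windows_uid unix_login" pair per line with '#' comments. The script runs as a dry run unless APPLY=1, which is the caveat worth building in: a root cron job that rewrites ownership every five minutes should be reviewable before it is trusted, and any uid that is not in the map is reported rather than guessed at, since a wrong guess hands a file to the wrong person.

```shell
#!/bin/sh
# reconcile_owners.sh: bring file ownership on a Samba share in line with a
# uid map. Added example; the map format and paths are assumptions.

# map_lookup MAPFILE WINUID: print the UNIX login for WINUID, or return 1.
map_lookup() {
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
        $1 == want { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# list_owners DIR: emit "uid<TAB>path" for every regular file under DIR.
# ls -n is used for the numeric uid because stat(1) differs between HP-UX,
# Linux and BSD; paths containing newlines are not handled.
list_owners() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        uid=$(ls -nd "$f" | awk '{print $3}')
        printf '%s\t%s\n' "$uid" "$f"
    done
}

# plan_fixes MAPFILE < listing: for each "uid<TAB>path" line whose uid is in
# the map, emit "login<TAB>path"; unmapped uids go to stderr and are left alone.
plan_fixes() {
    map=$1
    tab=$(printf '\t')
    while IFS="$tab" read -r uid path; do
        if owner=$(map_lookup "$map" "$uid"); then
            printf '%s\t%s\n' "$owner" "$path"
        else
            printf 'unmapped uid %s: %s\n' "$uid" "$path" >&2
        fi
    done
}

# apply_fixes < plan: run the chowns from a plan; only reached with APPLY=1.
apply_fixes() {
    tab=$(printf '\t')
    while IFS="$tab" read -r owner path; do
        chown -- "$owner" "$path"
    done
}

# reconcile MAPFILE DIR: dry run prints the plan; APPLY=1 executes it.
reconcile() {
    if [ "${APPLY:-0}" = 1 ]; then
        list_owners "$2" | plan_fixes "$1" | apply_fixes
    else
        list_owners "$2" | plan_fixes "$1"
    fi
}

case "$0" in */reconcile_owners.sh|reconcile_owners.sh) reconcile "$@" ;; esac
```

Run it by hand first (reconcile /etc/uidmap /export/samba, both placeholders) and read the plan and the unmapped-uid report; only once the map is complete does the APPLY=1 form belong in root's crontab. Note that it never touches files whose uid is already a mapped UNIX login, because those uids are not keys in the map, and that there is still a window of up to one cron interval in which a freshly written file carries the wrong owner.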
Coolmar
Esteemed Contributor

Re: Chown: Not owner

Well I resorted to SUDO for that group to change ownership of their files. Not the securest thing in the world, but it works for now. HP will try and put a fix for this into their next release of CIFS.