
Chown: Not owner

Coolmar
Esteemed Contributor

Chown: Not owner

Hi,

I need my users to be able to chown their files. The reason is that via samba, files are copied from Windows to Unix and on the Unix system the files are owned by their winbind id... therefore, when logged into Unix with their Unix id, they can access their own files.

I have tried setting up the /etc/privgroup file:

group CHOWN

I then ran /etc/setprivgrp -f /etc/privgroup
and getprivgrp -v group showed CHOWN, but still could not use it.

Is there any way users can use chown with HP-UX?
Geoff Wild
Honored Contributor

Re: Chown: Not owner

Better yet - why not force user and group on the samba share?

force user = unixuser1
force group = unixgroup1

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
James R. Ferguson
Acclaimed Contributor

Re: Chown: Not owner

Hi Sally:

Create '/etc/logingroup' in the same format as '/etc/group' (see the 'group(4)' manpages).

Create a link between the two files:

# ln -s /etc/group /etc/logingroup

The 'setprivgrp' simply restricts (or not) a user's or group's ability to use 'chown'.

Regards!

...JRF...
Coolmar
Esteemed Contributor

Re: Chown: Not owner

Geoff,

I force the group name but not the user name because there are many users (in the same group) who write to these shares.

James,

I am not really sure what you mean...create a file called /etc/logingroup with only the group name who can chown; then link that group to /etc/group? But wouldn't that clobber /etc/group?

Sally
Geoff Wild
Honored Contributor

Re: Chown: Not owner

Well - as long as the files are rw by group - and all the users are in that group - then you don't need to worry about chowning. You can use samba to set the permissions as well. In the global section add:

create mask = 0775
force create mode = 0775
directory mask = 0775

Rgds...Geoff

Coolmar
Esteemed Contributor

Re: Chown: Not owner

Geoff,

Yeah, I have all that in too... the problem is that with ArcGIS (which is the application they use) the files have to be owned by their Unix ID, not the winbind name. They can do everything they need but chown the files. Delete/mv/write all work, but they have to chown.
Ken Grabowski
Respected Contributor

Re: Chown: Not owner

In your samba config directory set up a usermap.txt file. In that file map your Windows IDs to Unix, for example:
mywinid = myunixid

In your smb.conf file define the user name map file, for example:

username map = /usr/local/samba/lib/usermap.txt

When a user saves a file to the Samba share on the UNIX system the file ownership will equal their UNIX id.
James R. Ferguson
Acclaimed Contributor

Re: Chown: Not owner

Hi Sally:

From the manpages for 'group(4)' :

/* Begin Quote */

There are two files of this form in the system, /etc/group and /etc/logingroup. The file /etc/group exists to supply names for each group, and to support changing groups by means of the newgrp utility (see newgrp(1)). /etc/logingroup provides a default group access list for each user via login and initgroups() (see login(1) and initgroups(3C)).

...If /etc/logingroup is empty, the default group access list is empty. If /etc/logingroup and /etc/group are links to the same file, the default access list includes the entire set of groups associated with the user.

/* end quote */

Regards!

...JRF...

Coolmar
Esteemed Contributor

Re: Chown: Not owner

Ken,

I tried what you suggested but it didn't work. When I copied the file from Windows to the share it still had my winbind name as the owner. Then when I logged into Unix as my Unix ID, I could not chown the file to my Unix ID.

S.
Geoff Wild
Honored Contributor

Re: Chown: Not owner

You can't have a usermap with winbind - it defeats the purpose of winbind - so it is ignored.

Best solution - ensure the users have the same username for Windows and Unix.

Rgds...Geoff
Coolmar
Esteemed Contributor

Re: Chown: Not owner

Unfortunately, that won't even work because the Windows IDs (and there are around 2000 of them) are longer than 8 characters. HP-UX only allows 8.
Ken Grabowski
Respected Contributor

Re: Chown: Not owner

Geoff is correct about winbind. I'm obviously using a different Samba configuration. However, the CIFS documentation (http://docs.hp.com/en/B8725-90079/index.html) does say that there is a user map file winbind_idmap.tdb for winbind, though depending on your configuration, it may not be used.

If you have the ability to align user IDs between Windows and UNIX, that's great. I've never been able to get the Network guys to follow my HP-UX requirements though, so I use map files.
James R. Ferguson
Acclaimed Contributor

Re: Chown: Not owner

Hi Sally:

I've done a poor job of suggesting a workaround and I apologize. While only root, or the owner of a file, can 'chown', the suggestion I made above was an attempt to circumvent the need. That is, you can grant access in an easier fashion with the 'logingroup' file. Perhaps this helps you and perhaps it doesn't.

Regards!

/* no points please */

...JRF...
Ken Grabowski
Respected Contributor

Re: Chown: Not owner

Just FYI, I'm running Samba 3.0.0. This is the download from samba.org and not the HP-UX CIFS product (it was this way when I got here).

The server is set up with server security using the Win 2K domain controllers to resolve user login. The username map file is used to map Windows account names that don't match the HP-UX login ID, which means for us names that are longer than 8 characters.

While this is more labor than winbind, we do get the correct user id and group when users create files.

After looking at the documentation on winbind, I'm not sure you can do the same kind of mapping. If that is so, your best bet might be to look at chapter 15 of "http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/" and go to the "Interaction with the Standard Samba 'create mask' Parameters" section. This should help you set up some file ownership and group values for the files as they're transferred in through Samba. Individual user files would not be protected from each other, but they could modify the file ownership after the initial creation.

Hope that's of some value to you.
Coolmar
Esteemed Contributor

Re: Chown: Not owner

Thanks for the input. I basically have Samba working how I want it, or the best that I think it is going to work. If I could just give access to users to use CHOWN, that would solve all my problems. Does anyone know of a way of doing this?
Ken Grabowski
Respected Contributor

Re: Chown: Not owner

Well, this would be a real hack... but you could use sudo, or, if you're on 11.23, AccessControl, to give your users the ability to run a root-owned script as the root user.

Write a script that the users run, and inside the script execute the sudo call to run your chown script. Something like:
/usr/local/bin/sudo mychown.sh $FILEPATH

Make sure that mychown.sh will only operate on the predefined Samba directories that you want them to be able to change permissions on.

It would be a good idea to put an audit feature in the script that told you who changed what. You'll probably need that to meet SOX requirements.

Like I said, it's a real hack, but I have used this approach before.
Howard Marshall
Regular Advisor

Re: Chown: Not owner

Sorry to tell you this, but what you are asking is how to defeat Unix permissions security on a full-system basis. The chown command will allow a user to run it; it will, however, only allow them to give a file away, not take ownership of it. Otherwise what's to stop them from taking ownership of root's crontab file or something else that would quickly give them root access to the machine?

I don't have any experience with samba file system exports, but if it's saving files on the HP box in an HP file system then the file will have to have a uid and gid. Perhaps all you have to do is find out what the uids are for your users and give them the same uid in the password file. Then HP-UX would see the files as owned by them and so would samba.

Another possibility is to find out if the application itself has any sort of user name / user id mapping capability in it.

Thirdly, and least desirable, is to write a script that goes out and changes any Windows-id file to the correct Unix id, based on your own uid map. Then run it every 5 min from root's cron or something.

I know that doesn't help you much, but barring a real Unix security kludge I don't think you are going to be able to allow users to take ownership of files without opening a huge security hole.

Wish I had a more positive post

H
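Ken's sudo wrapper is only as safe as the checks inside mychown.sh, and Howard's point above is exactly what those checks have to block: a caller taking ownership of something that is not a share file. The script below is an added example written for this thread, not code from either poster; it assumes it is invoked via sudo (so SUDO_USER names the caller), that the share roots in ALLOWED_ROOTS are constructed placeholder paths, and that AUDIT_LOG is an append-only log for the SOX trail Ken mentions.

```shell
#!/bin/sh
# Added example of a restricted "mychown.sh" sudo wrapper, not from the thread.
# Assumed: run through sudo (SUDO_USER = caller), share roots in ALLOWED_ROOTS
# (constructed placeholder paths) and an append-only audit log in AUDIT_LOG.
ALLOWED_ROOTS="${ALLOWED_ROOTS:-/export/samba/gis}"
AUDIT_LOG="${AUDIT_LOG:-/var/adm/mychown.log}"

audit() {   # audit USER PATH RESULT : one line per attempt, allowed or denied
  printf '%s user=%s path=%s result=%s\n' \
    "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" "$2" "$3" >> "$AUDIT_LOG"
}

# path_allowed PATH : prints the physical path and returns 0 only if PATH is
# not itself a symlink and its directory resolves inside one of ALLOWED_ROOTS,
# so ".." or a symlinked directory cannot walk the check out of the share.
path_allowed() {
  [ -L "$1" ] && return 1
  d=$(cd -P -- "$(dirname -- "$1")" 2>/dev/null && pwd -P) || return 1
  p="$d/$(basename -- "$1")"
  for root in $ALLOWED_ROOTS; do
    r=$(cd -P -- "$root" 2>/dev/null && pwd -P) || continue
    case "$p" in "$r"/*) printf '%s\n' "$p"; return 0 ;; esac
  done
  return 1
}

# file_safe PATH : regular files and directories only; refuse setuid/setgid
# bits and multiply-linked files (a hard link could alias a file from
# outside the share onto a path inside it, which the path check cannot see).
file_safe() {
  if [ ! -f "$1" ] && [ ! -d "$1" ]; then return 1; fi
  if [ -u "$1" ] || [ -g "$1" ]; then return 1; fi
  if [ -f "$1" ] && [ -n "$(find "$1" -prune -links +1)" ]; then return 1; fi
  return 0
}

# mychown PATH : give PATH to the sudo caller only, never to a chosen user.
mychown() {
  [ -n "$SUDO_USER" ] || { audit "-" "$1" DENIED_not_via_sudo; return 3; }
  [ $# -eq 1 ] || { audit "$SUDO_USER" "$*" DENIED_bad_args; return 2; }
  p=$(path_allowed "$1") || { audit "$SUDO_USER" "$1" DENIED_outside_share; return 2; }
  file_safe "$p" || { audit "$SUDO_USER" "$p" DENIED_unsafe_file; return 2; }
  if chown -- "$SUDO_USER" "$p"; then audit "$SUDO_USER" "$p" OK; return 0; fi
  audit "$SUDO_USER" "$p" FAILED; return 1
}

# Only act when executed as the script itself, so it can also be sourced.
case "${0##*/}" in mychown.sh) mychown "$@" ;; esac
```

The matching sudoers entry would grant the group exactly this one script and nothing else, and the script itself never takes a target user from the caller.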
Coolmar
Esteemed Contributor

Re: Chown: Not owner

Well I resorted to SUDO for that group to change ownership of their files. Not the securest thing in the world, but it works for now. HP will try and put a fix for this into their next release of CIFS.