I would like to allow users to chmod a file that is owned by root or some user that is not themselves. I have chmod'ed the file to 777 and I get "operation not permitted". I have added the user to the group of the file and get the same. Why can't a user chmod a file they have write access to?
2 Answers
Unix permissions are designed to be simple. You need the read permission to read from a file, the write permission to write to a file, and the execute permission to execute a file. You need to own a file to modify its metadata¹.
Allowing a user who can read a file to grant others the read permission, or allowing a user who can write a file to grant others the write permission, would not change the security model much. That's because unix permissions are discretionary: a user who can read a file can expose its contents to other users, even if these other users would not otherwise be able to read the file (and similarly for writing, the user could act as a proxy and write on behalf of others).
On the other hand, allowing a user to grant permission that it doesn't have would completely break the permission system: the user could grant all permissions to itself.
It's pretty rare to need to change the permissions of a file that you don't own. Usually you should arrange for the file to have the right permissions as soon as it is created. If you really need that, you might give the user sudo chmod rights for a particular mode and a particular file (e.g. joe: ALL = (ALL) chmod g+r /path/to/file).
¹ Except for the access and modification times, which are particular because reading or writing to the file also sets them.
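
The ownership rule described in the answer above, as an added example that is not part of the original answer. The function names are hypothetical, and the only privilege modelled is UID 0 (on Linux the precise rule is the CAP_FOWNER capability).

```shell
#!/bin/sh
# Added example, not from the original answers.
# Assumption: plain POSIX permissions (no richacls); UID 0 is the only
# privileged caller modelled here.

# Print the numeric owner UID of a file using POSIX `ls -n`.
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# may_chmod FILE [UID]: exit 0 if UID (default: caller's effective UID)
# passes the ownership check that chmod applies. The mode bits are
# deliberately never consulted: write access plays no part in the decision.
may_chmod() {
    uid=${2:-$(id -u)}
    [ -e "$1" ] || return 2
    [ "$uid" -eq 0 ] && return 0
    [ "$uid" -eq "$(owner_uid "$1")" ]
}

# report FILE [UID]: print a one-line diagnosis for the given caller.
report() {
    uid=${2:-$(id -u)}
    if may_chmod "$1" "$uid"; then
        verdict="chmod allowed"
    else
        verdict="chmod refused (operation not permitted)"
    fi
    printf '%s: mode=%s owner=%s caller=%s -> %s\n' \
        "$1" "$(ls -ld -- "$1" | cut -c1-10)" "$(owner_uid "$1")" "$uid" "$verdict"
}

# Constructed sample: a world-writable (777) file we own, checked for
# ourselves and for a hypothetical other, unprivileged UID.
demo() {
    f=$(mktemp) || return 1
    chmod 777 "$f"
    other=$(( $(owner_uid "$f") + 1 ))
    report "$f"
    report "$f" "$other"
    rm -f "$f"
}
demo
```

The second line of output shows the refusal for the non-owner even though the mode is 777, which is the situation in the question.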

In my use case there is both a web process (by www-data) and a cli process (by myself), that want to set permissions on a file. I added myself to the www-data group, but this is not sufficient. – donquixote Mar 04 '17 at 23:40
Even changing owner/group to myself:www-data does not help. (I have not designed the mechanism that tries to set the permissions, I have no control over it) – donquixote Mar 04 '17 at 23:42
Why can't a user chmod a file they have write access to?
For the normal access rights this is a design decision. You need richacls: WRITE_ACL and maybe WRITE_OWNER.

@sendmoreinfo The Wikipedia article says that and it obviously has to be read as my answer does not explain what richacls are and how they are used. It's ridiculous to consider a correct answer "not useful" due to this. Especially as there is no equivalent alternative. Next time make an edit if you think such information is necessary. – Hauke Laging May 15 '13 at 12:44
You obviously used the feature, so explain it yourself, in your own words. – sendmoreinfo May 15 '13 at 18:23
@HaukeLaging - please take a look at my related question that has a bounty here: https://unix.stackexchange.com/questions/627572/how-to-apply-and-use-rich-access-control-lists-with-btrfs – MountainX Jan 12 '21 at 20:03
sudo: http://linux.die.net/man/8/sudo & http://linux.die.net/man/5/sudoers – xx4h May 15 '13 at 09:09