Changing Ownership

Files have two kinds of ownersthe user owner and the group owner. Only root can change a file's user ownership. You cannot "give away" a file.

In order to change a file's group ownership, you must be both the file's user owner and a member of the new group, or you must perform the change as root. Furthermore, when a file's group ownership is changed, the setuid and setgid properties are removed unless the change was made by root. This avoids some potential security problems (see the sidebar "What the setuid and setgid Properties Do" for more on this).

Group ownership can be changed using either the chgrp ( change group ) or chown ( change owner ) command.

To change the group ownership using chgrp:

• chgrp newgroup file
  
  For example,
  
  chgrp www index.html
  
  changes the group ownership of file index.html to www. You must be the file's owner and a member of the new group to perform this. Figure 8.20 shows an example of changing the group ownership of a file using chgrp . Table 8.7 shows the options for the chgrp and chown commands.
  
  

  Figure 8.20. Using chgrp to change the group ownership of a file.

   localhost:~/Sites vanilla$  groups  vanilla appserveradm appserverusr admin www localhost:~/Sites vanilla$  ls -l index.html  -rw-r--r--     1 vanilla   vanilla   5754 Jan 17 14:18 index.html localhost:~/Sites vanilla$  chgrp www index.html  localhost:~/Sites vanilla$  ls -l index.html  -rw-r--r--     1 vanilla   www       6186 Apr 30 2001 index.html  localhost:~/Sites vanilla$ 

  
  

  Table 8.7. Options for the chgrp and chown Commands

  O PTION	M EANING
  -R	Makes changes recursively. Used when changing permissions on a directory and everything it contains. The next three options only work in combination with the -R option. Only one of the following may be used. If more than one is used, the last one on the command line takes precedence.
  -H	If the -R option is specified, symbolic links on the command line are followed. (Symbolic links encountered in the directory traversal are not followed.) See Chapter 5 for more on symbolic links.
  -L	If the -R option is specified, all symbolic links are followed.
  -P	If the -R option is specified, no symbolic links are followed.
  -f	Ignore errors (force silence). This option squelches error messages resulting from inadequate permissionsfor example, if you try to change the group ownership to a group to which you do not belong.

  
  

To change the group ownership using chown:

• chgrp : newgroup file
  
  For example,
  
  chown :web index.html
  
  The only difference between using this and using chgrp is the addition of the colon before the group name . The reason for this funny syntax is that the chown command is designed to change the user ownership and/or the group ownership of a file, and the first argument to chown is in the form
  
  user : group
  
  However, you can leave out the user or group portion to change only one or the other. If you leave out the user portion, you must still use the colon. See the next task for how to use chown to change the user ownership (which may be done only by root).
  
  

As we've mentioned above, a file's user ownership can be changed only by the root user. On Mac OS X the standard way to perform a command as root is to use the sudo command. The following task shows how to change a file's user ownership using sudo and chown . (See Chapter 11 for more on sudo .)

To change the user ownership using chown:

1.

sudo chown newuser file For example, sudo chown whitney index.html changes the user ownership of the file index.html to whitney. The sudo command requires that you enter your password if you haven't used it within the last five minutes. What the setuid and setgid Properties Do If an executable file such as a script has the setuid property turned on, and if the file is executable by users other than the owning user (group or other executable), then when the program is run by someone other than the owning user, the process has the same permission as the owning user. This means you can create a script that alters files on which only you normally have write permission, and you can allow other people to run that script. Obviously this can be both useful and dangerous, like giving out the keys to your house. A similar situation occurs with setgid permission: The process runs with the permission of the owning group. When a user (other than root) changes the group that a file belongs to and setuid and setgid properties are removed, the properties must be reset as a security precaution. This helps avoid accidentally giving too much power to other users. If you truly want the file to have setuid or setgid permission, after changing its group you must reset the setuid and/or setgid permission.

2.

Enter your password if asked. The command is executed after you enter your password and press . Figure 8.21 shows before and after views of using this command line. Figure 8.21. Using chown to change a file's user ownership. localhost:~/Sites ls -l index.html -rw-r--r-- 1 vanilla vanilla 5754 Jan 17 14:18 index.html localhost:~/Sites sudo chown whitney index.html Password: localhost:~/Sites ls -l index.html -rw-r--r-- 1 whitney vanilla 5754 Jan 17 14:18 index.html localhost:~/Sites

To change the user and group ownership simultaneously :

1.

sudo chown newuser : newgroup file For example, sudo chown vanilla:www index.html

2.

Enter your password if asked. The command is executed when you enter your password and press . Figure 8.22 shows the before and after of this command line. Figure 8.22. Using chown to simultaneously change the user and group ownership. localhost:~/Sites ls -l index.html -rw-r--r-- 1 whitney vanilla 5754 Jan 17 14:18 index.html localhost:~/Sites sudo chown vanilla:www index.html Password: localhost:~/Sites ls -l index.html -rw-r--r-- 1 vanilla www 5754 Jan 17 14:18 index.html localhost:~/Sites