Eric Hansen
Guest
Similar to chmod, chown is found on every system and has its own uses. While chown works more as a controller for ACL and does best when mixed with chmod, it also has some helpful uses that make it handy for security.
Switches
While most of chmod's switches work for chown as well, there are some different ones too.
Code:
--from=CURRENT_OWNER:CURRENT_GROUP
When using the --from switch, chown only modifies objects that are already owned by the provided owner and group.
The following work alongside the -R (recursive) switch:
- -H : If a target given on the command line is a symlink to a directory, traverse through it
- -L : Traverse through every symlink to a directory that it finds
- -P : Don't traverse through any symbolic links (default on most systems)
When it comes to security, chown gives you the ability to allow only specific users and groups to access resources.
You can change just the ownership of the user:
Code:
[ehansen@as-l-001-eric ~]$ touch monkeys
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524558 -rw-r--r-- 1 ehansen ehansen 0 Nov 20 04:15 monkeys
[ehansen@as-l-001-eric ~]$ sudo chown root monkeys
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524558 -rw-r--r-- 1 root ehansen 0 Nov 20 04:15 monkeys
You can also change the user and group:
Code:
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524558 -rw-r--r-- 1 ehansen ehansen 0 Nov 20 04:15 monkeys
[ehansen@as-l-001-eric ~]$ sudo chown root:root monkeys
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524558 -rw-r--r-- 1 root root 0 Nov 20 04:15 monkeys
Lastly, you can also change just the group:
Code:
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524558 -rw-r--r-- 1 ehansen ehansen 0 Nov 20 04:15 monkeys
[ehansen@as-l-001-eric ~]$ sudo chown :root monkeys
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524558 -rw-r--r-- 1 ehansen root 0 Nov 20 04:15 monkeys
This, along with chmod, allows fine-grained control over access to folders, files and devices.
Scenario
Let's say you work for a company that has an HQ and 3 satellite offices (S1, S2, S3). S1 has HR, S2 has financial and S3 has customer support, while HQ has the executives (CFO, CEO, etc.). S1 and S2 both need to access employee payroll, whereas S3 has no need for it, and only individual people at HQ need it as well.
If the user:group setting for the payroll report is cfo:financial and the permissions are 660 (read+write for user & group, nothing for others), you can assign everyone at S1 & S2 and the individuals at HQ to the financial group, and those users will be able to access the information without jeopardizing it by letting others have access as well.
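The scenario's policy (group may read and write, others get nothing) can be applied to a whole tree and then verified. This is an added example, not part of the original post: the function names lock_down, audit_tree and build_sample are hypothetical, the sample tree is constructed, and the demo uses the caller's own uid and gid because changing to another owner or group such as cfo:financial requires root.

```shell
#!/bin/sh
# Added example (not from the original post): apply and verify the
# scenario's "group may read/write, others get nothing" policy on a tree.

# lock_down DIR GROUP: give the tree to GROUP and strip all access for others.
lock_down() {
    # -R -P: recurse, but never traverse symlinks (the -P switch above), so a
    # link inside DIR cannot redirect the change to a file outside it.
    chown -R -P ":$2" "$1" && chmod -R o-rwx "$1"
}

# audit_tree DIR OWNER GROUP: print every non-symlink entry that is not owned
# by OWNER:GROUP or that grants any bit to others. Returns 1 if any are found.
audit_tree() {
    findings=$(find -P "$1" ! -type l \( ! -user "$2" -o ! -group "$3" \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# build_sample: constructed sample tree; prints the path of its root.
build_sample() {
    root=$(mktemp -d) || return 1
    mkdir "$root/payroll"
    : > "$root/payroll/report.csv"; chmod 664 "$root/payroll/report.csv"
    : > "$root/outside.txt";        chmod 644 "$root/outside.txt"
    # A symlink inside the tree that points at a file outside it.
    ln -s ../outside.txt "$root/payroll/link"
    printf '%s\n' "$root"
}

# Demo when run as: sh script.sh demo
if [ "${1:-}" = demo ]; then
    r=$(build_sample)
    echo "before lock_down:"
    audit_tree "$r/payroll" "$(id -u)" "$(id -g)"   # reports the 664 file
    lock_down "$r/payroll" "$(id -g)"
    audit_tree "$r/payroll" "$(id -u)" "$(id -g)" && echo "after lock_down: clean"
    rm -rf "$r"
fi
```

On a real system, run lock_down as root with the financial group and schedule audit_tree with cfo and financial as the expected owner and group so that drift in ownership or mode is reported.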