chown - Security Uses

Eric Hansen

Guest
Like chmod, chown is found on every Unix-like system and has its own uses. While chown works mainly as a controller of ownership-based access control and does its best work when combined with chmod, it also has some helpful uses that make it handy for security.
Switches
Most of chmod's switches work for chown as well, but chown has a few of its own.
Code:
      --from=CURRENT_OWNER:CURRENT_GROUP
When the --from switch is used, chown only modifies objects that are currently owned by the given owner and group; either part may be omitted, in which case it is not required to match.

The following work alongside the -R (recursive) switch and control how symbolic links are handled.
  • -H : If a path given on the command line is a symlink, traverse through it (symlinks found during the recursion are not followed)
  • -L : Traverse through every symlink to a directory that is encountered, including ones found during the recursion
  • -P : Don't traverse through any symbolic links (the default on most systems)
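To see which files each traversal mode would actually touch, the following added example (not part of the original post) uses find, which shares the -H, -L and -P symlink switches and their semantics with chown -R. It builds a small constructed tree under a mktemp directory, with a symlink as the entry point and a second symlink inside it, and counts the regular files each mode reaches without changing any ownership (so it needs neither root nor a real chown). It assumes GNU find and coreutils.

```shell
#!/bin/sh
# Enumerate what a recursive chown would reach under -P, -H and -L.
# Constructed tree (built in a temporary directory):
#   $t/real/a.txt
#   $t/real/inner -> ../outside   (symlink to a directory, found during recursion)
#   $t/outside/secret.txt          (outside the tree you meant to operate on)
#   $t/entry -> real               (symlink given on the command line)
make_link_tree() {
    t=$(mktemp -d)
    mkdir "$t/real" "$t/outside"
    : > "$t/real/a.txt"
    : > "$t/outside/secret.txt"
    ln -s ../outside "$t/real/inner"
    ln -s real "$t/entry"
    printf '%s\n' "$t"
}

# count_reachable MODE PATH  (MODE is -P, -H or -L, as for chown -R)
# Prints the number of regular files the given mode reaches from PATH.
count_reachable() {
    find "$1" "$2" -type f | wc -l | tr -d ' '
}

# Stand-alone demonstration: list what each mode reaches from the symlink entry point.
t=$(make_link_tree)
for mode in -P -H -L; do
    printf '%s reaches %s regular file(s):\n' "$mode" "$(count_reachable "$mode" "$t/entry")"
    find "$mode" "$t/entry" -type f
done
rm -rf "$t"
```

The point for a recursive chown is the -L case: the traversal follows inner out of the intended directory and would change the ownership of outside/secret.txt as well, so -L is worth using only on trees whose links you have inspected, while the -P default keeps the change inside the named directory.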
Security Uses
When it comes to security, chown gives you the ability to allow only specific users and groups to access resources.

You can change just the ownership of the user:
Code:
[ehansen@as-l-001-eric ~]$ touch monkeys
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524558 -rw-r--r--  1 ehansen ehansen    0 Nov 20 04:15 monkeys
[ehansen@as-l-001-eric ~]$ sudo chown root monkeys
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524558 -rw-r--r--  1 root    ehansen    0 Nov 20 04:15 monkeys

You can also change the user and group:
Code:
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524558 -rw-r--r--  1 ehansen ehansen    0 Nov 20 04:15 monkeys
[ehansen@as-l-001-eric ~]$ sudo chown root:root monkeys
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524558 -rw-r--r--  1 root    root       0 Nov 20 04:15 monkeys

Lastly, you can also change just the group:
Code:
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524558 -rw-r--r--  1 ehansen ehansen    0 Nov 20 04:15 monkeys
[ehansen@as-l-001-eric ~]$ sudo chown :root monkeys
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524558 -rw-r--r--  1 ehansen root       0 Nov 20 04:15 monkeys

This, along with chmod, allows fine-grained control over access to folders, files and devices.
Scenario
Let's say you work for a company that has a HQ and 3 satellite offices (S1, S2, S3). S1 has HR, S2 has financial and S3 has customer support, while HQ has the executives (CFO, CEO, etc.). S1 and S2 both need access to employee payroll, whereas S3 has no need for it and only individual people at HQ need it as well.

If the user:group of the payroll report is cfo:financial and the permissions are 660 (read+write for user and group, nothing for others), you can assign everyone at S1 and S2 and the individuals at HQ to the financial group, and those users will be able to access the information without jeopardizing it by giving others access as well.
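The scenario only holds as long as the files stay at cfo:financial with mode 660, so the following added example (not part of the original post) audits a directory for that state: it flags every file whose owner, group or "others" permission bits deviate, and for ownership deviations prints a chown command guarded with --from so that running it later changes only files still in the reported state. The sample tree is constructed in a mktemp directory, and the example assumes GNU coreutils (stat -c) and find.

```shell
#!/bin/sh
# audit_tree DIR WANT_USER WANT_GROUP
# One line per regular file under DIR that is not owned by WANT_USER:WANT_GROUP
# or grants any permission to "others" (the payroll rule is mode 660), followed
# by a guarded fix command for ownership deviations. Nothing is changed.
audit_tree() {
    dir=$1; want_user=$2; want_group=$3
    find "$dir" -type f | sort | while IFS= read -r path; do
        # stat -c is GNU coreutils: %U owner name, %G group name, %a octal mode
        set -- $(stat -c '%U %G %a' "$path")
        owner=$1; group=$2; mode=$3
        others=${mode#"${mode%?}"}   # last octal digit = permissions for others
        reasons=""
        [ "$owner" = "$want_user" ]  || reasons="$reasons owner=$owner"
        [ "$group" = "$want_group" ] || reasons="$reasons group=$group"
        [ "$others" = "0" ]          || reasons="$reasons others=$others"
        if [ -n "$reasons" ]; then
            printf '%s:%s\n' "$path" "$reasons"
            if [ "$owner" != "$want_user" ] || [ "$group" != "$want_group" ]; then
                # --from makes the fix a no-op if the file has been corrected since the audit
                printf '  fix: chown --from=%s:%s %s:%s %s\n' \
                    "$owner" "$group" "$want_user" "$want_group" "$path"
            fi
        fi
    done
}

# count_findings DIR WANT_USER WANT_GROUP: number of flagged files (fix lines excluded)
count_findings() {
    audit_tree "$1" "$2" "$3" | grep -vc '^  fix:' || true
}

# Constructed sample: one compliant report and two that leak to "others"
make_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/payroll"
    : > "$t/payroll/q1.csv";    chmod 660 "$t/payroll/q1.csv"
    : > "$t/payroll/q2.csv";    chmod 664 "$t/payroll/q2.csv"
    : > "$t/payroll/notes.txt"; chmod 666 "$t/payroll/notes.txt"
    printf '%s\n' "$t"
}

# Stand-alone demonstration against the constructed tree, expecting the scenario's cfo:financial
t=$(make_sample_tree)
audit_tree "$t" cfo financial
rm -rf "$t"
```

Because the sample files are created by whoever runs the script, every file is reported as an ownership deviation against cfo:financial; run with your own user and primary group as the expected pair and only the two files readable by "others" remain flagged, which is the check that matters once the group membership described above is in place.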