chown - Security Uses

Discussion in 'Filesystem' started by Eric Hansen, Nov 20, 2013.

    Similar to chmod, chown is found on every system and has its own uses. While chown is mainly a tool for setting the owner and group that a file's permission bits apply to, and does its best work together with chmod, it also has some helpful uses that make it handy for security.
    Switches
    Most of chmod's switches work for chown as well, but chown also has a few of its own.
    Code:
          --from=CURRENT_OWNER:CURRENT_GROUP
    With the --from switch, chown only modifies objects whose current owner and group match the ones provided; everything else is left untouched.

    The following only take effect together with the -R (recursive) switch:
    • -H : If the target given on the command line is a symlink, traverse through it
    • -L : Traverse through every symlink that is found
    • -P : Don't traverse through any symbolic links (the default on most systems)
    Security Uses
    When it comes to security, chown gives you the ability to restrict a resource to specific users and groups.

    You can change just the owning user:
    Code:
    [ehansen@as-l-001-eric ~]$ touch monkeys
    [ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
    524558 -rw-r--r--  1 ehansen ehansen    0 Nov 20 04:15 monkeys
    [ehansen@as-l-001-eric ~]$ sudo chown root monkeys
    [ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
    524558 -rw-r--r--  1 root    ehansen    0 Nov 20 04:15 monkeys
    You can also change the user and group:
    Code:
    [ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
    524558 -rw-r--r--  1 ehansen ehansen    0 Nov 20 04:15 monkeys
    [ehansen@as-l-001-eric ~]$ sudo chown root:root monkeys
    [ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
    524558 -rw-r--r--  1 root    root       0 Nov 20 04:15 monkeys
    Lastly you can also change just the group:
    Code:
    [ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
    524558 -rw-r--r--  1 ehansen ehansen    0 Nov 20 04:15 monkeys
    [ehansen@as-l-001-eric ~]$ sudo chown :root monkeys 
    [ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
    524558 -rw-r--r--  1 ehansen root       0 Nov 20 04:15 monkeys
    This, along with chmod, allows fine-grained control over access to folders, files and devices.
    Scenario
    Let's say you work for a company that has an HQ and 3 satellite offices (S1, S2, S3). S1 has HR, S2 has financial and S3 has customer support, while HQ has the executives (CFO, CEO, etc...). S1 and S2 both need access to employee payroll, whereas S3 has no need for it, and only individual people at HQ need it as well.

    If the payroll report is owned by cfo:financial and its permissions are 660 (read+write for user & group, nothing for others), you can assign everyone at S1 & S2 and the individuals at HQ to the financial group. Those users will then be able to access the information without opening it up to anyone else.
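
    As an added example (not part of the original post), here is a small POSIX shell script that turns the payroll scenario and the --from switch into something you can check: a compliance check for one file, an audit over a whole tree, and an enforcement step that uses chown --from so a bulk run only re-owns files still held by the previous owner. It assumes GNU coreutils (chown --from) and a find that supports -maxdepth, -user, -group and -perm. The user, group and mode are parameters, so cfo, financial and 660 from the scenario are inputs, not anything baked in, and the cfo/financial accounts are hypothetical. Re-owning a file to another user needs root; run as an ordinary user, the demo re-owns to yourself, which is the only owner change an unprivileged user is allowed to make.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumes GNU coreutils
# (chown --from) and a find that supports -maxdepth, -user, -group and -perm.
# USER/GROUP may be names or numeric ids; MODE is an exact octal mode.

# check_policy FILE USER GROUP MODE
#   Exit 0 when FILE is owned by USER:GROUP and its permission bits are
#   exactly MODE, 1 otherwise.  find does the matching, so names and
#   numeric ids both work.
check_policy() {
    [ -n "$(find "$1" -maxdepth 0 -user "$2" -group "$3" -perm "$4" 2>/dev/null)" ]
}

# audit_tree DIR USER GROUP MODE
#   Print every regular file under DIR that deviates from USER:GROUP MODE.
#   Like chown -P (the default), find does not follow symlinks here, so a
#   link planted inside DIR cannot drag an outside file into the report.
audit_tree() {
    find "$1" -type f \( ! -user "$2" -o ! -group "$3" -o ! -perm "$4" \)
}

# enforce_policy FILE OLD_USER NEW_USER NEW_GROUP MODE
#   Hand FILE from OLD_USER to NEW_USER:NEW_GROUP and set MODE.  --from turns
#   chown into a no-op on files OLD_USER does not own, so a bulk run over a
#   tree never silently takes over files already given to someone else; the
#   mode is only touched on files that now carry the intended owner.
#   Returns check_policy's verdict so the caller sees whether FILE complies.
enforce_policy() {
    chown --from="$2" "$3:$4" "$1" || return 1
    if [ -n "$(find "$1" -maxdepth 0 -user "$3" -group "$4")" ]; then
        chmod "$5" "$1" || return 1
    fi
    check_policy "$1" "$3" "$4" "$5"
}

# Demo: sh chown_policy.sh demo
#   Builds a scratch directory with a payroll file that is too open, audits
#   it, enforces the policy and audits again.  Moving the file to
#   cfo:financial (hypothetical accounts from the scenario) needs root; as an
#   ordinary user the demo re-owns to yourself instead.
if [ "${1:-}" = "demo" ]; then
    if [ "$(id -u)" -eq 0 ]; then
        owner=cfo; group=financial
    else
        owner=$(id -u); group=$(id -g)
    fi
    tmp=$(mktemp -d)
    touch "$tmp/payroll.csv" && chmod 644 "$tmp/payroll.csv"   # constructed sample file
    echo "before:"; audit_tree "$tmp" "$owner" "$group" 660
    enforce_policy "$tmp/payroll.csv" "$(id -u)" "$owner" "$group" 660 \
        && echo "payroll.csv now complies"
    echo "after:"; audit_tree "$tmp" "$owner" "$group" 660
    rm -rf "$tmp"
fi
```

    Because audit_tree is driven by find rather than by parsing ls output, the same three lines work whether the policy is expressed with names (cfo, financial) or with the numeric ids you get from id -u and id -g, and the audit can be run from cron by a monitoring account that has no right to change anything.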
