0

Background: I have a cron job which chown's the directories of new users. More often than not, these users are already uploading files to the server before the job occurs.

So will files successfully have their ownership changed if they are in the process of being uploaded?

RHELAdmin
    It sounds like you need to make sure your users have the correct umask, and the directories need the correct group, and the setgid bit. – Zoredache May 14 '10 at 19:23

3 Answers

4

I have a cron job which chown's the directories of new users.

I take it you mean both the directories of these new users, and all the contents of those directories (i.e. chown -R newuser:newuser /home/newuser-dir).

This is a race condition, much like in programming, except you are experiencing it at the system rather than process level, but it is still a security risk.

Mo is correct: unless you have a very strange requirement, it would be much better to use an uploading process that does not need such a background task to change file ownership.

Because in one sense you are taking unvalidated data (the uploaded file), and automatically setting the trust level to be equivalent to that of a different, presumably more trusted, user, without necessarily ensuring the security of the files. This creates the potential for abusing this race condition, such as if the new user can create a symbolic or hard link to a system file (e.g. /etc/shadow) so they can obtain the hashed passwords to then mount an off-line password cracking attack. That would be sad.

mctylr
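The link problem described in the answer above, handled defensively, as an added example that is not part of the original post: a Python stand-in for the cron job's `chown -R` that opens each entry without following symlinks, then checks and changes the inode it actually holds. The function name `safe_chown_tree` is hypothetical, and the sketch assumes a POSIX system with Python 3.

```python
import os
import stat

def safe_chown_tree(root, uid, gid):
    """Give a tree to uid:gid, refusing symlinks and multiply-linked files.

    Returns (changed, skipped): relative paths, and (path, reason) pairs.
    """
    changed, skipped = [], []
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    # The top directory itself must be a real directory, not a symlink.
    top = os.open(root, flags | os.O_DIRECTORY)
    try:
        os.fchown(top, uid, gid)
    finally:
        os.close(top)
    # fwalk yields an fd for each directory it opened and does not descend
    # into symlinked directories when follow_symlinks is False.
    for dirpath, dirnames, filenames, dirfd in os.fwalk(root, follow_symlinks=False):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            try:
                # O_NOFOLLOW makes open() fail if name is a symlink.
                fd = os.open(name, flags, dir_fd=dirfd)
            except OSError:
                skipped.append((rel, "symlink or unopenable"))
                continue
            try:
                st = os.fstat(fd)  # describes the inode we hold, not the name
                if stat.S_ISDIR(st.st_mode):
                    os.fchown(fd, uid, gid)
                    changed.append(rel)
                elif stat.S_ISREG(st.st_mode) and st.st_nlink == 1:
                    os.fchown(fd, uid, gid)
                    changed.append(rel)
                else:
                    # A second hard link may be a name for a file elsewhere.
                    skipped.append((rel, "hard link or special file"))
            finally:
                os.close(fd)
    return changed, skipped
```

Entries in `skipped` are worth logging and reviewing rather than silently ignoring. On Linux, the `fs.protected_hardlinks` sysctl additionally restricts unprivileged users from hard-linking files they neither own nor can read and write.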
1

Ownership information is set when the file is created. If it's changed after that, it will stay unless the program rewrites ownership information again after the fact.

Chris S
1

Assuming you’re doing a recursive chown, and the files are written somewhere within the tree that you’re recursively changing the ownership of, then yes.

What user are they uploading files as, though? How do they have write permission if the directories haven’t been chowned yet? Why not set the correct permissions before giving them access?

Mo.