With Linux ACLs when adding users, you do not add them as owners of the file. It's just the privilege to open/modify and write to that file.
When invoking chown or chmod, the effective user ID will be e.g. jacob, and that one will be matched against the value in owner. If that does not match, your command will fail.
From man 2 chmod:
The effective UID of the calling process must match the owner of the file, or the process must be privileged (Linux: it must have the CAP_FOWNER capability).
An alternative would be to set the capability as described on the calling process/binary chmod. But this would open up a big security issue, as everybody could use this command to change permissions.
Here is a thread about more fine-grained access to capabilities for users, but it seems not very straightforward.
Depending on the constraints of your use case, you might want to add sudo rules for the users to make use of chmod, or you evaluate why the users have to run chmod on files they don't own. Maybe using umask during file creation is sufficient.
If your users belong to a group that has write permissions on the directory, you could also copy the file in question, remove the original and move the copy to the original name. This would result in the user owning the copied file, so they can then do chmod.
[user@localhost testdir]$ ll
total 12K
drwxrwxr-x 2 root user 4.0K Jul 14 11:49 .
drwxr-xr-x 3 user user 4.0K Jul 14 11:47 ..
-rw-rw----+ 1 root user 5 Jul 14 11:41 testfile
[user@localhost testdir]$ getfacl testfile
# file: testfile
# owner: root
# group: user
user::rw-
user:user:rw-
group::rw-
group:user:rw-
mask::rw-
other::---
[user@localhost testdir]$ chmod 777 testfile
chmod: changing permissions of 'testfile': Operation not permitted
[user@localhost testdir]$ cp -a testfile testfile.copy
[user@localhost testdir]$ getfacl *
# file: testfile
# owner: root
# group: user
user::rw-
user:user:rw-
group::rw-
group:user:rw-
mask::rw-
other::---
# file: testfile.copy
# owner: user
# group: user
user::rw-
user:user:rw-
group::rw-
group:user:rw-
mask::rw-
other::---
[user@localhost testdir]$ mv testfile.copy testfile
[user@localhost testdir]$ ll
total 12K
drwxrwxr-x 2 root user 4.0K Jul 14 11:50 .
drwxr-xr-x 3 user user 4.0K Jul 14 11:47 ..
-rw-rw----+ 1 user user 5 Jul 14 11:41 testfile
[user@localhost testdir]$ chmod 777 testfile
[user@localhost testdir]$ ll
total 12K
drwxrwxr-x 2 root user 4.0K Jul 14 11:50 .
drwxr-xr-x 3 user user 4.0K Jul 14 11:47 ..
-rwxrwxrwx+ 1 user user 5 Jul 14 11:41 testfile
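The copy-and-replace trick from the answer above, written out as an added shell example (not part of the original answer). It assumes GNU coreutils (`cp -a`, `stat -c`, `mktemp`) and a Linux filesystem with ACL support; the function names `reown_by_copy` and `owned_by_me` are invented for this example. It checks the one precondition that actually matters (write permission on the directory, not on the file), preserves mode, timestamps and ACLs with `cp -a`, and swaps the copy in with `mv`. Because the replacement is a new inode, any hard links to the original are left pointing at the old data, and the original owner loses control of that path, which is exactly why directory write access is a security boundary worth auditing.

```shell
#!/bin/sh
# Added example: take ownership of a file you may not chmod by replacing it
# with a copy you own. Requires write permission on the directory, not the file.
# Assumed helper names: reown_by_copy, owned_by_me, demo (not from the answer).
set -eu

# Return 0 if FILE is owned by the calling (effective) user.
owned_by_me() {
    [ "$(stat -c %u "$1")" = "$(id -u)" ]
}

# Replace FILE with a copy owned by the caller. cp -a preserves mode,
# timestamps and ACLs; as a non-root user it silently cannot preserve
# ownership, which is the whole point. The file gets a fresh inode, so
# hard links to the original are broken and the original owner's copy is gone.
reown_by_copy() {
    file=$1
    dir=$(dirname "$file")
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }
    # The check that decides success: write (and search) permission on the
    # directory is what lets us unlink/replace an entry we do not own.
    [ -w "$dir" ] && [ -x "$dir" ] || { echo "no write access to $dir" >&2; return 1; }
    # Create the copy under a temporary name in the same directory so the
    # final rename stays on one filesystem and is atomic.
    tmp=$(mktemp "$dir/.reown.XXXXXX")
    cp -a "$file" "$tmp"
    mv -f "$tmp" "$file"
}

# Stand-alone demo on constructed input: a file we own, mode 640, in a temp dir.
# It cannot reproduce the root-owned original without root, but it shows that
# content, mode and (where supported) ACLs survive the swap and chmod then works.
demo() {
    d=$(mktemp -d)
    f="$d/testfile"
    printf 'hello\n' > "$f"
    chmod 640 "$f"
    echo "before: $(stat -c '%U %a %i' "$f")"
    reown_by_copy "$f"
    echo "after:  $(stat -c '%U %a %i' "$f")"   # same mode, new inode, our uid
    if command -v getfacl >/dev/null 2>&1; then
        getfacl --omit-header "$f" 2>/dev/null || true
    fi
    chmod 777 "$f"
    echo "chmod:  $(stat -c '%U %a' "$f")"
    rm -rf "$d"
}

demo
```

Run it as an unprivileged user; if you want to see the original failure case, have root create the file in a directory your group can write to, as in the session above, then call `reown_by_copy` on it. To block this technique, take write permission on the directory away rather than relying on file ownership, or set the sticky bit (`chmod +t dir`) so only a file's owner can remove or rename it.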