
I have a system where multiple users are running an application that chmod the same file. I've tried using setacl to add both users as user owners of the file to do this, but it doesn't work. The application errors out because the chmod system call fails.

See example:

[jacob@macbook-debian ~/Projects/test] getfacl bin/testfile
# file: bin/testfile
# owner: root
# group: root
user::rwx
user:jacob:rwx
user:jason:rwx
group::r-x
group:www-data:rwx
mask::rwx
other::r-x


[jacob@macbook-debian ~/Projects/test] chmod 0755 bin/testfile
chmod: changing permissions of 'bin/testfile': Operation not permitted
Dmitri Chubarov
Jacob Brown
  • @DmitriChubarov: you need to be the owner of the file or root to change file permissions, or the calling process needs to have the appropriate capabilities. Having write access to the directory gives you the ability to delete or overwrite things. – Thomas Jul 14 '18 at 09:56

1 Answer

With Linux ACLs when adding users, you do not add them as owners of the file. It's just the privilege to open/modify and write to that file.
When invoking chown or chmod, the effective user ID will be e.g. jacob, and that one will be matched against the value in owner. If that does not match, your command will fail.

From man 2 chmod:

The effective UID of the calling process must match the owner of the file, or the process must be privileged (Linux: it must have the CAP_FOWNER capability).

An alternative would be to set the capability as described to the calling process/binary chmod. But this would open up a big security issue, as everybody could use this command to change permissions.
Here is a thread about more fine-grained access to capabilities for users, but it seems not very straightforward.

Depending on the constraints of your use case, you might want to add sudo rules for the users to make use of chmod or you evaluate why the users have to run chmod on files they don't own. Maybe using umask during file creation is sufficient.

If your users belong to a group that has write permissions on the directory, you also could copy the file in question, remove the original and move the copy to the original name. This would result in the user owning the copied file and being able to run chmod.

[user@localhost testdir]$ ll
total 12K
drwxrwxr-x  2 root user 4.0K Jul 14 11:49 .
drwxr-xr-x  3 user user 4.0K Jul 14 11:47 ..
-rw-rw----+ 1 root user    5 Jul 14 11:41 testfile
[user@localhost testdir]$ getfacl testfile 
# file: testfile
# owner: root
# group: user
user::rw-
user:user:rw-
group::rw-
group:user:rw-
mask::rw-
other::---

[user@localhost testdir]$ chmod 777 testfile
chmod: changing permissions of 'testfile': Operation not permitted
[user@localhost testdir]$ cp -a testfile testfile.copy
[user@localhost testdir]$ getfacl *
# file: testfile
# owner: root
# group: user
user::rw-
user:user:rw-
group::rw-
group:user:rw-
mask::rw-
other::---

# file: testfile.copy
# owner: user
# group: user
user::rw-
user:user:rw-
group::rw-
group:user:rw-
mask::rw-
other::---

[user@localhost testdir]$ mv testfile.copy testfile
[user@localhost testdir]$ ll
total 12K
drwxrwxr-x  2 root user 4.0K Jul 14 11:50 .
drwxr-xr-x  3 user user 4.0K Jul 14 11:47 ..
-rw-rw----+ 1 user user    5 Jul 14 11:41 testfile

[user@localhost testdir]$ chmod 777 testfile
[user@localhost testdir]$ ll
total 12K
drwxrwxr-x  2 root user 4.0K Jul 14 11:50 .
drwxr-xr-x  3 user user 4.0K Jul 14 11:47 ..
-rwxrwxrwx+ 1 user user    5 Jul 14 11:41 testfile
Thomas
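A worked example, added here and not part of Thomas's answer or the original question, that turns the rule quoted from man 2 chmod into a pre-check and, when the check says chmod(2) would be refused, falls back to the copy-and-replace trick shown in the answer's terminal session. The function names (chmod_allowed, has_cap_fowner, take_ownership_by_copy, ensure_mode) are my own; CAP_FOWNER = 3 is that capability's number in <linux/capability.h>, and the CapEff line is the one found in /proc/<pid>/status on Linux.

```python
"""Predict whether chmod(2) will succeed for this process, and if not,
become the owner by copy-and-replace (the workaround from the answer).

Rule from man 2 chmod: the effective UID must match the file's owner,
or the process must hold CAP_FOWNER.
"""
import os
import shutil
import tempfile

CAP_FOWNER = 3  # capability number from <linux/capability.h>


def has_cap_fowner(cap_eff_hex: str) -> bool:
    """cap_eff_hex is the hex value from the CapEff line of /proc/<pid>/status."""
    return bool((int(cap_eff_hex, 16) >> CAP_FOWNER) & 1)


def effective_caps() -> str:
    """Read CapEff from /proc/self/status; '0' (no capabilities) if unreadable."""
    try:
        with open("/proc/self/status") as status:
            for line in status:
                if line.startswith("CapEff:"):
                    return line.split()[1]
    except OSError:
        pass
    return "0"


def chmod_allowed(file_uid: int, euid: int, cap_eff_hex: str) -> bool:
    """The chmod(2) ownership rule as a pure function (no filesystem access)."""
    return file_uid == euid or has_cap_fowner(cap_eff_hex)


def take_ownership_by_copy(path: str) -> str:
    """Copy the file inside its own directory and atomically replace the
    original, so the caller becomes the owner of the inode at `path`.

    Preconditions, as in the answer: read access to the file and write
    access to the directory.  shutil.copy2 copies mode bits and timestamps;
    whether ACL entries carry over is platform dependent, so re-check with
    getfacl (the answer's `cp -a` preserves them).  Any process that still
    has the old inode open keeps seeing the old file.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=os.path.basename(path) + ".", dir=directory)
    os.close(fd)                 # mkstemp created it 0600 and owned by us
    shutil.copy2(path, tmp)      # content + mode + timestamps of the original
    os.replace(tmp, path)        # atomic rename over the original name
    return path


def ensure_mode(path: str, mode: int) -> int:
    """Set `mode` on `path`; if the chmod rule would reject us, take
    ownership by copy first.  Returns the resulting permission bits."""
    st = os.stat(path)
    if not chmod_allowed(st.st_uid, os.geteuid(), effective_caps()):
        take_ownership_by_copy(path)
    os.chmod(path, mode)
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    # Constructed demo: a throwaway file owned by whoever runs this script,
    # so the direct path is taken; the copy path is shown explicitly.
    workdir = tempfile.mkdtemp()
    demo = os.path.join(workdir, "testfile")
    with open(demo, "w") as f:
        f.write("hello")
    os.chmod(demo, 0o640)
    st = os.stat(demo)
    print("chmod allowed directly:",
          chmod_allowed(st.st_uid, os.geteuid(), effective_caps()))
    print("mode after ensure_mode:", oct(ensure_mode(demo, 0o755)))
    take_ownership_by_copy(demo)
    print("owner uid after copy-and-replace:", os.stat(demo).st_uid)
```

Because the pre-check reads the real effective capability set, it also explains the failure in the question: as jacob, the file is owned by root and CapEff has bit 3 clear, so chmod_allowed is False before chmod(2) is ever called. Compared with the sudo route the answer mentions, the copy-and-replace fallback needs no privilege at all, but it changes the file's owner, which the original owner (here root) may not expect.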
  • To summarise your answer, The user(s) added by setfacl are not actually owners, so they can't use chmod. It is not possible to have multiple people have access to chmod the same file. – Jacob Brown Jul 16 '18 at 17:38
  • In case anyone was wondering what tool is giving me these problems, the tool is composer, and it is being run as part of a CI/CD process, so it runs as a different user than the user that will be editing the files, but that user would also like to be able to use composer as well. – Jacob Brown Jul 16 '18 at 17:40
  • I might have to look into a libc-wrapper or system-call-wrapper to intercept the chmod() requests so I can get this to work. For now, I think I'm going to switch to running this in a virtual machine that virtualises the user IDs. – Jacob Brown Jul 16 '18 at 17:41
  • @JacobBrown: it is not possible directly, but as outlined above, using `sudo` or linux capabilities for chmod (which can also be a copy of the original) could do the job; you also could set a umask so that the appropriate access rights are set during file creation so the users do not need to change them, or the users have to copy the files to a folder they have write access to. In my opinion, using a wrapper for that system call should be the last resort. – Thomas Jul 16 '18 at 19:14