Creating files and directories with a certain owner (user/group) while sudoing

24

8

I need to wget something (results in a compressed file in cwd), then I have to extract it, then do some copy/move/modification stuff and perhaps finally execute a script (from the downloaded archive).

Now all these tasks either directly (wget, extract etc.) or indirectly (running the script) result in creating files and directories (all in the current working directory). I do all this stuff as root (no way to do it with the final, desired user).

The problem is: Anything created in the process is owned by root or the sudo user. When I'm done (and sometimes in the mid-way), I have to issue a series of chmod and chown commands to make things right.

Now it would be nice if I could somehow tell the system that "From now on, any files or dirs that you create when I issue commands as root, you would create with such and such ownership and permissions".

Ashkan Kh. Nazary

Posted 2012-02-07T08:33:52.533

Reputation: 341

Answers

27

You can always sudo -u username touch filename when your script is executed as root. It usually requires no password, depending on your sudoers configuration.

Alternatively, run su username -c touch filename. The additional arguments are supplied to the user's shell, and the -c option to the shell executes the specified commands by convention.


Some commands (like mkdir) support arguments to specify the permissions:

mkdir -m 0700 foo

By default, file operations respect the umask set for the shell. It defines which permissions are denied. A umask of 0022 for example does not set write permissions for group and others. Set to 0077 to prevent group and others from getting any permissions.


You can set the setgid on directories to have all files created within inherit their group membership:

chmod g+s someDir

Some Unixes support the same behavior for setuid (chmod u+s), but not Linux.

Daniel Beck

Posted 2012-02-07T08:33:52.533

Reputation: 98 421

1 – I think it's safe to assume that there is no dedicated support for what you're asking for. Only the super user can chown files to a different user, and setting a default like this has the potential of user mistakes, giving other users permissions without the root user realizing. – Daniel Beck – 2012-02-07T09:38:45.173

11

There is another way, quite elegant I think. Using install(1)

For example, zabbix-agentd needs a subfolder inside /var/run, but recent distributions are using tmpfs for /var/run, so the directory does not survive reboots. I solved it by creating a file /etc/sysconfig/zabbix-agentd containing:

install -g zabbix -o zabbix -d /var/run/zabbix

Angelo Turetta

Posted 2012-02-07T08:33:52.533

Reputation: 121

1 – Add also -m 0700 for instance. The answer. – Ring Ø – 2016-07-15T00:56:21.140

4 – Note that install creates the directory and then changes the owner/group. So there is a short time where the directory does not have the specified owner/group. In some contexts it can matter. – user368507 – 2016-07-29T14:04:21.797

This works on Alpine Linux – Mauricio Sánchez – 2019-11-21T02:16:25.370

3

On Unix-like systems newly created files and directories are owned by the owner of the process which created them. Standard utilities normally do not have an option to change the owner of the created files.

Variables with UID and GID of the original user

If you run some commands repeatedly, you can use the variables $SUDO_UID and $SUDO_GID to refer to the user who invoked sudo:

sudo sh -c "do_something ; chown -R \"\$SUDO_UID:\$SUDO_GID\" files and directories"

Getting the list of created files and directories automatically

If you want to get the list of created (and possibly modified) files and directories automatically you can run your commands under strace surveillance which is based on the ptrace() syscall:

strace -qqfe open,creat,mkdir,link,symlink,mknod -o '|your_processing_of_strace_output' do_something

or you can use for example Installwatch which is based on the LD_PRELOAD mechanism.

Ideas for further work

Based on the methods mentioned above it is possible to create a tool which would automatically change the owner and possibly access rights of the created/modified files. The use could be as simple as:

sudo watch-chown do_something

pabouk

Posted 2012-02-07T08:33:52.533

Reputation: 5 358
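A sketch of the watch-chown idea from the answer above, written as an added example (not the answerer's code): it drops a timestamp marker before running the command, uses POSIX find -newer afterwards instead of strace, and hands everything new under the working directory back to $SUDO_UID:$SUDO_GID. The function names watch_chown, make_marker and list_created_since are assumptions.

```shell
#!/bin/sh
# Hypothetical watch-chown: run a command (typically under sudo) and give the
# files and directories it created back to the user who invoked sudo.

# Create an empty marker file; every path created afterwards has a newer mtime.
# Caveat: on filesystems with 1-second timestamps, something created in the
# same second as the marker may be missed, so we sleep 1 before the command.
make_marker() {
    mktemp "${TMPDIR:-/tmp}/watch-chown.XXXXXX"
}

# Print every entry below $1 (the directory itself excluded) whose mtime is
# newer than the marker $2. Parent directories that received new entries
# also show up, which is what we want when fixing ownership recursively.
list_created_since() {
    dir=$1; marker=$2
    find "$dir" ! -path "$dir" -newer "$marker" -print
}

# Change ownership of the same set to $3, using -exec so odd filenames
# (spaces, newlines) are safe, and -h so a symlink the command created is
# re-owned itself rather than its possibly root-owned target.
chown_created_since() {
    dir=$1; marker=$2; owner=$3
    find "$dir" ! -path "$dir" -newer "$marker" -exec chown -h "$owner" {} +
}

# Run "$@" in the current directory, then re-own what it created.
# Only acts when sudo exported SUDO_UID/SUDO_GID; returns the command's status.
watch_chown() {
    marker=$(make_marker) || return 1
    sleep 1
    "$@"; status=$?
    if [ -n "${SUDO_UID:-}" ] && [ -n "${SUDO_GID:-}" ]; then
        chown_created_since . "$marker" "$SUDO_UID:$SUDO_GID"
    fi
    rm -f "$marker"
    return "$status"
}
```

Invoked as `sudo sh watch-chown.sh wget ...` (with a final `watch_chown "$@"` line in the script), it leaves the downloaded and extracted files owned by the calling user instead of root.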