Friday, May 10, 2024
rated 0 times [  6] [ 0]  / answers: 1 / hits: 9273  / 3 Years ago, thu, july 1, 2021, 7:22:18

Let's say that we have this situation:



-rwxrwx-r- 1 user1 mygroup  0 Sep 12 16:53 testfile


A group of developers are working on the same VM (Linux). I need to simulate the concept of checkout/checkin. If a user checks out a file, no one should be able to write to it until he checks it in.



I tried changing the file owner: each time a user wants to check out, he becomes the file owner and prevents others from writing to it, and then checks in by changing the file owner to the default and setting the permissions on the file back to the default. This means I'll need chown and chmod, but these commands require sudo and I can't give sudo permission to developers.



Can I give a user the possibility to chown and chmod only a specific file?



 Answers
1

You'll have to write a script that checks for the conditions, and then give your users sudo access to that script alone. Something like:



#! /bin/bash
set -e

# Print an error message and abort.
die()
{
    printf "%s\n" "$@"
    exit 1
}

if [[ $EUID != 0 ]]
then
    die "This script must be run with sudo."
fi

DEFAULT_USER=nobody
SOURCE_DIR=/some/dir

cd "$SOURCE_DIR"

# Get path of file relative to the source directory
# Then we can check if it is actually in the directory.
# "--" stops option parsing, so a name starting with "-" is treated as a file.
FILE=$(realpath -e --relative-base="$SOURCE_DIR" -- "${1?}")
if [[ $FILE == /* ]]
then
    die "$1 is outside $SOURCE_DIR."
fi

FILE_OWNER=$(stat -c %U -- "$FILE")

# Patterns are quoted so the user names are matched literally, not as globs.
case $FILE_OWNER in
    "$DEFAULT_USER")
        # checkout
        echo "Checking out $FILE..."
        chown -- "$SUDO_USER" "$FILE"
        ;;
    "$SUDO_USER")
        # checkin
        echo "Checking in $FILE..."
        chown -- "$DEFAULT_USER" "$FILE"
        ;;
    *)
        die "Sorry, this file is checked out by $FILE_OWNER."
        ;;
esac


Save this as, say, /usr/local/bin/check, and add the following sudoers rule:



%dev ALL = (root) /usr/local/bin/check


That's assuming:




  • The developers are all in the dev group (if not, use usernames or groups accordingly).

  • The files are in /some/dir. Modify $SOURCE_DIR accordingly.

  • The default user is nobody, and unchecked files are owned by the default user.

  • Nobody has write permissions on the source directory except root.



Then the devs can do:



sudo check some/file


to checkout /some/dir/some/file, and run it again to check it in.


[#10308] Friday, July 2, 2021, 3 Years  [reply] [flag answer]
enytidge
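The containment check in the answer's script is the part that keeps a root-run wrapper from touching files outside the source directory, so it is worth exercising on hostile-looking paths before trusting it. The following is an added example, not part of the original answer: it assumes GNU coreutils `realpath`, and the names `resolve_in_dir` and `demo` and the temporary tree are constructed for illustration.

```shell
#!/bin/bash
# Added example: the answer's realpath-based containment check, run against
# constructed paths. resolve_in_dir and demo are hypothetical names.

# Print PATH relative to BASE and return 0 if it resolves inside BASE.
# Return 1 if it does not exist or resolves outside BASE (GNU realpath then
# prints an absolute path, which is the signal the answer's script tests).
resolve_in_dir() {
    local base="$1" path="$2" rel
    rel=$(cd "$base" && realpath -e --relative-base="$base" -- "$path" 2>/dev/null) || return 1
    case $rel in
        /*) return 1 ;;
    esac
    printf '%s\n' "$rel"
}

# Build a constructed tree and report the verdict for each candidate path.
demo() {
    local tmp src p verdict
    tmp=$(mktemp -d) || return 1
    src=$tmp/src
    mkdir -p "$src/sub" "$tmp/src-other"
    touch "$src/sub/a.c" "$tmp/secret" "$tmp/src-other/b.c"
    ln -s "$tmp/secret" "$src/link"   # symlink inside src, target outside
    for p in sub/a.c sub/../sub/a.c link ../secret ../src-other/b.c "$tmp/secret" missing; do
        if verdict=$(resolve_in_dir "$src" "$p"); then
            printf 'allow  %-20s -> %s\n' "$p" "$verdict"
        else
            printf 'reject %s\n' "$p"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Only the two spellings of `sub/a.c` are allowed; the symlink is rejected because `realpath` resolves it to its target before the comparison, and `src-other` is rejected because the prefix match works on whole path components.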
