SELinux - a call for end-of-life.

Bryn M. Reeves bmr at
Thu Sep 2 13:42:14 UTC 2010

On 09/02/2010 01:46 PM, Tim wrote:
> Again, it's more or less what I said, earlier.  To *give* someone a
> file, your only options are to let them read the file, and then they
> copy it.  If you want them to *own* the file, instead of you.

And that's how it's supposed to work. Only root (or rather processes
with CAP_CHOWN) can  change the uid of an existing object in the file
system like this. Disabling this would break _POSIX_CHOWN_RESTRICTED
behaviour (which you can do if you like but don't expect other users of
a general-purpose distro to want it!).

In the dim and distant past you could use chown to give your files away;
it allowed users to subvert the quota system (and today would likely
create fun for xattrs too).

The current Linux behaviour for chown is a standards requirement:

If you don't like the behaviour you need to come up with a way to allow
what you want without affecting standards compliance or existing users
who are happy with that behaviour.

Solaris seems to have a knob to disable this compliance but I'm not
aware of such a thing on Linux. You should be able to get a similar
effect via capabilities on Linux (giving all processes CAP_CHOWN) but
it's not something I've ever tried and I don't recommend it.


More information about the users mailing list