can't change ownership on files

Waldher, Travis R Travis.R.Waldher at boeing.com
Mon Apr 25 17:26:34 UTC 2005



> -----Original Message-----
> From: Rick Stevens [mailto:rstevens at vitalstream.com]
> Sent: Monday, April 25, 2005 9:54 AM
> To: Getting started with Red Hat Linux
> Subject: Re: can't change ownership on files
> 
> Waldher, Travis R wrote:
> >
> >>-----Original Message-----
> >>From: Rick Stevens [mailto:rstevens at vitalstream.com]
> >>Sent: Friday, April 22, 2005 4:36 PM
> >>To: Getting started with Red Hat Linux
> >>Subject: Re: can't change ownership on files
> >>
> >>>
> >>>Ew...
> >>>
> >>>Beyond that there is no hack/tweak I can make?
> >>>
> >>>Sudo would basically open up chown/chgrp for any file on local disk, and
> >>>any filesystem that is mounted with root level access.  Correct?
> >>
> >>Yup.  You still haven't said why they need to chown a file.  There is
> >>virtually never a good reason to allow that.
> >>
> >>If people need to share a file, make them all part of the same group and
> >>grant rwx group to each file or, alternately, allow the users to join
> >>other groups by putting their usernames in /etc/group or allowing the
> >>"newgrp" command.
> >
> >
> > Well, let's just say that's the way it's always been.  I'm picking other
> > battles at the moment and am not ready to attack something like this.
> 
> That doesn't make it right and it's dangerous to boot.  "that's the way
> we've always done it" is a totally invalid argument when it comes to
> security.
>

Choir man, you're preaching to the Choir.

I inherited a gigantic mess when I got in this particular position 3
years ago.  First on the Windows side, I cleaned that up in about 1
year.  The UNIX side is MUCH more difficult to get users to change.  And
unfortunately, I just can't go and change it.

I'm just attacking the larger problems than chown, before I get to a
chown problem.  Fortunately, the users decided they could figure out how
to live without the ability to chown on the Linux systems.  Too bad
hp/(s)ux still allows it.



