changing ownership of file as group user

Question

let's say i have files owned by:

sftp-user:www-data

now I want that www-data can change the ownership of it, say to foobar. Is that even possible?

score 4 · Accepted Answer · answered Mar 26 '17 at 14:36

Only the owner of a file or root is permitted to change permissions.

And even if a file is owned by you, you can't change it ownership to another user. You can however, change its group, to one of the groups which your user is part of.

If a user can execute sudo then the user can execute:

sudo chown new-owner filename

You can try to manipulate the system files in a way it will be possible, however it will create major security risk to your system.

Such non recommended solution might be:
sudo cp /bin/chown /bin/chown.mod
sudo chown root.www-data /bin/chown.mod
sudo chmod 750 /bin/chown.mod
sudo chmod +s /bin/chown.mod
Now, user with groupid www-data can execute /bin/chown.mod as user root
/bin/chown.mod userid /path/to/filename
It is very dangerous, for example: as such user can change the owner of /etc/passwd to himself, modify the password file, and change the owner back to root, and a new user was added to the system.

changing ownership of file as group user

1 Answers1