- Create a file as a different user and group
- How do I create a file in UNIX /tmp directory so that all users can read and write to it?
- 5 Answers 5
- Command to create a file owned by another user
- 1 Answer 1
- How to create file as specific group
- How to create file as another user via C/C++ in Linux?
- 2 Answers 2
Create a file as a different user and group
I have a bash script that has to rsync to download files writing them locally, and then needs to set the owner to apache, and the group to a particular user group (that apache is not a member of). Is there a way to create those files with those ownerships as they’re being written by the rsync process, without having to go through and change them after the fact using chown? There are so many files that the time it takes to go through them later is prohibitive. I have to do this for multiple user groups, so I shouldn’t be adding apache to these groups, and certainly can’t make all of them the default group. In other words: is there a way root can create a file as user X and group Y when X is not a member of Y? I’ve tried using runuser, but I’m unable to set the group (presumably because apache doesn’t belong to the group). I know you can use chmod to change permissions and add any user/group combination. What I’m asking is if there is a way to open a file for writing and use any user/group combo while creating it. Attempt using sudo:
[root@centos7 tmp]# groups angelo angelo : angelo wheel [root@centos7 tmp]# groups apache apache : apache [root@centos7 tmp]# sudo -u angelo -g apache touch angelo-file Sorry, user root is not allowed to execute '/bin/touch angelo-file' as angelo:apache on centos7 [root@centos7 tmp]# ls -ld angelo-file ls: cannot access angelo-file: No such file or directory [root@centos7 tmp]# sudo -u angelo -g angelo touch angelo-file [root@centos7 tmp]# ls -ld angelo-file -rw-r--r-- 1 angelo angelo 0 Nov 12 03:13 angelo-file
That question is asking about the filesystem. You can chmod the file to give any user/group you want. I want to know if you can open a file descriptor acting as any user/group combo. If it is possible, then I haven’t found out how.
I mean using normal Linux tools or commands. I would accept an answer that could verify that you could only do this in C because no tools exist. But I also wouldn’t be surprised if you can’t even do it in C and this is not an available request through the API. sudo with -g will work if the user is a member of the group, but seems to be disallowed if not.
How do I create a file in UNIX /tmp directory so that all users can read and write to it?
I see that I do not have the write access permission for user2 (considering the fact that user1 created it, I have write access for user1 , but user2 , who is considered to be «others» does not have any access). I have tried to use mode 0766 in the open function (and such combinations of 7 and 6 for modes), so that I may get write access for user2 , but I still don’t have the required access.
5 Answers 5
You have to set your umask to 000. The bits on the umask are removed from the permission you have chosen, and the default umask is usually 022 or 002.
Note that things like default ACLs and SELinux labels might also affect the readability and writability of files. Use getfacl to see ACLs and ls -Z to see SELinux labels; for SELinux, you also have to know which policies are active and what effect they have. The presence of ACLs can also be seen on ls -l as a + character after the permissions.
Rather than changing your umask, you may want to set explicit permissions on the file using chmod(2).
As CesarB noted, Unix unsets the bits that are set in the process’s umask, so to get complete access, you would have to unset umask — temporarily.
mode_t oldmask = umask(0); fd = open(. ); oldmask = umask(oldmask); assert(oldmask == 0);
(OK; you don’t have to do the assertion; it won’t fire.)
As Pistos noted, creating files in /tmp is a fraught process. If you think the file should not be there yet, add O_EXCL to prevent following symlinks to unexpected places.
One final point — why would you be making the file executable? I think you should be aiming for just 666 permission, not 777 or 766. You most certainly should not execute a program that others can change at any time (so the owner should not have execute permission on a file others can write to), and the members of the group probably wouldn’t really appreciate the generosity either. Other may, perhaps, get what they deserve if they execute the file — but it still isn’t nice.
Command to create a file owned by another user
I created a directory test owned by the root user, and then I created a file called F1 inside test , now I need to create a file called T5 inside test but by a user called student What is the command to do that? This what I did:
root@mylamp:/# mkdir test root@mylamp:/# touch F1
1 Answer 1
At first, I think you should edit your question and make it more readable. What you are looking for are either chmod, chown or setfacl.
You can modify the permissions for the directory «test» with chmod in order to give another user access to it.
For instance, you could do
Now everyone has write access to this directory, also your student user. Please be aware that you are giving away more permissions than you might like.
Put the user student into a group and do
chown root:studentgroup test
Afterwards make sure that groups may write into that directory:
Another approach could be to use ACLs. ACLs are made for a more complex permissions management. You can use setfacl to manage the permissions for a directory or file. For example you can run the following command:
setfacl -m u:student:rwx test
This command ensures that the user student has read, write and execute permissions on test. Please note that this only works when the underlying file system was mounted with ACL support (see /etc/fstab).
How to create file as specific group
sudo chgrp www-data *yourfile* will do it for individual files.
to do it for all files within a specific directory, change the group for that directory with the same command
sudo chgrp www-data /path/to/your/dir
then use the chmod command to make all files created within that directory belong to the group the directory belongs to with
sudo chmod g+s /path/to/your/dir
i don’t want to change the group of the file. i want that file to have www-data group at the moment of creation
The command sg can execute a command under a different group ID. If you are a member of the group newgroup , this should create newfile within that group :
sg newgroup "touch newfile"
We can create a simple function, based on touch and chown commands, which will create new empty files and will change their permissions simultaneously. Or when the file exists it just will change its permissions. For this purpose type in the terminal:
function touch-www < touch $1; chown $USER:www-data $1; >export -f touch-www
Now we have a new command, called touch-www , and we can use it in this way:
To be possible to use this new command everywhere in the file system let’s modify the function in this way:
function touch-www < sudo touch $1; sudo chown $USER:www-data $1; >export -f touch-www
Once the file have enough permissions we can edit it with the current user. So let’s assume we want to use and nano in the way described here. Let’s create new function:
function nano-www < sudo touch $1; sudo chown $USER:www-data $1; nano $1; >export -f nano-www
To be these new commands permanently available we can add these lines in the bottom of the ~/.bashrc file:
function touch-www < sudo touch $1; sudo chown $USER:www-data $1; >export -f touch-www function nano-www < sudo touch $1; sudo chown $USER:www-data $1; nano $1; >export -f nano-www
Sorry but I think you didn’t read the question carefully. I don’t want to change the group of the files. The keyword is «create» and not «change» what you are proposing is changing the files group after they are created.
Assuming you only want to change the group and retain the user value, try
sudo chown newuser:newgroup sample.txt
sudo chown ubuntu:www-data sample.txt
sorry maybe i wasn’t clear enough. i want the NEW files that i create to have already the www-data group!
You could create a www-data user, with www-data group as their primary [see useradd , adduser , or eg kuser ], change to that user [ su www-data ] and then all files made would be owned by that user:group.
Backup /etc/group (or the whole of /etc) first before messing with groups. Also lookup what to do if you’re locked out because of group permissions.
Or, you could alter the primary group of the user named «ubuntu» to be www-data:
sudo usermod —gid www-data ubuntu .
There may be security issues with the later as it might at some point (eg combined with other bugs) expose all files owned by that group to your web server. The point of www-data group is that only those files owned by it are allowed to be sent externally by the server (apache, nginx, whatever). Having all your standard user login files belong to that group thus creates a risk.
How to create file as another user via C/C++ in Linux?
Linux C/C++ has open or fopen API, but created file are belong to process uid. If we want to change owner/group of this file, we can use chown or fchown API after file created. But, is there one API for creating file as another user, not two API ?
You can only change the ownership of a file as root , and there are no means to create a file, even for root owned by some other uid or gid.
2 Answers 2
There is no Unix api dedicated for that, but you can change the current user to other user before create the file, such as:
- Make sure you have permission. The current effective user must be «root» OR set user or group ID on executable file.
- Call setgid and setuid to other user.
- Create the file.
- Call setuid and setgid to old user if required.
Because the user is process-wide, if your program is multi-threaded, you may need to fork a child process doing the steps I listed before.
But if you want non-root user (such as nobody) to run your program, you can give the permission to your executable file:
sudo chown root:root ./your_app && sudo chmod gu+s ./you_app
Now you can call setuid(0) and setgid(0) to acquire root permission.
You don’t need to call setuid(0) or setgid(0) because the effective uid will be 0 (because of the s bit) which allows you to directly set the uid to other user.
You need to call setgid() before you call setuid() — otherwise, the setgid() will fail because the process no longer has root privileges. Traditionally, if a process with root privileges calls setuid() to set a non-zero (non-root) UID, you can’t change the effective UID back to root (so the saved UID is reset). This is necessary so that programs like login work as expected — without giving ordinary users a way to become root without going through programs such as sudo or su .
Also, you should mention the chown system call options because that is more general. They only require the CAP_CHOWN .
It’s not possible in Linux.
Allowing this could cause some subtle security bugs (remote code execution, destroying files of other users, etc.) and therefore is not allowed.
Instead, please just run the process under sudo .
I would argue that fork and exec suid root binary (be it sudo or custom binary which performs extra checks on file to be created) is API which allows doing this. So first paragraph is kinda incorrect iMO. It is possible if you have admin access at install time.
@hyde: That’s an alternative definition of API. If you’re working at the system call level (as the question seems to be), then executing other programs (even sudo ) is not really the API — yes, it uses fork() and exec*() , but it isn’t a simple system call which the term API is normally used to describe.
@JonathanLeffler Depends if you consider «Linux» as an operating system (so you can for example consider C standard library or the usual Linux libraries as available APIs), or as a kernel (in which case only syscalls, special files under /dev and /proc, etc can be counted as API). The question talks about OS libraries (mentions fopen ).
Or, to put it another way, you can certainly wrap «create file as another user» as a package you can install in basically any Linux, which would provide a .so library, a .h file for building software using the library, and the helper «suid root» binary (either daemon available through some IPC mechanism or as a binary run with fork and exec ) used by the library. So in that sense this is quite possible in Linux, the kernel provides APIs which allow doing this from application perspective as a simple library function call.