锁定没有根特权的特定文件夹
[英]Chown a specific folder without root privilleges
问题描述
I need to chown a file to some other user, and make sure it is unreadable again. 
我需要将文件扔给其他用户,并确保它再次不可读。 Sounds complicated but it will be mainly look like this: 听起来很复杂,但主要看起来是这样的:
cd /readonly
wget ...myfile
cd /workdir
chmod -R 444 /readonly
chown -R anotheruser /readonly
ls /readonly # OK
echo 123 > /readonly/newfile # Should not be allowed
cat /readonly/myfile # OK
chown 777 /readonly # Should not be allowed
In SunOS I saw something similar to this, I remember not being able to delete the disowned files by Apache, but I could not find something similar to this in Linux, as chmod requires root privilleges. 在SunOS中,我看到了与此类似的东西,我记得无法删除Apache所丢弃的文件,但是在Linux中我找不到类似的东西,因为chmod需要root privilleges。
The reason I need this, I will fetch some files from web, make sure they will be unchangable by the rest of the script, only root can change it. 之所以需要该文件,是因为我将从Web上获取一些文件,并确保其余脚本无法更改它们,只有root才能更改它。 The script can not definetely run as root. 该脚本不能定义为root用户运行。
1 个解决方案
解决方案1
1 2014-09-01 21:29:44
On many *nixes (Linux, at the very least), this will be impossible. 在许多* nixes(至少是Linux)上,这是不可能的。 chown is a privilege restricted to root, since otherwise you could pawn off your files on other users to avoid quota restrictions. chown是仅限于root用户的特权,因为否则您可以典当其他用户的文件,以避免配额限制。 In a related case, it would also pose something of a semantic problem if arbitrary users could chown files to themselves to gain access. 在相关情况下,如果任意用户可以将文件自己chown自己以获取访问权限,这也将带来语义问题。
More precisely, you can chown files that you own to change their group ownership information, but you can only change user ownership if you are root. 更准确地说,你可以chown ,你自己去改变他们的所有权组信息文件,但你只能更改用户的所有权,如果你是根。
In any case, chown is the wrong hammer for this particular nail. 在任何情况下,对于这种特殊的钉子, chown锤子都是错误的锤子。 chmod , which you are already using, is the correct way to make a file read-only within a script. chmod (您已经在使用)是使文件在脚本内变为只读的正确方法。 The chmod 444 that you are already doing will protect against accidental modifications to the files. 您已经在执行的chmod 444将防止意外修改文件。 You cannot "freeze" or otherwise render permissions static as a Unix/Linux user without elevating to root privileges (at which point, you can chown them to root:root and no one other than root can change permissions or ownership on them). 在不提升root特权的情况下,您不能以Unix / Linux用户身份“冻结”或以其他方式呈现为静态的权限(此时,您可以将它们chown为root:root ,除root以外的任何人都不能更改其权限或所有权)。
In terms of script design, you should not need to be more restrictive than this. 在脚本设计方面,您不需要限制得更多。 If your script is haphazardly chmod ing or rm -f ing files, then you have much more serious correctness problems to worry about than ensuring that the downloaded data is safe and sound. 如果您的脚本无意间chmod或rm -f文件,则与确保下载的数据安全可靠相比,您还要担心更严重的正确性问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.