Changing a File's Owner or Group
The chown and chgrp commands allow you to change the owner or the group of a file, respectively.
1 chown: Changing a File's Owner
The chown command has the form:
chown [ -fRh ] owner filelist
The -f and -R options are interpreted exactly as they are for the chmod and chgrp commands, if supported. The -h option is a bit different from that of chmod. Under chown, the option specifies that the owner of the link itself is changed and not what the link points to.
Other entries have the following meanings:
1.1 Old and new chown behavior
In earlier versions of Unix, all users could run the chown command to change the ownership of a file that they owned to that of any other user on the system. This lets them "give away" a file. The feature made sharing files back and forth possible, and allowed a user to turn over project directories to someone else.
Allowing users to give away files can be a security problem because it makes a miscreant's job of hiding his tracks much easier. If someone has acquired stolen information or is running programs that are trying to break computer security, that person can simply change the ownership of the files to that of another user. If he sets the permissions correctly, he can still read the results. Permitting file giveaways also makes file quotas useless: a user who runs out of quota simply changes the ownership of his larger files to another user. Worse, perhaps, he can create a huge file and change its ownership to someone else, exceeding that user's quota instantly. If the file is in a directory to which the victim does not have access, she is stuck.
The BSD development group saw these problems and changed the behavior of chown so that only the superuser could change ownership of files. This change has led to an interesting situation. When the POSIX group working on a standard was faced with the hard choice of which behavior to pick as standard, they bravely took a stand and said "both." Thus, depending on the setting of a system configuration parameter, your system might use either the old AT&T behavior or the BSD-derived behavior. We strongly urge you to choose the BSD-derived behavior if your system presents such a choice. Not only does it allow you to use file quotas and keep mischievous users from framing other users, but many software packages you might download from the Web or buy from vendors will not work properly if run under the old AT&T-style environment.
1.2 Use chown with caution
If you have an old or odd system that came to you with the old chown behavior, then ensure that the software was written with that in mind. Be extra careful as you read some of our advice in this book, because a few things we might recommend won't work for you on such a system. Also, be especially cautious about software you download from the Web or buy from a vendor. Most of this software has been developed under BSD-derived systems that limit use of chown to the superuser. Thus, the software might have vulnerabilities when run under your environment.
Do not mix the two types of systems when you are using a network filesystem or removable, user-mountable media. The result can be a compromise of your system. Files created with one paradigm can be exploited with another.
Under some versions of Unix (particularly those that let non-superusers chown files), chown will clear the SUID, SGID, and sticky bits. This is a security measure to prevent SUID programs from being accidentally created. If your version of Unix does not clear these bits when using chown, check with an ls -l after you have done a chown to make sure that you have not suddenly created a SUID program that will allow your system's security to be compromised. (Actually, this process is a good habit to get into even if your system does do the right thing.) Other versions of Unix will clear the execute, SUID, and SGID bits when the file is written or modified. You should determine how your system behaves under these circumstances and be alert to combinations of actions that might accidentally create a SUID or SGID file.
POSIX specifies that when chown is executed on a symbolic link, the ownership of the target of the link is changed instead of the ownership of the link itself. POSIX further specifies that the -R option does not follow symbolic links if they point to directories (but nevertheless changes the ownership of these directories). On most modern systems of Unix, there is a -h option to chown (and chgrp and chmod) that instructs the command to not follow the link and to instead change the permissions on the link itself—or to ignore the symbolic link and change nothing. You should understand how this behaves on your system and use it if appropriate.
2 chgrp: Changing a File's Group
The chgrp command lets you change the file's group. The behavior mirrors that of chown. Under most modern versions of Unix, you can change the group of a file if you are either of the following users:
On older AT&T versions of Unix, you can set any file you own to any group that you want. That is, you can "give away" files to other groups, just as you can give away files to other users. Beware.
The chgrp command has the form:
chgrp [ -fRh ] group filelist
The -f and -R options are interpreted the same as they are for the chmod and chown commands. The -h option is a bit different from that of chmod. Under chgrp, the option specifies that the group of the link itself is changed and not what the link points to.
Other entries have the following meanings:
For example, to change the group of the file paper.tex to chem, you would type:
% chgrp chem paper.tex % ls -l paper.tex -rw-r--r-- 1 kevin chem 59321 Jul 12 13:54 paper.tex %
Some versions of chown can also change a file's group at the same time they change its owner. The syntax is usually:
ch owner:group filelist
ch owner.group filelist