Why can't I change the permissions of files I have access to?
I'm logged into a server as user "ubuntu" and I've got files that look like this:
-rw-rw-r-- 1 www-data www-data 33150 2012-06-04 22:17 file-a.png
-rw-rw-r-- 1 www-data www-data 36371 2012-06-04 22:15 file-b.png
-rw-rw-r-- 1 www-data www-data 41439 2012-06-04 22:16 file-c.png
The ubuntu user is a member of the group www-data:
groups ubuntu
produces
ubuntu : ubuntu www-data
So shouldn't I be able to change other permissions since I have access to the file? I'm not an expert on the user/group stuff. So this is just perplexing me.
I'm trying to run:
chmod o-r *
I realize I can do it with sudo, easily, but I'm trying to understand why I can't modify the files without sudo.
Only The Owner of a File May Change Its Permissions
As jackweirdy commented, only the owner of a file (or root
) can change the file's permissions. Being a member of a group that has some kind of access to the file does not impart the ability to change the file's permissions.
The idea is that a file is owned by a user (whether that user represents a real person, or not), and that user is the one who decides who gets access to the file. Permissions for access by users (who are not the owner) in the group-owner of the file are controlled by the user who owns the file. If anyone in the file's group-owner could change the file's permissions, this security model would be broken.
For example, consider these permissions, as in your specific situation:
-rw-rw-r--
The owner can read and write the file but cannot execute it. The users in the group-owner besides the owner of the file can also read and write the file but not execute it. Others may only read the file.
Suppose www-data
(or someone with the ability to run commands as www-data
or as root
) set those permissions with the intention of keeping other users in the group-owner from executing the file. If other users in the group-owner could change the permissions, they could run:
chmod g+x file-a.png
And then they would gain the ability to execute the file. Such an ability would render group permissions worthless.
In contrast, the reason for user permissions, even though the user owns the file, isn't to restrict the owner from doing anything with the file, but is rather to protect the user from doing things with the file they don't want to do. For example, files that aren't programs, or that might be programs but have just been obtained from an untrusted source like the Internet, tend to have the execute bit set to 0 even for the owner, for their own benefit. In this case, it's helpful and necessary for the owner to be able to change this.
A separate problem with allowing members of the group-owner (who aren't the owner) from changing permissions is that this is a separate ability not accounted for by r
, w
, or x
. Even if the group had read, write, and execute permissions wouldn't necessarily mean that they should be able to change the permissions. (For example, suppose you have a file where the owner is not a member of the group-owner. If members of the group-owner could change the permissions, they could deprive the owner of permissions. The owner could change this back...but this would still break any automated tasks the user had scheduled that use the file.)
Allowing People to Become The Owner
When a file is owned by a user like www-data
who doesn't represent any actual person, you might want to allow some people to perform actions as that user. sudo
doesn't just facilitate allowing select users to run commands as root
. It also facilitates allowing select users to run command as other specified users. You could set things up so that everyone in the www-data
group has the ability to run commands as the www-data
user, including changing permissions on files owned by www-data
. (Make sure you understand the implications of this, though. Depending on how your system is configured, users in www-data
may be able to schedule tasks to run as www-data
, and will be able to do anything at all to any file owned by www-data
and to any process run as www-data
.)
See man sudoers
for information about how to set this up. If you decide you want to do this and you have trouble, you could post a separate question about it.
Allowing Non-Owners to Change the File's Permissions?
I think it may be possible to allow some users who don't own a file to change some or all of the file's permissions, using Access Control Lists. I've hardly used ACLs on Ubuntu though. If you're interested in accomplishing this, you might want to post another question asking if it's possible and, if so, how to do it.
Basically, your permissions are allowing the www-data user, or any user within the www-data group Read and Write access only. Only the owner may change the group permissions of a file or directory, and to one of which the user is apart of.
In your situation, Ubuntu cannot change the permissions because Ubuntu doesn't own those files, and has no right to do so, only www-data or root may otherwise change this.