The chown command in Linux and Unix (macOS)

Saturday, July 20, 2024 at 2:33 PM | 7 min read

Last modified on Tuesday, July 23, 2024 at 10:29 AM

#linux, #unix, #macOS, #chmod, #chown, #cybersecurity, #identity and access management, #user ownership

Change ownership

Photo by RDNE Stock project on pexels.com

Table of Contents

In Linux and Unix (macOS), there are not only permissions for files and directories, which can be modified with the chmod command, but there are also user ownership that can be modified with the chown command.

The chown command

The chown command, or change owner, allows owners to change the owner of files and directories. This command is particularly useful when administrators need to either permit or revoke access to resources. In fact, chmod and chown would fall under the identity and access management CISSP (Certified Information Systems Security Professional) security domain on the local network. identity and access management is focused on access and authorization to keep data secure, by making sure users follow established policies to control and manage assets. It is essential to keep an organization's systems and data as secure as possible, by ensuring user access is limited to what employees need.

Linux users and file permissions recap

Different users in the Linux (and Unix) OS have both ownership and permissions to ensure that files are secure and restrictions are made on who can modify the contents of files.

On Linux (and Unix), there is the root user and the regular or standard user.

The root user, or superuser, has access to all files and directories on the OS and can perform any operation. And only the root user can change rile permissions or ownership that they don't own.

The standard user has limited access to files and directories and can only modify the files they own.

Permissions are used in the OS to control what a user can do with a file or directory. There are three types of file or directory permissions: read (r), write (w), or execute (x). However, file permissions differ somewhat from directory permissions. To learn more, please read my article entitled Changing permissions using symbolic mode and numeric mode in Linux and Unix (macOS).

Note 7.23.24: It is important to note that only standard users with access to sudo can change ownership of files and directories. Any user that a standard user with sudo privileges creates on the system does not have access to sudo by default. At least this is the case in the Linux distribution I am using: Linux Mint.

Adding a new user

On my Linux Mint/VirtualBox instance, I only had 1 user. In order to be able to change ownership of a file, for example, I needed to have another user on the system. In order to add another user, I ran the following in Terminal:

sudo adduser magdala --home /home/magdala/

I had to use sudo because only root can add another user to the system. After the user has been created, we are prompted for a new password for the new user.

New password:
Retype new password: password created successfully

Changing the information for username
Enter the new value, or press enter for the default
Full name []: username goes here # I entered the username (first name) followed by a last name
Room Number []: # left blank
Work Phone []: # left blank
Home Phone []: # left blank
Other []: # left blank

And if I want to use a quick way of checking the number of users that I now have on my system, I can run the following in Terminal:

ls /home

And for me, it returns the following in Terminal:

magdala maria

Another way of listing all users on Linux is the following:

awk -F':' '{ print $1}' /etc/passwd

Which returns something like the following in Terminal:

root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-network
systemd-resolve
messagebus
systemd-timesync
syslog
_apt
tss
rtkit
systemd-coredump
kernoops
uuidd
cups-pk-helper
lightdm
tcpdump
speech-dispatcher
avahi-autoipd
usbmux
nm-openvpn
geoclue
dnsmasq
pulse
_flatpak
avahi
saned
colord
fwupd-refresh
hplip
maria
magdala

This extracts all the "usernames" including system "usernames" from the /etc/passwd file which are located in field 1.

The -F flag refers to field, and the field delimiter here is ':', which means it is a field separator (fs) between fields, which results in each field taking up a line.

'{ print $1}' means to print field 1 ($1), or the beginning of each line in /etc/passwd where the username is located. /etc/passwd is where the data is being extracted.

awk, or gawk (which still uses awk as the command name) in my case, is a powerful command which is a pattern scanning and processing language. And as I state in my article entitled Swapping columns of a text file and then joining its contents with another text file via Command Line,

awk is a pattern-directed scanning and processing language. awk scans each input file for lines that match any of a set of patterns specified literally in prog or in one or more files specified as -f progfile. With each pattern there can be an associated action that will be performed when a line of a file matches the pattern. ... An input line is normally made up of fields separated by white space, or by the regular expression FS. The fields are denoted $1, $2, ..., while $0 refers to the entire line.

Now I was ready to start using chown!

chown syntax

chown [OPTION] OWNER[:GROUP] FILE(s)

option: represents the flags one can pass along with chown. To learn more, run man chown in Terminal.

owner:group: permits the user to change ownership for a user and group at the same time. owner is the username or ID of the new owner, and :group is the new group.

file(s): represents the file(s) the owner wants to change ownership for.

How to use the chown command

Let's say I have a file called chown-file.txt, and currently the file ownership and permissions are the following:

# ls -lah chown-file.txt
# returns the following in Terminal:

-rw-rw-r-- 1 maria maria 0 Jul 20 17:27 chown-file.txt

I am the owner of the file. But let's say I want to transfer ownership to my new user with username magdala. I would do the following:

sudo chown -v magdala chown-file.txt

which returns the following in Terminal:

[sudo] password for maria:
changed ownership pf 'chown-file.txt' from maria ro magdala

If I did not use the -v flag, or --verbose, I would not get back something like the above message describing in detail the results of using the chown command to change ownership of the chown-file.txt file.

I could have also used the c flag, or --changes, which outputs the same information as the -v flag, but outputs information only when a change is made.

I could also change the group owner of chown-file.txt:

sudo chown :magdala chown-file.txt

which returns the following in Terminal:

# returns nothing because I did not use either the -c or -v flag

But when I run ls -l chown-file.txt, the following is returned in Terminal:

-rw-rw-r-- 1 magdala magdala 0 Jul 20 17:27 chown-file.txt

Now the file is owned by user magdala and group magdala. I could have changed the user and group all at once by doing the following:

sudo chown magdala:magdala chown-file.txt

Change ownership from one particular owner to another

Another way of changing ownership from one particular owner to another is the following:

sudo chown -v --from=magdala maria chown-file.txt

The following would be returned in Terminal:

changed ownership of 'chown-file.txt' from magdala to maria

And if I run ls -l chown-file.txt the following would be returned in Terminal:

-rw-rw-r-- 1 maria magdala 0 Jul 20 17:27 chown-file.txt

Change ownership from one particular group to another

Another way of changing ownership from one particular group to another is the following:

sudo chown maria: chown-file.txt

And if I then run ls -l chown-file.txt, the following would be returned in Terminal:

-rw-rw-r-- 1 maria maria 0 jul 20 17:27 chown-file.txt

sudo chown maria: results in changing the owner group to the default login group for user maria, because I omitted a group name after the colon (:).

If I wanted to switch back to the group magdala, I would run the following in Terminal:

sudo chown -v :magdala chown-file.txt

which would return the following in Terminal:

changed ownership of 'chown-file.txt' from maria:maria to :magdala

And if I ran ls -l chown-file.txt, the following would be returned in Terminal:

-rw-rw-r-- 1 maria magdala 0 Jul 20 17:27 chown-file.txt

But if I tried to change group ownership back to :maria, I had to do it in the following way as shown previously:

sudo chown -v maria: chown-file.txt

or:

sudo chown -v :maria chown-file.txt

which return the following in Terminal:

changed ownership of 'chown-file.txt' from maria:magdala to :maria

And when I run ls -l chown-file.txt, the following is returned:

-rw-rw-r-- 1 maria maria 0 Jul 20 17:27 chown-file.txt

Change user and group ownership all at once

I can also change user and group ownership of a file all at once:

sudo chown -v magdala:magdala chown-file.txt

The magdala to the left of the colon (:) is the user, and the magdala to the right of the colon (:) is the group.

Duplicating ownership of one file onto another

We can also duplicate the ownership of one file onto another by running the following in Terminal:

sudo chown -v --reference=chown-file.txt chown-file2.txt

which returns the following in Terminal:

changed ownership of 'chown-file2.txt' from maria:maria to maria:magdala

To learn more about the chown command, please run man chown in Terminal.

Using chown to change ownership of a directory

Let's say I create a new directory called chown-directory, and then I ran ls -ld chown-directory in Terminal. It would return the following:

drwxrwxr-x  2 maria maria 4096 Jul 20 22:51 chown-directory

Now I want to transfer ownership of this directory to user magdala. I would run the following in Terminal:

# ~/Desktop is where I created chown-directory and from where I changed ownership as well
sudo chown -v magdala chown-directory

This returned the following in Terminal:

changed ownership of 'chown-directory' from maria to magdala

And after running ls -ld chown-directory, it returned the following in Terminal:

drwxrwxr-x  magdala maria 4096 Jul 20 22:51 chown-directory

To change only the group ownership:

sudo chown -v :magdala chown-directory

To check this change of ownership, I run ls -ld chown-directory which results in the following:

drwxrwxr-x 2 magdala magdala 4096 Jul 20 22:51 chown-directory

Now let's say I create some files and folders inside chown-directory. And after that, I want to change ownership of the directory contents recursively:

sudo chown -v -R magdala:magdala chown-directory

the following is returned in Terminal:

changed ownership of 'chown-directory/chown-subdirectory' from maria:maria to magdala:magdala
changed ownership of 'chown-directory/chown-file1.txt' from maria:maria to magdala:magdala
changed ownership of 'chown-directory/chownfile2.txt' from maria:maria to magdala:magdala
changed ownership of 'chown-directory' from maria:maria to magdala:magdala

Now I cd into chown-directory. Then, if I try to create a file, the following happens:

touch: cannot touch 'chown-file3.txt': Permission denied

Next, if I try to delete a file, the following is returned:

rm chown-file2.txt
rm: remove write-protected regular empty file 'chown-file2.txt'? y
rm: cannot remove 'chown-file2.txt: Permission denied

Now let's say I wanted to open one of the files inside chown-directory and add some content. I can't because I only have read permissions. And in order to get out of Vim, I have to press the Esc key followed by colon (:), the Q key and finally the ! key.

There is a way of users executing other users' files and directories without being root user. There is setuid and setgid. And then there is the opposite, sticky bit. These topics are outside of the scope of this article, but I will discuss them in an upcoming one.