UNIX for Dummies Questions & Answers

For the rest of the filesystem operations you have to have write permissions only. You don't have to be the owner. I don't quite see the reason why modifying a timestamp is diffrent.

The rules for chown, chmod and touch are there in unix by design.

Unfortunately the file permissions do not stop someone who has write access to both directory and file from renaming or deleting a file which they do not own! This could help us though.


Depending on the local rules, here is an idea for a circumvention. It is a way of changing the last modification timestamp (ls -la). As a side effect it alters the inode timestamp (ls -lac) to the current time.
If suitable, try this on a test file before going near live data and always consider the effect on backup software when altering file timestamps.

1) Rename the file to a new name.
2) Copy the renamed file back to its correct name. The copy file is now owned by yourself.
Use chmod to correct the permissions.
Use "touch -t" to change the timestamp.
Use chown to revert the file ownership.

I understand chmod and chown rules. However I can't find a reason for requiring ownership for modifing a timestamp. I'd be happy to see one.

The timestamps are supposed to reflect operations to a file. If I have a globally writable file I can notice when it changes because the timestamp will change. So I allow changes to my file provided that I can detect the changes. If you can change the timestamp you can alter the file and then back date the timestamp to conceal the change from me. Ideally, a new bit in addition to the rwx bits might allow me to give others a timestamp permission on a file... but that would be expensive.

It's harder to justify why the owner must also have write permission on the file. Maybe the idea is that if the owner has removed write permission from himself he must want to prevent any unintended changes to the file.

Well. Makes sense. However I wouldn't create any security mechanisms based on the timestamps of the files. The file for which you've given someone write permission can't be trusted, period. I now think that timestamp - as all the other metadata - might have been put into the same category as ownership and permissions by "unix designers" without much thinking about security. It is a part of metadata indeed.

For the workaround for this issue I'd create a script/command and put into the "visudo" so that it's checking writeability by caller only, skipping the ownership part and then touch the file with the file owner privilages. However security must be double checked for such a workaround.

I doubt that the UNIX designers thought a lot about computing security in the 1970s, especially since it started as a purely academic idea (and to play a game). Which is why today no serious admin relies on UNIX permissions alone, but uses the OS' specific variant of advanced access control lists (RBAC, SELinux, ...)

Perderabo's comments just goes to show that there is always something new to learn about Unix!