I want a particular user to recursively change owner and group of all the contents of a particular directory, and only that directory. The directory is a kind of "inbox", where a service writes files, and subdirectories.
Currently, I have an administrator sudo chown, but I would prefer the destination owner to do it themselves, without that user having any more permissions than required. Let's say the original owner is "headsman", and the final owner should be "audience". Neither user is in the same group.
sudo chown -R audience:watchers /usr/files/pathofdir
is not quite right, because I don't want audience to have unlimited authority to use chown. My first guess was to try to add "audience" to /etc/sudoers with permission to /usr/bin/chown and /usr/bin/chgrp. But that is too much authority.
I thought of writing a script exclusively for audience, but I don't know how to make that script have the correct permissions and no more.
What is a good way to do this?
You can specify a full command in sudoers, with arguments and all, in which case the user will have authority to run the specified command only with the specified arguments. So this sudoers entry should solve your problem:

However, I think you should check out ACLs, as I suspect your problem can be more easily handled with the use of a default ACL on the directory. See this post for an example.
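As an added illustration of the fixed-argument sudoers approach (this is example code, not the entry from the answer above), the script below builds a rule that lets one user run a single, literal chown command line, writes it as a sudoers drop-in and validates it with visudo. The user "audience", group "watchers", inbox /usr/files/pathofdir and the chown path /usr/bin/chown are assumptions taken from the question; check the real chown location with `command -v chown`.

```shell
#!/bin/sh
# Added example (not from the answer above). Assumed names: user "audience",
# group "watchers", inbox /usr/files/pathofdir; chown assumed at /usr/bin/chown.
# Builds a sudoers rule that allows exactly one chown command line, writes it
# as a drop-in file, and validates it with visudo before installation.

# Print one sudoers rule: USER may run, as root, the literal command
#   /usr/bin/chown -R USER:GROUP DIR
# and nothing else. sudo compares the arguments literally, so another path,
# an extra flag or a different owner:group does not match this rule.
sudoers_entry() {
    user=$1; group=$2; dir=$3
    printf '%s ALL=(root) NOPASSWD: /usr/bin/chown -R %s:%s %s\n' \
        "$user" "$user" "$group" "$dir"
}

# Write the rule to a file with the mode sudo expects for drop-ins (0440).
# Returns 0 when the file was written.
write_entry() {
    file=$1; user=$2; group=$3; dir=$4
    sudoers_entry "$user" "$group" "$dir" > "$file" || return 1
    chmod 0440 "$file"
}

# Syntax-check the drop-in before it goes into /etc/sudoers.d: a broken
# sudoers file can lock everyone out of sudo. visudo also insists on root
# ownership, so the check is only meaningful when run as root.
check_entry() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to validate with visudo" >&2; return 2; }
    visudo -cf "$1"
}

# Typical use (as root):
#   write_entry /tmp/audience-inbox audience watchers /usr/files/pathofdir
#   check_entry /tmp/audience-inbox \
#     && install -o root -g root -m 0440 /tmp/audience-inbox /etc/sudoers.d/audience-inbox
#   sudo -l -U audience      # lists the single permitted command line
# Afterwards audience runs exactly:
#   sudo /usr/bin/chown -R audience:watchers /usr/files/pathofdir
```

The rule grants no general chown capability: `sudo -l -U audience` should list only that one command line, and any variation of path or flags is refused by sudo itself rather than by a wrapper script.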
@Lasek pointed out that I probably wanted to use ACLs. This seems to be working for me:

There is probably a more concise syntax, but this is my first use of setfacl.
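As an added example of the default-ACL approach (example code, not the commands from the answer above), the script below gives one user access to an inbox directory and to everything a service later writes into it, with no chown and no sudo rule at all. It assumes setfacl and getfacl are installed and the filesystem honours POSIX ACLs; the user name "audience" and the inbox path stand in for the real ones. The self-check at the end runs as the current user in a temporary directory so it needs no privileges.

```shell
#!/bin/sh
# Added example, not the commands from the answer above. Assumes setfacl/getfacl
# are installed and the filesystem honours POSIX ACLs; the user name "audience"
# and the inbox path /usr/files/pathofdir are stand-ins for the real ones.

# Give USER full access to DIR now and to everything created inside it later:
# the access ACL covers existing content, the default ACL (directories only)
# is copied onto every new file and subdirectory the service creates.
grant_inbox_access() {
    dir=$1; user=$2
    setfacl -R -m "u:$user:rwx" "$dir" || return 1
    find "$dir" -type d -exec setfacl -d -m "u:$user:rwx" {} + || return 1
}

# Check one directory: does its default ACL carry the entry for USER?
has_default_entry() {
    getfacl -p "$1" 2>/dev/null | grep -q "^default:user:$2:rwx$"
}

# Self-contained check in a temp tree, using the current user so no root is
# needed. Returns 0 on success, 3 when the filesystem does not support ACLs.
demo() {
    tmp=$(mktemp -d) || return 1
    me=$(id -un)
    mkdir "$tmp/inbox"
    if ! grant_inbox_access "$tmp/inbox" "$me" 2>"$tmp/err"; then
        if grep -qi "not supported" "$tmp/err"; then rm -rf "$tmp"; return 3; fi
        rm -rf "$tmp"; return 1
    fi
    # Created after the default ACL was set: must inherit it without another setfacl.
    mkdir "$tmp/inbox/later" && : > "$tmp/inbox/later/report.txt"
    if has_default_entry "$tmp/inbox/later" "$me" \
       && getfacl -p "$tmp/inbox/later/report.txt" 2>/dev/null | grep -q "^user:$me:"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Real use (as the directory's owner or root):
#   grant_inbox_access /usr/files/pathofdir audience
#   getfacl -p /usr/files/pathofdir    # shows user:audience:rwx and default:user:audience:rwx
```

Ownership never changes with this approach, which is what makes the sudo grant unnecessary: audience reads and removes the files because the ACL says so, and the service keeps writing as "headsman". Note that on files the inherited entry is capped by the mask the creating process's umask produces, so getfacl may show `user:audience:rwx` with an `#effective:rw-` annotation; that is expected.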