I have a situation where an automated process running as apache needs to share a file with another user, foo. For security reasons, it would be preferable if this file were not readable to other Unix users. The obvious solution is to have apache "chgrp foo FILENAME", but chgrp complains that permission to do this is denied, even though the file is owned by apache and has the group set to apache. This does not make much sense to me. It also seems to have security implications, because now apache must make the file world-readable in order to share it.
coreutils-5.97-12.5.fc6
This is a kernel permission check. Changing component and reassigning.
apache cannot change a file's group unless apache is a member of the new group.
Any particular reason for that? As the file owner, apache can get read/write/execute access at any time, so it seems that the only thing that restriction does is prevent sharing access with groups of which it is not a member. I'm not sure why that would be desirable.
Because...
1) user creates script
2) user makes script setgid
3) user changes the group on script to one w/ elevated privs that they aren't a member of
4) user runs setgid script with elevated privs they shouldn't have
BAD.
I'd suggest perhaps making your user foo a member of the apache group if it needs r/w access to that file.
Ah, that makes sense. Thanks for the explanation.
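The rule stated in the thread, that an unprivileged owner can only chgrp a file into a group it is itself a member of, and the safer sharing pattern it implies (group-readable, never world-readable), as an added Python example that is not part of the bug report. It uses os.chown, the same system call chgrp makes, on a constructed temporary file; the membership probe, the helper names and the sample content are assumptions made for the demo.

```python
import grp
import os
import stat
import tempfile


def member_of(gid: int) -> bool:
    """Mirror the kernel's chgrp rule for a non-root process.

    An unprivileged owner may move a file only into its own effective group or
    one of its supplementary groups; root may use any group. Checking this up
    front lets a caller report why chgrp would fail instead of surfacing a
    bare EPERM.
    """
    if os.geteuid() == 0:
        return True
    return gid == os.getegid() or gid in os.getgroups()


def resolve_group(name: str) -> int:
    """Look up a group name in the group database (raises KeyError if absent)."""
    return grp.getgrnam(name).gr_gid


def share_with_group(path: str, gid: int) -> int:
    """Let members of gid read path without making it world-readable.

    Returns the resulting permission bits. Raises PermissionError when the
    process is not a member of gid, rather than falling back to chmod 644,
    which is the insecure shortcut the bug report worried about.
    """
    if not member_of(gid):
        raise PermissionError(
            f"cannot change group of {path} to gid {gid}: this process is not "
            "a member; add the reader to a group this process belongs to instead"
        )
    # Drop group/other bits first so the file is never world-readable, even
    # briefly, then hand it to the readers' group. The kernel also clears any
    # setuid/setgid bits when an unprivileged owner changes a file's group.
    os.chmod(path, 0o600)
    os.chown(path, -1, gid)  # -1 leaves the owner unchanged (chgrp semantics)
    os.chmod(path, 0o640)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> tuple[int, bool, bool]:
    """Constructed demo: share a temp file with this process's own primary
    group (always allowed), then show the probe rejecting a gid we do not hold.

    Returns (mode after sharing, member_of(own gid), refusal observed). The
    refusal is reported as True when running as root, since root may use any
    group and there is nothing to refuse.
    """
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"report generated by the web process\n")  # constructed content
        path = f.name
    try:
        mode = share_with_group(path, os.getgid())
        # A gid outside our credentials: one past the highest group we hold.
        foreign = max(os.getgroups() + [os.getegid()]) + 1
        refused = os.geteuid() == 0
        if not refused:
            try:
                share_with_group(path, foreign)
            except PermissionError as e:
                print("refused as expected:", e)
                refused = True
        return mode, member_of(os.getgid()), refused
    finally:
        os.unlink(path)


if __name__ == "__main__":
    mode, _, _ = demo()
    print(f"mode after sharing: {mode:o}")
```

In the thread's scenario the web process would call share_with_group with resolve_group("apache") after foo has been added to the apache group, which is the workaround suggested above; the probe turns the opaque "Operation not permitted" into an actionable message and never widens the file to 644.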