1CHOWN(2) Linux Programmer's Manual CHOWN(2)
2
3
4
6 chown, fchown, lchown, fchownat - change ownership of a file
7
9 #include <unistd.h>
10
11 int chown(const char *pathname, uid_t owner, gid_t group);
12 int fchown(int fd, uid_t owner, gid_t group);
13 int lchown(const char *pathname, uid_t owner, gid_t group);
14
15 #include <fcntl.h> /* Definition of AT_* constants */
16 #include <unistd.h>
17
18 int fchownat(int dirfd, const char *pathname,
19 uid_t owner, gid_t group, int flags);
20
21 Feature Test Macro Requirements for glibc (see feature_test_macros(7)):
22
23 fchown(), lchown():
24 /* Since glibc 2.12: */ _POSIX_C_SOURCE >= 200809L
25 || _XOPEN_SOURCE >= 500
26 || /* Glibc <= 2.19: */ _BSD_SOURCE
27
28 fchownat():
29 Since glibc 2.10:
30 _POSIX_C_SOURCE >= 200809L
31 Before glibc 2.10:
32 _ATFILE_SOURCE
33
35 These system calls change the owner and group of a file. The chown(),
36 fchown(), and lchown() system calls differ only in how the file is
37 specified:
38
39 * chown() changes the ownership of the file specified by pathname,
40 which is dereferenced if it is a symbolic link.
41
42 * fchown() changes the ownership of the file referred to by the open
43 file descriptor fd.
44
45 * lchown() is like chown(), but does not dereference symbolic links.
46
47 Only a privileged process (Linux: one with the CAP_CHOWN capability)
48 may change the owner of a file. The owner of a file may change the
49 group of the file to any group of which that owner is a member. A
50 privileged process (Linux: with CAP_CHOWN) may change the group arbi‐
51 trarily.
52
53 If the owner or group is specified as -1, then that ID is not changed.
54
55 When the owner or group of an executable file is changed by an unprivi‐
56 leged user, the S_ISUID and S_ISGID mode bits are cleared. POSIX does
57 not specify whether this also should happen when root does the chown();
58 the Linux behavior depends on the kernel version, and since Linux
59 2.2.13, root is treated like other users. In case of a non-group-exe‐
60 cutable file (i.e., one for which the S_IXGRP bit is not set) the S_IS‐
61 GID bit indicates mandatory locking, and is not cleared by a chown().
62
63 When the owner or group of an executable file is changed (by any user),
64 all capability sets for the file are cleared.
65
66 fchownat()
67 The fchownat() system call operates in exactly the same way as chown(),
68 except for the differences described here.
69
70 If the pathname given in pathname is relative, then it is interpreted
71 relative to the directory referred to by the file descriptor dirfd
72 (rather than relative to the current working directory of the calling
73 process, as is done by chown() for a relative pathname).
74
75 If pathname is relative and dirfd is the special value AT_FDCWD, then
76 pathname is interpreted relative to the current working directory of
77 the calling process (like chown()).
78
79 If pathname is absolute, then dirfd is ignored.
80
81 The flags argument is a bit mask created by ORing together 0 or more of
82 the following values;
83
84 AT_EMPTY_PATH (since Linux 2.6.39)
85 If pathname is an empty string, operate on the file referred to
86 by dirfd (which may have been obtained using the open(2) O_PATH
87 flag). In this case, dirfd can refer to any type of file, not
88 just a directory. If dirfd is AT_FDCWD, the call operates on
89 the current working directory. This flag is Linux-specific; de‐
90 fine _GNU_SOURCE to obtain its definition.
91
92 AT_SYMLINK_NOFOLLOW
93 If pathname is a symbolic link, do not dereference it: instead
94 operate on the link itself, like lchown(). (By default, fchow‐
95 nat() dereferences symbolic links, like chown().)
96
97 See openat(2) for an explanation of the need for fchownat().
98
100 On success, zero is returned. On error, -1 is returned, and errno is
101 set to indicate the error.
102
104 Depending on the filesystem, errors other than those listed below can
105 be returned.
106
107 The more general errors for chown() are listed below.
108
109 EACCES Search permission is denied on a component of the path prefix.
110 (See also path_resolution(7).)
111
112 EFAULT pathname points outside your accessible address space.
113
114 ELOOP Too many symbolic links were encountered in resolving pathname.
115
116 ENAMETOOLONG
117 pathname is too long.
118
119 ENOENT The file does not exist.
120
121 ENOMEM Insufficient kernel memory was available.
122
123 ENOTDIR
124 A component of the path prefix is not a directory.
125
126 EPERM The calling process did not have the required permissions (see
127 above) to change owner and/or group.
128
129 EPERM The file is marked immutable or append-only. (See
130 ioctl_iflags(2).)
131
132 EROFS The named file resides on a read-only filesystem.
133
134 The general errors for fchown() are listed below:
135
136 EBADF fd is not a valid open file descriptor.
137
138 EIO A low-level I/O error occurred while modifying the inode.
139
140 ENOENT See above.
141
142 EPERM See above.
143
144 EROFS See above.
145
146 The same errors that occur for chown() can also occur for fchownat().
147 The following additional errors can occur for fchownat():
148
149 EBADF dirfd is not a valid file descriptor.
150
151 EINVAL Invalid flag specified in flags.
152
153 ENOTDIR
154 pathname is relative and dirfd is a file descriptor referring to
155 a file other than a directory.
156
158 fchownat() was added to Linux in kernel 2.6.16; library support was
159 added to glibc in version 2.4.
160
162 chown(), fchown(), lchown(): 4.4BSD, SVr4, POSIX.1-2001, POSIX.1-2008.
163
164 The 4.4BSD version can be used only by the superuser (that is, ordinary
165 users cannot give away files).
166
167 fchownat(): POSIX.1-2008.
168
170 Ownership of new files
171 When a new file is created (by, for example, open(2) or mkdir(2)), its
172 owner is made the same as the filesystem user ID of the creating
173 process. The group of the file depends on a range of factors, includ‐
174 ing the type of filesystem, the options used to mount the filesystem,
175 and whether or not the set-group-ID mode bit is enabled on the parent
176 directory. If the filesystem supports the -o grpid (or, synonymously
177 -o bsdgroups) and -o nogrpid (or, synonymously -o sysvgroups) mount(8)
178 options, then the rules are as follows:
179
180 * If the filesystem is mounted with -o grpid, then the group of a new
181 file is made the same as that of the parent directory.
182
183 * If the filesystem is mounted with -o nogrpid and the set-group-ID bit
184 is disabled on the parent directory, then the group of a new file is
185 made the same as the process's filesystem GID.
186
187 * If the filesystem is mounted with -o nogrpid and the set-group-ID bit
188 is enabled on the parent directory, then the group of a new file is
189 made the same as that of the parent directory.
190
191 As at Linux 4.12, the -o grpid and -o nogrpid mount options are sup‐
192 ported by ext2, ext3, ext4, and XFS. Filesystems that don't support
193 these mount options follow the -o nogrpid rules.
194
195 Glibc notes
196 On older kernels where fchownat() is unavailable, the glibc wrapper
197 function falls back to the use of chown() and lchown(). When pathname
198 is a relative pathname, glibc constructs a pathname based on the sym‐
199 bolic link in /proc/self/fd that corresponds to the dirfd argument.
200
201 NFS
202 The chown() semantics are deliberately violated on NFS filesystems
203 which have UID mapping enabled. Additionally, the semantics of all
204 system calls which access the file contents are violated, because
205 chown() may cause immediate access revocation on already open files.
206 Client side caching may lead to a delay between the time where owner‐
207 ship have been changed to allow access for a user and the time where
208 the file can actually be accessed by the user on other clients.
209
210 Historical details
211 The original Linux chown(), fchown(), and lchown() system calls sup‐
212 ported only 16-bit user and group IDs. Subsequently, Linux 2.4 added
213 chown32(), fchown32(), and lchown32(), supporting 32-bit IDs. The
214 glibc chown(), fchown(), and lchown() wrapper functions transparently
215 deal with the variations across kernel versions.
216
217 In versions of Linux prior to 2.1.81 (and distinct from 2.1.46),
218 chown() did not follow symbolic links. Since Linux 2.1.81, chown()
219 does follow symbolic links, and there is a new system call lchown()
220 that does not follow symbolic links. Since Linux 2.1.86, this new call
221 (that has the same semantics as the old chown()) has got the same
222 syscall number, and chown() got the newly introduced number.
223
225 The following program changes the ownership of the file named in its
226 second command-line argument to the value specified in its first com‐
227 mand-line argument. The new owner can be specified either as a numeric
228 user ID, or as a username (which is converted to a user ID by using
229 getpwnam(3) to perform a lookup in the system password file).
230
231 Program source
232 #include <pwd.h>
233 #include <stdio.h>
234 #include <stdlib.h>
235 #include <unistd.h>
236
237 int
238 main(int argc, char *argv[])
239 {
240 uid_t uid;
241 struct passwd *pwd;
242 char *endptr;
243
244 if (argc != 3 || argv[1][0] == '\0') {
245 fprintf(stderr, "%s <owner> <file>\n", argv[0]);
246 exit(EXIT_FAILURE);
247 }
248
249 uid = strtol(argv[1], &endptr, 10); /* Allow a numeric string */
250
251 if (*endptr != '\0') { /* Was not pure numeric string */
252 pwd = getpwnam(argv[1]); /* Try getting UID for username */
253 if (pwd == NULL) {
254 perror("getpwnam");
255 exit(EXIT_FAILURE);
256 }
257
258 uid = pwd->pw_uid;
259 }
260
261 if (chown(argv[2], uid, -1) == -1) {
262 perror("chown");
263 exit(EXIT_FAILURE);
264 }
265
266 exit(EXIT_SUCCESS);
267 }
268
270 chgrp(1), chown(1), chmod(2), flock(2), path_resolution(7), symlink(7)
271
273 This page is part of release 5.12 of the Linux man-pages project. A
274 description of the project, information about reporting bugs, and the
275 latest version of this page, can be found at
276 https://www.kernel.org/doc/man-pages/.
277
278
279
280Linux 2021-03-22 CHOWN(2)