CHOWN(2) System Calls CHOWN(2)

chown, lchown, fchown, fchownat
change owner and group of a file

#include <unistd.h>
#include <sys/types.h>

int
chown(const char *path, uid_t owner, gid_t group);

int
lchown(const char *path, uid_t owner, gid_t group);

int
fchown(int fildes, uid_t owner, gid_t group);

int
fchownat(int fildes, const char *path, uid_t owner, gid_t group, int flag);

The chown() and fchown() functions set the owner ID and group ID of the file specified by path or referenced by the open file descriptor fildes to owner and group respectively. If owner or group is specified as -1, chown() and fchown() do not change the corresponding ID of the file.

The lchown() function sets the owner ID and group ID of the named file in the same manner as chown(), unless the named file is a symbolic link. In this case, lchown() changes the ownership of the symbolic link file itself, while chown() changes the ownership of the file or directory to which the symbolic link refers.

The fchownat() function sets the owner ID and group ID of the named file in the same manner as chown(). If, however, the path argument is relative (does not start with a “/”), the path is resolved relative to the fildes argument rather than the current working directory. If the fildes argument has the special value AT_FDCWD, the path resolution reverts back to current working directory relative. If the flag argument is set to AT_SYMLINK_NOFOLLOW, the function behaves like lchown() with respect to symbolic links. If the path argument is absolute, the fildes argument is ignored. If the path argument is a null pointer, the function behaves like fchown().

If chown(), lchown(), fchown(), or fchownat() is invoked by a process that does not have {PRIV_FILE_SETID} asserted in its effective set, the set-user-ID and set-group-ID bits of the file mode, S_ISUID and S_ISGID respectively, are cleared (see chmod(2)). Additional restrictions apply when changing the ownership to uid 0.

The operating system defines several privileges to override restrictions on the chown() family of functions. When the {PRIV_FILE_CHOWN} privilege is asserted in the effective set of the current process, there are no restrictions except in the special circumstances of changing ownership to or from uid 0. When the {PRIV_FILE_CHOWN_SELF} privilege is asserted, ownership changes are restricted to the files of which the ownership matches the effective user ID of the current process. If neither privilege is asserted in the effective set of the calling process, ownership changes are limited to changes of the group of the file to the list of supplementary group IDs and the effective group ID.

The operating system provides a configuration option, {_POSIX_CHOWN_RESTRICTED}, to control the default behavior of processes and the behavior of the NFS server. If {B_POSIX_CHOWN_RESTRICTED} is not in effect, the privilege {PRIV_FILE_CHOWN_SELF} is asserted in the inheritable set of all processes unless overridden by policy.conf(4) or user_attr(4). To set this configuration option, include the following line in /etc/system:

set rstchown = 1

To disable this option, include the following line in /etc/system:

set rstchown = 0

See system(4) and fpathconf(2).

Upon successful completion, chown(), fchown(), lchown(), and fchownat() mark for update the st_ctime field of the file.

Upon successful completion, 0 is returned. Otherwise, -1 is returned, the owner and group of the named file remain unchanged, and errno is set to indicate the error.

All of these functions will fail if:
The effective user ID does not match the owner of the file and the {PRIV_FILE_CHOWN} privilege is not asserted in the effective set of the calling process, or the {PRIV_FILE_CHOWN_SELF} privilege is not asserted in the effective set of the calling process.

The chown(), lchown(), and fchownat() functions will fail if:

Search permission is denied on a component of the path prefix of path.
The path argument points to an illegal address and for fchownat(), the file descriptor has the value AT_FDCWD.
A signal was caught during the execution of the chown() or lchown() function.
The group or owner argument is out of range.
An I/O error occurred while reading from or writing to the file system.
Too many symbolic links were encountered in translating path.
The length of the path argument exceeds {PATH_MAX}, or the length of a path component exceeds {NAME_MAX} while {_POSIX_NO_TRUNC} is in effect.
The path argument points to a remote machine and the link to that machine is no longer active.
Either a component of the path prefix or the file referred to by path does not exist or is a null pathname.
A component of the path prefix of path is not a directory, or the path supplied to fchownat() is relative and the file descriptor provided does not refer to a valid directory.
The named file resides on a read-only file system.

The chown() and fchownat() functions will fail if:

For fchown(), the fildes argument is not an open file descriptor.

For fchownat(), the path argument is not absolute and the fildes argument is neither AT_FDCWD, nor an open file descriptor.

An I/O error occurred while reading from or writing to the file system.
A signal was caught during execution of the function.
The fildes argument points to a remote machine and the link to that machine is no longer active.
The group or owner argument is out of range.
The named file referred to by fildes resides on a read-only file system.

Committed

Async-Signal-Safe

chgrp(1), chown(1), chmod(2), fpathconf(2), system(4), attributes(5), standards(5)
March 13, 2021 OmniOS