- 07-22-2010 #1 Just Joined!
- Join Date
- Jul 2010
- Posts
- 3
sudoers question
I know that there have been many sudoers questions on forums, and here's another one. I'm trying to write a PHP script that creates a file and changes back ownership to the user of the workstation. The problem I am having is that I can't change ownership from apache to myself. I tried running a system command thinking that because the apache server was the owner of the file, one should be able to change ownership of the file it created. Wrong. A coworker told me that you still needed to log on as root. I didn't want the end user of this script to have to log in as root. The process should be a black box for them. I then tried to alter the sudoers file to allow apache to use chown. This didn't work, so I tried to allow apache to do everything ("apache ALL = NOPASSWD: ALL"). That still didn't work. How do I allow apache access to be able to change ownership of a file it created in a PHP script to the user of the workstation? Do I need commands in the sudoers file in addition to the aforementioned one? Here is a simple PHP script that describes what I am doing:
<?php
shell_exec("touch test.txt;chown duffyg test.txt");
?>
After editing the sudoers file, I tried the command 'sudo -u chown duffyg test.txt' in place of the command you see in the script.
Thanks
- 07-22-2010 #2
The reason why only root can change the personal ownership of files is that otherwise a malicious downloaded executable with the SUID bit set could change its ownership to root and thus run with root permissions.
Group ownership, however, can be changed by the file's owner. Could you perhaps set the modes so that group ownership will do what you want?
"I'm just a little old lady; don't try to dazzle me with jargon!"
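The group-ownership approach suggested in the reply above, sketched as an added example that is not part of the original thread: a setgid directory makes every file created in it inherit a shared group, so no chown and no sudoers entry is involved. The function names, the directory and the group are assumptions; the web server account and the workstation user would both have to be members of that group.

```shell
#!/bin/sh
# Added example (not from the thread): share files through group ownership
# instead of letting the web server account run chown via sudo.
# Assumption: the calling account is a member of the group passed in.

# make_shared_dir DIR GROUP
# Create DIR, give it to GROUP and set the setgid bit so that files
# created inside inherit GROUP rather than the creator's primary group.
make_shared_dir() {
    dir=$1 group=$2
    mkdir -p "$dir" || return 1
    # An owner may chgrp to any group it belongs to; root is not needed.
    chgrp "$group" "$dir" || return 1
    # 2 = setgid on the directory, 770 = owner and group only, no "other".
    chmod 2770 "$dir" || return 1
}

# create_shared_file DIR NAME
# Create an empty group-writable file NAME inside DIR.
create_shared_file() {
    dir=$1 name=$2
    # Refuse names that could land outside DIR.
    case $name in
        ''|*/*|.|..) echo "refusing file name: $name" >&2; return 1 ;;
    esac
    # umask 007 gives mode 660: read/write for owner and group only.
    ( umask 007 && : > "$dir/$name" ) || return 1
}

# file_mode PATH: print the ten-character mode string, e.g. drwxrws---
file_mode() { ls -ld "$1" | cut -c1-10; }

# file_gid PATH: print the numeric group id of PATH
file_gid() { ls -ldn "$1" | awk '{print $4}'; }
```

With this layout the file stays owned by the web server account, and the workstation user reads and writes it through group membership alone.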
- 07-22-2010 #3 Just Joined!
- Join Date
- Jul 2010
- Posts
- 3
Thanks for the quick response.
This did not work. I tried modifying sudoers to say:
%apache ALL=(ALL) NOPASSWD: ALL
After this didn't work, I coupled that with:
%userss ALL=(ALL) NOPASSWD: ALL

