Change the owner of a file or directory
Reassign a file or directory to a different user (and optionally group) — for fixing permission errors after copying files between users, after extracting tarballs as root, or when handing data over to a service account.
How to change the owner of a file or directory in each shell
sudo chown alice file.txt`chown USER FILE` sets the owner. `chown USER:GROUP FILE` sets both at once (the colon is portable; `.` works on GNU but not BSD). `-R` recursive. Almost always requires `sudo` — only root can `chown` someone else's file (Linux can be relaxed via `CAP_CHOWN` capability).
sudo chown alice file.txtsudo chown alice file.txt$acl = Get-Acl file.txt; $acl.SetOwner((New-Object Security.Principal.NTAccount "DOMAIN\alice")); Set-Acl file.txt $acl`Get-Acl`/`Set-Acl` is Windows-only — pwsh 7 on Linux/macOS has NO equivalent (falls back to invoking `chown` via the system shell). On Windows, taking ownership of someone else's file additionally requires the "Take ownership" privilege (`SeTakeOwnershipPrivilege`), typically held by Administrators.
takeown /f file.txt /a && icacls file.txt /setowner Administrators`takeown` claims ownership for the current user (or `/a` Administrators group). `icacls /setowner` sets to a specific principal. Use `/r` (takeown) or `/t` (icacls) for recursive. Both require an elevated cmd (Run as administrator) unless you already own the file.
Equivalents listed for Bash, Zsh, Fish, PowerShell, cmd.exe.
Gotchas & notes
- **Numeric UID vs name — portability matters**: `chown 1000:1000 file` uses raw IDs (the only form that's safe across systems that don't share `/etc/passwd`). `chown alice:staff file` is human-readable but breaks the moment you `tar` and ship to a host where `alice` doesn't exist (extracts as UID-of-`alice` literal — could be a random user). For Docker images, NFS-mounted volumes, and cross-host tarballs: ALWAYS prefer numeric form (`chown -R 1000:1000 /data`) or `--numeric-owner` on tar. For shell scripts on a single host: name form is fine and self-documenting.
- **`-R` recursive + symlink behaviour is a GNU/BSD divergence trap**: GNU `chown -R` does NOT follow symlinks by default (changes the symlink itself only if your `chown` supports `-h`, otherwise the target). BSD `chown -R` historically followed symlinks. Modern explicit flags: `-H` follow only command-line symlinks, `-L` follow ALL symlinks (dangerous: a symlink pointing to `/etc` would chown system files), `-P` never follow (safest default). `find / -xdev -user olduser -exec chown newuser {} \;` is the safer pattern for "change owner of every file owned by X" — `-xdev` stays on one filesystem, avoiding NFS / `/proc` mishaps.
- **Common failure modes**: "Operation not permitted" — you're not root and not the owner. "Invalid user: ‘alice’" — name not in `/etc/passwd` (use `id alice` to verify; consider numeric). After `chown`, the file's SETUID/SETGID bits are CLEARED on Linux (security feature — prevents owning a setuid binary and then chown'ing it to root). On macOS, `chown` on a file inside a Time Machine snapshot may need Recovery Mode + `csrutil disable` because SIP protects certain paths. Inside Docker containers: `chown` respects the container's `/etc/passwd`, not the host's — UID 1000 may map to different names.
- **Capabilities as a sudo-free alternative on Linux**: instead of `chown root:root /usr/local/bin/mytool && chmod u+s mytool` (SUID — risky), grant only the specific capability needed: `setcap cap_net_bind_service=+ep /usr/local/bin/mytool` lets the binary bind ports < 1024 without root. Capabilities sidestep ownership changes for many "needs root for one thing" scenarios. Verify with `getcap`.
- **Windows ownership semantics differ fundamentally**: there's no single "owner" file attribute the way POSIX has — instead, ownership is a security descriptor field set via ACLs. Owners always have implicit `WRITE_DAC` (can change permissions), but EVERY other permission is governed by ACLs. `takeown` is the cmd analogue of "I want to chown this to me, by force" — Administrators can always do it; ordinary users can only take ownership of files where the ACL explicitly grants `SeTakeOwnershipPrivilege`. After `takeown`, use `icacls /grant` to actually grant read/write — taking ownership ALONE doesn't give read access.
Related commands
Related tasks
- Change file permissions— Modify read/write/execute permissions on a file or directory.
- Change the group ownership of a file or directory— Reassign a file's group — for granting team-wide read/write via group permissions, for matching a service account's primary group, or for fixing post-clone permissions where the working tree is owned by the wrong group.
- Set permissions recursively on a directory tree— Apply a single permission change to a directory and every file underneath — for locking down a freshly-extracted tarball, undoing world-writable mistakes, or normalizing permissions on a copied directory.