Reset Permissions and Ownership Script

chownpermissions

On a development server (Ubuntu 14.04) we have this shell script running every minute on cron:

for dir in /home/*; do
  username=$(basename $dir)
  echo "changing ownership to $username in $dir/public_html"
  chown -R $username:$username $dir/public_html
  chmod 755 $dir
  chmod -R 775 $dir/public_html
done

Which has the aim of changing ownership and chmod of any file to the virtualhost's username. This is because when a new file is created, it's created by 'root' as our local machines are SMB to the server using root user. The files need to be owned by virtualhost username in order for them to run.

This script works perfectly well, BUT will start to slow down the server when we get a lot of virutalhosts / files as it chowns everything regardless of if it needs it. Most of the time it won't need it as it's only new files which do.

My thoughts are to change it to foreach public_html directory look for any files which are not owned by that virtualhost username and chown that only.

But I fear that having to roll through every file to know which ones to chown might be just as (or more) intensive than the way it works at the moment (just looking at directory level then running recursively).

So was wondering if anyone has a better idea for this? (happy with sh or php script solution)

Aim: any newly created file, chown and chmod it to virtualhost username and 755. Skip all other files. Would also be good to have ability to skip certain filetypes regardless.

Best Answer

"chown -R" will not change any file that already has the desired ownership. It will probably do the job more efficiently than writing a program that does it yourself. chown is written by some very good coders, who probably have taken into consideration a lot of edge cases that you may not have. However, the only way to know is via a benchmark. (I'd love to see your results!)

Here is a simple script that will safely find files not owned by mary, and set their ownership to mary:

find /home/the_place_to_start -xdev \! -user mary -print0 | xargs -0 chown mary

The "-xdev" means "don't cross mountpoints" and is a good safely mechanism. The "-print0" and "-0" options are to handle filenames with spaces and newlines in a secure way. This (and chmod -R) won't follow symlinks for security reasons... if someone made a symlink to / it would be very bad.

Also, if you are running a cron job every minute, it is often better to run the same code in a loop. Here is an explanation of why: http://everythingsysadmin.com/2014/02/how-not-to-use-cron.html

Related Solutions

Nfs – CentOS 5.4 NFS v4 client file permissions differ from original files & NFS Share file contents

It's confusing to try to understand what your problem is, you don't make it clear if you're checking a file on web1 on web1, or db1 on web1, or whatever. Please give a good description of what's you're actually seeing, without confusing the issue with copying and chmoding. Something simple like I create a file on db1, with permissions x:y and on web1 I see permissions a:b and on web2 I see permissions c:d.

First thing, using NFS, any file which is owned by root will usually be shared so that it's owned by nobody. This means that if you have root on the client machine, you effectively don't have root on the server. I think that explains some of what you're seeing.

Secondly, if you are running NFS, it's vital that the userid->username mappings are identical on all the servers. Unix filesystems only store a numeric id for userid & groupid, which are then mapped to usernames by programs like ls. Are you sure that they are all in sync? It could be that you've got a mismatch.

Finally, tar p is an option for extracting, not creating tars. It's ignored when creating tars, and even when it's used, it's not going to set the ownership to what they originally were. -p basically means, ignore the umask. Tar will create files owned by you only, unless you're root.

Linux – File ownership and permissions on web site PHP files

check your apache configurations, usually in /etc/apache2/ or /etc/httpd/ or /etc/apache, and look through the configuration for the directive User, if User is numeric 2016, that's just how it is set up.

do you know if the server is running with SELinux or any 'non-standard' configurations going on on it?

you can also do ps aux | grep apache (or grep httpd, mileage may vary), to see the user/userid that the service is running as. for example:

www-data 14549  0.0  1.0  23340  9864 ?        S    May17   0:00 /usr/sbin/apache2 -k start

shows me www-data is the user running apache2 on my site.

let us know what you find out.

Best Answer

Related Solutions

Nfs – CentOS 5.4 NFS v4 client file permissions differ from original files & NFS Share file contents

Linux – File ownership and permissions on web site PHP files

Related Topic