Linux Filesystem Permissions Watcher

This repo is archived. You can view files and clone it, but cannot push or open issues/pull-requests.

Johann Schmitz c8d1997e72 Fixed imports, added setup.py		5 years ago
doc	Added example config; add syslog/console logging option	5 years ago
src/permwatcher	Fixed imports, added setup.py	5 years ago
.gitignore	Initial setup	5 years ago
LICENSE.txt	Initial setup	5 years ago
README.md	Added README.md	5 years ago
setup.py	Fixed imports, added setup.py	5 years ago

README.md

permwatcher

permatcher is a daemon to reset linux filesystem permissions. It’s clearly a technical solution for a social problem: Many users do a chmod 777 “because it solves the problem”. chmoding a file to 777 not only opens a big security hole, but also cause any other file system permission bits to be dropped (777 is actually 0777 which drops the setgid bit for example).

I finally gave up explaining why its bad to do chmod 777 and decided to just reset the permissions.

requirements

permwatcher needs

Python 3.x (2.7 may work, but haven’t tested with)
pyinotify

Usage

The permwatcher daemon is controlled by a single configuration file, typically installed in /etc/permwatcher.cfg.

The configuration file contains one ore more sections. A minimal configuration section looks like this:

[webroots]
directories = /var/www

The name of the section doesn’t really matter - it’s just an identifier. The directories option takes a space-separated list of directories to watch for changes.

Other options:

exclude: Space-separated glob patterns. Objects matching one of these patterns will be ignored by pyinotify.
remove_file_masks: Name of masks from the stat module to remove from files. Defaults to S_IXUSR S_IXGRP S_IWOTH S_IXOTH
remove_dir_masks: Name of masks from the stat module to remove from directories. Defaults to S_IWOTH
keep_setgid: re-add the setgid bit if it is set on the parent directory
keep_setuid: re-add the setuid bit if it is set on the parent directory