@ -0,0 +1,34 @@ |
|
|
|
# permwatcher |
|
|
|
|
|
|
|
permatcher is a daemon to reset linux filesystem permissions. It's clearly a technical solution for a social problem: Many users do a `chmod 777` "because it solves the problem". `chmod`ing a file to 777 not only opens a big security hole, but also cause any other file system permission bits to be dropped (`777` is actually `0777` which drops the setgid bit for example). |
|
|
|
|
|
|
|
I finally gave up explaining why its bad to do `chmod 777` and decided to just reset the permissions. |
|
|
|
|
|
|
|
## requirements |
|
|
|
|
|
|
|
`permwatcher` needs |
|
|
|
|
|
|
|
* Python 3.x (2.7 may work, but haven't tested with) |
|
|
|
* pyinotify |
|
|
|
|
|
|
|
|
|
|
|
## Usage |
|
|
|
|
|
|
|
The permwatcher daemon is controlled by a single configuration file, typically installed in `/etc/permwatcher.cfg`. |
|
|
|
|
|
|
|
The configuration file contains one ore more sections. A minimal configuration section looks like this: |
|
|
|
|
|
|
|
[webroots] |
|
|
|
directories = /var/www |
|
|
|
|
|
|
|
The name of the section doesn't really matter - it's just an identifier. |
|
|
|
The `directories` option takes a space-separated list of directories to watch for changes. |
|
|
|
|
|
|
|
Other options: |
|
|
|
|
|
|
|
* `exclude`: Space-separated [glob patterns](https://docs.python.org/3.4/library/glob.html). Objects matching one of these patterns will be ignored by pyinotify. |
|
|
|
* `remove_file_masks`: Name of masks from the [stat module](https://docs.python.org/3.4/library/stat.html) to remove from files. Defaults to `S_IXUSR S_IXGRP S_IWOTH S_IXOTH` |
|
|
|
* `remove_dir_masks`: Name of masks from the [stat module](https://docs.python.org/3.4/library/stat.html) to remove from directories. Defaults to `S_IWOTH` |
|
|
|
* `keep_setgid`: re-add the setgid bit if it is set on the parent directory |
|
|
|
* `keep_setuid`: re-add the setuid bit if it is set on the parent directory |
|
|
|
|
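Review bot: The `keep_setuid` entry in the "Other options" list needs its scope and default spelled out. As written ("re-add the setuid bit if it is set on the parent directory") it does not say whether the bit is re-added to files, to directories, or both. Linux ignores setuid on directories, so a reader cannot tell what the option is for or whether it can leave regular files setuid. State the default for `keep_setgid` and `keep_setuid` the way the two mask options do, and say which object types they touch. The default `remove_file_masks` of `S_IXUSR S_IXGRP S_IWOTH S_IXOTH` strips owner and group execute from every file under a watched directory. That deserves a sentence next to the `/var/www` example, since files there that are meant to be executable would lose the bit unless excluded. The Usage section should also say which user the daemon runs as and whether it follows symbolic links when it resets permissions in directories that other users can write to. Two typos: "permatcher" in the first paragraph should be "permwatcher", and "one ore more sections" should be "one or more sections".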