1

Is there a way you can set up a list of receipts of folders and directories of their correct default permissions that can be used as a backup to compare the correct permissions and be used to fix incorrect permissions caused by system or user changes, and installed software?

For example: you install some software package, and it installs itself into /usr/lib/ but it modified the permissions for a folder or file, but using a backup list of permissions for those files and folders it can be compared against that and corrected if needed.

file1 is -rwxrwxrwx but should be -rwxr-xr-x
folder1 is drwxrwxrwx but should be drwx------

and so on and so forth… and use the backup list in a script to run a check with the list and the directories and folders and correct them all with chown, chmod and setfacl.

How can this be achieved, and if possible show examples of how it can be done. This might even be useful for a Linux server in general if specific permissions need to be kept or set to prevent modifications or changes taking place where it shouldn't, and perhaps have it run automatically after each reboot or system update, and have its list automatically add new ones to the list when needed on the fly without much user interaction required.

2 Answers

1

The easy way to do that would be by using ACL tools:

getfacl -R / > /path/to/perms/file.acl

to back up permissions (both traditional permissions and ACL) and ownership, and

setfacl --restore=/path/to/perms/file.acl /

to restore them.

David King
0

As a disclaimer, please be careful when doing batch changes to permissions. If you have a bug in a script that changes permissions, it can be nasty.

That said, consider this example:

Create a directory in which you can experiment, and change to that directory:

mkdir /tmp/experiment
cd /tmp/experiment

Create a bunch of files in directories:

mkdir -p {a,b,c,d}/{e,f,g,h}/{i,j,k,l}
touch {a,b,c,d}/{m,n,o,p}
touch {a,b,c,d}/{e,f,g,h}/{q,r,s,t}
touch {a,b,c,d}/{e,f,g,h}/{i,j,k,l}/{u,v,w,x}

As an experiment, give all the files random permissions:

for i in $(find . -type f); do
    chmod $(($RANDOM % 8))$(($RANDOM % 8))$(($RANDOM % 8)) $i
done

Also give the directories random permissions, but retain permissions for the owner:

for i in $(find . -type d); do
    chmod 7$(($RANDOM % 8))$(($RANDOM % 8)) $i
done

Create a permission restoration script using stat:

find . | xargs stat --printf="chmod %a %n\n" > /tmp/perms.sh

Note the output format:

head -n3 /tmp/perms.sh
chmod 715 .
chmod 700 ./b
chmod 250 ./b/n

Now trash the permissions:

find . | xargs chmod 777

You could now restore the permissions using the script:

bash /tmp/perms.sh

To verify that this works, you can find the new permissions the same way you did before, but save them to a different file:

find . | xargs stat --printf="chmod %a %n\n" > /tmp/perms.sh_new

Then compare the two files and note that there are no differences:

diff /tmp/perms.sh{,_new}
Andy Dalton
  • This is very descriptive and informative. It certainly helps to give an idea on how to achieve this. –  Dec 21 '15 at 20:39
  • @user94959 This breaks down on files containing special characters. It can be fixed but it's more than just a matter of adding quotes. – Gilles 'SO- stop being evil' Dec 22 '15 at 00:25
  • @Gilles do you have to state the obvious? if something doesn't work first time, just add quotation marks to something that needs it, and I found the above answer to be pretty helpful, and marked it so as an acceptable answer, and as such this information can be iterated on to be more useful in future. –  Dec 22 '15 at 00:46
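
The comments above note that the stat/xargs restore script breaks on file names with special characters. The following is an added example, not code from either answer: it keeps the baseline as a NUL-delimited data file instead of a generated script, then reports or repairs drift in mode and ownership. The function names snapshot_perms and check_perms are hypothetical, and GNU find (-printf) and GNU stat (-c) are assumed.

```bash
#!/usr/bin/env bash
# Added example: NUL-delimited permission manifest (GNU find/stat assumed).
# Record format: "<octal mode> <uid>:<gid> <path>\0". The path is the last
# field, so spaces and newlines inside it cannot break parsing.

snapshot_perms() {   # usage: snapshot_perms ROOT MANIFEST
    # Symlinks are skipped: chmod would act on the link target instead.
    # Keep MANIFEST outside ROOT and writable only by its owner.
    find "$1" ! -type l -printf '%m %U:%G %p\0' > "$2"
}

check_perms() {      # usage: check_perms MANIFEST [--fix]
    local manifest=$1 fix=${2:-} rec mode rest owner path now
    while IFS= read -r -d '' rec; do
        mode=${rec%% *};   rest=${rec#* }
        owner=${rest%% *}; path=${rest#* }
        if [ -L "$path" ] || [ ! -e "$path" ]; then
            # Missing, or replaced by a symlink since the snapshot: report only.
            printf 'SKIP %q\n' "$path"
            continue
        fi
        now=$(stat -c '%a %u:%g' -- "$path")
        [ "$now" = "$mode $owner" ] && continue
        # %q keeps each report on one line even if the name holds a newline.
        printf 'DRIFT %q is %s, expected %s\n' "$path" "$now" "$mode $owner"
        if [ "$fix" = --fix ]; then
            # chown first: changing ownership can clear setuid/setgid bits.
            [ "${now#* }" = "$owner" ] || chown -- "$owner" "$path"
            chmod -- "$mode" "$path"
        fi
    done < "$manifest"
}
```

Run check_perms without --fix first and read the DRIFT lines before letting it change anything; ACL entries are not covered here and still need getfacl/setfacl as in the first answer.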