Bernhard Brunner's Blog

Link to this comparison view

--- blog:set_rights_of_files_in_public_html [2011-03-10 18:55] – created brb
+++ blog:set_rights_of_files_in_public_html [2011-03-11 07:57] (current) – brb
@@ Line 1: / Line 1: @@
 ====== Set rights of files in public_html ======
-<code>
+Set rights of user /home/*/public_html directors in a secure and useful way
-#!/bin/bash
+  - all files/directories get chown user:www-data, so users own them and the webserver has group access
+  - group www-data is added g+r for files (webserver can read all files) g+rsx for directories (webserver can read and change into all directories)
+  - o-rights (for all) are completely removed, so shell users can't read files of other users (possibly containing passwords etc).
-# setjog-here.sh
+You can run the script using ''sudo fixphrights.sh'' or add a cron-job to go over all public_html directories every hour or so.
-find . -type d -print0 | xargs -0 chmod 755
+Note: Users should be informed what happens, because a lot have taken the bad habit of doing chmod 755 to everything, and they will be confused if their files go back to 750 every hour.
-find . -type f -print0 | xargs -0 chmod 644
-chmod 755 .
-chmod u+x $0
-</code>
 Ref: http://ubuntuincident.wordpress.com/2010/11/21/setting-rights-for-public_html/
-{{tag>}}
+<code bash>
+#!/bin/bash -
+#===============================================================================
+#
+#          FILE:  fixphrights.sh
+#
+#         Usage:  ./fixphrights.sh
+#
+#   Description:  Set rights of user /home/*/public_html directors in a secure
+#                 and useful way
+#                 - all files/directories get chown user:www-data, so users own them
+#                   and the webserver has group access
+#                 - group www-data is added
+#                   g+r for files (webserver can read all files)
+#                   g+rsx for directories (webserver can read and change into all directories)
+#                 - o-rights (for all) are completely removed, so shell users can't read
+#                   files of other users (possibly containing passwords etc).
+#                 This can be run in a cronjob and will fix rights every five minutes, e.g.:
+#               Crontab entry:
+#               5   */1   * * *     root   nice /home/brb/bin/fixphrights.sh
+#       Options:  none
+#  Requirements:  ---
+#          BUGS:  ---
+#         Notes:  ---
+#        Author: Bernhard Brunner (bn), bernhard point brunner att epr point ch
+#       Company: epr.ch
+#       Created: 2011/03/11 07:33
+# Last modified: 2011/03/11 07:40
+#      Revision:  ---
+#===============================================================================
+set -o nounset                              # Treat unset variables as an error
+setrights ()
+{
+    echo $1
+    cd /home/$1
+    mkdir -p public_html
+    cd public_html
+    find . -type d -print0 | xargs -0 chown $1:www-data
+    find . -type d -print0 | xargs -0 chmod u+s,g+rsx,o-rwx
+    find . -type f -print0 | xargs -0 chown $1:www-data
+    find . -type f -print0 | xargs -0 chmod g+r,o-rwx
+    chown $1:www-data .
+    chmod u+x,g+rx,o-rwx .
+#   chmod u+x
+}
+# ----------  end of function setrights  ----------
+cd /home
+for i in * ; do
+  echo $i
+  if [[ "$i" != "lost+found" ]] ; then
+    setrights $i
+  fi
+done
+</code>
+{{tag>linux bash webserver}}
 ~~LINKBACK~~
 ~~DISCUSSION~~