ensure filesystem permissions with configuration files
a configuration file format and evaluator implementation for specifying and setting filesystem permissions. a bit like css for filesystem permissions
programs, copied files and remote users working on a system sometimes create new files with incorrect permissions and modify the permissions of existing files. if there are no regular automatic checks and fixes to keep desired filesystem permissions, the security of the system is at risk and processes that need specific permissions might stop working. for the purpose of ensuring filesystem permissions, writing shell scripts that use the chown, chmod, setfacl, find and similar utilities is much more cumbersome, unclear, error prone and harder to maintain than necessary
permission configuration file with almost all features mixed:
("/home/nonroot" "directory:rwx,rw:nonroot:http" (file-type regular default-user (nonroot rw) user (testuser rw http r) group (http rw) other r) ("temp/documents/*" (acl file-type directory "d:u:1000:rwx")) (("modules" "tests") "rwx,rw::git"))
same with comments
("/home/nonroot" ;restriction on directories. sets permissions, user and group "directory:rwx,rw:nonroot:http" ;acl as a key/value list (file-type regular default-user (nonroot rw) user (testuser rw http r) group (http rw) other r) ("temp/documents/*" ;an alternative acl notation as a key/value list and string as would be used with "setfacl" (acl file-type directory "d:u:1000:rwx")) ;matches any of the listed file names (("modules" "tests") "rwx,rw::git"))
more practical example
; matches all ".git" directories under "/home/testuser" ("/home/testuser/**/.git" "rw:nonroot:git")
$ fs-perm-set --help
parameters options ... specifier path paths ... options --acl --config-file=value --dry-run --help | -h --interface
$ cat my-fs-config | fs-perm-set --dry-run $ fs-perm-set --config-file=my-fs-config $ fs-perm-set rw,r:testuser testpath testpath/** $ fs-perm-set --acl u:testuser:rw testpath-1 testpath-2
$ fs-perm-set rwx,rw:nonroot /usr/share/guile/site/2.2/ice-9/* --dry-run chown 1000:-1 "/usr/share/guile/site/2.2/ice-9/match-phd-lookup.scm" chmod 760 "/usr/share/guile/site/2.2/ice-9/match-phd-lookup.scm" chown 1000:-1 "/usr/share/guile/site/2.2/ice-9/match-phd.scm" chmod 760 "/usr/share/guile/site/2.2/ice-9/match-phd.scm" chown 1000:-1 "/usr/share/guile/site/2.2/ice-9/set" chmod 770 "/usr/share/guile/site/2.2/ice-9/set" chown 1000:-1 "/usr/share/guile/site/2.2/ice-9/vset.scm" chmod 760 "/usr/share/guile/site/2.2/ice-9/vset.scm"
if both octal and rwx notation would be supported, it would occur mixed and make usage inconsistent and the configuration slightly more complicated because you need to know/learn the semantics of both. is any one of those notations better? octal notation is shorter (i usually prefer it on the command-line), but specific to only three permission types where it has to be known which octal value stands for which permission. rwx is more generic and the characters hint at the name of the permission. in this program not all three (user, group, other) parts have to be specified, in short the benefits should be consistency and clearer notation (write-once read-often) through the use of characters instead of integers
(sph fs-perm config)