progrium / bashstyle

Let's do Bash right!

Ownership and modes #30

Open stuartpb opened 9 years ago

stuartpb commented 9 years ago

(This is a best practice that sort of runs into the "protips" area, one that applies more in Plushu or Dokku than it does to most Bash scripts.)

Ownership and sudo

Whenever you're creating something in a script, you should make sure that the files will be owned by the correct user.

For example, if you have a script that creates a directory of files, and this script is meant to be run as root, after creating it, you should do something like this:

if [[ "$EUID" == 0 && -n "$SUDO_USER" ]]; then
  chown -R "$SUDO_USER:" "$created_dir"
fi

Take care to note the colon after the username in the chown command. This tells chown to change not only the owning user on the files, but also the owning group on those files to the specified user's group (the same ownership it would have had had that user created the files themselves).

Permission bits

If you want to create a file with certain modes unset, you can run the command that creates the file in a subshell, prefixed by a umask command which will unset permission bits for any file created in that subshell:

(umask 0226; printf '%s\n' \
  "$PLUSHU_USER ALL=(ALL)NOPASSWD:`command -v nginx` -s reload" \
  >/etc/sudoers.d/plushu-reload-nginx)

Note that the umask is an inverted octal bitmask to restrict the permissions that files will be created with. If the script will normally create files with permission bits 0666 (-rw-rw-rw-), a umask of 0226 will create files with permissions of 0440 (-r--r-----).

This is specifically useful for creating a sudoers file (either the main /etc/sudoers or a file included from it), as sudo will refuse to run when a file in sudo's configuration does not have the proper permission bits. This can also be useful when working with files in a user's .ssh directory.
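The umask technique in the comment above only applies when the file is created; a target that already exists keeps its old mode. The following is an added example, not part of the original comment, that shows this case beside a write-then-rename variant that sets the mode explicitly. The function names, the `deploy` user and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example; all names below are hypothetical.

# Print a file's permission bits in octal (GNU stat, then BSD stat).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The technique from the comment: create the file in a subshell with a
# restrictive umask. The umask is consulted only when a file is created.
write_with_umask() (   # usage: write_with_umask UMASK PATH LINE
  umask "$1"
  printf '%s\n' "$3" >"$2"
)

# Variant that does not depend on whether PATH already exists: write a
# private temp file next to the target, set the exact mode, then rename.
# The temp name contains a '.', and sudo skips such names when it reads
# an include directory, so a half-written file is never parsed.
write_restricted() (   # usage: write_restricted MODE PATH LINE
  umask 077
  tmp=$(mktemp "$2.XXXXXX") || exit 1
  printf '%s\n' "$3" >"$tmp" && chmod "$1" "$tmp" && mv -f "$tmp" "$2" ||
    { rm -f "$tmp"; exit 1; }
)

demo() (
  dir=$(mktemp -d) || exit 1
  trap 'rm -rf "$dir"' EXIT
  # Constructed sample rule; the real one comes from the script's own variables.
  line='deploy ALL=(ALL) NOPASSWD: /usr/sbin/nginx -s reload'

  write_with_umask 0226 "$dir/fresh" "$line"     # new file: 0666 & ~0226

  : >"$dir/stale"; chmod 0644 "$dir/stale"       # left over from an earlier run
  write_with_umask 0226 "$dir/stale" "$line"     # truncated, mode unchanged

  : >"$dir/fixed"; chmod 0644 "$dir/fixed"
  write_restricted 0440 "$dir/fixed" "$line"     # replaced by a 0440 file

  echo "fresh=$(mode_of "$dir/fresh") stale=$(mode_of "$dir/stale") fixed=$(mode_of "$dir/fixed")"
)

demo
```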

progrium commented 9 years ago

Yeah I don't think issues are the best place for these. Maybe a wiki page or perhaps you could start a blog with these posts?

On Sunday, January 18, 2015, Stuart P. Bentley notifications@github.com wrote:


Jeff Lindsay http://progrium.com