How to maintain file/folder ownership and permissions over time?
We have folders on a number of our (Debian) servers that require various users (both real and system) to be able to read and/or write. We've come up with a particular file permission and ownership model that makes everyone happy, but for a variety of reasons this model comes undone over time as users modify things.
We've tried setting things like the umask and setting sticky bits on the group permission in an attempt to maintain correct permissions and ownership, but these efforts don't tend to be enough.
Ideally, we'd specify our file permissions and ownership model in a configuration file and have a daemon that enforces this model. Does something like this exist?
(Googling would suggest no, but I would prefer not to reinvent the wheel if this has already been solved)
To answer my own question here, I wrote a small daemon which accepts a simple YAML configuration file and then enforces file ownership, group and permissions. It's called enforced (https://github.com/torrance/enforced) — you'll need Go (golang) to build it.
It does an initial search of the folders under configuration and then sets itself up to watch for any file changes, immediately correcting any files that change.
I hope it's of help to someone else.
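The sweep the answer describes (walk the configured trees, then correct every directory and file that has drifted) looks roughly like the following. This is an added example written for this page, not code from enforced; the policy dict is a constructed stand-in for a YAML file and its field names (`path`, `owner`, `group`, `dir_mode`, `file_mode`) are assumptions, not enforced's schema. It deliberately opens each path with `O_NOFOLLOW` and fixes the descriptor with `fchmod`/`fchown`, because a plain `chmod` on a path follows symlinks and a user could plant a link to redirect the "fix" onto a file outside the tree.

```python
import errno
import grp
import os
import pwd
import stat

# Constructed policy standing in for the YAML config (field names are an
# assumption for this example, not enforced's real format).
POLICY = [
    {
        "path": "/srv/share",     # hypothetical shared tree
        "owner": "root",
        "group": "www-data",
        "dir_mode": 0o2775,       # setgid dir: new files inherit the group
        "file_mode": 0o0664,
    },
]


def resolve_ids(owner, group):
    """Map names to numeric ids; None means 'leave as is' (-1 for fchown)."""
    uid = pwd.getpwnam(owner).pw_uid if owner is not None else -1
    gid = grp.getgrnam(group).gr_gid if group is not None else -1
    return uid, gid


def enforce_path(path, uid, gid, mode):
    """Bring one inode into line with the rule; return what was corrected."""
    try:
        # O_NOFOLLOW: never operate through a symlink; O_NONBLOCK: do not
        # hang on a FIFO someone left in the tree.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC)
    except OSError as exc:
        if exc.errno == errno.ELOOP:   # it is a symlink: leave it alone
            return []
        raise
    try:
        st = os.fstat(fd)
        fixed = []
        if (uid != -1 and st.st_uid != uid) or (gid != -1 and st.st_gid != gid):
            os.fchown(fd, uid, gid)    # needs root for real ownership changes
            fixed.append("owner")
        if stat.S_IMODE(st.st_mode) != mode:
            os.fchmod(fd, mode)
            fixed.append("mode")
        return fixed
    finally:
        os.close(fd)


def enforce_tree(root, uid, gid, dir_mode, file_mode):
    """Initial sweep over one tree. Returns {path: [what was fixed]}."""
    corrections = {}
    # os.walk does not follow symlinked directories by default, so the sweep
    # cannot be lured out of the configured tree.
    for dirpath, _dirnames, filenames in os.walk(root):
        fixed = enforce_path(dirpath, uid, gid, dir_mode)
        if fixed:
            corrections[dirpath] = fixed
        for name in filenames:
            full = os.path.join(dirpath, name)
            fixed = enforce_path(full, uid, gid, file_mode)
            if fixed:
                corrections[full] = fixed
    return corrections


def enforce_policy(policy=POLICY):
    """Apply every rule; trees missing on this host are skipped."""
    report = {}
    for rule in policy:
        if not os.path.isdir(rule["path"]):
            continue
        uid, gid = resolve_ids(rule.get("owner"), rule.get("group"))
        report.update(enforce_tree(rule["path"], uid, gid,
                                   rule["dir_mode"], rule["file_mode"]))
    return report


if __name__ == "__main__":
    for path, what in sorted(enforce_policy().items()):
        print(f"fixed {', '.join(what)} on {path}")
```

Run as root, this is the "initial search" half of the daemon; a real enforcer would then feed inotify events for the same trees into `enforce_path`. Note that `fchmod` on a directory with the setgid bit only sticks when the caller is root or a member of the directory's group, so the ownership fix must run before the mode fix, as it does here.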
You can use FAM (the File Alteration Monitor daemon) to be notified whenever a file is modified (that's the reported FAM event if access rights are changed). Then you can stat the file, check whether just the mtime has changed or the ctime, and reset the access rights if necessary.
If it is not required that the users are capable of changing the access rights, then you can wait for file creation events instead (far fewer of them), change the file owner, reset the access rights, and you are done: no more trouble with this file.
Strange: at least to my knowledge, Linux doesn't offer restrictions on access-right changes.
This problem could also be solved by a FUSE filesystem which just modifies access rights. I don't know whether something like that already exists, but there are so many FUSE modules out there that it's worth a check.
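The stat-based test this answer suggests, as an added example that is not the answer author's code: a write updates both mtime and ctime, while chmod/chown update ctime alone, so comparing a snapshot taken before the "changed" event with one taken after tells a content change from a metadata change. The event delivery itself (FAM, or inotify today) is assumed to be wired up by the caller; `reconcile` is what the handler would run. The snapshot also records size, mode and ownership directly, because kernel timestamps are coarse and a chmod issued right after file creation can land on the same ctime tick.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """The stat fields needed to tell a data write from a metadata change."""
    mtime_ns: int   # moves when data is written
    ctime_ns: int   # moves on write AND on chmod/chown/rename/link
    size: int
    mode: int       # permission bits only
    uid: int
    gid: int


def snapshot(path):
    st = os.lstat(path)
    return Snapshot(st.st_mtime_ns, st.st_ctime_ns, st.st_size,
                    stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def classify_change(before, after):
    """Return 'none', 'content' (data written) or 'metadata' (inode only)."""
    if before == after:
        return "none"
    # A write bumps mtime (and ctime); a mode/owner change never touches
    # mtime. Size is checked too in case two writes fall on one timestamp tick.
    if after.mtime_ns != before.mtime_ns or after.size != before.size:
        return "content"
    return "metadata"


def reconcile(path, before, want_mode, want_uid=-1, want_gid=-1):
    """Handler for a 'changed' event on `path`.

    Classifies what happened relative to `before`, undoes any drift in mode
    or ownership (the data is the user's business), and returns
    (kind, fixes, fresh_snapshot) so the caller can log and store the new
    baseline.
    """
    if stat.S_ISLNK(os.lstat(path).st_mode):
        return "symlink", [], snapshot(path)   # never chmod through a link
    after = snapshot(path)
    kind = classify_change(before, after)
    fixes = []
    if (want_uid != -1 and after.uid != want_uid) or \
       (want_gid != -1 and after.gid != want_gid):
        os.chown(path, want_uid, want_gid)      # root only, in practice
        fixes.append("owner")
    if after.mode != want_mode:
        os.chmod(path, want_mode)
        fixes.append("mode")
    return kind, fixes, snapshot(path)
```

Every fix performed by `reconcile` itself bumps ctime, so the handler must store the snapshot it returns as the new baseline; otherwise the next event would be misread as another metadata change.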