====== Set rights of files in public_html ======
Set the rights of the users' /home/*/public_html directories in a secure and useful way:

  - all files/directories get chown user:www-data, so users own them and the webserver has group access
  - group www-data is given
    - g+r for files (webserver can read all files)
    - g+rsx for directories (webserver can read and change into all directories)
  - o-rights (for all) are completely removed, so shell users can't read files of other users (possibly containing passwords etc).

You can run the script using ''sudo fixphrights.sh'' or add a cron job to go over all public_html directories every hour or so.

Note: Users should be informed about what happens, because many have picked up the bad habit of running chmod 755 on everything, and they will be confused if their files go back to 750 every hour.

Ref: http://ubuntuincident.wordpress.com/2010/11/21/setting-rights-for-public_html/

<code bash>
#!/bin/bash -
#===============================================================================
#
#          FILE:  fixphrights.sh
#
#         Usage:  ./fixphrights.sh
#
#   Description:  Set rights of user /home/*/public_html directories in a secure
#                 and useful way
#                 - all files/directories get chown user:www-data, so users own them
#                   and the webserver has group access
#                 - group www-data is added
#                     g+r for files (webserver can read all files)
#                     g+rsx for directories (webserver can read and change into all directories)
#                 - o-rights (for all) are completely removed, so shell users can't read
#                   files of other users (possibly containing passwords etc).
#                 This can be run in a cronjob and will fix rights every hour
#                 (at minute 5), e.g.:
#                 Crontab entry:
#                 5 */1 * * * root nice /home/brb/bin/fixphrights.sh
#       Options:  none
#  Requirements:  ---
#          BUGS:  ---
#         Notes:  ---
#        Author:  Bernhard Brunner (bn), bernhard point brunner att epr point ch
#       Company:  epr.ch
#       Created:  2011/03/11 07:33
# Last modified:  2011/03/11 07:40
#      Revision:  ---
#===============================================================================

set -o nounset                              # Treat unset variables as an error

setrights ()
{
    echo "$1"
    # Stop if the home directory cannot be entered; otherwise everything below
    # would run in whatever the current directory happens to be.
    cd "/home/$1" || return 1
    # This runs as root, so only work on a real directory, never on a symlink.
    if [[ -L public_html ]] ; then
        echo "skipping $1: public_html is a symlink" >&2
        return 1
    fi
    mkdir -p public_html
    cd public_html || return 1
    # xargs -r: do not call chown/chmod at all when find returns nothing
    find . -type d -print0 | xargs -0 -r chown "$1":www-data
    find . -type d -print0 | xargs -0 -r chmod u+s,g+rsx,o-rwx
    find . -type f -print0 | xargs -0 -r chown "$1":www-data
    find . -type f -print0 | xargs -0 -r chmod g+r,o-rwx
    chown "$1":www-data .
    chmod u+x,g+rx,o-rwx .
    # chmod u+x
}
# ---------- end of function setrights ----------

cd /home || exit 1
for i in * ; do
    echo "$i"
    if [[ "$i" != "lost+found" ]] ; then
        setrights "$i"
    fi
done
</code>

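A read-only companion check, added here as an example and not part of the original script: it lists every entry in one public_html tree that deviates from the policy above, which is useful for showing users what the cron job would change before it is enabled. The function name ''audit_public_html'', the reason labels and the demo tree are made up for this example.

```shell
#!/bin/bash
# Added example: read-only audit of one public_html tree against the policy
# above. Prints "REASON<TAB>path" per finding; returns 1 if any, else 0.
# The function name and reason labels are made up for this example.
audit_public_html() {
    local dir=$1 group=${2:-www-data} findings
    # Refuse a symlinked or missing top-level directory.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        printf 'NOT_A_REAL_DIR\t%s\n' "$dir"
        return 1
    fi
    findings=$(
        # Policy o-rwx: no "other" permission bit may remain.
        find "$dir" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'WORLD_ACCESS\t%s\n' {} +
        # Policy chown user:www-data: the group must be the web server's.
        find "$dir" ! -type l ! -group "$group" \
            -exec printf 'WRONG_GROUP\t%s\n' {} +
        # Policy g+r for files, g+rx for directories.
        find "$dir" -type f ! -perm -040 -exec printf 'NO_GROUP_READ\t%s\n' {} +
        find "$dir" -type d ! -perm -050 -exec printf 'NO_GROUP_READ\t%s\n' {} +
        # A file with several hard links also exists under another name, so a
        # recursive chown here changes that other name's ownership too.
        find "$dir" -type f -links +1 -exec printf 'MULTI_LINK\t%s\n' {} +
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo tree (not real user data): one compliant file and one
# file left at chmod 755. The current gid stands in for www-data.
demo=$(mktemp -d)
mkdir "$demo/public_html"
: > "$demo/public_html/index.html"; chmod 640 "$demo/public_html/index.html"
: > "$demo/public_html/config.php"; chmod 755 "$demo/public_html/config.php"
chmod 750 "$demo/public_html"
audit_public_html "$demo/public_html" "$(id -g)" || echo "findings listed above"
rm -rf "$demo"
```

On a real system, call it per user, for example ''audit_public_html /home/USER/public_html'', and review any MULTI_LINK or NOT_A_REAL_DIR lines before letting the root cron job touch that tree.
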
{{tag>linux bash webserver}}
~~LINKBACK~~
~~DISCUSSION~~