
Re: Changing permission in user's home directory



On 12/20/2014 at 07:11 PM, Peter Gerber wrote:

> I want to change permission of a directory, recursively. The directory is a 
> subdirectory of a user's home directory.
> 
> Is there a way to do this in a secure and easy way with the user having full 
> write access to the home directory?
> 
> Let's assume I would change the permissions as follows
> $ chgrp -R www-data ~user/subdir
> $ chmod -R g+rwX ~user/subdir
> 
> The issue is that the user could do something like this beforehand:
> $ mv ~user/subdir ~user/subdir2
> $ ln -s / ~user/subdir
> 
> Not a very nice thing to do, is it?
> 
> Well, I could just change the user's permission for the home directory as 
> follows:
> $ chown root:users-group ~user
> $ chmod g+rwx,+t ~user
> 
> But this seems rather error-prone. Especially because I would have to adjust 
> the permission of quite a lot of directories, some of which are not even in 
> the top level of the users' home directories. Frankly, me forgetting to adjust 
> the permissions of a few directories is just to great.
> 
> What I now would like to know is, is there an easier way to solve the issue. 
> Like teaching chmod not to follow links. Unfortunately, I haven't found a
> --make-sure-as-hell-not-to-follow-links-in-any-way parameter or anything the
> like.

As usual when dealing with recursive action under *nix, the answer is
find:

find -P ~user/subdir -type d -execdir chgrp www-data {} \; -execdir chmod g+rwX {} \;

should I think do what you want, and even if I've missed a point or two
somewhere it should still be a decent starting point.


The '-P' option tells find to never follow any symlinks. The rest of it
is standard find syntax; the man page is a bit long, but informative.
(In particular, you should read the section on the '-execdir' option,
since it mentions a security consideration you may want to be aware of.)

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
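
Added example, not part of the original thread and not either poster's code: with find, chgrp and chmod are still handed a name that is resolved again when they run, so one alternative is to open every entry with O_NOFOLLOW and change ownership and mode through the open descriptor. The names grant_group, _apply and OPEN_FLAGS are hypothetical; the sketch assumes Linux, Python 3 and a numeric GID for the target group.

```python
import os
import stat

# O_NOFOLLOW: fail instead of following a symlink in the final path component.
# O_NONBLOCK: do not hang if the entry turns out to be a FIFO.
OPEN_FLAGS = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK

def _apply(fd, mode, gid):
    """Equivalent of 'chgrp GID' plus 'chmod g+rwX' on an open descriptor."""
    add = stat.S_IRGRP | stat.S_IWGRP
    # 'X': add execute only for directories and already-executable files.
    if stat.S_ISDIR(mode) or mode & 0o111:
        add |= stat.S_IXGRP
    os.fchown(fd, -1, gid)
    os.fchmod(fd, stat.S_IMODE(mode) | add)

def grant_group(path, gid, dir_fd=None, skipped=None):
    """Walk path without following symlinks; return the entries left untouched."""
    skipped = [] if skipped is None else skipped
    try:
        fd = os.open(path, OPEN_FLAGS, dir_fd=dir_fd)
    except OSError:  # ELOOP for a symlink, ENOENT if removed meanwhile, ...
        skipped.append(path)
        return skipped
    try:
        # Decide from the descriptor, not the name: the name can be swapped,
        # the object behind an open descriptor cannot.
        mode = os.fstat(fd).st_mode
        if stat.S_ISDIR(mode):
            _apply(fd, mode, gid)
            for name in sorted(os.listdir(fd)):
                # Children are opened relative to this directory's descriptor.
                grant_group(name, gid, fd, skipped)
        elif stat.S_ISREG(mode):
            _apply(fd, mode, gid)
        else:
            skipped.append(path)  # FIFOs, devices: leave alone
    finally:
        os.close(fd)
    return skipped

if __name__ == "__main__":
    import sys  # assumed usage: script.py DIRECTORY NUMERIC_GID
    print("skipped:", grant_group(sys.argv[1], int(sys.argv[2])))
```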
