Set default user and group for new files/directories

Hey guys, today I faced a problem: I wanted my new /var/www files to be owned by the www-data user and the www-data group. Sure, I could chown them manually every time I create new files, but that wasn't the solution I was looking for.

I think ACLs might be a possible solution, but I know nothing about them and I needed a fast solution.

The reason

I'm running some bots on a virtual machine; these bots crawl some websites and then write the captured content inside /var/www.

You may not want to apply the contents of this article on a production server: the apache user (www-data) should only have read access to the website content, so that if apache or your website has some vulnerability, the website content and the server will be more "secure".

The solution

After some searching I found incron, which its official page describes as follows:

This program is an "inotify cron" system. It consists of a daemon and a table manipulator. You can use it a similar way as the regular cron. The difference is that the inotify cron handles filesystem events rather than time periods.

That seems to be all I was looking for, except for one little problem: it's not recursive! This means that if I'm watching /var/www/ and I create a file or directory in /var/www/mypage/, it won't do anything.

After some more searching I finally found something else, Watcher:

Watcher is a daemon that watches specified files/folders for changes and fires commands in response to those changes. It is similar to incron, however, configuration uses a simpler to read ini file instead of a plain text file. Unlike incron it can also recursively monitor directories. It's also written in Python, making it easier to hack.

The splitbrain repository is a fork of an earlier project; I chose the fork because it's written for Python 3.

Let's get our hands dirty

First of all, I tested this on a machine running Debian. I won't cover Arch Linux this time; it should be easy to get it running on Arch except for the cron step, but you can achieve the same with a systemd service.

  1. First we need to choose where we want to store the software, I chose the /opt directory:

    $ cd /opt

  2. Now we clone the repository (download the script):

    $ git clone https://github.com/splitbrain/Watcher

  3. We need Python and pyinotify; if you are using Debian, execute the following:

    # apt-get install python python-pyinotify

  4. Go to /opt/Watcher directory:

    $ cd /opt/Watcher

  5. Change the contents of the configuration file (/opt/Watcher/watcher.ini) to this:

    [DEFAULT]
    logfile=/tmp/watcher.log
    pidfile=/tmp/watcher.pid
    
    [job1]
    watch=/var/www
    events=create
    excluded=
    recursive=true
    autoadd=true
    command=chown www-data:www-data -R $filename
    

    I have removed all the commented lines to improve readability; you probably want to keep the sample config file for future reference.

  6. Now run the watcher in debug mode for testing:

    $ ./watcher.py debug -c watcher.ini

  7. If it's all working, you can kill it with Ctrl+Z.

  8. You probably want this to start on boot; we can achieve this with cron. To do that, execute the following:

    # crontab -e

  9. With the editor running, you just need to add this line at the end of the file:

    @reboot /opt/Watcher/watcher.py -c /opt/Watcher/watcher.ini start

Note: If the editor is vi, you can enter insert mode with the i key; after editing, press ESC and then type :wq.

And that's it; you can reboot and test whether it's working.
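To show what the job above actually does when it fires, here is an added example (my own code, not part of this post and not taken from the Watcher project) that reads the same watcher.ini text with Python's configparser and then does in Python what `chown www-data:www-data -R $filename` does in the shell: it walks the created path and re-owns every entry whose owner or group differs. Two choices are worth noting: entries are inspected with lstat and changed with lchown, and the walk never follows links, so a symbolic link inside /var/www is re-owned itself instead of redirecting the change to whatever it points at; and the dry-run mode only reports what would change, so the demo runs as an unprivileged user on a throwaway directory. The SAMPLE_INI text, the FOREIGN_OWNER id and the crawled-content file are constructed for the demo; nothing here parses the ini the way Watcher itself does.

```python
import configparser
import grp
import os
import pwd
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed sample: the watcher.ini from step 5, embedded so this runs offline.
SAMPLE_INI = """\
[DEFAULT]
logfile=/tmp/watcher.log
pidfile=/tmp/watcher.pid

[job1]
watch=/var/www
events=create
excluded=
recursive=true
autoadd=true
command=chown www-data:www-data -R $filename
"""

# Constructed owner spec for the unprivileged demo: an id that cannot match the
# running user. A real job would use "www-data:www-data".
FOREIGN_OWNER = "%d:%d" % (os.getuid() + 1, os.getgid())


def load_jobs(ini_text: str) -> Dict[str, Dict[str, object]]:
    """Parse watcher.ini-style text into {job: {watch, recursive, command}}.

    interpolation=None keeps configparser from treating '$filename' specially."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    jobs: Dict[str, Dict[str, object]] = {}
    for section in parser.sections():  # [DEFAULT] is not listed as a section
        jobs[section] = {
            "watch": parser.get(section, "watch"),
            "recursive": parser.getboolean(section, "recursive", fallback=False),
            "command": parser.get(section, "command"),
        }
    return jobs


def resolve_owner(spec: str) -> Tuple[int, int]:
    """Turn 'user:group' (names or numeric ids) into (uid, gid)."""
    user, sep, group = spec.partition(":")
    if not sep or not user or not group:
        raise ValueError("owner must be given as user:group")
    uid = int(user) if user.isdigit() else pwd.getpwnam(user).pw_uid
    gid = int(group) if group.isdigit() else grp.getgrnam(group).gr_gid
    return uid, gid


def fix_ownership(path: str, uid: int, gid: int, recursive: bool = True,
                  dry_run: bool = False) -> List[str]:
    """Give path (and, if recursive, everything below it) to uid:gid.

    Returns the paths whose owner or group differed; they are changed unless
    dry_run is set. Entries are inspected with lstat and changed with lchown,
    and the walk does not follow links, so a symbolic link inside the watched
    tree is re-owned itself rather than redirecting the change to its target."""
    changed: List[str] = []

    def fix_one(p: str) -> None:
        st = os.lstat(p)
        if st.st_uid == uid and st.st_gid == gid:
            return  # already correct; no syscall needed
        if not dry_run:
            os.lchown(p, uid, gid)
        changed.append(p)

    fix_one(path)
    if recursive and os.path.isdir(path) and not os.path.islink(path):
        for dirpath, dirnames, filenames in os.walk(path, followlinks=False):
            for name in dirnames + filenames:
                fix_one(os.path.join(dirpath, name))
    return changed


def demo_dry_run(owner_spec: Optional[str] = None, recursive: bool = True) -> List[str]:
    """Build a throwaway tree and list, relative to its root, what a chown to
    owner_spec would touch. owner_spec=None means the tree's current owner,
    which should report nothing to do. Nothing is changed, so no root needed."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "mypage"))
        with open(os.path.join(root, "mypage", "index.html"), "w") as fh:
            fh.write("<h1>crawled content</h1>\n")  # constructed bot output
        if owner_spec is None:
            st = os.lstat(root)
            uid, gid = st.st_uid, st.st_gid
        else:
            uid, gid = resolve_owner(owner_spec)
        changed = fix_ownership(root, uid, gid, recursive=recursive, dry_run=True)
        return [os.path.relpath(p, root) for p in changed]


if __name__ == "__main__":
    job = load_jobs(SAMPLE_INI)["job1"]
    print("job1 watches %s (recursive=%s): %s" % (job["watch"], job["recursive"], job["command"]))
    for rel in demo_dry_run(FOREIGN_OWNER, recursive=bool(job["recursive"])):
        print("would chown", rel)
    print("already owned correctly:", demo_dry_run(None))
```

Run it as any user to see the dry-run report; with `recursive=false` in the job only the created path itself is touched, which is exactly the incron limitation the post describes. To apply changes for real, call `fix_ownership` with `dry_run=False` as root (or as a user allowed to chown), with `uid, gid = resolve_owner("www-data:www-data")`.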


Edited on 19/12/2016: added security warning. Thanks z3bra.

Comments

This section is still in development.

If you want to share any thoughts drop me a line at bruno.fl.jesus@gmail.com