Hey guys, today I faced a problem: I wanted my new /var/www files to be owned by the www-data user and www-data group. Sure, I can chown manually every time I create new files, but that wasn't the solution I was looking for.
I think ACLs might be a possible solution, but I know nothing about them and I needed a fast solution.
I'm running some bots on a virtual machine; these bots crawl some websites and then write the captured content inside
You may not want to apply the contents of this article on a production server: the Apache user (www-data) should only have read access to the website content, so that if Apache or your website has a vulnerability, the website content and the server will be more "secure".
After some searching I found incron, which, as its official page says:
This program is an "inotify cron" system. It consists of a daemon and a table manipulator. You can use it a similar way as the regular cron. The difference is that the inotify cron handles filesystem events rather than time periods.
That seems to be all I was looking for, except for one little problem: it's not recursive! This means that if I'm watching /var/www/ and I create a file or directory in /var/www/mypage/ it won't do anything.
After some more searching I finally found something, Watcher:
Watcher is a daemon that watches specified files/folders for changes and fires commands in response to those changes. It is similar to incron, however, configuration uses a simpler to read ini file instead of a plain text file. Unlike incron it can also recursively monitor directories. It's also written in Python, making it easier to hack.
This is a fork of this; I chose the fork because it's written for Python 3.
First of all, I tested this on a machine running Debian; I won't cover Arch Linux this time. It should be easy to get it running on Arch except for the cron path, but you can achieve the same with a systemd service.
First we need to choose where we want to store the software; I chose the /opt directory:
$ cd /opt
Now we clone the repository (download the script):
$ git clone https://github.com/splitbrain/Watcher
We need python and pyinotify; if you are using Debian, execute the following:
# apt-get install python python-pyinotify
$ cd /opt/Watcher
Change the contents of the configuration file (/opt/Watcher/watcher.ini) to this:
[DEFAULT]
logfile=/tmp/watcher.log
pidfile=/tmp/watcher.pid

[job1]
watch=/var/www
events=create
excluded=
recursive=true
autoadd=true
command=chown www-data:www-data -R $filename
I have removed all the commented lines to improve readability; you probably want to keep the sample config file for future reference.
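A hardened variant of the job's command= line, following the warning above that www-data should only have read access to the site content, as an added example that is not part of the original post or of Watcher. The owner account "deploy" and the script path /opt/Watcher/secure-perms.sh are assumptions; GNU coreutils on Linux is assumed for stat -c.

```shell
#!/bin/sh
# Added example (not from the original post or the Watcher project).
# Instead of making www-data the owner of everything under /var/www,
# keep ownership with a separate deploy account and give www-data
# read-only access through the group. OWNER/GROUP defaults are assumptions.

# secure_web_perms PATH [OWNER] [GROUP]
#   Recursively sets PATH to OWNER:GROUP, directories to 750 (owner rwx,
#   group rx, others nothing) and regular files to 640 (owner rw, group r).
#   Returns non-zero if PATH does not exist or any step fails.
secure_web_perms() {
    path=$1; owner=${2:-deploy}; group=${3:-www-data}
    [ -e "$path" ] || return 1
    chown -R "$owner:$group" -- "$path" || return 1
    # An explicit policy per file type, rather than chmod -R, so the
    # execute bit is never granted to files by accident.
    find "$path" -type d -exec chmod 750 {} + || return 1
    find "$path" -type f -exec chmod 640 {} + || return 1
}

# mode_of PATH: print the octal permission bits (GNU stat, Linux assumed)
mode_of() {
    stat -c '%a' -- "$1"
}

# When installed as /opt/Watcher/secure-perms.sh (assumed path), the
# watcher.ini job becomes:
#   command=/opt/Watcher/secure-perms.sh $filename
if [ "$#" -gt 0 ]; then
    secure_web_perms "$1"
fi
```

Run as root the script changes ownership to the deploy account; www-data then reads the content through the group and can no longer write to it.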
Now try to run the watcher in debug mode for testing:
$ ./watcher.py debug -c watcher.ini
If it's all working you can kill it with
You probably want this to start on boot. We can achieve this with cron; to do that, execute the following:
# crontab -e
With the editor running you just need to add this line at the end of the file:
@reboot /opt/Watcher/watcher.py -c /opt/Watcher/watcher.ini start
Note: If the editor is vi you can enter insert mode with the i key; after editing just press ESC and then
And that's it, you can reboot and test if it's working.
Edited on 19/12/2016, added security warning. Thanks z3bra
This section is still in development.
If you want to share any thoughts drop me a line at email@example.com