permwatcher is a daemon that resets Linux filesystem permissions. It is clearly a technical solution to a social problem: many users do a chmod 777 "because it solves the problem". Chmoding a file to 777 not only opens a big security hole, it also drops every other permission bit on the object (777 is really 0777, so the setgid bit, for example, is cleared).

I finally gave up explaining why it's bad to do chmod 777 and decided to just reset the permissions.

Requirements

permwatcher needs

  • Python 3.x (2.7 may work, but has not been tested)
  • pyinotify

Usage

The permwatcher daemon is controlled by a single configuration file, typically installed in /etc/permwatcher.cfg.

The configuration file contains one or more sections. A minimal configuration section looks like this:

[webroots]
directories = /var/www

The name of the section doesn't really matter - it's just an identifier. The directories option takes a space-separated list of directories to watch for changes.

Other options:

  • exclude: Space-separated glob patterns. Objects matching one of these patterns are ignored by pyinotify.
  • remove_file_masks: Names of mode bits from the stat module to clear on files. Defaults to S_IXUSR S_IXGRP S_IWOTH S_IXOTH
  • remove_dir_masks: Names of mode bits from the stat module to clear on directories. Defaults to S_IWOTH
  • keep_setgid: Re-add the setgid bit if it is set on the parent directory
  • keep_setuid: Re-add the setuid bit if it is set on the parent directory
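The permission logic behind these options does not need pyinotify, so the following added example (my code, not permwatcher's own) shows only that part: parsing a section in the format above with configparser, turning mask names into bits, and computing the mode an object should get, then applying it once over a tree. Names such as load_sections, corrected_mode and fix_tree are mine, and the config and directory layout are constructed. The README does not say whether keep_setgid and keep_setuid re-add the bit to files as well as directories; this example re-adds them to subdirectories only. The demo also reproduces the point made at the top of the page: chmod 777 on a directory under a setgid web root silently clears the setgid bit.

```python
import configparser
import fnmatch
import os
import stat
import tempfile

# Constructed sample configuration in the README's section format.
SAMPLE_CFG = """
[webroots]
directories = /var/www
exclude = *.tmp
remove_file_masks = S_IXUSR S_IXGRP S_IWOTH S_IXOTH
remove_dir_masks = S_IWOTH
keep_setgid = yes
"""

DEFAULT_FILE_MASKS = "S_IXUSR S_IXGRP S_IWOTH S_IXOTH"   # README defaults
DEFAULT_DIR_MASKS = "S_IWOTH"


def parse_masks(names):
    """Combine mask names like 'S_IXUSR S_IWOTH' into one bitmask.
    Only S_I* constants that the stat module really exports are accepted."""
    mask = 0
    for name in names.split():
        if not name.startswith("S_I") or not hasattr(stat, name):
            raise ValueError("unknown stat mask: %s" % name)
        mask |= getattr(stat, name)
    return mask


def load_sections(text):
    """Parse configuration text into a dict of section name -> rule."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    rules = {}
    for name in cp.sections():
        s = cp[name]
        rules[name] = {
            "directories": s.get("directories", "").split(),
            "exclude": s.get("exclude", "").split(),
            "file_mask": parse_masks(s.get("remove_file_masks", DEFAULT_FILE_MASKS)),
            "dir_mask": parse_masks(s.get("remove_dir_masks", DEFAULT_DIR_MASKS)),
            "keep_setgid": s.getboolean("keep_setgid", fallback=False),
            "keep_setuid": s.getboolean("keep_setuid", fallback=False),
        }
    return rules


def corrected_mode(mode, parent_mode, is_dir, rule):
    """Return the mode an object should have under `rule`.
    `mode` and `parent_mode` are permission bits as returned by stat.S_IMODE."""
    strip = rule["dir_mask"] if is_dir else rule["file_mask"]
    new = mode & ~strip
    if is_dir:  # assumption: the keep_* bits are inherited by subdirectories only
        if rule["keep_setgid"] and parent_mode & stat.S_ISGID:
            new |= stat.S_ISGID
        if rule["keep_setuid"] and parent_mode & stat.S_ISUID:
            new |= stat.S_ISUID
    return new


def fix_tree(root, rule):
    """Apply corrected_mode to everything below `root` (a one-shot sweep, where
    the daemon would instead react to inotify events). Symlinks are never
    chmod'ed. Returns [(path, old_mode, new_mode)] for objects that changed."""
    changed = []
    for dirpath, dirnames, filenames in os.walk(root):
        # prune excluded directories so os.walk does not descend into them
        dirnames[:] = [d for d in dirnames if not any(
            fnmatch.fnmatch(d, p) for p in rule["exclude"])]
        parent_mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        for name in dirnames + filenames:
            if any(fnmatch.fnmatch(name, p) for p in rule["exclude"]):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            old = stat.S_IMODE(st.st_mode)
            new = corrected_mode(old, parent_mode, stat.S_ISDIR(st.st_mode), rule)
            if new != old:
                os.chmod(path, new)
                changed.append((path, old, new))
    return changed


def demo():
    """Constructed scenario: a setgid web root whose subdirectory and file were
    both chmod 777'ed. Returns {relative path: (old mode, new mode)}."""
    rule = load_sections(SAMPLE_CFG)["webroots"]
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.mkdir(root)
        os.chmod(root, 0o2775)                 # shared, setgid web root
        os.mkdir(os.path.join(root, "uploads"))
        os.chmod(os.path.join(root, "uploads"), 0o777)   # clears setgid
        index = os.path.join(root, "index.php")
        open(index, "w").close()
        os.chmod(index, 0o777)
        open(os.path.join(root, "cache.tmp"), "w").close()   # excluded
        os.chmod(os.path.join(root, "cache.tmp"), 0o777)
        return {os.path.relpath(p, tmp): (oct(o), oct(n))
                for p, o, n in fix_tree(root, rule)}


if __name__ == "__main__":
    for path, (old, new) in demo().items():
        print("%s: %s -> %s" % (path, old, new))
```

Running the demo brings index.php from 0o777 to 0o664 and restores uploads to 0o2775; cache.tmp matches the exclude pattern and is left alone. A real sweep would be run as the owner of the tree (or root), since chmod on files owned by someone else fails.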

Source code