Ownership and modes #30

Open
stuartpb opened this issue Jan 18, 2015 · 1 comment

@stuartpb

(This is a best practice that sort of runs into the "protips" area, one that applies more in Plushu or Dokku than it does to most Bash scripts.)

Ownership and sudo

Whenever you're creating something in a script, you should make sure that the files will be owned by the correct user.

For example, if you have a script that creates a directory of files, and this script is meant to be run as root, after creating it, you should do something like this:

if [[ "$EUID" == 0 && -n "$SUDO_USER" ]]; then
  chown -R "$SUDO_USER:" "$created_dir"
fi

Take care to note the colon after the username in the chown command. This tells chown to change not only the owning user on the files, but also the owning group on those files to the specified user's group (the same ownership it would have had had that user created the files themselves).

Permission bits

If you want to create a file with certain modes unset, you can run the command that creates the file in a subshell, prefixed by a umask command which will unset permission bits for any file created in that subshell:

(umask 0226; printf '%s\n' \
  "$PLUSHU_USER ALL=(ALL)NOPASSWD:`command -v nginx` -s reload" \
  >/etc/sudoers.d/plushu-reload-nginx)

Note that the umask is an inverted octal bitmask to restrict the permissions that files will be created with. If the script will normally create files with permission bits 0666 (-rw-rw-rw-), a umask of 0226 will create files with permissions of 0440 (-r--r-----).

This is specifically useful for creating a sudoers file (either the main /etc/sudoers or a file included from it), as sudo will refuse to run when a file in sudo's configuration does not have the proper permission bits. This can also be useful when working with files in a user's .ssh directory.

@stuartpb stuartpb changed the title Ownership and permissions Ownership and modes Jan 18, 2015
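
The subshell umask technique from the post above, as an added example that is not part of the original issue or the project's code. It also shows a case the post does not cover: umask only applies when a file is created, so redirecting into an existing file leaves its old mode in place. The function names, the temp paths and the sample rule text are assumptions made for this example.

```shell
#!/bin/sh
# Added example: temp paths and the sample rule text are constructed.

# Print the symbolic mode of a file, e.g. -r--r-----
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# write_restricted UMASK FILE CONTENT  (hypothetical helper)
# Create FILE under UMASK inside a subshell, so the caller's umask is unchanged.
# 'set -C' (noclobber) makes '>' fail if FILE already exists: umask only
# applies when a file is created, so an existing file would keep its old mode.
write_restricted() {
  (
    umask "$1"
    set -C
    printf '%s\n' "$3" > "$2"
  )
}

# Pitfall: overwrite an existing 0644 file under umask 0226, then print its mode.
overwrite_existing() {
  ( umask 0022; : > "$1" )
  chmod 0644 "$1"
  ( umask 0226; printf '%s\n' "$2" > "$1" )
  mode_of "$1"
}

demo_dir=$(mktemp -d) || exit 1
rule='deploy ALL=(ALL) NOPASSWD: /usr/sbin/nginx -s reload'  # constructed

write_restricted 0226 "$demo_dir/fresh" "$rule"
echo "fresh file:       $(mode_of "$demo_dir/fresh")"
echo "overwritten file: $(overwrite_existing "$demo_dir/old" "$rule")"
if write_restricted 0226 "$demo_dir/old" "$rule" 2>/dev/null; then
  echo "unexpected: existing file was overwritten"
else
  echo "refused to reuse existing file; chmod it or recreate it instead"
fi
rm -rf "$demo_dir"
```

The demo writes only under a `mktemp -d` directory and never touches `/etc/sudoers.d`.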
@progrium
Owner

Yeah I don't think issues are the best place for these. Maybe a wiki page
or perhaps you could start a blog with these posts?

Jeff Lindsay
http://progrium.com
