[volunteers] Fwd: [web-team] Linode Support Ticket 5649987 - Critical Xen Maintenance / Reboot Schedule

Rick Moen rick at linuxmafia.com
Mon May 2 11:29:09 PDT 2016


Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):

> It was already strongly implied in there to begin with. This is
> literally the oldest use case for group ownership.

Given that the desired ownership inside /var/www/svlug-main and
/usr/local/src/site-docs is www-data:www-data, and the desired rights mask
is 775 for directories, 664 for files, shouldn't this be enforced via 
nightly cron job?  (That is, enforced after testing the script on a test
directory in /tmp, as a regular precaution against sysadmin own
goals.[1])

I think nightly deletion of any files matching *~ or *.bak would be also
a good idea.

Something like

#!/bin/sh
#
# datafile-cleanup:  Cron script to fix ownership/permissions on
# system site-docs and HTML trees, and remove rubbish files.
#
#               Written by Rick Moen (rick at linuxmafia.com)
#               $Id: cron.daily,v 1.00 2016-05-03 11:23:00 rick
set -o errexit  #aka "set -e": exit if any line returns non-true value
set -o nounset  #aka "set -u": exit upon finding an uninitialised variable
#
# Files and directories get separate find passes, so directories keep the
# execute bit they need to be traversed.  (Note: chmod 0775 also clears the
# setgid bit currently set on some of the directories.)
/usr/bin/find /var/www/svlug-main -type f -exec chmod 0664 {} \;
/usr/bin/find /var/www/svlug-main -type d -exec chmod 0775 {} \;
/usr/bin/find /usr/local/src/site-docs -type f -exec chmod 0664 {} \;
/usr/bin/find /usr/local/src/site-docs -type d -exec chmod 0775 {} \;
# -P: do not follow symbolic links while recursing.
/bin/chown -R -P www-data:www-data /var/www/svlug-main
/bin/chown -R -P www-data:www-data /usr/local/src/site-docs
# Editor backups (*~) and *.bak copies are rubbish: list them, then remove.
/usr/bin/find /var/www/svlug-main -type f \( -name '*~' -o -name '*.bak' \) -print -exec rm '{}' \;
/usr/bin/find /usr/local/src/site-docs -type f \( -name '*~' -o -name '*.bak' \) -print -exec rm '{}' \;

One of the recurring themes of system administration is that manually
applied policy is sometimes necessary, but automatic application of 
any necessary policy (after testing) is much better.
 
Feel like writing and testing such a cron script?  (Writing might be
deemed mostly done, depending on QA.)

Confirmed what you said about 'svn up' restoring undesired files.
Notice 'meetings.txt~' and 'phpinfo.php', both of which I had previously
deleted with prejudice.

rick at gruyere:~$ cd /var/www/svlug-main/
rick at gruyere:/var/www/svlug-main$ ls -al
total 1236
drwxrwsr-x 18 www-data www-data   4096 May  2 02:36 .
drwxrwxr-x  3 www-data www-data   4096 May  2 00:45 ..
drwxrwxrwx  6 www-data www-data   4096 May  2 02:37 .svn
-rw-rw-r--  1 www-data www-data   1415 Apr  1  2011 404-old.php
-rw-rw-r--  1 www-data www-data    807 Apr  1  2011 404handler.php
-rw-rw-r--  1 www-data www-data  13409 Sep 12  2011 about.php
drwxrwxr-x  3 www-data www-data   4096 Apr  1  2011 buttons
-rw-rw-r--  1 www-data www-data   2733 Sep  9  2011 call4speakers.php
drwxrwxr-x  3 www-data www-data   4096 Dec 24 17:09 directions
drwxrwsr-x  3 www-data www-data   4096 Sep 13  2011 downloads
drwxrwsr-x  3 www-data www-data   4096 Sep 13  2011 editorials
drwxrwxr-x  4 www-data www-data   4096 May  1 18:58 events
-rw-rw-r--  1 www-data www-data   1364 May  2 01:33 events.html
-rw-rw-r--  1 www-data www-data   3638 Sep 11  2011 events.php
-rw-rw-r--  1 www-data www-data  29429 Jul  8  2015 farm.php
-rw-rw-r--  1 www-data www-data   3135 Apr  1  2011 freenode.html
-rw-rw-r--  1 www-data www-data   6956 Oct  7  2015 header.php
drwxrwxr-x  9 www-data www-data   4096 Dec 24 17:17 images
-rw-rw-r--  1 www-data www-data   2948 Sep  6  2011 index.php
drwxrwxr-x  3 www-data www-data   4096 Dec 24 17:56 installfest
-rw-rw-r--  1 www-data www-data   1564 Sep  7  2011 longnews.php
-rw-rw-r--  1 www-data www-data   8667 Sep  9  2011 mbone.php
-rw-rw-r--  1 www-data www-data   1889 Oct 23  2012 meetfunc.php
-rw-rw-r--  1 www-data www-data   1006 Oct 23  2012 meetings.php
-rw-rw-r--  1 www-data www-data 441610 May  2 02:36 meetings.txt
-rw-rw-r--  1 rick     www-data 441612 May  2 01:39 meetings.txt~
-rw-rw-r--  1 www-data www-data   2194 Sep 12  2011 membership.php
-rw-rw-r--  1 www-data www-data    412 Sep  7  2011 news.php
-rw-rw-r--  1 www-data www-data   5470 Oct  4  2011 officers.php
-rw-rw-r--  1 rick     rick         26 May  2 02:11 phpinfo.php
drwxrwxr-x  3 www-data www-data   4096 Dec 24 17:56 policies
drwxrwxr-x  3 www-data www-data   4096 Dec 24 17:56 press
drwxrwxr-x 29 www-data www-data   4096 Apr  8 01:34 prev
-rw-rw-r--  1 www-data www-data   1104 Sep  4  2011 prevmeet.php
-rw-rw-r--  1 www-data www-data   1159 Sep 12  2011 projects.php
-rw-rw-r--  1 www-data www-data    132 Sep  4  2011 robots.txt
-rw-rw-r--  1 www-data www-data   3549 Sep 22  2011 search.php
-rw-rw-r--  1 www-data www-data   1314 Apr  1  2011 shortnews.php
-rw-rw-r--  1 www-data www-data  11704 Apr 19 01:07 sponsors.php
drwxrwsr-x  3 www-data www-data   4096 May  1 23:04 stv
-rw-rw-r--  1 www-data www-data   6152 Sep 13  2011 stv.php
-rw-rw-r--  1 www-data www-data  34654 May  2 04:42 svlug-news-long.html
-rw-rw-r--  1 www-data www-data   4549 May  2 00:14 svlug-news-short.html
-rw-rw-r--  1 www-data www-data  47421 Apr  8 01:43 svlug-news.txt
drwxrwxr-x  3 www-data www-data   4096 Apr  1  2011 tables
-rw-rw-r--  1 www-data www-data  31818 Sep  8  2011 tba.php
drwxrwxr-x  3 www-data www-data   4096 Dec 24 17:58 teams
drwxrwsr-x  3 www-data www-data   4096 Sep 13  2011 tech-notes
drwxrwsr-x  3 www-data www-data   4096 Sep 13  2011 vote
rick at gruyere:/var/www/svlug-main$

Hmm, this is A Problem.

And yet:

rick at gruyere:/var/www/svlug-main$ svn log meetings.txt~
svn: 'meetings.txt~' is not under version control
rick at gruyere:/var/www/svlug-main

Removed phpinfo.php (and meetings.txt~) again.

rick at gruyere:/var/www/svlug-main$ svn up
Restored 'phpinfo.php'
At revision 347.
rick at gruyere:/var/www/svlug-main$ svn del phpinfo.php 
D         phpinfo.php
rick at gruyere:/var/www/svlug-main$ svn ci -m 'Remove phpinfo.php, which
has no business being on a production Web server routinely, and
certainly not in our svn repo' phpinfo.php
Deleting       phpinfo.php

Committed revision 348.
rick at gruyere:/var/www/svlug-main$ svn up
At revision 348.
rick at gruyere:/var/www/svlug-main$


That took care of that.



[1] Once back in the 1990s, a high-schooler, to whom the San Francisco
PC User Group foolishly gave root permission for its Slackware-based
dial-up Internet server on the mistaken impression he could be their
sysadmin, did a recursive chmod right down from (IIRC) right near root
to '644' permissions, I think on all library files, with catastrophic
effects on all libs subdirectories as they now lacked execute permission,
hence could not be descended into.  This functionally destroyed the
installed system, and it was deemed necessary to reinstall and rebuild
the entire system.

The need to NOT do 'chmod -R 644 *' because of the need to treat
directories differently is just subtle enough to make junior sysadmins
dangerous to systems.  In my experience, the best way for _anyone_ to
avoid such errors is to test on simulated targets, e.g., on a subset of
the file tree copied over to /tmp.
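The following is an added example, not Rick's script above and not part of the list archive. It packages the same policy (files 0664, directories 0775, `*~` and `*.bak` removed, optional chown to a given owner) as shell functions, and adds the rehearsal step the footnote recommends: a constructed scratch tree under /tmp, with the wrong modes and the stray files from the listing, that the policy is run against before anyone points it at the real trees. The function names, the scratch-tree layout, and the `--rehearse` flag are this example's own choices.

```shell
#!/bin/sh
# fix-tree-perms: added example; applies the ownership/mode policy from the
# thread to one tree, with a dry run on a scratch copy under /tmp first.
set -eu

# Apply the policy to one tree.  Files and directories are handled by
# separate find passes; that is the distinction 'chmod -R 644' misses,
# since a directory without the execute bit cannot be descended into.
# Ownership is changed only when an owner is given and we are root,
# because chown would otherwise fail and abort the script under set -e.
fix_tree_perms() {
    tree=$1
    owner=${2:-}
    [ -d "$tree" ] || { echo "not a directory: $tree" >&2; return 1; }
    # Remove editor backups and .bak copies before fixing modes.
    find "$tree" -type f \( -name '*~' -o -name '*.bak' \) -exec rm -f -- {} +
    find "$tree" -type d -exec chmod 0775 -- {} +
    find "$tree" -type f -exec chmod 0664 -- {} +
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R -P -- "$owner" "$tree"
    fi
}

# Count policy violations remaining in a tree (0 means compliant).
# '-perm 775' is an exact-mode match, so a setgid 2775 directory counts too.
count_violations() {
    tree=$1
    {
        find "$tree" -type d ! -perm 775
        find "$tree" -type f ! -perm 664
        find "$tree" -type f \( -name '*~' -o -name '*.bak' \)
    } | wc -l | tr -d ' '
}

# Build a constructed scratch tree (assumed layout, loosely after the
# listing in the message) and print its path.  It deliberately contains
# a stray meetings.txt~, an old .bak, and wrong modes on a file and a dir.
make_scratch_tree() {
    scratch=$(mktemp -d /tmp/svlug-perm-test.XXXXXX)
    mkdir -p "$scratch/events" "$scratch/downloads"
    : > "$scratch/events.php"
    : > "$scratch/meetings.txt"
    : > "$scratch/meetings.txt~"
    : > "$scratch/phpinfo.php"
    : > "$scratch/events/old.bak"
    chmod 0600 "$scratch/phpinfo.php"
    chmod 0700 "$scratch/downloads"
    echo "$scratch"
}

# Rehearse: run the policy on the scratch tree, print violations left
# (expected 0), and clean up.
rehearse_on_scratch_copy() {
    scratch=$(make_scratch_tree)
    fix_tree_perms "$scratch"
    left=$(count_violations "$scratch")
    rm -rf -- "$scratch"
    echo "$left"
}

# Usage: rehearse first; once that reports 0, call the function on the
# real trees from cron as root, e.g.
#   fix_tree_perms /var/www/svlug-main www-data:www-data
#   fix_tree_perms /usr/local/src/site-docs www-data:www-data
if [ "${1:-}" = "--rehearse" ]; then
    echo "violations remaining after rehearsal: $(rehearse_on_scratch_copy)"
fi
```

Running the file with `--rehearse` exercises the whole policy on a throwaway tree and reports how many files or directories still deviate from it; the real trees are only touched by an explicit `fix_tree_perms` call, which is the step that belongs in the cron job once the rehearsal comes back clean.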



