Monitor multiple directories using glob patterns and automatically adjust file ownership and permissions.
Arch Forum Thread:
See the autochown man page below.
The package includes a Systemd service file that uses a system configuration file for automatic directory management.
ACLs do not change the owner of files in a shared directory, which is what I need. ACLs do not enforce permissions either.
autochown - Monitor multiple directories using glob patterns and automatically adjust file ownership and permissions.
autochown [options] <input file>
autochown is a tool for group collaboration. It recursively monitors shared directories with inotify and responds to events that affect file ownership and permissions. It can be used to automatically chown and chmod files to ensure that target files are accessible to certain users but not others.
autochown can be used in combination with access control lists and other methods for sharing directories between users.
autochown must be run with superuser permissions to be able to chown files.
autochown's behavior is determined by the input file. The input file has a simple yet versatile format.
Lines beginning with '#' or a space are ignored.
Lines the begin with "> " indicate target directories. They have the following format:
> <user>:<group>:<mask>:<glob pattern>
<mask> are all optional and may be omitted, but the colon field delimiters must remain. See the examples below.
autochown will recurse into directories that match
<glob pattern>. If
<user> is given then it will change the owner of the file to the given user name. If
<group> is given then it will change the group to the given group name.
The "group" and "other" mode of the file will be set to the "user" mode. If
<mask> is given then it will be applied to the resulting mode.
will change the owner and group of the directory /tmp/test and all files in it to "nobody" and "users", respectively. The mask
007 will then be applied to each file after copying the "user" mode to the "group" and "other"1 To make this clear with an example, consider a file with the mode
755. Applying the "user" mode to the other two modes gives
007 mask is then applied to this mode to give the final mode of
770. The effect of the
007 mask is to copy the "user" mode to the "group" mode and deny all access to "other".
To change the user to "nobody" but keep the current group and mode, use
To change the user to "nobody" and deny access to everyone else, use
Greater control of the target files can be achieved by using inclusion and exclusion patterns:
+ <glob pattern> - <glob pattern>
The following will do the same as the previous example, except that all files and directories in /tmp/test that begin with "private-" will be ignored:
> nobody:users:007:/tmp/test - /tmp/test/private-*
This can be further refined with an inclusion line:
> nobody:users:007:/tmp/test - /tmp/test/private-* + /tmp/test/private-users
The above adds /tmp/test/private-users to the targets while still excluding all other paths that begin with "/tmp/test/private-".
Multiple targets may be specified in a single file:
> nobody:users:007:/tmp/test - /tmp/test/private > nobody::077:/tmp/test/private
The above will make all files and directories in /tmp/test accessible to members of the "users" group, except for /tmp/test/private, which will only be accessible by "nobody".
In some cases you may wish to apply different masks to different file types. For example, you may wish to unset the executable bit on all files while leaving it on all directories. This can be done by preceeding the octal mask in the target line with one of the following characters:
Starting with the previous example
which would apply the mask 007 to all filetypes, we could change it to
The mask specifier here is
117D007. This is interpretted as a default mask of
117 and a directory mask of
007. If a file is a directory then
007 will be applied, otherwise
117 will be applied. This effectively removes the executable bit from all files except directories in the target directory hierarchy.
The order is irrelevant and the mask specifier could just as well be given as
The only time that order matters is if the same mask type is specified twice, e.g.
The default mask in this case will be
117 because it was specified after
Note that no default mask is required. If none is given then files will only be chmod'd if they match a given filetype mask.
For the exact interpretation of the different file types, consult the "Testing File Type" section of the GNU C library documentation. The character specifiers above match the
S_IS... macros there.
700 would be non-sensical given the above rules so it is given a special meaning by Autochown.
700 is the killmask. It instructs Autochown to remove matching files. This is very useful to prevent certain filetypes from appearing in the target directory. For example, to prevent the creation of FIFOs, the previous example could be changed to
Be very careful when using the killmask. It can wipe out an entire directory hierarchy if you make a mistake. To minimize the risk of a catastrophic typo, the killmask is only recognized when the
-k option is passed.
Setting the killmask for directories (
D700) will not recursively remove non-empty directories directly. Automatic removal of files inside a directory via the killmask will triggger inotify events as the directory is emptied so that it may eventually be removed.
Killmasks do not apply to the paths in the target line. It would amount to a Rube Goldberg implementation of
$ autochown -h autochown - automatically change file ownership and permissions version 1970-02-18 23:10:47 usage: autochown [options] <input file> options: -d: daemonize process -e: update file attributes and exit -k: enable the killmask (700) -n: dry run -h: display this message and exit -p: <path>: write PID to path -v: verbose mode (pass multiple times to increase verbosity) -x: disable device crossing when recursing directories Read the man page for more information.
-vtwice will now print each path as it is scanned.
-vflag multiple times
main()to avoid unintentional directory watches when using "-e" option
This is only done in an internal mask calculation. The file mode is not updated twice.↩