autochown

Metadata
About
Service File
FAQ
- Why don't you just use ACLs?
AUTOCHOWN(1)
- Name
- Synopsis
- Description
- Input File
Help Message
CHANGELOG

autochown

2013-05-12 22:34 UTC

Xyne

Metadata

Description:	Monitor multiple directories using glob patterns and automatically adjust file ownership and permissions.
Latest Version:	2013.4.25
Architecture:	i686 x86_64
Build Dependencies:	cmake rabbit_tree
Arch Repositories:	[xyne-i686] [xyne-x86_64]
AUR ID:	62866
Arch Forum ID:	149097
Tags:	utilities

Service File

The package includes a Systemd service file that uses a system configuration file for automatic directory management.

FAQ

Why don't you just use ACLs?

ACLs do not change the owner of files in a shared directory, which is what I need. ACLs do not enforce permissions either.

AUTOCHOWN(1)

Name

autochown - Monitor multiple directories using glob patterns and automatically adjust file ownership and permissions.

autochown is a tool for group collaboration. It recursively monitors shared directories with inotify and responds to events that affect file ownership and permissions. It can be used to automatically chown and chmod files to ensure that target files are accessible to certain users but not others.

autochown can be used in combination with access control lists and other methods for sharing directories between users.

Note: autochown must be run with superuser permissions to be able to chown files.

Input File

autochown's behavior is determined by the input file. The input file has a simple yet versatile format.

Lines beginning with '#' or a space are ignored.

Lines the begin with "> " indicate target directories. They have the following format:

> <user>:<group>:<mask>:<glob pattern>

<user>, <group> and <mask> are all optional.

autochown will recurse into directories that match <glob pattern>. If <user> is given then it will change the owner of the file to the given user name. If <group> is given then it will change the group to the given group name.

The "group" and "other" mode of the file will be set to the "user" mode. If <mask> is given then it will be applied to the resulting mode.

For example,

> nobody:users:007:/tmp/test

will change the owner and group of the directory /tmp/test and all files in it to "nobody" and "users", respectively. Each file will have its group permissions set to the user permissions, and the other permissions will be 0. E.g. if the file's original mode were 755, then the mask 007 would be applied to 777 to give 770.

Greater control of the target files can be achieved by using inclusion and exclusion patterns:

+ <glob pattern>
- <glob pattern>

For example,

> nobody:users:007:/tmp/test
- /tmp/test/private-*

will do the same as the previous example, except that all files and directories in /tmp/test that begin with "private-" will be ignored. This can be further refined with an inclusion line:

> nobody:users:007:/tmp/test
- /tmp/test/private-*
+ /tmp/test/private-users

The above adds /tmp/test/private-users to the targets while still excluding all other paths that begin with "/tmp/test/private-".

Multiple targets may be specified in a single file:

> nobody:users:007:/tmp/test
- /tmp/test/private

> nobody::077:/tmp/test/private

The above will make all files and directories in /tmp/test accessible to members of the "users" group, except for /tmp/test/private, which will only be accessible by "nobody".

Per-filemode Masks

In some cases you may wish to apply different masks to different file types. For example, you may wish to unset the executable bit on all files while leaving it on all directories. This can be done by preceeding the octal mask in the target line with one of the following characters:

D: directory
C: character special file
B: block special file
R: regular file
F: FIFO special file
L: symbolic link
S: socket

For example, starting with the previous example

> nobody:users:007:/tmp/test

which would apply the mask 007 to all filetypes, we could change it to

> nobody:users:117D007:/tmp/test

The mask specifier here is 117D007. This is interpretted as a default mask of 117 and a directory mask of 007. If a file is a directory then 007 will be applied, otherwise 117 will be applied. This effectively removes the executable bit from all files except directories in the watch directory hierarchy.

The order is irrelevant and the mask specifier could just as well be given as

> nobody:users:D007117:/tmp/test

The only time that order matters is if the same mask type is specified twice, e.g.

> nobody:users:017D007117:/tmp/test

The default mask in this case will be 117 because it was specified after 017.

Note that no default mask is required. If none is given then files will only be chmod'd if they match a given filetype mask.

For the exact interpretation of the different file types, consult the "Testing File Type" section of the GNU C library documentation. The character specifiers above match the S_IS... macros there.

Killmask

The mask 700 would be non-sensical given the above rules so it is given a special meaning by Autochown. 700 is the killmask. It instructs Autochown to remove matching files. This is very useful to prevent certain filetypes from appearing in the watched directory. For example, to prevent the creation of FIFOs, the previous example could be modified as follows:

> nobody:users:007F700:/tmp/test

Be very careful when using the killmask. It can wipe out an entire directory hierarchy if you make a mistake. To minimize the risk of a catastrophic typo, the killmask is only recognized when the -k option is passed.

Setting the killmask for directories (D700) will not recursively remove non-empty directories directly. Automatic removal of files inside a directory via the killmask will triggger inotify events as the directory is emptied so that it may eventually be removed.

Killmasks to not apply to the paths in the target line. It would amount to a Rube Goldberg implementation of rm otherwise.

Help Message

$ autochown -h

autochown - automatically change file ownership and permissions

version 2013-04-25 21:26:10

usage:
  autochown [options] <input file>

options:
  -d: daemonize process
  -e: update file attributes and exit
  -k: enable the killmask (700)
  -n: dry run
  -h: display this message and exit
  -p <path>: write PID to path
  -v: verbose mode (pass multiple times to increase verbosity)

Read the man page for more information.

CHANGELOG

2013-03-01

added previous user and group to verbose lchown output

2013-02-13 (second session)

fixed regression bug that caused autochown to follow symlinks outside of target directory hierarchy
added multi-level verbosity (only 2 levels so far, maybe more later)
- pass the -v flag multiple times

2013-02-13

added per-filetype masks
added killmask
added killmask option -k
added dry run option -n

2012-12-09

restructured logic in main() to avoid unintentional directory watches when using "-e" option

2012-11-27

removed timestamp from output messages (should be handled by the system log)

2012-11-25

added service file

2012-09-20

corrected typo in man page and further clarified chmod behavior

Contact: echo xyne.archlinux.ca | sed 's/\./@/'
Feeds: Blog News
Validation: XHTML 1.0 Strict CSS level 3 Atom 1.0

~/projects/autochown

Contents

autochown