I have a script I periodically run that reapplies FACL and chmod permissions for home directories of gameservers I run.

The script first issues a home-directory wide recursive chmod, and then chmods certain files to specific values (first all files are set to 770, then additional changes are made).

Relevant bit from the script:

```bash
for d in */; do
    # < server verification and type checking >
    chmod -R 770 "${d%/}"
    chmod 771 "${d%/}"
    chmod 775 "${d%/}/$gamedir"
    # < ... chmodding unrelated game asset directories for webserver access ... >
    for k in "${BLOCK_DIRS[@]}"; do
        if [ -d "$k" ]; then
            echo -e "${CYAN}Checking $(pwd)/$k...${NC}"
            echo -e "${RED}Debug: chmod -R 1700 $(pwd)/$k${NC}"
            # Order as posted: the recursive 0700 below runs after the 1700
            # and resets the mode of the directory itself as well.
            chmod -v 1700 "$(pwd)/$k"
            chmod -R 0700 "$(pwd)/$k"
        fi
    done
done
```

Sample output:

```
mode of ‘/home/servers/tf_test/tf/../bin’ changed from 0770 (rwxrwx---) to 1700 (rwx-----T)
```

However, directory permissions only change for the last server in the first loop. That is, there are 9 servers in the first for loop, and only the last one gets changed by the inner for loop.

Same commands issued manually work absolutely fine. What am I doing wrong?

(also, this is my first question - if I didn't say something important - please correct me, I'll edit the question accordingly)

quake84
  • Welcome to the site. What are `BLOCK_DIRS`? – kubanczyk Dec 31 '16 at 15:59
  • BLOCK_DIRS are the directories that are supposed to be protected, and it's an array - I have however responded to the question - it's no longer active. Huge thanks for trying to help, though! – quake84 Dec 31 '16 at 16:00
  • As a side note, do all these files really need execute permissions, that is, are they executable files? If not, you should apply 600 permissions to them. – Tero Kilkanen Jan 01 '17 at 14:20

1 Answer

ls doesn't show access flags for the owner group - it shows the highest group's access, and that fooled me. I also rearranged the chmods in the script so they first chmod the directory's contents and then the directory itself, and the sticky bit now works.
As for the ls group permissions issue:

```
foo@bar:/foo# ls -lha game_server | grep bin
drwxrwx--T+  2 gameaccount  gameaccount  4.0K Dec 21 20:56 bin
foo@bar:/foo#
```

The directory is owned by gameaccount, and it looks like the group gameaccount that owns it has the 7 permission bit, right? Wrong.

```
foo@bar:/foo# getfacl game_server/bin
# file: game_server/bin
# owner: gameaccount
# group: gameaccount
# flags: --t
user::rwx
group::---
group:root:rwx
mask::rwx
other::---
```

Question can be closed - ls just didn't show the permission bits I expected.

quake84
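The two points from the answer above, as an added example that is not part of the original post: apply the recursive chmod before the sticky-bit chmod, and check the result with `stat` and the ACL entries rather than the `ls -l` group column, which shows the ACL mask when a `+` is present. The function names `lock_dir`, `octal_mode`, `acl_effective` and `sample_acl` are made up for this sketch, and `stat -c` assumes GNU coreutils.

```sh
# Added example, not the poster's script. Function names are illustrative.

# lock_dir DIR: owner-only access, sticky bit kept on DIR itself. A numeric
# "chmod -R 0700" clears the sticky bit, so the recursive pass runs first.
lock_dir() {
    chmod -R 0700 -- "$1" && chmod 1700 -- "$1"
}

# octal_mode PATH: mode bits as octal digits (GNU stat syntax).
octal_mode() {
    stat -c '%a' -- "$1"
}

# acl_effective: read getfacl text on stdin and print every non-owner entry
# with its effective rights. Named users and all groups are limited by mask.
acl_effective() {
    awk -F: '
        /^#/ || NF < 3 || $1 == "default" { next }
        $1 == "mask" { mask = substr($3, 1, 3); has_mask = 1; next }
        $1 == "user" && $2 == "" { next }
        { tag[++n] = $1; who[n] = $2; perm[n] = substr($3, 1, 3) }
        END {
            for (i = 1; i <= n; i++) {
                p = perm[i]
                if (has_mask && tag[i] != "other") {
                    e = ""
                    for (j = 1; j <= 3; j++)
                        e = e (substr(mask, j, 1) == "-" ? "-" : substr(p, j, 1))
                    p = e
                }
                print tag[i] ":" who[i] ":" p
            }
        }'
}

# The getfacl output quoted in the answer, reused as sample input.
sample_acl() {
    cat <<'EOF'
# file: game_server/bin
# owner: gameaccount
# group: gameaccount
# flags: --t
user::rwx
group::---
group:root:rwx
mask::rwx
other::---
EOF
}

sample_acl | acl_effective
```

On a live system the input would come from `getfacl DIR | acl_effective`; for the sample it prints `group::---`, `group:root:rwx` and `other::---`, so the `rwx` that `ls` shows in the group column belongs to the mask and the named `root` group entry, not to the owning group.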