Blog: KHPtech: Script: Set correct permissions on macosx server user home folders

Script: Set correct permissions on macosx server user home folders

One of my routine sysadmin tasks involves correcting Unix permissions and Darwin ACLs on the user home folders on our macosx file server. Sometimes things happen and users alter the permissions on various items in their home folder, giving (or restricting) access to the wrong people. Or, your friendly junior sysadmin copies home folders around and they end up being owned by him or her, instead of the user they should belong to. Or you restore from a backup that does not restore the permissions. You get the picture.

Over the years I have added new features and made a variety of improvements to the script that I run to set (or re-set) the permissions on our user home folders. I now feel that the script is robust (and customizable) enough that I ought to share it with others who might want to use it too.

The script is actually two scripts that work in tandem. The first script is called FixUser.sh, and it sets the correct Unix permissions and Darwin ACLs on a home folder (and subfolders) for a specific user.

The script must be run as root, and it can be placed anywhere you like. I keep mine in the directory that contains the users’ home folders. Of course the script will need to be both readable and executable; if you’re going to keep it in a place where other people can see it, make it owned by root and take write and execute access away from others (e.g. chown root:wheel FixUser.sh; chmod ug+rwx,o-wx FixUser.sh).

Usage is as follows:

./FixUser.sh username

The username parameter should be the primary shortname for a user on your system, and the home folder for that user needs to have the same name.

Two items of importance are found on lines 2 and 3 of the script. These are variables that need to be set to the full (absolute) path to the folder that contains your users’ home folders, and the folder that contains your users’ Windows profiles (if you’re also running samba, with roaming profiles). PLEASE EDIT THESE VARIABLES BEFORE RUNNING.

Here’s the script:

FixUser.sh

#! /bin/bash
# Edit these two paths before running: the directory that holds the user
# home folders, and the directory that holds the Windows (samba) roaming
# profiles.
HomeDir=/NetUsers
ProfileDir=/NetProfiles

User=$1
# Require a username. With an empty argument the unquoted tests in the
# original would succeed and the recursive chmod/chown would run with no
# target, so stop here instead.
if [ -z "$User" ]; then
    echo "Usage: $0 username" >&2
    exit 1
fi

# Never continue in whatever directory we happen to be in if the home
# folder root is missing; every path below is relative to it.
cd "$HomeDir" || exit 1

# Only proceed for an account that actually exists on this system
if id -u "$User" 1> /dev/null; then
    if [ -d "$User" ]; then
        # Optional per-user hook, run as the user (not root), before the reset
        if [ -x "$User/.ApplyPrePerms.sh" ]; then
            echo " Running pre-permissions task..."
            cd "$User"
            su -f -m "$User" ./.ApplyPrePerms.sh
            cd "$HomeDir"
            echo " Done."
        fi
        echo "Processing Home Directory for $User"
        # Clear the user-immutable flag so the changes below can be applied
        chflags -R nouchg "$User"
        # Remove every existing ACL entry, then reset ownership and Unix modes
        chmod -R -N "$User"
        chown -R "$User:staff" "$User"
        chmod -R u+rwX,go-rwx "$User"
        # The home folder itself, Sites and Public are readable by everyone
        chmod go+rX "$User"
        chmod -R go+rX "$User/Sites" "$User/Public"
        # Drop Box: others may add items but not list or read them
        chmod -R go-r+wX "$User/Public/Drop Box"
        # ACL: the owner keeps full rights on anything dropped in, inherited
        # by new files and folders
        chmod +a "$User allow list,add_file,search,delete,add_subdirectory,delete_child,read,write,append,execute,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" "$User/Public/Drop Box"
        # Optional per-user hook, run as the user, after the reset
        if [ -x "$User/.ApplyPostPerms.sh" ]; then
            echo " Running post-permissions task..."
            cd "$User"
            su -f -m "$User" ./.ApplyPostPerms.sh
            cd "$HomeDir"
            echo " Done."
        fi
    fi
    # Same treatment for the Windows roaming profile. If the profile root is
    # missing, stop rather than applying the profile modes to the home folder
    # we are still sitting in.
    cd "$ProfileDir" || exit 1
    if [ -d "$User" ]; then
        if [ -x "$User/.ApplyPrePerms.sh" ]; then
            echo " Running pre-permissions task..."
            cd "$User"
            su -f -m "$User" ./.ApplyPrePerms.sh
            cd "$ProfileDir"
            echo " Done."
        fi
        echo "Processing Profile for $User"
        chflags -R nouchg "$User"
        chmod -R -N "$User"
        chown -R "$User:staff" "$User"
        # Profiles are private to the user: no group or other access at all
        chmod -R u+rwX,go-rwx "$User"
        if [ -x "$User/.ApplyPostPerms.sh" ]; then
            echo " Running post-permissions task..."
            cd "$User"
            su -f -m "$User" ./.ApplyPostPerms.sh
            cd "$ProfileDir"
            echo " Done."
        fi
    fi
fi

As you can see, it does a bit of sanity checking. Feel free to alter the permission setting and clearing as you see fit; this is how I like it on my macosx server, and I think the resulting permissions are pretty much factory-default, or slightly improved. The ACL on the Drop Box is really a nice touch.
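As an added check that is not part of the original post or its scripts, here is a read-only audit that reports the two kinds of drift FixUser.sh is meant to correct: items not owned by the user, and items that group or others can write to outside Public/Drop Box (the one place the script grants write access on purpose). It assumes the same home-folder layout as FixUser.sh and takes the home folder root as an argument; it uses only find primitives that both BSD (macOS) and GNU find accept.

```shell
#!/bin/bash
# Read-only audit of home folders against the layout FixUser.sh enforces.
# Nothing here changes ownership or modes; it only reports.

# List everything under home folder $1 that is not owned by user $2
misowned() {
    find "$1" ! -user "$2" 2>/dev/null
}

# List items under $1 that group or others can write to, skipping
# Public/Drop Box, where FixUser.sh deliberately grants write access.
# -perm -020 = group write bit set, -perm -002 = other write bit set.
writable_by_others() {
    find "$1" -path "$1/Public/Drop Box" -prune -o \
        \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Run both checks for home folder $1 belonging to user $2.
# Prints one status line (plus findings) and returns 0 when clean,
# 1 when drift was found, so it can drive a cron job or a monitoring check.
audit_home() {
    local home=$1 user=$2 findings
    findings=$( { misowned "$home" "$user"; writable_by_others "$home"; } | sort -u )
    if [ -z "$findings" ]; then
        echo "OK    $user"
        return 0
    fi
    echo "DRIFT $user"
    printf '%s\n' "$findings" | sed 's/^/      /'
    return 1
}

# Audit every folder under $1, treating the folder name as the shortname
# (the same convention FixUser.sh relies on). Returns 1 if any folder drifted.
audit_all() {
    local root=$1 dir status=0
    for dir in "$root"/*; do
        if [ -d "$dir" ]; then
            audit_home "$dir" "$(basename "$dir")" || status=1
        fi
    done
    return $status
}

if [ $# -gt 0 ]; then
    audit_all "$1"
fi
```

Run it as root (e.g. ./AuditUsers.sh /NetUsers) before a mass reset to see what has drifted, and again afterwards to confirm the reset took; a non-zero exit means at least one folder needs attention.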

If you don’t use samba or windows roaming profiles, you can remove the whole cd $ProfileDir and following if block.

A single line is printed for each user home folder and profile folder that is processed. The script tries not to display any unimportant error or warning text, but warnings or errors that deserve your attention should be printed.

One final and very BIG feature is the ability to “augment” the permissions for specific users. You will notice that the script checks for (and calls) additional, optional, scripts inside the user’s home folder, called .ApplyPrePerms.sh and .ApplyPostPerms.sh. These scripts are run as the user (not root) for safety, and they allow you to modify or augment the specific resulting permissions on a per-user basis. (Or they can be used to allow the user to customize their own permissions to their liking.) The point is, these files can be permanently stored in various home folders that need customization, without having to remember or figure it all out the next time you decide to reset user permissions en masse.

Which brings us to our next script, FixUsers.sh (plural).

This second script is much smaller and simply enumerates all the items in the directory that contains your user home folders. Then, for each item, it runs FixUser.sh (singular), which actually sets the permissions for that specific user’s home folder.

The item of greatest importance in FixUsers.sh is line 2, where we set the variable WorkDir to the full path to the directory containing your users’ home folders. You can keep this script anywhere you like, but it needs to be in the same folder as FixUser.sh, and it will also need to run as root in order to work. If you decide to keep this in a place where other people might access the script, please remember to set some reasonable permissions on it (e.g. chown root:wheel FixUsers.sh; chmod ug+rwx,o-wx FixUsers.sh).

FixUsers.sh

#! /bin/bash
# Directory containing the user home folders (edit to match your server)
WorkDir=/NetUsers
# Directory this script lives in; FixUser.sh must sit alongside it, so the
# pair can be kept anywhere rather than only inside WorkDir
ScriptDir=$(cd "$(dirname "$0")" && pwd)
# Refuse to continue if the work directory is missing, so the loop never
# runs against whatever the current directory happens to be
cd "$WorkDir" || exit 1
# Each directory entry is treated as a user shortname; the -d test skips
# plain files (such as these scripts themselves, if stored here)
for User in *
do
    if [ -d "$User" ]; then
        "$ScriptDir/FixUser.sh" "$User"
    fi
done

I hope you find these useful. I sure do.

If you have any suggestions for improvement, please leave a comment!

PayPal tips are welcome at kevpatt@khptech.com :)

Posted by Kevin H. Patterson - 2012-03-09 17:20.