#!/usr/bin/perl

################################################################################
# Updates the ownership and permissions of the Foswiki installation that is
# given on the command line.
#
# The adjust* calls below record the desired settings per path in $collected;
# applyCollected() at the end is what applies them to the file tree.
#
# TODO: The directories for "data" and "pub" (and underneath) should really be
# "setgid httpd" so that group httpd permissions are kept. But it works even
# so.
################################################################################

use strict;
use warnings;

# This is the script installation base (edit as needed).
# Both helper files below are executed with the privileges of whoever runs
# this script, so this directory and its contents should be writable by the
# administrator only.
my $dir = "/usr/local/toolbox";

# Pull in the helper functions. The "our" line names the keywords that
# adjustFilesystemV2_functions.pl exports; they are used as hash keys below.
require "$dir/adjustFilesystemV2_functions.pl";
our ($USER, $GROUP, $DIRPERM, $FILEPERM);
require "$dir/intro.pl";

# ---
# Check that the foswiki root has been correctly passed; if intro() returns,
# all is cool
# ---

my ( $root, $bin, $data, $lib, $locale, $pub, $templates, $tools, $working ) = intro();

# ---
# Now adjust
# ---

# Settings shared by several trees. Each call receives its own copy
# ({ %... }) so that no two calls share one hash reference.

# Default: everything belongs to "root:apache".
# Directories are 750 (apache can read and list contents but not write).
# Files are 640 (apache can read but not write or execute).
my %default_policy = (
    $USER     => "root",
    $GROUP    => "apache",
    $FILEPERM => "640",
    $DIRPERM  => "750",
);

# Trees that are handed over to apache completely: read/write, files never
# executable.
my %apache_writable = (
    $FILEPERM => "660",
    $DIRPERM  => "770",
    $USER     => "apache",
    $GROUP    => "apache",
);

# Order matters from here on: the defaults for the whole tree are recorded
# first and the more specific entries afterwards.
# NOTE(review): presumably a later entry for the same path overrides an
# earlier one -- confirm in adjustFilesystemV2_functions.pl.
my $collected = {};

adjustTree($collected, $root, { %default_policy });

# Stuff underneath 'data', including 'data' itself (topics), is handed to
# apache so that apache can modify and add topics.
# Underneath data, "mime.types" and TWiki should be more restricted; we might
# want to adjust that later.
adjustTree($collected, $data, { %apache_writable });

# "lib" can be restricted except for LocalSite.cfg.
# NOTE(review): directories under "lib" are set to 770, not the default 750.
# If the group here is still "apache" (inherited from the default above --
# confirm), the web server can create and replace files in the code
# directories even though the files themselves are 640. Check whether 750 is
# sufficient for this installation.
adjustTree($collected, $lib, { $FILEPERM => "640", $DIRPERM => "770" });
adjustFile($collected, "$lib/LocalSite.cfg", { $FILEPERM => "660" });

# Stuff underneath "pub", including 'pub' itself (attachments), is handed to
# apache so that apache can modify and add attachments.
adjustTree($collected, $pub, { %apache_writable });

# "working" definitely must be writeable; but files are not executable.
adjustTree($collected, $working, { %apache_writable });

# All the scripts underneath 'bin' need the 'execute' flag, otherwise the
# webserver won't run them. The sample config file is the exception.
adjustAnyFileUnder($collected, $bin, { $FILEPERM => "750" });
adjustFile($collected, "$bin/LocalLib.cfg.txt", { $FILEPERM => "640" });

# For tools, it is more complicated: executable in general, with a handful of
# files explicitly set back to non-executable.
adjustAnyFileUnder($collected, $tools, { $FILEPERM => "750" });

my @tools_not_executable = qw(
    extender.pl
    upgrade_emails.pl
    jslint4java.jar
    yuicompressor.jar
);

for my $name (@tools_not_executable) {
    adjustFile($collected, "$tools/$name", { $FILEPERM => "640" });
}

# Now realize the adjustments, i.e. apply them to the file tree.
my $counter = applyCollected($collected);

print "Applied $counter changes\n";