Script to capture and restore file permissions

Backing up file permissions is the best practice. Even extra permissions on files can mess up installed software.

Editing this post:

Thanks to zhwsh about this comment, that even does not need to be explained:

“getfacl -R /u01/app/11.2.0.4/grid > dir_privs.txt
setfacl –restore dir_privs.txt”

In front of the “restore”, you should write two hyphens “- -”

In any case leaving perl script that does the same as getfacl. 

Usage:

chmod 755 backup_permissions.pl

./backup_permissions.pl <Path>

Script: 

#!/usr/bin/perl -w
#
# Captures file permissions and the owner of the files
# useage : perm1.pl <path to capture permission>
#

use strict;
use warnings;
use File::Find;
use POSIX();

my (@dir) = @ARGV;
my $linecount=0 ;

#print @ARGV, $#ARGV;

if ($#ARGV < 0) {
print “\n\nOpps….Invalid Syntax !!!!\n” ;
print “Usage : ./perm1.pl <path to capture permission>\n\n” ;
print “Example : ./perm1.pl /home/oralce\n\n” ;
exit ;
}
my $logdir=$dir[0] ;
#my ($sec, $min, $hr, $day, $mon, $year) = localtime;
##my ($dow,$mon,$date,$hr,$min,$sec,$year) = POSIX::strftime( ‘%a %b %d %H %M %S %Y’, localtime);
my $date = POSIX::strftime( ‘%a-%b-%d-%H-%M-%S-%Y’, localtime);
my $logfile=”permission-“.$date;
my $cmdfile=”restore-perm-“.$date.”.cmd” ;

open LOGFILE, “> $logfile” or die $! ;
open CMDFILE, “> $cmdfile” or die $! ;
find(\&process_file,@dir);

print “Following log files are generated\n” ;
print “logfile : “.$logfile. “\n” ;
print “Command file : “.$cmdfile. “\n” ;
print “Linecount : “.$linecount.”\n” ;
close (LOGFILE) ;
close (CMDFILE) ;

sub process_file {
my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size, $atime,$mtime,$ctime,$blksize,$blocks,$username,$user,$pass,$comment,$home,$shell,$group);
my %uiduname = () ;
my %gidgname = () ;
my $filename = $File::Find::name;

#### Building uid, username hash

open (PASSWDFILE, ‘/etc/passwd’) ;

while ( <PASSWDFILE>) {
($user,$pass,$uid,$gid,$comment,$home,$shell)=split (/:/) ;
$uiduname{$uid}=$user ;
}
close (PASSWDFILE) ;

#### Building gid, groupname hash

open (GRPFILE, ‘/etc/group’) ;

while ( <GRPFILE>) {
($group,$pass,$gid)=split (/:/) ;
$gidgname{$gid}=$group ;
}
close (GRPFILE) ;

($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size, $atime,$mtime,$ctime,$blksize,$blocks) = stat(“$filename”);
# printf “%o %s %s %s\n”, $mode & 07777, $uiduname{$uid}, $gidgname{$gid}, $filename ;
printf LOGFILE “%o %s %s %s\n”, $mode & 07777, $uiduname{$uid}, $gidgname{$gid}, $filename ;
printf CMDFILE “%s %s%s%s %s\n”, “chown “,$uiduname{$uid}, “:”, $gidgname{$gid}, $filename ;
printf CMDFILE “%s %o %s\n”, “chmod “,$mode & 07777, $filename ;
# printf “%o %s %s %s\n”, $mode & 07777, $uiduname{$uid}, $gidgname{$gid}, $filename ;
$linecount++ ;
}

Note:

The above script generates restore-perm-<timestamp>.cmd file.

When you want to restore permissions make this file executable and run:

chmod 755 restore-perm-<timestamp>.cmd

./restore-perm-<timestamp>.cmd

 

 

 

How to restore file permissions of the installed package to its default on Linux?

Hello all,

(Please, note that in command string instead of “” there are two dashes “- -“ like “–setperms” it is “– -setperms”)

By mistake, I run the following command on / directory:

chmod -R 777 *

I stopped this command, but unfortunately some file permissions were changed.

Because of that, I was not able to connect to the server with WinSCP and ssh was not working.

I looked in to the /var/log/messages and found the following entry:

Sep  6 15:02:37 stbynode sshd[24226]: fatal: /var/empty/sshd must be owned by root and not group or world-writable.

I run the following command on another server:

ls -la /var/empty/sshd
total 16
drwx–x–x 3 root root 4096 Sep 3 21:07 .
drwxr-xr-x 3 root root 4096 Sep 3 21:07 ..
drwxr-xr-x 2 root root 4096 Sep 3 21:36 etc

On my server it was:

ls -la /var/empty/sshd
total 16
drwxrwxrwx 3 root root 4096 Sep 3 14:00 .
drwxrwxrwx 3 root root 4096 Sep 3 14:00 ..
drwxrwxrwx 2 root root 4096 Sep 3 14:00 etc

You can change these permissions by hand (that will be boring if not only one file permissions have been changed)but there exist one very useful command:

rpm  –setperms {packagename}

This will reset package permissions, because of rpm database contains permission information.

So I run the following :

for p in $(rpm -qa); do rpm –setperms $p; done

Note this script will reset permissions of the  installed package, not user created file…

After completed this command , I was able to connect to the server with WinScp and  /var/empty/sshd permissions were set to drwxr-xr-x

To avoid such kind of situation my advice would be to save permission information everyday. By running the following command using crontab:

find / -exec stat –format “chmod %a ${MPOINT}%n” {} \; > /tmp/permissionsbackup.sh

Good Luck , I hope the post was helpful…