Following Eric's links I was able to learn a few new things - and create a short script that allows me to do what I wanted and more!
I have written it into a single init script and am now using it on the system which started this line of thought.
Anyone interested please download, read the configuration notes to set it up, and offer improvements or comments! But this is my first time sharing one of my own scripts with others, so please be kind!
You can download a tarball (single file) here
A brief description follows:
What it does
It uses inotify to monitor a directory tree for filesystem events. This makes it very efficient, not a resource hog!
When a file is created or modified within the tree, it enforces ownership by a single user and group, and sets a minimum default file permission level. (I have created a special owner/user with a 002 UMASK, but this is not necessary.)
This allows you to set up a directory tree owned by some user and group, where all group members have r/w access, as usual. But when a group member other than the directory owner creates a file, ownership is assigned to the directory owner, not the user creating the file.
Additionally, and optionally, it will enforce a configurable minimum access permission level for all files in the tree. For example, if you specify that owner and group members have at least r/w access in the tree, ug+rw, then if an attempt is made to change any file to read only, or no access for owner or group members, it will instead be set to r/w, the minimum permission level.
It also enforces a default minimum permission level for new files, but respects 'excess' permissions. For example, the new default is ug+rw,o-wx, which restricts non-group members to read only access. But if you create a file outside the watched tree and assign r-w-x to all users, then the excess x for groups will be respected, but the x for others conflicts with the minimum level of -wx and will be changed to r.
It is set up to be run as /etc/rc.d/rc.iwatch when added to /etc/rc.d/rc.local, so it should be always on. But in the event that file ownership or permissions within the tree are changed while the script is not running, it will detect and correct those when next started.
It has the usual start, stop and restart options, plus a start-fg option to start it as a foreground process for testing from a shell and receiving output for all events.
Finally, it recognizes its own watched path for start and stop conditions, and will only start or stop the inotify process using the same path. This allows you to run more than one watch script on different trees at the same time, but without conflict.
I am running two, each with a filename suffix which reflects its use - the example I uploaded is one of those so change or remove the suffix to meet your needs.
Give it a try and let me know what you think!
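As an added example (not the poster's rc.iwatch script, which is only in the tarball), the sketch below shows in plain POSIX sh the two behaviours the post describes: a start-up sweep that corrects anything changed while the watcher was down, and an inotifywait loop that reacts to new, modified, moved-in or chmod'd files. The minimum level ug+rw,o-wx is expressed as two octal masks, and the correction is new = (current | set) & ~clear, which is exactly why an extra g+x survives while o+x does not. The function names and the sweep/watch sub-commands are assumptions for this example; it assumes GNU coreutils stat(1) and, for the watch loop only, inotify-tools.

```shell
#!/bin/sh
# Added example, not the poster's script. Enforce owner/group and a minimum
# permission level over a directory tree: one-time sweep plus inotify loop.
# Assumes GNU coreutils stat(1); watch_tree additionally needs inotifywait.

# Minimum level ug+rw,o-wx as two octal masks:
SET_BITS=0660    # bits that must always be on  (ug+rw)
CLEAR_BITS=0003  # bits that must always be off (o-wx)

# compute_mode CURRENT_OCTAL -> corrected 4-digit octal mode.
# new = (current | SET_BITS) & ~CLEAR_BITS, so "excess" bits such as g+x
# (or setgid/sticky in the fourth digit) are left alone.
compute_mode() {
    cm_cur=$(printf '%d' "0$1")          # leading 0 makes printf parse octal
    cm_set=$(printf '%d' "$SET_BITS")
    cm_clr=$(printf '%d' "$CLEAR_BITS")
    printf '%04o' $(( (cm_cur | cm_set) & ~cm_clr ))
}

# enforce_file PATH OWNER GROUP: fix the mode, then the ownership.
# Regular files only: stripping o-x from directories would break traversal.
enforce_file() {
    ef_path=$1; ef_owner=$2; ef_group=$3
    [ -f "$ef_path" ] || return 0
    ef_cur=$(printf '%04o' "0$(stat -c '%a' "$ef_path")")
    ef_new=$(compute_mode "$ef_cur")
    if [ "$ef_cur" != "$ef_new" ]; then
        chmod "$ef_new" "$ef_path"
    fi
    if [ "$(stat -c '%U:%G' "$ef_path")" != "$ef_owner:$ef_group" ]; then
        # chown needs root, or ownership of the file plus membership in GROUP
        chown "$ef_owner:$ef_group" "$ef_path" || echo "chown failed: $ef_path" >&2
    fi
}

# sweep_tree DIR OWNER GROUP: the start-up pass that corrects anything changed
# while the watcher was not running. (Filenames containing newlines would need
# find -print0 / xargs -0 instead.)
sweep_tree() {
    find "$1" -type f | while IFS= read -r st_f; do
        enforce_file "$st_f" "$2" "$3"
    done
}

# watch_tree DIR OWNER GROUP: react to events as they happen; runs forever.
# attrib is included so a chmod/chown inside the tree is corrected too.
watch_tree() {
    inotifywait -m -r -q -e create -e modify -e attrib -e moved_to \
        --format '%w%f' "$1" | while IFS= read -r wt_f; do
        enforce_file "$wt_f" "$2" "$3"
    done
}

# Usage (hypothetical CLI): ./enforce.sh sweep|watch DIR [OWNER [GROUP]]
# OWNER/GROUP default to the invoking user's name and primary group.
# Note: files touched between the sweep finishing and inotifywait installing
# its watches are missed; an init script would want to close that gap.
case "${1:-}" in
    sweep) sweep_tree "$2" "${3:-$(id -un)}" "${4:-$(id -gn)}" ;;
    watch) sweep_tree "$2" "${3:-$(id -un)}" "${4:-$(id -gn)}"
           watch_tree "$2" "${3:-$(id -un)}" "${4:-$(id -gn)}" ;;
esac
```

Run as the tree's owner (or root) since chown to a third user is root-only. Worked through the post's own case: a file arriving as 0777 becomes 0774, a file chmod'd to 0400 inside the tree is pushed back up to 0660, and a 0755 file keeps its g+x as 0774.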