Quote:
Originally Posted by Turbocapitalist
Welcome.
I'd not trust plain -print, the files or directories might have spaces in them. You could use -print0 with find and --null with xargs but -exec is another option:
Code:
find -L /var/www/html -group apache -perm /g=w -print -exec chmod g-w {} \;
Thank you very much for the welcome and quick reply.
1) I have just tried running the command above but there was no return output. FYI, the 'html' directory is owned by root, which is the default, and by default it does not have the 'w' permission. See below:
[ec2-user@ip-172-31-22-72 www]$ find -L /var/www/html -group apache -perm /g=w -print -exec chmod g-w {} \;
[ec2-user@ip-172-31-22-72 www]$ ll
total 4
drwxr-xr-x 2 root root 6 Oct 22 22:59 cgi-bin
drwxr-xr-x 2 root root 6 Apr 17 11:06 html
drwx------ 12 root root 4096 Apr 15 11:44 laravel
2) My understanding is that if the directory was owned by the apache group, the above command 'g-w' would remove (w) write access from the apache group if it was the owner? With this in mind, I decided to change the owner of the 'html' directory from 'root' to 'apache' to test whether this command actually works. I then ran the same command but with a 'w-r' to see if it would work because the apache group already was missing the write 'w' permission. See output below:
[ec2-user@ip-172-31-22-72 www]$ sudo chgrp -R apache /var/www/html
[ec2-user@ip-172-31-22-72 www]$ ll
total 4
drwxr-xr-x 2 root root 6 Oct 22 22:59 cgi-bin
drwxr-xr-x 2 root apache 6 Apr 17 11:06 html
drwx------ 12 root root 4096 Apr 15 11:44 laravel
[ec2-user@ip-172-31-22-72 www]$ find -L /var/www/html -group apache -perm /g=w -print -exec chmod g-w {} \;
[ec2-user@ip-172-31-22-72 www]$ ll
total 4
drwxr-xr-x 2 root root 6 Oct 22 22:59 cgi-bin
drwxr-xr-x 2 root apache 6 Apr 17 11:06 html
drwx------ 12 root root 4096 Apr 15 11:44 laravel
[ec2-user@ip-172-31-22-72 www]$ find -L /var/www/html -group apache -perm /g=r -print -exec chmod g-w {} \;
/var/www/html
chmod: changing permissions of ‘/var/www/html’: Operation not permitted
[ec2-user@ip-172-31-22-72 www]$ sudo find -L /var/www/html -group apache -perm /g=r -print -exec chmod g-w {} \;
/var/www/html
[ec2-user@ip-172-31-22-72 www]$ ll
total 4
drwxr-xr-x 2 root root 6 Oct 22 22:59 cgi-bin
drwxr-xr-x 2 root apache 6 Apr 17 11:06 html
drwx------ 12 root root 4096 Apr 15 11:44 laravel
[ec2-user@ip-172-31-22-72 www]$ sudo find -L /var/www/html -group apache -perm /g=x -print -exec chmod g-w {} \;
/var/www/html
[ec2-user@ip-172-31-22-72 www]$ ll
total 4
drwxr-xr-x 2 root root 6 Oct 22 22:59 cgi-bin
drwxr-xr-x 2 root apache 6 Apr 17 11:06 html
drwx------ 12 root root 4096 Apr 15 11:44 laravel
[ec2-user@ip-172-31-22-72 www]$ sudo chgrp -R root /var/www/html
[ec2-user@ip-172-31-22-72 www]$ ll
total 4
drwxr-xr-x 2 root root 6 Oct 22 22:59 cgi-bin
drwxr-xr-x 2 root root 6 Apr 17 11:06 html
drwx------ 12 root root 4096 Apr 15 11:44 laravel
[ec2-user@ip-172-31-22-72 www]$
3) I even tried adding the 'w' write permission to root to see if I could first add and then remove it using the same command, testing it with the group 'root', but I was unable to assign it the 'w' permission. See below:
[ec2-user@ip-172-31-22-72 www]$ find -L /var/www/html -group root -perm /g=w -print -exec chmod g+w {} \;
[ec2-user@ip-172-31-22-72 www]$ ll
total 4
drwxr-xr-x 2 root root 6 Oct 22 22:59 cgi-bin
drwxr-xr-x 2 root root 6 Apr 17 11:06 html
drwx------ 12 root root 4096 Apr 15 11:44 laravel
4) Just to contextualise things, I'm trying to write a shell script that will run against a vanilla Apache installation on Amazon Linux 2, one of the requirements of which is to "Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted".
Apologies for the long reply. I'm just trying to explain my thought process. I suspect this is user error on my part.
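The behaviour seen in the transcripts above (find prints nothing when no file under the document root is both owned by the group and group-writable, and chmod fails without privileges on root-owned paths) can be checked end to end on a throwaway tree. The script below is an added example, not code from either poster: it builds a constructed sample document root under mktemp with group-writable and non-writable entries (including names with spaces, the case -print0 is meant for), counts the matches with the same -perm /g=w test, and then removes group write with -exec ... {} +. The group is passed as a parameter rather than hard-coding apache, so it runs as an unprivileged user against files the user's own group owns.

```shell
#!/bin/sh
# Added example (not from the thread). Audits and restricts group-write
# access under a document root. Assumes GNU find (for -perm /g=w).

# Build a constructed sample tree and print its path.
# Three entries get group-write deliberately; one does not.
make_sample_docroot() {
  dir=$(mktemp -d)
  mkdir -p "$dir/sub dir"
  printf 'x' > "$dir/index.html"
  printf 'x' > "$dir/sub dir/page with space.html"
  printf 'x' > "$dir/sub dir/readonly.html"
  chmod 755 "$dir"                                 # docroot itself: no g+w
  chmod 664 "$dir/index.html"                      # g+w
  chmod 775 "$dir/sub dir"                         # g+w (directory)
  chmod 664 "$dir/sub dir/page with space.html"    # g+w, name with spaces
  chmod 644 "$dir/sub dir/readonly.html"           # already restricted
  printf '%s\n' "$dir"
}

# Audit only: count entries under $1 owned by group $2 that are group-writable.
# -print0 keeps names with spaces intact; NULs are turned into newlines only
# for counting. Prints 0 when nothing matches, which is the "no output" case
# from the thread.
count_group_writable() {
  find -L "$1" -group "$2" -perm /g=w -print0 | tr '\0' '\n' | wc -l | tr -d ' '
}

# Remediate: remove group write from the same matches. "{} +" batches paths
# into few chmod invocations and needs no xargs at all.
restrict_group_write() {
  find -L "$1" -group "$2" -perm /g=w -exec chmod g-w {} +
}

# Report the permission string of one path, e.g. drwxr-xr-x
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# Stand-alone run: audit, fix, audit again, clean up.
docroot=$(make_sample_docroot)
grp=$(id -gn)
echo "group-writable before: $(count_group_writable "$docroot" "$grp")"
restrict_group_write "$docroot" "$grp"
echo "group-writable after:  $(count_group_writable "$docroot" "$grp")"
echo "sub dir is now: $(mode_of "$docroot/sub dir")"
rm -rf "$docroot"
```

Running it prints 3 before and 0 after, and the directory mode changes from drwxrwxr-x to drwxr-xr-x. The chmod step only succeeds on paths the running user owns, so for a real /var/www/html owned by root it must run under sudo, exactly as the transcript above shows.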