Old 04-18-2020, 06:02 AM   #1
bigred_247
LQ Newbie
 
Registered: Apr 2020
Location: essex
Distribution: amazon linux 2, ubuntu
Posts: 8

Rep: Reputation: Disabled
Can not restrict the Document Root directory for Apache - help required


Hi folks,

I'm pretty new to Linux and am trying to lock down Apache 2.4 but can not get the following command to work. FYI, I am using Amazon Linux 2 on AWS:

example found online:
find -L $DOCROOT -group $GRP -perm /g=w -print | xargs chmod g-w

my command:
find -L /var/www/html -group apache -perm /g=w -print | xargs chmod g-w

but I receive the error: "chmod: missing operand after ‘g-w’"

Can anybody shed some light or assist?
 
Old 04-18-2020, 07:42 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
Originally Posted by bigred_247 View Post
Hi folks,

I'm pretty new to Linux and am trying to lock down Apache 2.4 but can not get the following command to work. FYI, I am using Amazon Linux 2 on AWS:

example found online:
find -L $DOCROOT -group $GRP -perm /g=w -print | xargs chmod g-w

my command:
find -L /var/www/html -group apache -perm /g=w -print | xargs chmod g-w

but I receive the error: "chmod: missing operand after ‘g-w’"

Can anybody shed some light or assist?
Most likely there is nothing for xargs to apply.
You can use xargs -r, so it stops complaining.

Last edited by bathory; 04-18-2020 at 08:20 AM. Reason: Wrong answer
 
Old 04-18-2020, 07:44 AM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

Rep: Reputation: 3721
Welcome.

I'd not trust plain -print, the files or directories might have spaces in them. You could use -print0 with find and --null with xargs but -exec is another option:

Code:
find -L /var/www/html -group apache -perm /g=w -print -exec chmod g-w {} \;
 
Old 04-18-2020, 08:51 AM   #4
bigred_247
LQ Newbie
 
Registered: Apr 2020
Location: essex
Distribution: amazon linux 2, ubuntu
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
Welcome.

I'd not trust plain -print, the files or directories might have spaces in them. You could use -print0 with find and --null with xargs but -exec is another option:

Code:
find -L /var/www/html -group apache -perm /g=w -print -exec chmod g-w {} \;

Thank you very much for the welcome and quick reply.


1) I have just tried running the command above but there was no return output. FYI, the 'html' directory is owned by root which is the default and by default it does not have the 'w' permission. See below:

[ec2-user@ip-172-31-22-72 www]$ find -L /var/www/html -group apache -perm /g=w -print -exec chmod g-w {} \;
[ec2-user@ip-172-31-22-72 www]$ ll
total 4
drwxr-xr-x 2 root root 6 Oct 22 22:59 cgi-bin
drwxr-xr-x 2 root root 6 Apr 17 11:06 html
drwx------ 12 root root 4096 Apr 15 11:44 laravel


2) My understanding is that if the directory was owned by the apache group, the above command 'g-w' would remove (w) write access from the apache group if it was the owner? With this in mind, I decided to change the owner of the 'html' directory from 'root' to 'apache' to test whether this command actually works. I then ran the same command but with a 'w-r' to see if it would work because the apache group already was missing the write 'w' permission. See output below:

[ec2-user@ip-172-31-22-72 www]$ sudo chgrp -R apache /var/www/html
[ec2-user@ip-172-31-22-72 www]$ ll
total 4
drwxr-xr-x 2 root root 6 Oct 22 22:59 cgi-bin
drwxr-xr-x 2 root apache 6 Apr 17 11:06 html
drwx------ 12 root root 4096 Apr 15 11:44 laravel

[ec2-user@ip-172-31-22-72 www]$ find -L /var/www/html -group apache -perm /g=w -print -exec chmod g-w {} \;
[ec2-user@ip-172-31-22-72 www]$ ll
total 4
drwxr-xr-x 2 root root 6 Oct 22 22:59 cgi-bin
drwxr-xr-x 2 root apache 6 Apr 17 11:06 html
drwx------ 12 root root 4096 Apr 15 11:44 laravel

[ec2-user@ip-172-31-22-72 www]$ find -L /var/www/html -group apache -perm /g=r -print -exec chmod g-w {} \;
/var/www/html
chmod: changing permissions of ‘/var/www/html’: Operation not permitted
[ec2-user@ip-172-31-22-72 www]$ sudo find -L /var/www/html -group apache -perm /g=r -print -exec chmod g-w {} \;
/var/www/html
[ec2-user@ip-172-31-22-72 www]$ ll
total 4
drwxr-xr-x 2 root root 6 Oct 22 22:59 cgi-bin
drwxr-xr-x 2 root apache 6 Apr 17 11:06 html
drwx------ 12 root root 4096 Apr 15 11:44 laravel
[ec2-user@ip-172-31-22-72 www]$ sudo find -L /var/www/html -group apache -perm /g=x -print -exec chmod g-w {} \;
/var/www/html
[ec2-user@ip-172-31-22-72 www]$ ll
total 4
drwxr-xr-x 2 root root 6 Oct 22 22:59 cgi-bin
drwxr-xr-x 2 root apache 6 Apr 17 11:06 html
drwx------ 12 root root 4096 Apr 15 11:44 laravel
[ec2-user@ip-172-31-22-72 www]$ sudo chgrp -R root /var/www/html
[ec2-user@ip-172-31-22-72 www]$ ll
total 4
drwxr-xr-x 2 root root 6 Oct 22 22:59 cgi-bin
drwxr-xr-x 2 root root 6 Apr 17 11:06 html
drwx------ 12 root root 4096 Apr 15 11:44 laravel
[ec2-user@ip-172-31-22-72 www]$


3) I even tried adding the 'w' write permission to root to see if I could first add then remove using the same command but testing it with the group 'root' but I was unable to assign it the 'w' permission. See below:

[ec2-user@ip-172-31-22-72 www]$ find -L /var/www/html -group root -perm /g=w -print -exec chmod g+w {} \;
[ec2-user@ip-172-31-22-72 www]$ ll
total 4
drwxr-xr-x 2 root root 6 Oct 22 22:59 cgi-bin
drwxr-xr-x 2 root root 6 Apr 17 11:06 html
drwx------ 12 root root 4096 Apr 15 11:44 laravel



4) Just to contextualise things, I'm trying to write a shell script that will run against a vanilla apache installation on Amazon Linux 2 of which one of the requirements is to "Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted"


Apologies for the long reply. Just trying to identify my thought process. I suspect this is user error on my part

Last edited by bigred_247; 04-18-2020 at 09:08 AM.
 
Old 04-18-2020, 09:01 AM   #5
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

Rep: Reputation: 3721
If the directories are owned by another account, such as root, then you'll have to use that other account to make the changes using find and chmod there:

Code:
sudo find -L /var/www/html -group apache -perm /g=w -exec chmod g-w {} \;
Strictly speaking, the -print option is not needed there but when present it provides a little more verbosity to watch what is going on.

Later, if you are going to share the directories with more than just yourself, you might need the write permissions for the groups turned back on, just not for the web server's group. See https://www.linuxquestions.org/quest...e-users-37043/
 
1 members found this post helpful.
Old 04-18-2020, 09:24 AM   #6
bigred_247
LQ Newbie
 
Registered: Apr 2020
Location: essex
Distribution: amazon linux 2, ubuntu
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
If the directories are owned by another account, such as root, then you'll have to use that other account to make the changes using find and chmod there:

Code:
sudo find -L /var/www/html -group apache -perm /g=w -exec chmod g-w {} \;
Strictly speaking, the -print option is not needed there but when present it provides a little more verbosity to watch what is going on.

Later, if you are going to share the directories with more than just yourself, you might need the write permissions for the groups turned back on, just not for the web server's group. See https://www.linuxquestions.org/quest...e-users-37043/

I just tried the below? Is this what you meant? I tried giving root the 'w' permission but it did not seem to work.

In the meantime, I'll refer to the post you just sent. Thank you very much for your help so far

[ec2-user@ip-172-31-22-72 www]$ sudo -s
[root@ip-172-31-22-72 www]# find -L /var/www/html -group root -perm /g=w -print -exec chmod g+w {} \;
[root@ip-172-31-22-72 www]# ll
total 4
drwxr-xr-x 2 root root 6 Oct 22 22:59 cgi-bin
drwxr-xr-x 2 root root 6 Apr 17 11:06 html
drwx------ 12 root root 4096 Apr 15 11:44 laravel

Last edited by bigred_247; 04-18-2020 at 09:25 AM.
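
The pipeline from the first post and the fixes suggested in posts #2 and #3, run against a constructed document root, as an added example that is not part of any post in this thread. It assumes GNU findutils and coreutils; the temporary tree, the file names and the function names are made up for the demonstration, and the current user's numeric group id stands in for apache.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Assumes GNU find, xargs, stat.

# List entries under $1 that belong to group $2 and are group-writable.
# -perm /g=w selects only entries that ALREADY have the group write bit,
# so a tree with no such entries produces no output at all.
list_group_writable() {
    find -L "$1" -group "$2" -perm /g=w -print
}

# Pipeline from the first post. With no matches, GNU xargs still runs
# chmod once without file operands ("missing operand after 'g-w'"),
# so the exit status is non-zero.
pipeline_without_r() {
    find -L "$1" -group "$2" -perm /g=w -print | xargs chmod g-w 2>/dev/null
}

# Hardened form: -print0 / -0 keeps names with spaces intact, and -r
# stops xargs from running chmod when find matched nothing.
restrict_group_write() {
    find -L "$1" -group "$2" -perm /g=w -print0 | xargs -0 -r chmod g-w
}

# Build a constructed docroot and print: matches before, matches after,
# and the final mode of the file that was group-writable.
demo() {
    local root grp before after mode
    root=$(mktemp -d) || return 1
    grp=$(id -g)                      # stand-in for the apache group
    mkdir "$root/html"
    touch "$root/html/index.html" "$root/html/upload form.php"
    chmod 755 "$root/html"
    chmod 644 "$root/html/index.html"
    chmod 664 "$root/html/upload form.php"   # the one group-writable entry
    before=$(list_group_writable "$root/html" "$grp" | wc -l | tr -d ' ')
    restrict_group_write "$root/html" "$grp" || return 1
    after=$(list_group_writable "$root/html" "$grp" | wc -l | tr -d ' ')
    # Second run matches nothing; -r makes that a silent success.
    restrict_group_write "$root/html" "$grp" || return 1
    mode=$(stat -c %a "$root/html/upload form.php")
    rm -rf "$root"
    echo "$before $after $mode"
}

demo   # prints: 1 0 644
```

On a real document root owned by root, the same find pipeline has to be run with sudo, as post #5 says.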
 
Old 04-23-2020, 10:52 AM   #7
bigred_247
LQ Newbie
 
Registered: Apr 2020
Location: essex
Distribution: amazon linux 2, ubuntu
Posts: 8

Original Poster
Rep: Reputation: Disabled
Thank you for the link that you posted. This helped

Quote:
Originally Posted by Turbocapitalist View Post
If the directories are owned by another account, such as root, then you'll have to use that other account to make the changes using find and chmod there:

Code:
sudo find -L /var/www/html -group apache -perm /g=w -exec chmod g-w {} \;
Strictly speaking, the -print option is not needed there but when present it provides a little more verbosity to watch what is going on.

Later, if you are going to share the directories with more than just yourself, you might need the write permissions for the groups turned back on, just not for the web server's group. See https://www.linuxquestions.org/quest...e-users-37043/
 
  

