Bash Script to scan folders and PHP files for bad permissions


This script will run through the public_html directory of every cPanel user account and recursively do the following:

  • check for directories that have the write bit set for group (g) or other (o) – and reset any found to 755 permissions.
  • check for any files with the .php extension that have any access bits at all set for other (o), the write or execute bit set for group (g), or the execute bit set for user (u) – and reset any found to 640 permissions.

It is quite easy to modify for your own purposes, but these permissions are generally a good starting point on a server running PHP with the suPHP module (THIS WILL BREAK EVERYTHING IF YOU ARE RUNNING PHP AS DSO: under mod_php the scripts are read by the web server user, and 640 takes that access away).

If you are not feeling very brave, increase the DELAY value in the script to more than 1 second; the script sleeps for that long between accounts, so you can watch what it is doing. Of course, if you feel brave, you can set it to zero.

The reasoning

When running under suPHP, PHP scripts execute as the user account that owns them. Therefore only the user account needs write permission on directories. Group and other need only read and execute (read allows listing the directory, execute allows traversing into it and accessing entries by name). Therefore chmod 755 is optimal.

PHP scripts are run by the PHP interpreter, which suPHP starts under the privileges of the account that owns the script. Therefore the nobody account (which Apache runs as when serving anything other than PHP files) does not require any access to them at all. It is also unnecessary to give the user account's group write access; read is enough. Therefore chmod 640 is optimal.

But the readme file says I must chmod 644 or 666 or worse!

Regardless – many PHP scripts are distributed with readme files that assume the files are going onto a server running PHP as DSO, or in another mode where the nobody account needs greater access to the scripts. When running under suPHP you can be almost certain (always test!) that chmod 640 is ample. In fact, with suPHP's default configuration a script that is group- or world-writable is refused outright rather than run, so 666 does not merely loosen things, it breaks them.

And finally…

These scripts and advice are offered entirely without warranty of any kind. Don't fool about in a production environment! One thing to keep in mind: the script runs chmod as root on paths inside directories the account holder controls, and chmod follows symlinks. A user who swaps a listed directory or file for a symlink in the window between find listing it and chmod touching it can get root to change the mode of something else on the box. If that matters on your server, run the chmod step as the account owner (for example via su) so that it can only ever affect that account's own files.

Oh, and the script… of course!

#!/bin/bash
###################################################################
##  Simple suPHP permissions checker                             ##
###################################################################
##  ALL RIGHTS RESERVED  --  Free Use of this script is          ##
##  permitted as long as this script is not commercially         ##
##  sold and this header is retained.                            ##
##                                                               ##
##  Users of this script accept all liability for its use.       ##
###################################################################
###########################
##  Assign temp file etc ##
###########################
# mktemp creates the file with an unpredictable name and mode 0600, so a
# local user cannot pre-create or symlink /tmp/healthchk.<pid>.tmp ahead
# of us; the EXIT trap removes it however the script ends.
TMPFILE="$(mktemp /tmp/healthchk.XXXXXX)" || exit 1
trap 'rm -f "${TMPFILE}"' EXIT
 
# Setup time delay as integer (seconds to pause between accounts)
typeset -i DELAY=1
# set pwd to tmp
cd /tmp || exit 1
 
###########################
##  Reset temp file      ##
###########################
setup_temp_file() {
   : > "$1"              # truncate in place rather than rm + recreate
   /bin/chmod 0600 "$1"
}
 
##########################################################
##  SCRIPT BEGINS HERE                                  ##
##########################################################
 
echo "This script will check all home directories for bad folder and php file permissions..."
 
unset CPUSER CPHOME
 
# /var/cpanel/users holds one file per account.  Skip the system accounts
# and anything containing a dot or a backtick (substring match, as before).
/bin/ls -- /var/cpanel/users | /bin/grep -vE '[.`]|cpanel|root|mysql|nobody' | while IFS= read -r CPUSER; do
   # getent matches the account name exactly; an unanchored grep of
   # /etc/passwd for "bob:" would also hit "frobob:..." or a GECOS field.
   CPHOME="$(getent passwd "${CPUSER}" | cut -d':' -f6)"
   if [ -z "${CPHOME}" ]; then
      echo "No passwd entry for ${CPUSER}, skipping"
      continue
   fi
   CPHOME="${CPHOME}/public_html"
   echo -e "\nChecking user ${CPUSER} - home directory = ${CPHOME}"
   sleep "${DELAY}"   # Slow things down so you can see dialog message
   echo "Checking ${CPHOME} ... "
   if [ -d "${CPHOME}" ]; then
 
     ###########################################
     ## Fix Folders with BAD Permissions      ##
     ###########################################
     setup_temp_file "${TMPFILE}"
 
     echo "Looking for BAD Folder Permissions for ${CPUSER}"
     # -user: only touch things this account owns.  -print0 and read -d '':
     # names containing spaces or newlines reach chmod intact.
     /usr/bin/find "${CPHOME}" -user "${CPUSER}" -type d -perm /022 -print0 >> "${TMPFILE}" 2> /dev/null
     while IFS= read -r -d '' TARGET; do
       echo "Updating Folder: ${TARGET}"
       # NB: chmod follows symlinks; a path swapped for a symlink after
       # find listed it is followed.  Run this as the owner if that matters.
       /bin/chmod 755 "${TARGET}"
     done < "${TMPFILE}"
     # sleep 1
 
     ###########################################
     ## Fix PHP Scripts with BAD Permissions  ##
     ###########################################
     setup_temp_file "${TMPFILE}"
 
     echo "Looking for BAD Script Permissions for ${CPUSER}"
     /usr/bin/find "${CPHOME}" -user "${CPUSER}" -type f -name '*.php' -perm /137 -print0 >> "${TMPFILE}" 2> /dev/null
     while IFS= read -r -d '' TARGET; do
       echo "Updating PHP Script: ${TARGET}"
       /bin/chmod 640 "${TARGET}"
     done < "${TMPFILE}"
     # sleep 1
   fi
done
##  Clean up any trace (the EXIT trap does this too)
rm -f "${TMPFILE}"
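The two find tests above are easy to get wrong by one octal digit, and the advice above is to test first. What follows is an added example, not the original script or anything from cPanel: it packages the same policy (directories to 755 when group- or world-writable, .php files to 640 when -perm /137 matches) as functions with a report-only mode, and builds a small constructed tree (the names under site/ are invented for the demo) so the policy can be exercised on scratch data before it is pointed at a real public_html. It assumes bash and GNU findutils/coreutils (find -printf and -perm /, stat -c), as found on a Linux cPanel box.

```bash
#!/bin/bash
# Added example (not the original script): the post's permission policy as
# functions with a report-only mode, plus a constructed demo tree.
# Assumes bash and GNU find/stat/chmod (Linux).
#
# Policy, same find tests as the post:
#   directories : any write bit for group or other  (-perm /022) -> 755
#   *.php files : u=x, g=w, g=x or any o bit         (-perm /137) -> 640
set -u

# Pure policy check: given the kind ("d" or "f"), current octal mode and
# basename of one entry, print the mode it should have, or nothing if the
# entry already complies.  The leading 0 makes bash read the mode as octal.
wanted_mode() {
    local kind=$1 mode=$2 name=$3
    case $kind in
        d) if (( 0$mode & 0022 )); then echo 755; fi ;;
        f) if [[ $name == *.php ]] && (( 0$mode & 0137 )); then echo 640; fi ;;
    esac
}

# Report-only pass: one line "path mode -> wanted" per offending entry.
# -printf with NUL terminators keeps odd file names intact.
audit_tree() {
    local root=$1 kind mode p want
    find "$root" -xdev \( -type d -o -type f -name '*.php' \) -printf '%y %m %p\0' |
    while IFS=' ' read -r -d '' kind mode p; do
        want=$(wanted_mode "$kind" "$mode" "${p##*/}")
        if [[ -n $want ]]; then
            printf '%s %s -> %s\n' "$p" "$mode" "$want"
        fi
    done
}

# Repair pass, using find's own -perm tests.  Afterwards audit_tree must be
# silent; that is the cross-check that both encodings of the policy agree.
fix_tree() {
    local root=$1
    find "$root" -xdev -type d -perm /022 -exec chmod 755 {} +
    find "$root" -xdev -type f -name '*.php' -perm /137 -exec chmod 640 {} +
}

# Constructed sample tree (names invented for the demo): one entry for each
# case the policy has to get right.
make_demo_tree() {
    local root=$1
    mkdir -p "$root/site/inc" "$root/site/uploads"
    : > "$root/site/index.php"
    : > "$root/site/inc/config.php"
    : > "$root/site/inc/db.php"
    : > "$root/site/style.css"
    chmod 755 "$root/site"                # already fine          -> untouched
    chmod 777 "$root/site/uploads"        # world-writable dir    -> 755
    chmod 775 "$root/site/inc"            # group-writable dir    -> 755
    chmod 644 "$root/site/index.php"      # readable by other     -> 640
    chmod 755 "$root/site/inc/db.php"     # executable            -> 640
    chmod 600 "$root/site/inc/config.php" # tighter than 640      -> untouched
    chmod 666 "$root/site/style.css"      # not a .php file       -> untouched
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    demo=$(mktemp -d)
    make_demo_tree "$demo"
    echo "== before =="; audit_tree "$demo"
    fix_tree "$demo"
    echo "== after (expect no output) =="; audit_tree "$demo"
    rm -rf "$demo"
fi
```

Run it as is to see the four offending entries reported, fixed, and the second audit come back empty; point audit_tree at a real public_html (as root, or as the account owner) to get a dry run of what the main script would change without touching anything.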


4 Responses to “Bash Script to scan folders and PHP files for bad permissions”

  1. Matt September 14, 2010 at 2:40 pm #

    Hi Steve, thanks for the script. Is there any chance you could adjust this for non-cPanel servers? I mean just to scan all FTP folders? Thanks!

    • steve September 14, 2010 at 3:39 pm #

      I suppose you could maybe grab a list of users from /etc/passwd, and trim it down to just the usernames, but you would probably also want an exclude list as well, as there will be many accounts that won’t have a public_html set up for apache.

      Maybe changing the opening line of the while loop to something like:

      /bin/cat /etc/passwd | /bin/grep -v "\`\|root\|mysql\|nobody\|anotherexcludeduser" | cut -d':' -f1 | while read -r THEUSER; do
      FTPHOME="$(/bin/grep "^${THEUSER}:" /etc/passwd | cut -d':' -f6)/public_html"

      Obviously go through the rest of the script and change the variable names to suit… Hope that helps.

  2. nazanin June 24, 2010 at 6:33 am #

    Hello my friend

    I need this code to change the permissions of my folders on our host, but I can't work with your code. Please describe for me how it works, as soon as possible.

    Many thanks

    • Steve Sant June 24, 2010 at 7:09 am #

      What bit of the code are you having difficulty with?
