#!/bin/bash # ##### Replace les droits dans les differents repertoires importants pour le serveur ##### # ### $Id: permse3 8406 2015-01-24 22:56:28Z keyser $ ### # if [ "$1" == "--help" -o "$1" == "-h" ] then echo "Aide : Replace les droits dans les differents repertoires" echo "Syntaxe : --full afin de remettre les droits sur tous les repertoires et sous repertoires" echo "Sans argument afin de remettre les droits sur les dossiers les plus importants uniquement." exit 0 fi if [ "$1" == "--full" ]; then OPTION="-R" else OPTION="" fi dbhost=$(expr "$(grep mysqlServerIp /etc/SeConfig.ph)" : ".*'\(.*\)'.*") dbuser=$(expr "$(grep mysqlServerUsername /etc/SeConfig.ph)" : ".*'\(.*\)'.*") dbpass=$(expr "$(grep mysqlServerPw /etc/SeConfig.ph)" : ".*'\(.*\)'.*") dbname=$(expr "$(grep connexionDb /etc/SeConfig.ph)" : ".*'\(.*\)'.*") function SETNETLOGON { #droits sur /home/netlogon if [ -e /home/netlogon ]; then find /home/netlogon/machine/ -name gpoPASSWD -delete chmod -R 755 /home/netlogon chown -R admin:admins /home/netlogon/ chmod g+s /home/netlogon setfacl -b /home/netlogon/ if [ -e /home/netlogon/domscripts/ ]; then chmod 664 /home/netlogon/domscripts/* fi setfacl -R -m u:adminse3:rx /var/se3/Progs/install setfacl -R -m d:u:adminse3:rx /var/se3/Progs/install # Droits sur CPAU chown root:admins /home/netlogon/CPAU.exe chmod 775 /home/netlogon/CPAU.exe fi } if [ "$1" == "netlogon" ]; then SETNETLOGON exit 0 fi chmod 400 /root/.my.cnf # Apache chmod 544 /etc/default/apache2 # Droits sur LDAP chmod 600 /etc/ldap.secret chown root:root /etc/ldap.secret chmod 640 /etc/ldap/slapd.conf chmod 644 /etc/ldap/slapd.pem chmod 644 /etc/pam_ldap.conf chown root:root /etc/pam_ldap.conf chmod 644 /etc/libnss-ldap.conf chown root:root /etc/libnss-ldap.conf chown openldap:openldap /var/run/slapd/ chown -R openldap:openldap /etc/ldap chown -R openldap:openldap /var/lib/ldap # Droits sur admind chown root.root /usr/sbin/admind chmod 750 /usr/sbin/admind # Droits sur les scripts chmod 550 /usr/share/se3/scripts/* chown www-se3.root /usr/share/se3/scripts/* chmod 550 /usr/share/se3/sbin/* chown www-se3.root /usr/share/se3/sbin/* chmod 550 /usr/share/se3/scripts-alertes/* chown www-se3.root /usr/share/se3/scripts-alertes/* chmod 750 /usr/share/se3/scripts/tarCreate chmod 750 /usr/share/se3/includes/* chown www-se3.root /usr/share/se3/includes/* # Droits sudo chmod 0440 /etc/sudoers # Droits CGI chown www-se3.root /usr/lib/cgi-binse/gep*.cgi chown www-se3.root /usr/lib/perl5/Se.pm # Droits sur la sauvegarde chmod -R 750 /etc/save chgrp -R admins /var/se3/save # Droits sur ssmtp chown -R www-se3 /etc/ssmtp # Droits sur cups chown -R www-se3.lpadmin /etc/samba/printers_se3 chmod 770 /etc/samba/printers_se3 chmod -R 775 /var/lib/samba/printers chown -R admin:admins /var/lib/samba/printers chmod 777 /var/spool/samba # Droits sur drivers chown -R admin:root /var/se3/drivers # Droits sur les rep www chown -R www-se3 /var/www/se3 chmod 750 -R /var/www/se3 chmod 400 /var/www/se3/includes/config.inc.php [ -e /var/www/se3/includes/dbconfig.inc.php ] && chmod 400 /var/www/se3/includes/dbconfig.inc.php if [ -e /var/www/se3/includes/privateKey.pyc ] then chmod 440 /var/www/se3/includes/privateKey.pyc chown www-se3.www-data /var/www/se3/includes/privateKey.pyc fi chmod 770 /var/se3/Docs/deploy chown admin.www-data /var/se3/Docs/deploy # Droits sur la cle chown www-se3.root /var/remote_adm chmod 770 /var/remote_adm chmod -R 700 /var/remote_adm/.ssh chown -R www-se3.www-data /var/remote_adm/.ssh if [ -f /var/remote_adm/.ssh/id_rsa.pub ] then chmod 600 /var/remote_adm/.ssh/id_rsa chmod 640 /var/remote_adm/.ssh/id_rsa.pub fi # droits sur /var/log if [ -L /var/log ]; then LOGS_DIR="/var/se3/log" else LOGS_DIR="/var/log" fi chown root ${LOGS_DIR} chown root ${LOGS_DIR}/* chown -R news ${LOGS_DIR}/news chown -R mysql ${LOGS_DIR}/mysql* chown -R www-se3 ${LOGS_DIR}/se3 chmod -R 750 ${LOGS_DIR}/se3 if [ -e ${LOGS_DIR}/clamav ]; then chown -R clamav ${LOGS_DIR}/clamav fi if [ -e ${LOGS_DIR}/squid ]; then chown -R proxy ${LOGS_DIR}/squid fi if [ -e ${LOGS_DIR}/squid3 ]; then chown -R proxy ${LOGS_DIR}/squid3 fi if [ -e ${LOGS_DIR}/dansguardian ]; then chown -R dansguardian /var/log/dansguardian fi if [ -e ${LOGS_DIR}/ocsinventory-NG ]; then chown -R www-se3 ${LOGS_DIR}/ocsinventory-NG fi # mise en place droits sur /home/netlogon SETNETLOGON if [ -e /home/templates ]; then # droits sur les templates chmod 775 /home/templates chown admin:admins /home/templates -R [ ! -e /home/templates/skeluser ] && ln -s /etc/skel/user /home/templates/skeluser chown -R www-se3 /etc/skel/user setfacl -R -m u:www-se3:rwx /home/templates/ 2> /dev/null setfacl -R -m d:u:www-se3:rwx /home/templates/ 2> /dev/null fi #droits pour nut mkdir -p /etc/nut chown -R www-se3 /etc/nut chgrp nut /var/run/nut chgrp nut /var/lib/nut #droits de base sur var/se3 (sauf public enleve volontairement) # setfacl -m d:g::rwx /var/se3/Docs/public chown admin:admins /var/se3 chmod 755 /var/se3 #partage Progs mkdir -p /var/se3/Progs chmod 775 /var/se3/Progs chown $OPTION admin:admins /var/se3/Progs setfacl $OPTION -m g:admins:rwx /var/se3/Progs setfacl $OPTION -m d:g:admins:rwx /var/se3/Progs #ro chown admin:lcs-users /var/se3/Progs/ro chmod 755 /var/se3/Progs/ro setfacl -m d:u::rwx /var/se3/Progs/ro setfacl -m d:g::rx /var/se3/Progs/ro setfacl -m d:o::rx /var/se3/Progs/ro setfacl -m g:admins:rwx /var/se3/Progs/ro setfacl -m d:g:admins:rwx /var/se3/Progs/ro #rw chown admin:admins /var/se3/Progs/rw chmod 775 /var/se3/Progs/rw setfacl -m d:u::rwx /var/se3/Progs/rw setfacl -m d:g::rwx /var/se3/Progs/rw #setfacl -m d:o::rwx /var/se3/Progs/rw # droit sur /var/se3/Progs/install if [ -e /var/se3/Progs/install ]; then chown admin:admins /var/se3/Progs/install [ ! -e /var/se3/Progs/install/domscripts ] && ln -s /home/netlogon/domscripts /var/se3/Progs/install/domscripts setfacl $OPTION -m u:www-se3:rx /var/se3/Progs/install setfacl $OPTION -m d:u:www-se3:rx /var/se3/Progs/install setfacl -R -m u:adminse3:rx /var/se3/Progs/install setfacl -R -m d:u:adminse3:rx /var/se3/Progs/install setfacl -R -m g:admins:rwx /var/se3/Progs/install setfacl -R -m d:g:admins:rwx /var/se3/Progs/install # accès a CPAU pour installation initiale de : inventaire, wpkg... setfacl -m other:x /var/se3/Progs/install fi # inventaire if [ -e /var/se3/Progs/ro/inventory ]; then chown -R admin:admins /var/se3/Progs/ro/inventory setfacl -R -m m:rwx /var/se3/Progs/ro/inventory fi #partage Classes mkdir -p /var/se3/Classes chown www-se3:admins /var/se3/Classes chgrp $OPTION admins /var/se3/Classes chmod 755 /var/se3/Classes #partage Docs mkdir -p /var/se3/Docs chown $OPTION admin:admins /var/se3/Docs chmod 775 /var/se3/Docs chmod 700 /var/se3/Docs/trombine chown admin.admins /var/se3/Docs/trombine # Droits fond ecran, on empeche les petits camarades de voir les fonds des autres (trombi) chmod o=x /var/se3/Docs/media/fonds_ecran chown admin.admins /var/se3/Docs/media/fonds_ecran setfacl $OPTION -m g:admins:rwx /var/se3/Docs setfacl $OPTION -m d:g:admins:rwx /var/se3/Docs setfacl -m g:admins:rwx /var/se3/Docs/trombine setfacl -m g:profs:rx /var/se3/Docs/trombine setfacl -m d:g:admins:rwx /var/se3/Docs/trombine setfacl -m d:g:profs:rx /var/se3/Docs/trombine setfacl -m u:www-se3:rx /var/se3/Docs/trombine setfacl -m d:u:www-se3:rx /var/se3/Docs/trombine setfacl -m d:g::rwx /var/se3/Docs/public #partage Prof mkdir -p /var/se3/prof chown admin.Profs /var/se3/prof chmod 770 /var/se3/prof setfacl -m g:Profs:rwx /var/se3/prof setfacl -m d:g:Profs:rwx /var/se3/prof #unnatended - wpkg chmod 755 /var/se3/unattended chown admin /var/se3/unattended chgrp -R admins /var/se3/unattended chown -R www-se3:admins /var/se3/unattended/install setfacl -R -m u:www-se3:rwx -m d:u:www-se3:rwx /var/se3/unattended/install getent passwd adminse3 >/dev/null && [ -e /var/se3/unattended/install/wpkg/rapports ] && setfacl -R -m u:adminse3:rwx -m d:u:adminse3:rwx /var/se3/unattended/install/wpkg/rapports getent passwd adminse3 >/dev/null && [ -e /var/se3/unattended/install/italc_keys ] && setfacl -R -m u:adminse3:rwx -m d:u:adminse3:rwx /var/se3/unattended/install/italc_keys setfacl -R -m u::rwx -m g::rx -m o::rx -m d:m:rwx -m d:u::rwx -m d:g::rx -m d:o::rx /var/se3/unattended/install if [ -e /var/www/se3/wpkg ]; then chown -R www-se3:www-data /var/www/se3/wpkg chmod 775 /var/www/se3/wpkg/bin/* fi getent passwd unattended >/dev/null && [ -e /var/se3/unattended/install/packages ] && ( setfacl -R -m u:unattend:rx /var/se3/unattended/install/packages setfacl -R -m d:u:unattend:rx /var/se3/unattended/install/packages setfacl -R -m u:www-se3:rx /var/se3/unattended/install/packages setfacl -R -m d:u:www-se3:rx /var/se3/unattended/install/packages ) # Creation si necessaire du dossier d'upload des fichiers XML de l'import de comptes: chmod 770 /var/lib/se3/import_comptes chown www-se3:root /var/lib/se3/import_comptes # Modification du proprio pour permettre une suppression de config specifique pour un poste par www-se3 if [ -e "/tftpboot/pxelinux.cfg" ]; then chown www-se3:root /tftpboot/pxelinux.cfg fi # Droits du dossier de mise a disposition des CSV (optionnel) lors de la generation de comptes: mkdir -p /var/www/se3/setup/csv chmod 770 /var/www/se3/setup/csv chown www-se3:root /var/www/se3/setup/csv # Droits si necessaire du dossier www-tools... utilise a la place de /var/remote_adm dans plusieurs scripts: mkdir -p /etc/se3/www-tools chmod 770 /etc/se3/www-tools chown www-se3:root /etc/se3/www-tools # Droits si necessaire du dossier tmp necessaires aux scripts profils FF / TB mkdir -p /var/www/se3/tmp chmod 770 /var/www/se3/tmp chown www-se3:root /var/www/se3/tmp # Droits necessaires a l'interface fonds d'ecran if [ -e /etc/se3/fonds_ecran ]; then chmod 755 /etc/se3/fonds_ecran chmod 644 /etc/se3/fonds_ecran/* chown -R www-se3:root /etc/se3/fonds_ecran fi exit 0