Need a script to create file permission change restriction

Hello,

I am looking for a UNIX shell script which can help me with access restriction.

1) In /home/ram there are a number of files with the .txt extension, which should be owned only by the "ram" user,
as below:

ls -lrt *.txt
-rwx------ 1 ram dba 11 Jan  4  2015 PASS1.txt
-rwx------ 1 ram dba 10 Jan  4  2015 PASS2.txt
-rwx------ 1 ram dba 10 May 10  2015 PASS3.txt
-rwx------ 1 ram dba 13 Jan 10 03:37 PASS4.txt

2) In case the ram user, fortunately/unfortunately, makes any permission change, an email group should immediately get an alert.

3) The file permissions for the .txt files should immediately go back to the same permissions (-rwx------), meaning the ram user alone will have "rwx" and no one else.

Let me explain with an example:

ls -lrt *.txt
-rwx------ 1 ram dba 11 Jan  4  2015 PASS1.txt
-rwx------ 1 ram dba 10 Jan  4  2015 PASS2.txt
-rwx------ 1 ram dba 10 May 10  2015 PASS3.txt
-rwx------ 1 ram dba 13 Jan 10 03:37 PASS4.txt

If you see, as of now the ram user alone has 'rwx'. Now, unfortunately, ram executes chmod 777 *.txt, and then all *.txt files will have 777 permissions.
If any permission-change command for a .txt file (apart from ram --> "rwx") is executed in that particular directory,
then the email group should immediately get an alert, and the file permissions should be changed back to only "-rwx------".

Please advise a script.

Regards,

Let's make things clear
1) a shell script is NOT a monitoring tool

2) You cannot stop a user typing chmod 777 *.txt unless you restrict that user with a chroot or restricted shell or... OR that user is generic and no one is to use that account

And for that, even if we gave you a script, apart from that specific user only root can do that, and since that user can do the job, why write a script to type chmod 700 *.txt?


Thanks for the reply. Let me try again to explain more about the issue.

All of us DBAs log in with the 'ram' user only and do our DBA administration activity.

Now let's say we are 5 DBAs, and any one of them unfortunately fires the "chmod * .txt" command under the /home/ram directory where those 4 txt files exist.

Now in this case what would happen is that all users and group members have read, write and execute privileges.

I am looking for a script which executes at a regular interval, scheduled by a cron job, and checks those .txt files; in case they are found with any other permission, the other DBAs should get an alert immediately so a DBA can take appropriate action ASAP.

Regards,

---------- Post updated at 04:41 PM ---------- Previous update was at 04:34 PM ----------

My understanding is this: I am thinking of making a kind of shell script which can monitor those 4 files via a cron job, so that in case someone changes the permissions, we could at least get an email alert and take appropriate action.

Looking for your advice to help us fight this kind of issue. We are OK with the resolution and will try to apply it accordingly, so please test the case and advise accordingly.

Regards,

If I were the admin, you would all have your own account and would have to use sudo to that user... I generally then have scripts to log the activity in .sh_history per user (OK, it's not perfect and I cannot stop people bypassing it, or let's say I don't have the time to go and keep on modifying things... and it works in 85% of cases).
Maybe if you explained more about what makes those files so special, why they need 700 perms, etc., we could try to think of some alternatives/solutions...
You didn't say what perms are on that home directory either... so we can have a more complete understanding...


Hi.

If you are using a Linux system, then the inotify feature can be of use.

What are you using? -- always a good thing to tell people when you ask a question.

Best wishes ... cheers, drl

That's true. We log in with our personal account and then connect as below for our DBA activity:
sudo su - ram
password : ****

Now, in case any one of the DBAs fires chmod 777 or 755 *.txt under that particular directory, the file permissions will get changed. I want that, in case anyone changes the file permissions for *.txt under that particular directory, an alert email goes to dba_group@xxx.com.

Please advise.

What is so special about those files? You worry about perms changes and not content changes? (weird...)
We can't help you think of a possible solution with just the little information you have given so far...
1) What are those files?
2) Are the DBAs to modify/read/write them (because of the perms you want...)?
3) If it's a software that does this, can't they be put elsewhere, somewhere safer?
...

Hi Friends,

I need your help with UNIX shell scripting. I need to prepare a script, executed by unix crontab, to check file and directory permissions and change the permissions if necessary.

Under /u01/ram/ there are a number of files, of which a few are .txt extension files, as below.

oraclprd:#ls -lrt *.txt
-rwx------ 1 ram dba 10 Nov 24  2014 bankfile.txt
-rwx------ 1 ram dba 10 Apr  4  2015 propertyfile.txt
....
..
..

Normally those *.txt files should always have 700 permission, but sometimes some user who is part of the dba group by mistake changes the file permission to anything like 755 or 777 etc.

My need is: if the permission of a *.txt file under the /u01/ram/ folder gets changed, then

the shell script should perform the actions below
----------------------------------------
give output listing which files got changed (i.e. do not have 700 permission),
then
change the file permission to 700 for those files which have the wrong permission,
and then send the output by mail for those files with their current file permission.

Appreciate your help..

Regards,
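One way to implement the cron-driven check described in this post (and the alert/reset requirements of the opening post), as an added example that is not part of the thread and not code from any of the participants. It assumes the directory /u01/ram, the owner ram and a placeholder mail address dba_group@example.com; all three are read from environment variables so they can be changed without editing the script. The script reports every *.txt file whose mode is not 0700 or whose owner is not the expected user, resets the mode (ownership is only reported, since only root can chown), and sends mail only when something drifted, so a clean run stays silent.

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven audit of *.txt files in one
# directory. Reports every file whose mode is not 0700 or whose owner is not the
# expected user, resets the mode to 0700, and mails the report only when drift
# was found. Directory, user and mail address below are placeholder assumptions.
WATCH_DIR="${WATCH_DIR:-/u01/ram}"
EXPECTED_USER="${EXPECTED_USER:-ram}"
EXPECTED_MODE="700"
MAIL_TO="${MAIL_TO:-dba_group@example.com}"   # placeholder address

# Octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Owner name of a file (same GNU/BSD fallback).
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_dir DIR: print one line per *.txt file that drifted from the expected
# state, restore mode 0700 on those files, and return 1 if anything drifted,
# 0 if the directory was clean. Ownership is reported but not changed: only
# root can chown, and a wrong owner is something a person should look at.
check_dir() {
    dir="$1"
    drift=0
    for f in "$dir"/*.txt; do
        [ -f "$f" ] || continue            # unmatched glob or non-regular file
        mode=$(file_mode "$f")
        owner=$(file_owner "$f")
        if [ "$mode" != "$EXPECTED_MODE" ]; then
            printf '%s: mode %s, expected %s; resetting\n' "$f" "$mode" "$EXPECTED_MODE"
            chmod "$EXPECTED_MODE" "$f"
            drift=1
        fi
        if [ "$owner" != "$EXPECTED_USER" ]; then
            printf '%s: owner %s, expected %s; not changed\n' "$f" "$owner" "$EXPECTED_USER"
            drift=1
        fi
    done
    return "$drift"
}

# run_audit: audit WATCH_DIR and mail the report only if there was drift.
# The report also goes to stdout so cron keeps its own copy in its log/mail.
run_audit() {
    report=$(check_dir "$WATCH_DIR") && return 0
    printf '%s\n' "$report"
    printf '%s\n' "$report" | mail -s "Permission drift under $WATCH_DIR" "$MAIL_TO"
}

# Only run the audit when the watched directory exists, so the file can also be
# sourced for testing without touching anything.
if [ -d "$WATCH_DIR" ]; then
    run_audit
fi
```

Installed as, say, /usr/local/bin/txt_perm_audit.sh and run from the ram user's crontab with a line such as `*/5 * * * * /usr/local/bin/txt_perm_audit.sh`, this gives the "detect, reset, mail" loop the post asks for. Note the limitation the other replies point out: a cron pass only sees the state at the moment it runs, so a change made and reverted between two runs leaves no trace here; the inotify approach mentioned earlier in the thread is event-driven and catches the change itself, at the cost of being Linux-specific.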

You did not reply to my previous post (#7)...
Before writing a cron job to change those files, you must know what they are and how important they are (content), as we just see files with a txt extension...

What if your cron does change the perms, only the files are not the same? How are you going to trace it? Certainly it will be too late, as cron did what you wanted, and by the time you find you are in trouble you have no more logs to look at..
Reply to post 7 first so we can suggest an adequate solution