Yes, you can do so with the following simple Python script. Simply copy it into a file named regenerate_permissions.py in your home directory, and then run it as:
And here is the script:
```python
import os
import subprocess

VERBOSE = True  # Print commands being run ("True") or print only errors ("False")
PERFORM_COMMANDS = False  # Actually perform commands ("True") or just simulate ("False")
primary_user = os.getenv("USER")
home_dir = os.getenv("HOME")
users_and_apps = (
    ('user1', ['app1', 'app2', 'app3']),  # Secondary user named "user1" should have access to apps "app1", "app2", and "app3"
    ('user2', ['app3', 'app4']),  # Secondary user named "user2" should have access to apps "app3" and "app4"
    ('user3', ['app5', 'app6', 'app7']),  # Secondary user named "user3" should have access to apps "app5", "app6", and "app7"
)

def do_cmd(cmd):
    # The definition of do_cmd is missing from the page as captured; this is a reconstruction
    if VERBOSE:
        print(cmd)
    if PERFORM_COMMANDS and subprocess.call(cmd, shell=True) != 0:  # shell=True so "webapps/*" is expanded
        print("Error: command failed: %s" % cmd)

do_cmd("setfacl -R -b %s/webapps" % home_dir)  # Clear all ACL permissions first
for (user, apps) in users_and_apps:
    do_cmd("setfacl -m u:%s:--x %s" % (user, home_dir))  # Give secondary user --x access to $HOME
    do_cmd("setfacl -m u:%s:--- %s/webapps/*" % (user, home_dir))  # Remove access for secondary user from all apps
    for app in apps:
        do_cmd("setfacl -R -m u:%s:rwx %s/webapps/%s" % (user, home_dir, app))  # Give secondary user access to this app
        do_cmd("setfacl -R -m d:u:%s:rwx %s/webapps/%s" % (user, home_dir, app))  # Give secondary user access to new files created in this app
        do_cmd("chmod g+s %s/webapps/%s" % (home_dir, app))  # Cause binaries executed in this app to run as the primary user
        do_cmd("setfacl -R -m d:u:%s:rwx %s/webapps/%s" % (primary_user, home_dir, app))  # Give primary user access to new files created in this app
```
Hope that helps!
Be sure to set PERFORM_COMMANDS = True after testing the output so that the commands are actually run instead of merely printed to the screen.
Note: This won't help you if you actually have directories and files owned by users besides your primary user, and then you try to change the permissions on those files to be something different than they were. In that case, the only option is to open a support ticket and ask us to chown all of your webapps to your primary user. That's no problem.
This shouldn't typically be an issue - it's only needed when you're trying to change permissions on a directory which is owned by another user. Typically, you're just adding new users or adding new applications for an existing user, and not making changes to an existing application.
Disclaimer: this script comes with no warranty, so read and understand it before using it.
Jun 15 '12 at 04:37
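An added example, not part of the original answer: once the script has run with PERFORM_COMMANDS = True, the result can be audited by parsing `getfacl ~/webapps/*` output and comparing each secondary user's effective rights with the mapping. The function names, the sample output and the account name "primary" are assumptions made for this illustration.

```python
import re

# Same shape as users_and_apps in the answer's script (its first two placeholder entries).
USERS_AND_APPS = (('user1', ['app1', 'app2', 'app3']), ('user2', ['app3', 'app4']))

# Constructed, abridged `getfacl ~/webapps/*` output; "primary" is a made-up account name.
SAMPLE = """\
# file: home/primary/webapps/app1
# owner: primary
user::rwx
user:user1:rwx
user:user2:---
mask::rwx
default:user:user1:rwx

# file: home/primary/webapps/app4
# owner: primary
user::rwx
user:user1:r-x
user:user2:rwx\t\t#effective:r-x
mask::r-x
"""

def parse_getfacl(text):
    """Map path -> {named user: effective perms} from access (non-default) entries."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file: "):
            current = acls.setdefault(line[len("# file: "):], {})
        m = re.match(r"user:([^:]+):([rwx-]{3})(?:\s+#effective:([rwx-]{3}))?$", line)
        if m and current is not None:
            # getfacl appends "#effective:" when the mask narrows an entry; prefer it.
            current[m.group(1)] = m.group(3) or m.group(2)
    return acls

def audit(acls, users_and_apps):
    """Return (user, app, actual, expected) for each entry that differs from the mapping."""
    findings = []
    for path, entries in sorted(acls.items()):
        app = path.rstrip("/").rsplit("/", 1)[-1]
        for user, apps in users_and_apps:
            expected = "rwx" if app in apps else "---"
            actual = entries.get(user)  # None means no named entry for this user
            if actual != expected:
                findings.append((user, app, actual, expected))
    return findings

if __name__ == "__main__":
    print(audit(parse_getfacl(SAMPLE), USERS_AND_APPS))
```

An empty list means every audited app directory matches the mapping; in the sample, app4 is flagged twice, once for a user who should have no access and once for a user whose rwx entry is narrowed by the mask.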