Yanz mini Shell

Action

[*] New File
[*] New Folder

Sensitive File

[*] /etc/passwd
[*] /etc/shadow
[*] /etc/resolv.conf

#!/bin/bash
# Script to fix permissions of accounts
# Original written by: Vanessa Vasile 5/13/10
# http://thecpaneladmin.com
# Added features by: awalilko@liquidweb.com
version=4.6

#ensure we are using bash
[ "$(ps h -p "$$" -o comm)" != "bash" ] && exec bash $0 $*

#set default mode
mode=pubhtml

#set acl storage folder
aclfolder=/tmp/fixperms/

helptext() {
	echo "fixperms version $version
Correct user account permissions to align to control panel standards.
Automatically detects proper server type and adjusts fixes performed.
Back up ACLs before running repairs to $aclfolder.

USAGE
On a cPanel or InterWorx server, usernames are accepted.
cPanel usage:
bash fixperms.sh [-d|-f|-m] [-a|username [username...]]

In a Plesk Linux server, domain names are accepted.
Plesk usage:
bash fixperms.sh [-d|-f|-m] [-a|domain [domain...]]

On a MWPv2 server, usernames in the format s[0-9]+ are accepted.
MWPv2 usage:
bash fixperms.sh [-a|username [username...]]

-h		display help text
	-a		all users
	-d		docroot mode, affect just site docroots (default)
	-m		mail mode, only affect mail-related files
	-f		full mode, affect entire user homedir
	-u filename.gz	'undo' mode, feed a filepath to restore ACLs
			no username required for undo mode.
"
}

if [ "$#" -lt "1" ]; then #no arguments passed
	helptext
	exit
fi

while getopts :fdmahu: opt; do #parse cli arguments
	case $opt in
	h)
		helptext
		exit
		;;
	a)
		allusers=1
		;;
	f)
		mode=full
		;;
	d)
		mode=pubhtml
		;;
	m)
		mode=mail
		;;
	u)
		undo=1
		file=$OPTARG
		;;
	\?)
		echo "Invalid option: -$OPTARG"
		helptext
		exit
		;;
	:)
		echo "Option -$OPTARG requires an argument!"
		helptext
		exit
		;;
	esac
done

cpaneluserlist() { #compile a userlist for cpanel servers
	if [ $allusers ]; then
		echo "Adding all users to userlist..."
		userlist=$(\ls -A /var/cpanel/users/ | egrep -v "\b(root|bin|nobody|cpanel|halt|system)\b")
	else
		shift $((OPTIND - 1))
		userlist=$(echo $@)
	fi
	if [ "$userlist" = "" ] || [[ $(echo $userlist | egrep "\b(root|bin|nobody|cpanel|halt|system)\b") ]]; then
		echo "Invalid user or no user specified."
		helptext
		exit
	fi
}

pleskuserlist() { #compile a userlist for plesk server
	if [ $allusers ]; then
		echo "Adding all users to userlist..."
		userlist=$(plesk bin subscription -l)
	else
		shift $((OPTIND - 1))
		userlist=$(echo $@)
	fi
	if [ "$userlist" = "" ]; then
		echo "Invalid user or no user specified."
		helptext
		exit
	fi
}

mwpv2userlist() { #compile a userlist for MWPv2 servers
	if [ $allusers ]; then
		echo "Adding all users to userlist..."
		userlist=$(egrep ^s[0-9]+ /etc/passwd | awk -F: '{print $1}')
	else
		shift $((OPTIND - 1))
		userlist=$(echo $@)
	fi
	if [ "$userlist" = "" ]; then
		echo "Invalid user or no user specified."
		helptext
		exit
	fi
}

iwxuserlist() { #compile userlist for iwx
	if [ $allusers ]; then
		echo "Adding all users to userlist..."
		userlist=$(nodeworx -u -c Siteworx -a listAccounts -n | awk '{print $2}' | sort)
	else
		shift $((OPTIND - 1))
		userlist=$(echo $@)
	fi
	if [ "$userlist" = "" ] || [[ $(echo $userlist | egrep "\b(root|bin|nobody|halt|system|iworx|vpopmail)\b") ]]; then
		echo "Invalid user or no user specified."
		helptext
		exit
	fi
}

cpanelexecute() { #cpanel fix execution
	for user in $userlist; do
		HOMEDIR=$(egrep ^${user}: /etc/passwd | cut -d: -f6)
		if [ ! -f /var/cpanel/users/$user ]; then
			echo "$user user file missing, likely an invalid user"
		elif [ "$HOMEDIR" == "" ]; then
			echo "Couldn't determine home directory for $user"
		else
			echo "Processing $user..."
			backupacl
			if [ "$mode" = "full" ]; then
				echo "Running full mode..."
				chown -hR $user:$user $HOMEDIR
				chgrp -h nobody $HOMEDIR/public_html $HOMEDIR/.htpasswds
				cpaneldocroot
				cpanelmail

find $HOMEDIR -type f ! -path "*/mail/*" ! -path "*/.ssh/*" ! -perm 000 -exec chmod 644 {} \;
				find $HOMEDIR -type d ! -path "*/mail/*" ! -path "*/.ssh/*" ! -perm 000 -exec chmod 755 {} \;
				find $HOMEDIR -type d ! -path "*/mail/*" ! -path "*/.ssh/*" -name cgi-bin -exec chmod 755 {} \;
				find $HOMEDIR -type f $ -name "*.pl" -o -name "*.perl" -o -name "*.cgi" $ ! -perm 000 ! -path "*/mail/*" ! -path "*/.ssh/*" -exec chmod 755 {} \;
				chmod 750 $HOMEDIR/public_html
				chmod 711 $HOMEDIR
				for docroot in $(grep \ $user\=\= /etc/userdatadomains | awk -F"==" '{print $5}' | grep $HOMEDIR); do
					chmod 750 $docroot
				done

if [ -d "$HOMEDIR/.cagefs" ]; then
					chmod 775 $HOMEDIR/.cagefs
					chmod 700 $HOMEDIR/.cagefs/tmp
					chmod 700 $HOMEDIR/.cagefs/var
					chmod 777 $HOMEDIR/.cagefs/cache
					chmod 777 $HOMEDIR/.cagefs/run
				fi

cpanelhtaccess
			elif [ "$mode" = "mail" ]; then
				echo "Running mail mode..."
				cpanelmail
			else #pubhtml mode
				echo "Running docroot mode..."
				cpaneldocroot

for docroot in $(grep \ $user\=\= /etc/userdatadomains | awk -F"==" '{print $5}' | grep $HOMEDIR); do
					find $docroot -type f ! -path "*/mail/*" ! -path "*/.ssh/*" ! -perm 000 -exec chmod 644 {} \;
					find $docroot -type d ! -path "*/mail/*" ! -path "*/.ssh/*" ! -perm 000 -exec chmod 755 {} \;
					find $docroot -type d ! -path "*/mail/*" ! -path "*/.ssh/*" -name cgi-bin -exec chmod 755 {} \;
					find $docroot -type f $ -name "*.pl" -o -name "*.perl" -o -name "*.cgi" $ ! -perm 000 -exec chmod 755 {} \;
					chmod 750 $docroot
				done

cpanelhtaccess
			fi
			echo "$user done!"
		fi
	done
}

cpaneldocroot() {
	for docroot in $(grep \ $user\=\= /etc/userdatadomains | awk -F"==" '{print $5}' | grep $HOMEDIR); do
		chown -hR $user:$user $docroot
		chgrp -h nobody $docroot
	done
}

cpanelmail() {
	chown -hR $user:$user $HOMEDIR/etc $HOMEDIR/mail
	chown -h $user:mail $HOMEDIR/etc $HOMEDIR/etc/*/shadow $HOMEDIR/etc/*/passwd
	find $HOMEDIR/mail/ -type d -exec chmod 751 {} \;
}

cpanelhtaccess() {
	for docroot in $(grep \ $user\=\= /etc/userdatadomains | awk -F"==" '{print $5}' | grep $HOMEDIR); do
		find $docroot -name .htaccess -exec sed -i 's/^\s*php_/#php_/g' {} \;
	done
}

pleskexecute() { #plesk fix execution
	for domain in $userlist; do
		user=$(plesk bin subscription -i $domain | grep FTP\ Login | awk '{print $3}')
		HOMEDIR=$(egrep ^${user}: /etc/passwd | cut -d: -f6)
		if [ "$HOMEDIR" == "" ]; then
			echo "Couldn't determine username or homedir for $domain"
		else
			echo "Processing $domain..."
			backupacl
			if [ "$mode" = "full" ]; then
				echo "Full mode not ready for plesk, running docroot and mail modes..."
				for docroot in $HOMEDIR/httpdocs/; do
					chown -hR $user:psacln $docroot
					chgrp -h psaserv $docroot
					find $docroot -type f ! -perm 000 -exec chmod 644 {} \;
					find $docroot -type d ! -perm 000 -exec chmod 755 {} \;
					chmod 750 $docroot
				done
				chown -R popuser:popuser /var/qmail/mailnames/$domain
			elif [ "$mode" = "mail" ]; then
				echo "Running mail mode..."
				chown -R popuser:popuser /var/qmail/mailnames/$domain
			else
				echo "Running docroot mode..."
				for docroot in $HOMEDIR/httpdocs/; do
					chown -hR $user:psacln $docroot
					chgrp -h psaserv $docroot
					find $docroot -type f ! -perm 000 -exec chmod 644 {} \;
					find $docroot -type d ! -perm 000 -exec chmod 755 {} \;
					chmod 750 $docroot
				done
			fi
			echo "$domain done!"
		fi
	done
}

mwpv2execute() { #MWPv2 fix execution
	for user in $userlist; do
		echo "Processing $user..."
		backupacl
		chown -R $user. /home/$user/html/
		chown $user:www-data /home/$user/html
		chown $user:www-data /home/$user/nginx
		chown -R root. /home/$user/html/wp-content/mu-plugins/
		chown root:$user /home/$user/html/wp-content/mu-plugins
		find /home/$user/html/ -type f -exec chmod 644 '{}' \;
		find /home/$user/html/ -type d -exec chmod 755 '{}' \;
		chmod 1775 /home/$user/html/wp-content/mu-plugins
		chmod 750 /home/$user/html /home/$user/nginx
		echo "$user done!"
	done
}

iwxexecute() { #interworx fix execution
	for user in $userlist; do
		HOMEDIR=$(egrep ^${user}: /etc/passwd | cut -d: -f6)
		if [ "$HOMEDIR" == "" ]; then
			echo "Couldn't determine homedir for $user"
		else
			echo "Processing $user..."
			domlist=$(sudo -u $user siteworx -u -c DomainsSlave -a list -n 2>/dev/null)
			[ ! "$domlist" ] && domlist=$(sudo -u $user siteworx -u -c Overview -a listMasterDomain -n 2>/dev/null)
			backupacl
			if [ "$mode" = "full" ]; then
				chown -fhR $user:$user $HOMEDIR
				[ -e $HOMEDIR/.pki ] && chmod 740 $HOMEDIR/.pki
				[ -e $HOMEDIR/cron ] && chmod 600 $HOMEDIR/cron
				iwxdocroot
				chmod 711 $HOMEDIR
				iwxvar
			elif [ "$mode" = "mail" ]; then
				iwxvar
			else #pubhtml mode
				iwxdocroot
				chown -fhR $user:$user $HOMEDIR/public_html
			fi
		fi
	done
}

iwxdocroot() {
	for dom in $domlist; do
		local path=/home/$user/$dom/html
		chown -fhR $user:$user $path
		chgrp -h nobody $path
		find $path -type f ! -path "*/.pki/*" ! -path "*/.ssh/*" ! -perm 000 -exec chmod 644 {} \;
		find $path -type d ! -path "*/.pki/*" ! -path "*/.ssh/*" ! -perm 000 -exec chmod 755 {} \;
		chmod 2711 $path
	done
}

iwxvar() {
	for dom in $domlist; do
		/usr/local/interworx/bin/varpermsfix.pex --siteworx=$dom
	done
}

backupacl() { #store ACLs
	mkdir -p $aclfolder
	echo "Backing up ACL for $user into $aclfolder..."
	local timestamp=$(date +%d%b%Y.%H%M)
	case $servertype in
	cp | iwx)
		getfacl -R --absolute-names $HOMEDIR | gzip >$aclfolder/$user.$timestamp.facl.gz
		;;
	plesk)
		getfacl -R --absolute-names $HOMEDIR | gzip >$aclfolder/$domain.$timestamp.facl.gz
		;;
	mwpv2)
		getfacl -R --absolute-names /home/$user | gzip >$aclfolder/$user.$timestamp.facl.gz
		;;
	esac
}

#select undo mode (universal) or correct control panel automatially
if [ $undo ]; then
	# since you are restoring an acl file fixperms made, its assumed acl tools are already installed
	[ ! -f $file ] && echo "This doesn't look like a file... Make sure you pass a full path." && exit
	[[ ! "$file" =~ .*\.gz$ ]] && echo "This doesn't look like a .gz file... Be sure to not unzip it first!" && exit
	echo "Undoing!"
	pushd / &>/dev/null
	gunzip $file
	setfacl --restore ${file%.gz}
	gzip ${file%.gz}
	popd &>/dev/null
	exit
elif [ -f /etc/wwwacct.conf ]; then
	echo "cPanel server detected"
	! rpm --quiet -q acl && echo "Installing acl package..." && yum -y -q install acl
	servertype=cp
	cpaneluserlist $*
	cpanelexecute
elif [ -f /etc/psa/.psa.shadow ]; then
	echo "Plesk server detected"
	! rpm --quiet -q acl && echo "Installing acl package..." && yum -y -q install acl
	servertype=plesk
	pleskuserlist $*
	pleskexecute
elif [ -f /etc/debian_version ] && docker ps | grep -q liquidweb; then
	echo "MWPv2 server detected"
	! dpkg -s acl &>/dev/null && echo "Installing acl package..." && apt-get -y -qq install acl
	servertype=mwpv2
	mwpv2userlist $*
	mwpv2execute
elif [ -d /usr/local/interworx/ ]; then
	echo "InterWorx server detected"
	! rpm --quiet -q acl && echo "Installing acl package..." && yum -y -q install acl
	servertype=iwx
	iwxuserlist $*
	iwxexecute
else
	echo "Can't detect server type."
	helptext
fi