Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
permissions rules format
# Default Linux filesystem permission rules.
#
# This is an experimental configuration format for applying filesystem permissions
# after pushing fs data from git. Since git doesn't support more than very simple permissions
# something like this is needed afterwards. The goals here are to be terse, parseable at a glance,
# and comprehensive for basic unix. The "unix" prefix is there so that other models like "pacl"
# (POSIX ACL) can be added in later if it becomes necessary.
#
# format: unix <path>:<dir mode>:<file mode>:<owner>:<group>:<depth>
# path, required, a path on the filesystem, must start with /
# directory mode, optional, in octal
# file mode, optional, in octal
# owner, optional - default root, user id or name, multiple names can be separated by pipes
# group, optional - default root, group id or name, multiple names can be separated by pipes
# depth, optional - default 1, * means recursive, within a single filesystem
#
# * multiple names are looked up in order via NSS until one exists and that one is used, always in order
# * whitespace is stripped - if you need some, use %20
# * rules are _always_ processed in order and will be condensed ahead of time so permissions don't flap
# * permissions are checked before applying to prevent unnecessary inode writes
# ** this also makes logging changes for audit a natural outcome
# * filesystem boundaries are never crossed on recurse (where detectable, and every effort is made to do so)
#
unix / 555::0:0:
unix /lost+found 700:400:0:0:*
unix /bin 755:755:0:0:*
unix /sbin 755:755:0:0:*
unix /lib 755:755:0:0:*
unix /lib64 755:755:0:0:*
unix /lib32 755:755:0:0:*
unix /lib/firmware 755:644:0:0:*
unix /usr/bin 755:755:0:0:*
unix /usr/sbin 755:755:0:0:*
unix /usr/lib 755:755:0:0:*
unix /usr/lib64 755:755:0:0:*
unix /usr/lib32 755:755:0:0:*
unix /usr/local/bin 755:755:0:0:*
unix /usr/local/sbin 755:755:0:0:*
unix /usr/local/lib 755:755:0:0:*
unix /usr/local/lib64 755:755:0:0:*
unix /usr/local/lib32 755:755:0:0:*
unix /etc 755:644:0:0:*
unix /etc/ssl/private 700:600:0:0
unix /etc/sudoers.d 750:640:0:sre|root:*
unix /etc/skel/.ssh 700:600:0:0:*
unix /etc/shadow :400:0:0:
unix /tmp 1777: :0:0:1
unix /usr 755:644:0:0:*
unix /opt 755: :0:0:1
unix /proc 555: :0:0:1
unix /root 700: :0:0:1
unix /root/.ssh 750: :0:sre|wheel|admin:1
unix /root/.ssh/authorized_keys :600:0:0:
unix /srv 755::0:0:1
unix /var 755:644:0:0:*
unix /var/tmp 1777::0:0:1
unix /var/lock 775::0:0:1
unix /var/db/sudo 700:0:0
unix /var/cache/ldconfig 700:0:0
unix /var/lib/xend/storage 700:0:0
unix /var/lib/xend/domains 700:0:0
unix /var/lib/ntp 755:ntp:ntp
unix /var/run/xend 700:0:0
unix /var/run/openldap 755:ldap|openldap:ldap|openldap
unix /var/run/screen 775:0:eng|sre|wheel|admin
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment