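#!/bin/sh
# Made by Light Olli for setting correct permissions on clients dirs.
# Easy & simplest.
# License: GNU-like.
# Contacts: olli@digger.org.ru
#
# Marks executables, system and apache configs, binary and library trees as
# immutable (chattr +i) inside the chroot and on the host, makes shell
# history append-only (chattr +a) and locks down user shell rc files.
# Must run as root: chattr +i/+a needs CAP_LINUX_IMMUTABLE.

set -u

###### variables..
# set to "-V" if wanna verbose operations (chattr's verbose flag).
#verbosity="-V"
verbosity=
# chmod knows no -V (it aborts with "invalid option"); map chattr's
# verbosity onto chmod's -v so both tools stay in step.
chmod_verbosity=${verbosity:+-v}

chrootdir=/users/userchroot
virtservers=$chrootdir/usr/local/apache/conf/virtual_servers
# top-level host dir holding the chroot (derived from $chrootdir, i.e. "users");
# skipped on the host pass because the chroot pass already handled it.
chroot_top=${chrootdir#/}
chroot_top=${chroot_top%%/*}

###### helpers..
# $verbosity / $chmod_verbosity are deliberately left unquoted so an empty
# value vanishes instead of becoming an empty argument.

#######################################
# Exit code 0 if NAME ($1) is one of the space-separated words in LIST ($2).
#######################################
is_excluded() {
  for _word in $2; do
    [ "$_word" = "$1" ] && return 0
  done
  return 1
}

#######################################
# Run CMD on the visible (non-dot) entries of DIR, each with SUFFIX appended,
# skipping entries whose basename is listed in EXCLUDES and paths that do
# not exist.  EXTRA paths are handed to CMD as well.  Replaces the old
# `ls | grep -v name` parsing, which dropped every entry merely *containing*
# an excluded name and broke on whitespace in names.
# Arguments: $1 dir, $2 excludes (space separated), $3 suffix, $4 cmd,
#            $5.. extra paths
# Returns:   CMD's status; 0 when no path matched
#######################################
run_on_entries() {
  _dir=${1%/} _excl=$2 _suffix=$3 _cmd=$4
  shift 4
  for _entry in "$_dir"/*; do
    is_excluded "${_entry##*/}" "$_excl" && continue
    [ -e "$_entry$_suffix" ] || continue   # unmatched glob or missing target
    set -- "$@" "$_entry$_suffix"
  done
  [ $# -eq 0 ] || "$_cmd" "$@"
}

#######################################
# chattr +i every regular file under the given dirs that has any execute bit
# set or is setuid/setgid.  This is the old `-perm +4111 -o -perm +2111`
# spelled with the portable `-perm -mode` form, since modern find rejects
# the `+mode` syntax.
#######################################
immutable_executables() {
  find "$@" -type f \
    \( -perm -4000 -o -perm -2000 -o -perm -100 -o -perm -10 -o -perm -1 \) \
    -exec chattr $verbosity +i {} \;
}

#######################################
# chattr +a every .bash_history under the given dirs (append-only: the
# owner can add to but not rewrite or truncate the history).
#######################################
appendonly_history() {
  find "$@" -type f -name .bash_history -exec chattr $verbosity +a {} \;
}

#######################################
# chattr +i every file and directory under the given dirs.
#######################################
immutable_tree() {
  find "$@" \( -type d -o -type f \) -exec chattr $verbosity +i {} \;
}

########## work begins here:
main() {
  if [ "$(id -u)" -ne 0 ]; then
    printf '%s: must run as root (chattr needs CAP_LINUX_IMMUTABLE)\n' "${0##*/}" >&2
    exit 1
  fi

  ### inside the chroot
  # executable binaries must be chattred.
  # user home dirs should be left untouched. Excluding home.
  # we should proceed var separately, excluding spool. Excluding var.
  run_on_entries "$chrootdir" 'proc home var tmp' '' immutable_executables
  # proceeding var: excluding cache & spool.  Only .bash_history is touched
  # here, as before.  NOTE(review): the host-side /var pass below also makes
  # executables immutable -- confirm whether the chroot's var should too.
  run_on_entries "$chrootdir/var" 'spool cache' '' appendonly_history
  # apache configs should be readable by all & chattred
  # (-i first, otherwise the chmod below would fail on immutable files).
  find "$chrootdir/usr/local/apache/conf" -type f -exec chattr $verbosity -i {} \;
  find "$virtservers" -type f -exec chmod $chmod_verbosity a+r {} \;
  chmod $chmod_verbosity a+r "$chrootdir/usr/local/apache/conf/httpd.conf"
  find "$chrootdir/usr/local/apache/conf" -type f -exec chattr $verbosity +i {} \;
  # system configs should be chattred.
  find "$chrootdir/etc" -type f -exec chattr $verbosity +i {} \;
  # those must have no extended attributes:
  chattr $verbosity -i "$chrootdir/etc/mtab" "$chrootdir/etc"
  # dirs & files containing binaries should be chattred.
  immutable_tree "$chrootdir/bin" "$chrootdir/sbin" "$chrootdir/usr/bin" "$chrootdir/usr/sbin"
  # dirs containing libs should be chattred.
  # In $chrootdir/home lib may be only a users ~ - excluding home.
  # In $chrootdir/tmp lib may be only a temp-dir - excluding tmp.
  # $chrootdir/lib/lib is not the thing we're looking for - excluding lib;
  # $chrootdir/lib itself is added explicitly.  Non-existent */lib dirs are
  # skipped by run_on_entries, so no error output needs silencing.
  run_on_entries "$chrootdir" 'proc home tmp lib' /lib immutable_tree "$chrootdir/lib"
  # user ~ binaries shouldn't be in chattr
  find "$chrootdir/home" -type f -exec chattr $verbosity -i {} \;

  ### the host
  # we already made all work under chroot. Excluding /$chroot_top.
  # we must proceed w/ /var separately (spool files shouldn't be touched).
  # Excluding /var.
  run_on_entries / "proc $chroot_top var tmp" '' immutable_executables
  # proceeding var: excluding cache & spool
  run_on_entries /var 'spool cache' '' immutable_executables
  find /etc -type f -exec chattr $verbosity +i {} \;
  chattr $verbosity -i /etc /etc/mtab
  immutable_tree /bin /sbin /usr/bin /usr/sbin
  # all (not only in ~) .bash_history must be set as append-only.
  # NOTE(review): as in the original this only covers /var/* (minus spool and
  # cache) -- widen the start dirs if histories elsewhere should be covered.
  run_on_entries /var 'spool cache' '' appendonly_history

  # All user ~ configs for bash & so on should be mode 440.
  for _rc in .bash_profile .bashrc .bash_logout .screenrc; do
    find "$chrootdir/home" -type f -name "$_rc" -exec chmod $chmod_verbosity 440 {} \;
  done
}

main "$@"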