How to recursively change the owner and group on a directory with Chef?
You can set the default action to nothing, then have resources that may screw things up notify the perm fixer:

    execute "chown-data-www" do
      command "chown -R www-data:www-data /var/www/myfolder"
      user "root"
      action :nothing
    end

    # placeholder for any resource that may change ownership under the directory
    resource "that may screw up perms" do
      stuff "one two three"
      notifies :run, "execute[chown-data-www]"
    end
With more options you could have the action :run but not if the parent folder is already the correct perms. You could alter this to include a deeper/problem file/directory, or with a find command similar to this

    execute "chown-data-www" do
      command "chown -R www-data:www-data /var/www/myfolder"
      user "root"
      action :run
      # skip the chown when the top-level directory is already owned by www-data
      not_if '[ $(stat -c %U /var/www/myfolder) = "www-data" ]'
    end
Edit: fix to reflect comment below
We could write a chef resource which iterates through your directory hierarchy and creates a file or directory resource for every file that it finds and then set it up to manage the owner and group on those files. You won't like that, however, since if you have a thousand files in that directory then you'll get a thousand chef resources and your converges will be slow.
If you want to you can, in fact, roll your own code which does something like that which I wrote in the ticket tickets.opscode.com/browse/CHEF-690 which @name referenced, but I wouldn't recommend it.
If you're trying to prevent "tampering" and fix random corruption of user and group attributes then your solution is probably correct. You'll always execute that command on every chef convergence and the resource will always show as being updated, but the command will run as fast as possible (chown -R is basically convergent and idempotent as it checks the perms before trying to set the perms). You will not get reporting back on fixed perms which is the only downside.
If you are just trying to fix the perms once on building a server, then you should throw a not_if conditional in there to check that if the root directory has the correct perms you don't run it every time. That will give you idempotent behavior and will not execute the command on every run, but the downside is clearly that if one of the files under that directory structure has its perms mangled by someone or something in the future, then it will not get corrected.
There's a possible use case here for a single resource which behaves like chown -R and then reports what it fixed (an array of files that had perms changed) which would be useful for cases like SOX and PCI-DSS reporting, but we don't currently cover that use case.
tl;dr is that your solution is fine and you can add a not_if guard if you like
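The reporting use case and the nested-drift gap described above, sketched in plain Ruby as an added example (not code from this answer or from Chef): it walks the tree without following symlinks, lists every path whose owner or group differs from the wanted one, and returns that list so it can be logged. The function names and the temp-dir demo tree are constructed for illustration.

```ruby
require 'find'
require 'fileutils'
require 'tmpdir' # only used by the constructed demo tree below

# Walk +root+ without following symlinks and return every path whose owner
# or group differs from the wanted numeric uid/gid.
def ownership_drift(root, uid, gid)
  drift = []
  Find.find(root) do |path|
    st = File.lstat(path) # lstat: inspect a symlink itself, never its target
    drift << path unless st.uid == uid && st.gid == gid
  end
  drift.sort
end

# Fix only the drifted paths and return them, so the caller can report exactly
# what changed. With dry_run: true nothing is modified.
def fix_ownership(root, uid, gid, dry_run: false)
  changed = ownership_drift(root, uid, gid)
  changed.each { |path| File.lchown(uid, gid, path) } unless dry_run
  changed
end

# Constructed demo: a small tree in a temp dir, including a symlink that
# points outside the tree. The "wanted" owner is read from the tree root.
def demo
  Dir.mktmpdir('chown-demo') do |root|
    FileUtils.mkdir_p(File.join(root, 'sites/example'))
    File.write(File.join(root, 'sites/example/index.html'), 'hi')
    File.symlink('/etc/passwd', File.join(root, 'sites/link'))
    st = File.lstat(root)
    clean = ownership_drift(root, st.uid, st.gid)
    # Pretend the wanted owner is a different uid: every entry is now drift.
    would_change = fix_ownership(root, st.uid + 1, st.gid, dry_run: true)
    [clean, would_change.map { |p| p.sub("#{root}/", '').sub(root, '.') }]
  end
end

if __FILE__ == $PROGRAM_NAME
  clean, would_change = demo
  puts "already correct: #{clean.empty?}"
  puts "would change: #{would_change.inspect}"
end
```

Checking the whole tree rather than only the top-level directory is what catches a single file whose ownership was changed after the first converge; the returned list is the per-file record a root-only guard cannot give.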
If this is a one-off to fix permissions your shortest path might be just knife ssh. (I just did that after ending up here on my own search.)

    knife ssh 'name:*' "sudo chown -R $user:$group /full/path/to/directory"
    knife ssh 'name:*' "sudo chmod -R 770 /full/path/to/directory"
If I were setting this up from scratch I think I'd need to set up the directory path and proper permissions with one line (NOTE: explicitly apply the perms to each parent in the path)

    %w[ /foo /foo/bar /foo/bar/baz ].each do |path|
      directory path do
        owner 'root'
        group 'root'
        mode '0755'
      end
    end

and then create each individual file as a cookbook_file.
https://stackoverflow.com/a/28283020/11822923
Answer met my need but there is an issue with grep command, even if the user is apache2 or apach the grep exit code will be 0, but I needed the user to exactly be apache (Apache web server user on CentOS 7.7).
Here is my recipe:
    node["apache"]["sites"].each do |sitename, data|
      document_root = "/content/sites/#{sitename}"

      directory document_root do
        action :create
        mode "0755"
        recursive true
        owner "apache"
        group "apache"
      end

      execute "chown_to_apache_user" do
        command "chown -R apache:apache /content"
        user "root"
        action :run
        not_if '[ $(stat -c %U /content/) = "apache" ]'
      end

      template "/etc/httpd/conf.d/#{sitename}.conf" do
        source "vhost.erb"
        mode "0644"
        variables(
          :document_root => document_root,
          :port => data["port"],
          :domain => data["domain"]
        )
        notifies :restart, "service[httpd]"
      end
    end
For comparison:
P.S.: to check group as well:
    node["apache"]["sites"].each do |sitename, data|
      document_root = "/content/sites/#{sitename}"

      directory document_root do
        action :create
        mode "0755"
        recursive true
        owner "apache"
        group "apache"
      end

      execute "chown_to_apache_user" do
        command "chown -R apache:apache /content"
        user "root"
        action :run
        not_if '[ $(stat -c %U /content/) = "apache" ] && [ $(stat -c %G /content/) = "apache" ]'
      end

      template "/etc/httpd/conf.d/#{sitename}.conf" do
        source "vhost.erb"
        mode "0644"
        variables(
          :document_root => document_root,
          :port => data["port"],
          :domain => data["domain"]
        )
        notifies :restart, "service[httpd]"
      end
    end
I would use plain resource directory with action :create.
Per documentation:
:create
Default. Create a directory. If a directory already exists (but does not match), update that directory to match
https://docs.chef.io/resource_directory.html