[TOP TIP] Hot inotify events (execute scripts based on filesystem changes)
Sizzling hot inotify events! Yes that is what I meant, inotify events. What are these hot inotify events? It is something that, if you haven't heard of before, then you are in for a tasty surprise!
Ever wonder how to take events from a simple website that runs as a normal unix user and make those events actions under root? But without any security implications and without running the website as root? Hot inotify events are the answer!
Ever wonder how to run cron jobs that aren't time-based? Hot inotify events are the answer!
Ever wonder how to initiate file system synchronisation on file/directory change? Hot inotify events are the answer!
Installation
yum install incron
systemctl enable incrond
systemctl start incrond
Once installed, you should end up with a configuration file at /etc/incron.conf but we do not need to make any changes, since the default options are enough for most uses.
A more important file, is the configuration for the users who are allowed to run events with incron, so create and edit the file /etc/incron.allow with a single line:
root
If you want, you may add normal users and not root, but that depends on your type of setup.
Event example - user to root
Lets create an example as described at the start of this port. A simple website running under a normal user but needs to initiate a set of root commands.
In this scenario, we have a server that has its SSH access permanently stopped for security reasons. In our case, the user website has a start/stop button, which allows us to start and stop the SSH daemon.
First, we create a quick and simple PHP script named secret-ssh.php and place it under the public_html directory, with the following contents:
running. [Stop!](?stop=true)';
else
echo 'The top secret SSH daemon service is **not running**. [Start!](?start=true)';
?>
Now create the two "hot" files with touch and set proper ownership with chown:
touch /home/user/start-ssh
chown user:user /home/user/start-ssh
touch /home/user/stop-ssh
chown user:user /home/user/stop-ssh
Finally, run the incrontab -e command as root with the following contents:
/home/user/start-ssh IN_MODIFY,IN_ATTRIB,IN_NO_LOOP /usr/bin/systemctl start sshd.service
/home/user/stop-ssh IN_MODIFY,IN_ATTRIB,IN_NO_LOOP /usr/bin/systemctl stop sshd.service
In all of the above, please make sure to modify the user part with your own unix user. If incrontab produces the error "editor finished with error: No such file or directory" then edit the /etc/incrontab.conf file and set another default editor, or install the vim.
Now if you access secret-ssh.php with a web browser, you will be able to safely start and stop the SSH daemon service, without being root. In practice, any time the two hot files change their attributes or contents, the equivalent action will be executed, so you can try this from the shell by running "touch /home/user/start-ssh".
Enjoy the ribs!