guardutils/chguard
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Releases 10 Wiki Activity

Compare commits

base: guardutils/chguard:0.3.2
Branches Tags
guardutils/chguard:main
guardutils/chguard:0.4.0 guardutils/chguard:0.3.4 guardutils/chguard:0.3.3 guardutils/chguard:0.3.2 guardutils/chguard:0.3.1 guardutils/chguard:0.3.0 guardutils/chguard:0.2.2 guardutils/chguard:0.2.1 guardutils/chguard:0.2.0 guardutils/chguard:0.1.0
...
compare: guardutils/chguard:f07cbe06c8d2fb75cf6b388d63b2a9bea171f75a
Branches Tags
guardutils/chguard:main
guardutils/chguard:0.4.0 guardutils/chguard:0.3.4 guardutils/chguard:0.3.3 guardutils/chguard:0.3.2 guardutils/chguard:0.3.1 guardutils/chguard:0.3.0 guardutils/chguard:0.2.2 guardutils/chguard:0.2.1 guardutils/chguard:0.2.0 guardutils/chguard:0.1.0

15 Commits
0.3.2 ... f07cbe06c8

Author SHA1 Message Date
mdaleo404 f07cbe06c8 Merge pull request 'Add --prune-states + root path fix' (#10) from restore-root-folder into main 
Reviewed-on: #10
 2026-05-23 10:37:01 +00:00
mdaleo404 4abc89def9 Add prune state option
Lint & Security / precommit-and-security (pull_request) Successful in 2m27s
Details
2026-05-23 11:26:16 +01:00
mdaleo404 5c63675ef5 Record the root path in the state for restoring, make pre-commit black use generic python3 version 2026-05-23 10:28:53 +01:00
mdaleo404 88b2dfd1a5 Merge pull request 'Poetry update' (#7) from poetry-update-2.3.3 into main
Security Scan / security-scan (push) Successful in 1m20s
Details 
Reviewed-on: #7
 2026-04-03 07:24:44 +00:00
mdaleo404 ee80306d9a Version bump
Lint & Security / precommit-and-security (pull_request) Successful in 1m2s
Details
2026-04-03 08:21:12 +01:00
mdaleo404 cc97d3d7f1 Update Pygments
Lint & Security / precommit-and-security (pull_request) Successful in 1m1s
Details
2026-04-03 08:19:40 +01:00
mdaleo404 9bf5ef1d7d Black formatting
Lint & Security / precommit-and-security (pull_request) Failing after 1m1s
Details
2026-04-03 08:16:56 +01:00
mdaleo404 24696af083 Poetry update
Lint & Security / precommit-and-security (pull_request) Failing after 44s
Details
2026-04-03 08:14:37 +01:00
mdaleo404 fcef549eba Exclude unfixed vulnerabilities from security workflow results
Security Scan / security-scan (push) Successful in 1m17s
Details
2026-03-25 16:31:27 +00:00
mdaleo404 049273a13c Switch Trivy scan to Syft and Grype 2026-03-25 16:10:01 +00:00
mdaleo404 d00407bb33 Disable trivy scan workflow 2026-03-23 08:02:12 +00:00
mdaleo404 a8dbe675f5 Update pre-commit hooks version
Trivy Scan / security-scan (push) Successful in 27s
Details
2026-03-21 07:25:11 +00:00
mdaleo404 cc2b1fe791 Ping Trivy docker image to 0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c 2026-03-21 07:05:33 +00:00
mdaleo404 db60b4e42b Merge pull request 'Fix list view to be a rich table' (#6) from fix_list_view into main
Trivy Scan / security-scan (push) Successful in 27s
Details 
Reviewed-on: #6
 2026-01-24 09:24:39 +00:00
mdaleo404 afc964a076 Fix list view to be a rich table
Lint & Security / precommit-and-security (pull_request) Successful in 1m50s
Details
2026-01-24 09:21:51 +00:00
9 changed files with 552 additions and 259 deletions
Expand all files Collapse all files
.gitea/workflows/security-scan.yml
+188
View File
@@ -0,0 +1,188 @@
name: Security Scan
on:
schedule:
- cron: 27 8 * * *
workflow_dispatch:
jobs:
security-scan:
runs-on: running-man
env:
TARGET_DIR: .
COSIGN_VERSION: v3.0.5
SYFT_VERSION: v1.42.3
GRYPE_VERSION: v0.110.0
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Cosign (bootstrap)
run: |
set -euo pipefail
FILE="cosign-linux-amd64"
curl -fLO https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${FILE}
chmod +x ${FILE}
mv ${FILE} /usr/local/bin/cosign
cosign version
- name: Install Syft (verified)
run: |
set -euo pipefail
VERSION_NO_V="${SYFT_VERSION#v}"
FILE="syft_${VERSION_NO_V}_linux_amd64.tar.gz"
BASE_URL="https://github.com/anchore/syft/releases/download/${SYFT_VERSION}"
curl -fLO ${BASE_URL}/${FILE}
curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt
curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt.sig
curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt.pem
cosign verify-blob \
--signature syft_${VERSION_NO_V}_checksums.txt.sig \
--certificate syft_${VERSION_NO_V}_checksums.txt.pem \
--certificate-identity-regexp "https://github.com/anchore/syft" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
syft_${VERSION_NO_V}_checksums.txt
CHECKSUM_LINE=$(grep " ${FILE}$" syft_${VERSION_NO_V}_checksums.txt)
if [ -z "$CHECKSUM_LINE" ]; then
echo "Missing checksum entry for ${FILE}"
exit 1
fi
echo "$CHECKSUM_LINE" | sha256sum -c -
tar -xzf ${FILE}
mv syft /usr/local/bin/
syft version
- name: Install Grype (verified)
run: |
set -euo pipefail
VERSION_NO_V="${GRYPE_VERSION#v}"
FILE="grype_${VERSION_NO_V}_linux_amd64.tar.gz"
BASE_URL="https://github.com/anchore/grype/releases/download/${GRYPE_VERSION}"
curl -fLO ${BASE_URL}/${FILE}
curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt
curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt.sig
curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt.pem
cosign verify-blob \
--signature grype_${VERSION_NO_V}_checksums.txt.sig \
--certificate grype_${VERSION_NO_V}_checksums.txt.pem \
--certificate-identity-regexp "https://github.com/anchore/grype" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
grype_${VERSION_NO_V}_checksums.txt
CHECKSUM_LINE=$(grep " ${FILE}$" grype_${VERSION_NO_V}_checksums.txt)
if [ -z "$CHECKSUM_LINE" ]; then
echo "Missing checksum entry for ${FILE}"
exit 1
fi
echo "$CHECKSUM_LINE" | sha256sum -c -
tar -xzf ${FILE}
mv grype /usr/local/bin/
grype version
- name: Generate SBOM
working-directory: ${{ env.TARGET_DIR }}
run: |
syft dir:. -o json > sbom.json
- name: Show SBOM contents
working-directory: ${{ env.TARGET_DIR }}
run: |
echo "Packages discovered by Syft:"
jq -r '.artifacts[] | "\(.name)@\(.version) [\(.type)]"' sbom.json | sort
- name: Run Grype scan (JSON)
id: audit
continue-on-error: true
working-directory: ${{ env.TARGET_DIR }}
run: |
grype sbom:sbom.json -o json > grype.json
echo "Vulnerabilities (fixable only):"
jq -r '
.matches[]
| select((.vulnerability.fix.versions | length) > 0)
| "\(.artifact.name)@\(.artifact.version) -> \(.vulnerability.id) [\(.vulnerability.severity)] | fixed: \(.vulnerability.fix.versions[0])"
' grype.json
# Fail only on fixable MEDIUM/HIGH/CRITICAL
jq -e '
[
.matches[]?
| select(
(
.vulnerability.severity == "Medium" or
.vulnerability.severity == "High" or
.vulnerability.severity == "Critical"
)
and
(
(.vulnerability.fix.versions | length) > 0
)
)
]
| length == 0
' grype.json
- name: Show full Grype table
working-directory: ${{ env.TARGET_DIR }}
run: |
echo "Full Grype report:"
grype sbom:sbom.json -o table
- name: Notify Node-RED on vulnerabilities
if: steps.audit.outcome == 'failure'
working-directory: ${{ env.TARGET_DIR }}
run: |
jq '
{
repo: "guardutils/chguard",
summary: (
"Total: " +
(
[
.matches[]
| select((.vulnerability.fix.versions | length) > 0)
] | length | tostring
)
),
vulnerabilities: [
.matches[]
| select((.vulnerability.fix.versions | length) > 0)
| {
library: .artifact.name,
cve: .vulnerability.id,
severity: .vulnerability.severity,
installed: .artifact.version,
fixed: (.vulnerability.fix.versions[0]),
title: .vulnerability.description,
url: .vulnerability.dataSource
}
]
}
' grype.json \
| curl -s -X POST https://nodered.sysmd.uk/vulns-alert \
-H "Content-Type: application/json" \
--data-binary @-
- name: Fail workflow if vulnerabilities found
if: steps.audit.outcome == 'failure'
run: exit 1
.gitea/workflows/trivy-scan.yml
-61
View File
@@ -1,61 +0,0 @@
---
name: Trivy Scan
on:
schedule:
- cron: 17 8 * * *
workflow_dispatch:
jobs:
security-scan:
runs-on: running-man
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Trivy scan via Docker
id: trivy
continue-on-error: true
run: |
docker run --rm \
--volumes-from "$HOSTNAME" \
aquasec/trivy:latest \
fs /workspace/guardutils/chguard \
--scanners vuln \
--pkg-types library \
--include-dev-deps \
--severity MEDIUM,HIGH,CRITICAL \
--ignore-unfixed \
--format json \
--output /workspace/guardutils/chguard/trivy.json \
--exit-code 1
- name: Notify Node-RED on vulnerabilities
if: steps.trivy.outcome == 'failure'
run: |
jq -r '
{
repo: "guardutils/chguard",
summary: (
"Total: " +
((.Results[].Vulnerabilities | length) | tostring)
),
vulnerabilities: [
.Results[].Vulnerabilities[] | {
library: .PkgName,
cve: .VulnerabilityID,
severity: .Severity,
installed: .InstalledVersion,
fixed: .FixedVersion,
title: .Title,
url: .PrimaryURL
}
]
}
' trivy.json \
| curl -s -X POST https://nodered.sysmd.uk/trivy-alert \
-H "Content-Type: application/json" \
--data-binary @-
- name: Fail workflow if vulnerabilities found
if: steps.trivy.outcome == 'failure'
run: exit 1
.pre-commit-config.yaml
+4 -4
View File
@@ -1,19 +1,19 @@
repos:
- repo: https://github.com/PyCQA/bandit
rev: 1.7.9
rev: 1.9.4
hooks:
- id: bandit
files: ^src/mirro/
args: ["-lll", "-iii", "-s", "B110,B112"]
- repo: https://github.com/psf/black-pre-commit-mirror
rev: 25.11.0
rev: 26.3.1
hooks:
- id: black
language_version: python3.13
language_version: python3
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
rev: v6.0.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
README.md
+20
View File
@@ -203,6 +203,26 @@ chguard --restore app-baseline --permissions
chguard --restore app-baseline --owner
```
### Remove old states
```
chguard --prune-states
```
This removes states older than the number of days set in `CHGUARD_STATES_LIFE`
### Remove states older than _N_ days
```
chguard --prune-states=14
```
This removes all states older than 14 days.
### Remove all states
```
chguard --prune-states=all
```
### Environment Variable
`CHGUARD_STATES_LIFE`controls the default number of days to keep when using `chguard --prune-states`.
### Wrapper mode
Use `--` to separate `chguard` arguments from the wrapped command:
chguard/cli.py
+248 -156
View File
@@ -2,33 +2,37 @@ from __future__ import annotations
import argparse
import argcomplete
import grp
import importlib.metadata
import os
import sys
import stat
import pwd
import grp
import stat
import subprocess
import sys
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from pathlib import Path
from datetime import datetime
from rich import box
from rich.console import Console
from rich.table import Table
from rich import box
from chguard.db import (
connect,
init_db,
create_state,
delete_state,
get_state,
init_db,
prune_all_states,
prune_states_before,
state_exists,
)
from chguard.restore import apply_restore, plan_restore
from chguard.scan import scan_tree
from chguard.restore import plan_restore, apply_restore
from chguard.util import normalize_root
PRUNE_STATES_FROM_ENV = "__CHGUARD_PRUNE_STATES_FROM_ENV__"
def get_version():
try:
@@ -88,6 +92,49 @@ def _is_root() -> bool:
return os.geteuid() == 0
def _parse_prune_states_value(value: str | None) -> int | str:
if value is None:
value = os.environ.get("CHGUARD_STATES_LIFE")
if not value:
raise SystemExit(
"Missing prune age. Use --prune-states=N or set "
"CHGUARD_STATES_LIFE."
)
value = value.strip().lower()
if value == "all":
return "all"
try:
days = int(value)
except ValueError as exc:
raise SystemExit(
"Invalid prune age. Use an integer number of days or 'all'."
) from exc
if days < 0:
raise SystemExit("Invalid prune age. Value must be >= 0.")
return days
def _confirm_or_abort(*, yes: bool, prompt: str) -> None:
if yes:
return
if not sys.stdin.isatty():
raise SystemExit(
"Refusing to continue without confirmation (no TTY).\n"
"Use --yes to force."
)
answer = input(f"\n{prompt} (y/N) ").strip().lower()
if answer not in ("y", "yes"):
raise SystemExit("Aborted.")
def complete_state_names(prefix, parsed_args, **kwargs):
try:
conn = connect(
@@ -113,27 +160,12 @@ def _extract_paths_from_command(cmd: list[str]) -> list[Path]:
def main() -> None:
"""
Entry point for the CLI.
Behavior summary:
- --save snapshots ownership and permissions
- --restore previews changes, then asks for confirmation
- Root privileges are required only when necessary
- Symlinks are skipped during scanning
"""
wrapper_cmd = None
if "--" in sys.argv:
idx = sys.argv.index("--")
wrapper_cmd = sys.argv[idx + 1 :]
sys.argv = sys.argv[:idx]
parser = argparse.ArgumentParser(
prog="chguard",
description="Snapshot and restore filesystem ownership and permissions.",
)
parser = argparse.ArgumentParser(
prog="chguard",
description="Snapshot and restore filesystem ownership and permissions.",
@@ -158,75 +190,53 @@ def main() -> None:
)
actions.add_argument(
"--save",
metavar="PATH",
help="Save state for PATH",
"--save", metavar="PATH", help="Save state for PATH"
).completer = argcomplete.FilesCompleter()
actions.add_argument(
"--restore",
action="store_true",
help="Restore a saved state",
"--restore", action="store_true", help="Restore a saved state"
)
actions.add_argument(
"--list", action="store_true", help="List saved states"
)
actions.add_argument(
"--list",
action="store_true",
help="List saved states",
)
actions.add_argument(
"--delete",
metavar="STATE",
help="Delete a saved state",
"--delete", metavar="STATE", help="Delete a saved state"
).completer = complete_state_names
# positional STATE
parser.add_argument(
"state",
actions.add_argument(
"--prune-states",
nargs="?",
help="State name (required with --restore)",
).completer = complete_state_names
const=PRUNE_STATES_FROM_ENV,
metavar="N",
help=(
"Delete states older than N days. If N is omitted, "
"CHGUARD_STATES_LIFE is used. Use 'all' to delete all states."
),
)
parser.add_argument("state", nargs="?", help="State name").completer = (
complete_state_names
)
parser.add_argument("--name", help="State name")
parser.add_argument(
"--name",
help="State name (required with --save)",
"--overwrite", action="store_true", help="Overwrite existing state"
)
parser.add_argument(
"--permissions", action="store_true", help="Restore MODE only"
)
parser.add_argument(
"--owner", action="store_true", help="Restore OWNER only"
)
parser.add_argument(
"--dry-run", action="store_true", help="Preview only; do not apply"
)
parser.add_argument(
"--yes", action="store_true", help="Apply without confirmation"
)
parser.add_argument(
"--overwrite",
action="store_true",
help="Overwrite existing state",
)
parser.add_argument(
"--permissions",
action="store_true",
help="Restore MODE only",
)
parser.add_argument(
"--owner",
action="store_true",
help="Restore OWNER only",
)
parser.add_argument(
"--dry-run",
action="store_true",
help="Preview only; do not apply",
)
parser.add_argument(
"--yes",
action="store_true",
help="Apply without confirmation",
)
parser.add_argument(
"--root",
metavar="PATH",
help="Override restore root",
"--root", metavar="PATH", help="Override restore root"
).completer = argcomplete.FilesCompleter()
parser.add_argument(
@@ -237,9 +247,7 @@ def main() -> None:
).completer = argcomplete.FilesCompleter()
parser.add_argument(
"--db",
metavar="PATH",
help="Override database path",
"--db", metavar="PATH", help="Override database path"
).completer = argcomplete.FilesCompleter()
argcomplete.autocomplete(parser)
@@ -250,7 +258,6 @@ def main() -> None:
raise SystemExit("No command provided after '--'")
cmd = Path(wrapper_cmd[0]).name
if cmd not in ("chown", "chmod", "chgrp"):
raise SystemExit(
"Wrapper mode only supports chown, chmod, and chgrp"
@@ -263,12 +270,14 @@ def main() -> None:
if wrapper_cmd:
paths = _extract_paths_from_command(wrapper_cmd)
if paths:
auto_name = f"auto-{datetime.now().strftime('%Y%m%d-%H%M%S')}"
root_path = paths[0].resolve()
with conn:
root_path = str(Path(paths[0]).resolve())
state_id = create_state(
conn, auto_name, root_path, os.getuid(), commit=False
conn, auto_name, str(root_path), os.getuid(), commit=False
)
for path in paths:
@@ -281,7 +290,8 @@ def main() -> None:
)
conn.execute(
"""
INSERT INTO entries (state_id, path, type, mode, uid, gid)
INSERT INTO entries
(state_id, path, type, mode, uid, gid)
VALUES (?, ?, ?, ?, ?, ?)
""",
(
@@ -300,15 +310,32 @@ def main() -> None:
"This command affects root-owned files.\n"
"Please re-run with sudo."
)
if stat.S_ISLNK(st.st_mode):
typ = "symlink"
elif stat.S_ISREG(st.st_mode):
typ = "file"
elif stat.S_ISDIR(st.st_mode):
typ = "dir"
else:
continue
rel = (
""
if path.resolve() == root_path
else str(path.resolve().relative_to(root_path))
)
conn.execute(
"""
INSERT INTO entries (state_id, path, type, mode, uid, gid)
INSERT INTO entries
(state_id, path, type, mode, uid, gid)
VALUES (?, ?, ?, ?, ?, ?)
""",
(
state_id,
str(path),
"file",
rel,
typ,
stat.S_IMODE(st.st_mode),
st.st_uid,
st.st_gid,
@@ -322,22 +349,106 @@ def main() -> None:
proc = subprocess.run(wrapper_cmd)
sys.exit(proc.returncode)
if args.prune_states is not None:
value = (
None
if args.prune_states == PRUNE_STATES_FROM_ENV
else args.prune_states
)
life = _parse_prune_states_value(value)
if life == "all":
rows = conn.execute("""
SELECT name, root_path, created_at
FROM states
ORDER BY created_at
""").fetchall()
cutoff_iso = None
else:
cutoff = datetime.now(timezone.utc) - timedelta(days=life)
cutoff_iso = cutoff.isoformat(timespec="seconds")
rows = conn.execute(
"""
SELECT name, root_path, created_at
FROM states
WHERE created_at < ?
ORDER BY created_at
""",
(cutoff_iso,),
).fetchall()
if not rows:
console.print("No states matched.")
return
console.print(
f"\nThe following {len(rows)} state(s) will be deleted:\n"
)
table = Table(box=box.SIMPLE, header_style="bold")
table.add_column("State")
table.add_column("Root path")
table.add_column("Created")
for name, root, created in rows:
state_name = (
f"[bright_cyan]{name}[/bright_cyan]"
if name.startswith("auto-")
else name
)
table.add_row(
state_name,
f"[bright_magenta]{root}[/bright_magenta]",
f"[bright_cyan]{created}[/bright_cyan]",
)
console.print(table)
if args.dry_run:
console.print(
"\n[yellow]Dry-run only. No states were deleted.[/yellow]"
)
return
_confirm_or_abort(yes=args.yes, prompt="Delete these states?")
if life == "all":
deleted = prune_all_states(conn)
else:
deleted = prune_states_before(conn, cutoff_iso)
console.print(f"\nDeleted {deleted} state(s).")
return
if args.list:
rows = conn.execute(
"SELECT name, root_path, created_at FROM states ORDER BY created_at DESC"
).fetchall()
rows = conn.execute("""
SELECT name, root_path, created_at
FROM states
ORDER BY created_at DESC
""").fetchall()
if not rows:
console.print("No saved states.")
return
table = Table(box=box.SIMPLE, header_style="bold")
table.add_column("State")
table.add_column("Root path")
table.add_column("Created")
for name, root, created in rows:
dt = datetime.fromisoformat(created)
ts = dt.strftime("%Y-%m-%d %H:%M:%S %z")
if name.startswith("auto-"):
console.print(f"[cyan]{name}[/cyan]\t{root}\t{ts}")
else:
console.print(f"{name}\t{root}\t{ts}")
state_name = (
f"[bright_cyan]{name}[/bright_cyan]"
if name.startswith("auto-")
else name
)
table.add_row(
state_name,
f"[bright_magenta]{root}[/bright_magenta]",
f"[bright_cyan]{created}[/bright_cyan]",
)
console.print(table)
return
if args.delete:
@@ -352,49 +463,43 @@ def main() -> None:
root = normalize_root(args.save)
try:
with conn: # start transaction
if state_exists(conn, args.name):
if not args.overwrite:
raise SystemExit(
f"State '{args.name}' already exists (use --overwrite)"
)
# if the new save fails, this delete_state step will also roll back
delete_state(conn, args.name, commit=False)
with conn:
if state_exists(conn, args.name):
if not args.overwrite:
raise SystemExit(
f"State '{args.name}' already exists (use --overwrite)"
)
delete_state(conn, args.name, commit=False)
state_id = create_state(
conn, args.name, str(root), os.getuid(), commit=False
)
state_id = create_state(
conn, args.name, str(root), os.getuid(), commit=False
)
# Abort early if root-owned files exist and user is not root.
# This prevents creating snapshots that cannot be meaningfully restored.
for entry in scan_tree(root, excludes=args.exclude):
if entry.uid == 0 and not _is_root():
raise SystemExit(
"This path contains root-owned files.\n"
"Saving this state requires sudo."
)
conn.execute(
"""
INSERT INTO entries (state_id, path, type, mode, uid, gid)
VALUES (?, ?, ?, ?, ?, ?)
""",
(
state_id,
entry.path,
entry.type,
entry.mode,
entry.uid,
entry.gid,
),
for entry in scan_tree(root, excludes=args.exclude):
if entry.uid == 0 and not _is_root():
raise SystemExit(
"This path contains root-owned files.\n"
"Saving this state requires sudo."
)
console.print(f"Saved state '{args.name}' for {root}")
return
conn.execute(
"""
INSERT INTO entries
(state_id, path, type, mode, uid, gid)
VALUES (?, ?, ?, ?, ?, ?)
""",
(
state_id,
entry.path,
entry.type,
entry.mode,
entry.uid,
entry.gid,
),
)
except SystemExit:
raise
console.print(f"Saved state '{args.name}' for {root}")
return
if args.restore:
if not args.state:
@@ -407,7 +512,6 @@ def main() -> None:
snapshot_root = Path(state.root_path)
target_root = normalize_root(args.root) if args.root else snapshot_root
# Default restore behavior is OWNER + MODE unless narrowed explicitly.
restore_permissions = args.permissions or (
not args.permissions and not args.owner
)
@@ -430,7 +534,6 @@ def main() -> None:
needs_root = False
current_uid = os.geteuid()
# Build a per-path view of owner/mode changes and detect privilege needs.
for ch in changes:
if ch.kind not in ("owner", "mode"):
continue
@@ -450,8 +553,11 @@ def main() -> None:
] = f"{_format_owner(bu, bg)}{_format_owner(au, ag)}"
counts["owner"] += 1
if ch.path.stat().st_uid != current_uid:
needs_root = True
try:
if ch.path.stat().st_uid != current_uid:
needs_root = True
except FileNotFoundError:
pass
elif ch.kind == "mode" and restore_permissions:
b, a = ch.detail.split(" -> ")
@@ -480,9 +586,7 @@ def main() -> None:
for path in sorted(per_path):
row = per_path[path]
table.add_row(
str(path),
row.get("owner", ""),
row.get("mode", ""),
str(path), row.get("owner", ""), row.get("mode", "")
)
console.print(table)
@@ -503,21 +607,9 @@ def main() -> None:
"Please re-run the command with sudo."
)
if not args.yes:
if not sys.stdin.isatty():
raise SystemExit(
"Refusing to apply changes without confirmation (no TTY).\n"
"Use --yes to force."
)
answer = (
input("\nDo you want to restore this state? (y/N) ")
.strip()
.lower()
)
if answer not in ("y", "yes"):
console.print("\nAborted.")
return
_confirm_or_abort(
yes=args.yes, prompt="Do you want to restore this state?"
)
apply_restore(
root=target_root,
chguard/db.py
+29 -7
View File
@@ -4,8 +4,8 @@ import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from platformdirs import user_data_dir
from platformdirs import user_data_dir
APP_NAME = "chguard"
@@ -24,8 +24,7 @@ def connect(db_path: Path | None = None) -> sqlite3.Connection:
def init_db(conn: sqlite3.Connection) -> None:
conn.executescript(
"""
conn.executescript("""
CREATE TABLE IF NOT EXISTS states (
id INTEGER PRIMARY KEY,
name TEXT UNIQUE NOT NULL,
@@ -46,8 +45,7 @@ def init_db(conn: sqlite3.Connection) -> None:
);
CREATE INDEX IF NOT EXISTS idx_entries_state_id ON entries(state_id);
"""
)
""")
conn.commit()
@@ -69,7 +67,8 @@ def create_state(
commit: bool = True,
) -> int:
cur = conn.execute(
"INSERT INTO states (name, root_path, created_at, created_by_uid) VALUES (?, ?, ?, ?)",
"INSERT INTO states (name, root_path, created_at, created_by_uid) "
"VALUES (?, ?, ?, ?)",
(name, root_path, utc_now_iso(), created_by_uid),
)
if commit:
@@ -86,6 +85,28 @@ def delete_state(
return cur.rowcount
def prune_states_before(
conn: sqlite3.Connection,
cutoff_iso: str,
*,
commit: bool = True,
) -> int:
cur = conn.execute(
"DELETE FROM states WHERE created_at < ?",
(cutoff_iso,),
)
if commit:
conn.commit()
return cur.rowcount
def prune_all_states(conn: sqlite3.Connection, *, commit: bool = True) -> int:
cur = conn.execute("DELETE FROM states")
if commit:
conn.commit()
return cur.rowcount
@dataclass(frozen=True)
class State:
id: int
@@ -97,7 +118,8 @@ class State:
def get_state(conn: sqlite3.Connection, name: str) -> State | None:
cur = conn.execute(
"SELECT id, name, root_path, created_at, created_by_uid FROM states WHERE name = ?",
"SELECT id, name, root_path, created_at, created_by_uid "
"FROM states WHERE name = ?",
(name,),
)
row = cur.fetchone()
chguard/scan.py
+37 -21
View File
@@ -27,9 +27,43 @@ def _is_excluded(rel: str, excludes: Iterable[str]) -> bool:
return False
def _entry_for_path(p: Path, root: Path) -> Entry | None:
try:
st = p.lstat() # never follow symlinks
except FileNotFoundError:
return None
if stat.S_ISDIR(st.st_mode):
typ = "dir"
elif stat.S_ISREG(st.st_mode):
typ = "file"
elif stat.S_ISLNK(st.st_mode):
typ = "symlink"
else:
# skip special files (devices, sockets, fifos) in v0.1
return None
rel = "" if p == root else str(p.relative_to(root))
return Entry(
path=rel,
type=typ,
mode=stat.S_IMODE(st.st_mode),
uid=st.st_uid,
gid=st.st_gid,
)
def scan_tree(root: Path, excludes: Iterable[str] = ()) -> Iterator[Entry]:
root = root.resolve()
root_entry = _entry_for_path(root, root)
if root_entry is not None:
yield root_entry
if not root.is_dir():
return
for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
# prune excluded directories early
rel_dir = (
@@ -56,24 +90,6 @@ def scan_tree(root: Path, excludes: Iterable[str] = ()) -> Iterator[Entry]:
# record dirs and files
for name in list(dirnames) + list(files):
p = Path(dirpath) / name
try:
st = p.lstat() # never follow symlinks
except FileNotFoundError:
continue
rel = str(p.relative_to(root))
if stat.S_ISDIR(st.st_mode):
typ = "dir"
elif stat.S_ISREG(st.st_mode):
typ = "file"
elif stat.S_ISLNK(st.st_mode):
typ = "symlink"
else:
# skip special files (devices, sockets, fifos) in v0.1
continue
mode = stat.S_IMODE(st.st_mode)
yield Entry(
path=rel, type=typ, mode=mode, uid=st.st_uid, gid=st.st_gid
)
entry = _entry_for_path(p, root)
if entry is not None:
yield entry
poetry.lock
Generated
+24 -8
View File
@@ -1,4 +1,4 @@
# This file is automatically @generated by Poetry 1.8.4 and should not be changed by hand.
# This file is automatically @generated by Poetry 2.3.3 and should not be changed by hand.
[[package]]
name = "argcomplete"
@@ -6,6 +6,7 @@ version = "3.6.3"
description = "Bash tab completion for argparse"
optional = false
python-versions = ">=3.8"
groups = ["main"]
files = [
{file = "argcomplete-3.6.3-py3-none-any.whl", hash = "sha256:f5007b3a600ccac5d25bbce33089211dfd49eab4a7718da3f10e3082525a92ce"},
{file = "argcomplete-3.6.3.tar.gz", hash = "sha256:62e8ed4fd6a45864acc8235409461b72c9a28ee785a2011cc5eb78318786c89c"},
@@ -20,6 +21,7 @@ version = "3.5.0"
description = "Validate configuration and produce human readable error messages."
optional = false
python-versions = ">=3.10"
groups = ["dev"]
files = [
{file = "cfgv-3.5.0-py2.py3-none-any.whl", hash = "sha256:a8dc6b26ad22ff227d2634a65cb388215ce6cc96bbcc5cfde7641ae87e8dacc0"},
{file = "cfgv-3.5.0.tar.gz", hash = "sha256:d5b1034354820651caa73ede66a6294d6e95c1b00acc5e9b098e917404669132"},
@@ -31,6 +33,7 @@ version = "0.4.0"
description = "Distribution utilities"
optional = false
python-versions = "*"
groups = ["dev"]
files = [
{file = "distlib-0.4.0-py2.py3-none-any.whl", hash = "sha256:9659f7d87e46584a30b5780e43ac7a2143098441670ff0a49d5f9034c54a6c16"},
{file = "distlib-0.4.0.tar.gz", hash = "sha256:feec40075be03a04501a973d81f633735b4b69f98b05450592310c0f401a4e0d"},
@@ -42,6 +45,7 @@ version = "3.20.3"
description = "A platform independent file lock."
optional = false
python-versions = ">=3.10"
groups = ["main", "dev"]
files = [
{file = "filelock-3.20.3-py3-none-any.whl", hash = "sha256:4b0dda527ee31078689fc205ec4f1c1bf7d56cf88b6dc9426c4f230e46c2dce1"},
{file = "filelock-3.20.3.tar.gz", hash = "sha256:18c57ee915c7ec61cff0ecf7f0f869936c7c30191bb0cf406f1341778d0834e1"},
@@ -53,6 +57,7 @@ version = "2.6.15"
description = "File identification library for Python"
optional = false
python-versions = ">=3.9"
groups = ["dev"]
files = [
{file = "identify-2.6.15-py2.py3-none-any.whl", hash = "sha256:1181ef7608e00704db228516541eb83a88a9f94433a8c80bb9b5bd54b1d81757"},
{file = "identify-2.6.15.tar.gz", hash = "sha256:e4f4864b96c6557ef2a1e1c951771838f4edc9df3a72ec7118b338801b11c7bf"},
@@ -67,6 +72,7 @@ version = "4.0.0"
description = "Python port of markdown-it. Markdown parsing, done right!"
optional = false
python-versions = ">=3.10"
groups = ["main"]
files = [
{file = "markdown_it_py-4.0.0-py3-none-any.whl", hash = "sha256:87327c59b172c5011896038353a81343b6754500a08cd7a4973bb48c6d578147"},
{file = "markdown_it_py-4.0.0.tar.gz", hash = "sha256:cb0a2b4aa34f932c007117b194e945bd74e0ec24133ceb5bac59009cda1cb9f3"},
@@ -90,6 +96,7 @@ version = "0.1.2"
description = "Markdown URL utilities"
optional = false
python-versions = ">=3.7"
groups = ["main"]
files = [
{file = "mdurl-0.1.2-py3-none-any.whl", hash = "sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8"},
{file = "mdurl-0.1.2.tar.gz", hash = "sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba"},
@@ -101,6 +108,7 @@ version = "1.10.0"
description = "Node.js virtual environment builder"
optional = false
python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7"
groups = ["dev"]
files = [
{file = "nodeenv-1.10.0-py2.py3-none-any.whl", hash = "sha256:5bb13e3eed2923615535339b3c620e76779af4cb4c6a90deccc9e36b274d3827"},
{file = "nodeenv-1.10.0.tar.gz", hash = "sha256:996c191ad80897d076bdfba80a41994c2b47c68e224c542b48feba42ba00f8bb"},
@@ -112,6 +120,7 @@ version = "4.5.1"
description = "A small Python package for determining appropriate platform-specific dirs, e.g. a `user data dir`."
optional = false
python-versions = ">=3.10"
groups = ["main", "dev"]
files = [
{file = "platformdirs-4.5.1-py3-none-any.whl", hash = "sha256:d03afa3963c806a9bed9d5125c8f4cb2fdaf74a55ab60e5d59b3fde758104d31"},
{file = "platformdirs-4.5.1.tar.gz", hash = "sha256:61d5cdcc6065745cdd94f0f878977f8de9437be93de97c1c12f853c9c0cdcbda"},
@@ -128,6 +137,7 @@ version = "3.8.0"
description = "A framework for managing and maintaining multi-language pre-commit hooks."
optional = false
python-versions = ">=3.9"
groups = ["dev"]
files = [
{file = "pre_commit-3.8.0-py2.py3-none-any.whl", hash = "sha256:9a90a53bf82fdd8778d58085faf8d83df56e40dfe18f45b19446e26bf1b3a63f"},
{file = "pre_commit-3.8.0.tar.gz", hash = "sha256:8bb6494d4a20423842e198980c9ecf9f96607a07ea29549e180eef9ae80fe7af"},
@@ -142,13 +152,14 @@ virtualenv = ">=20.10.0"
[[package]]
name = "pygments"
version = "2.19.2"
version = "2.20.0"
description = "Pygments is a syntax highlighting package written in Python."
optional = false
python-versions = ">=3.8"
python-versions = ">=3.9"
groups = ["main"]
files = [
{file = "pygments-2.19.2-py3-none-any.whl", hash = "sha256:86540386c03d588bb81d44bc3928634ff26449851e99741617ecb9037ee5ec0b"},
{file = "pygments-2.19.2.tar.gz", hash = "sha256:636cb2477cec7f8952536970bc533bc43743542f70392ae026374600add5b887"},
{file = "pygments-2.20.0-py3-none-any.whl", hash = "sha256:81a9e26dd42fd28a23a2d169d86d7ac03b46e2f8b59ed4698fb4785f946d0176"},
{file = "pygments-2.20.0.tar.gz", hash = "sha256:6757cd03768053ff99f3039c1a36d6c0aa0b263438fcab17520b30a303a82b5f"},
]
[package.extras]
@@ -160,6 +171,7 @@ version = "6.0.3"
description = "YAML parser and emitter for Python"
optional = false
python-versions = ">=3.8"
groups = ["dev"]
files = [
{file = "PyYAML-6.0.3-cp38-cp38-macosx_10_13_x86_64.whl", hash = "sha256:c2514fceb77bc5e7a2f7adfaa1feb2fb311607c9cb518dbc378688ec73d8292f"},
{file = "PyYAML-6.0.3-cp38-cp38-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:9c57bb8c96f6d1808c030b1687b9b5fb476abaa47f0db9c0101f5e9f394e97f4"},
@@ -242,6 +254,7 @@ version = "14.2.0"
description = "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal"
optional = false
python-versions = ">=3.8.0"
groups = ["main"]
files = [
{file = "rich-14.2.0-py3-none-any.whl", hash = "sha256:76bc51fe2e57d2b1be1f96c524b890b816e334ab4c1e45888799bfaab0021edd"},
{file = "rich-14.2.0.tar.gz", hash = "sha256:73ff50c7c0c1c77c8243079283f4edb376f0f6442433aecb8ce7e6d0b92d1fe4"},
@@ -260,6 +273,8 @@ version = "4.15.0"
description = "Backported and Experimental Type Hints for Python 3.9+"
optional = false
python-versions = ">=3.9"
groups = ["dev"]
markers = "python_version == \"3.10\""
files = [
{file = "typing_extensions-4.15.0-py3-none-any.whl", hash = "sha256:f0fa19c6845758ab08074a0cfa8b7aecb71c999ca73d62883bc25cc018c4e548"},
{file = "typing_extensions-4.15.0.tar.gz", hash = "sha256:0cea48d173cc12fa28ecabc3b837ea3cf6f38c6d1136f85cbaaf598984861466"},
@@ -271,6 +286,7 @@ version = "20.36.1"
description = "Virtual Python Environment builder"
optional = false
python-versions = ">=3.8"
groups = ["dev"]
files = [
{file = "virtualenv-20.36.1-py3-none-any.whl", hash = "sha256:575a8d6b124ef88f6f51d56d656132389f961062a9177016a50e4f507bbcc19f"},
{file = "virtualenv-20.36.1.tar.gz", hash = "sha256:8befb5c81842c641f8ee658481e42641c68b5eab3521d8e092d18320902466ba"},
@@ -284,9 +300,9 @@ typing-extensions = {version = ">=4.13.2", markers = "python_version < \"3.11\""
[package.extras]
docs = ["furo (>=2023.7.26)", "proselint (>=0.13)", "sphinx (>=7.1.2,!=7.3)", "sphinx-argparse (>=0.4)", "sphinxcontrib-towncrier (>=0.2.1a0)", "towncrier (>=23.6)"]
test = ["covdefaults (>=2.3)", "coverage (>=7.2.7)", "coverage-enable-subprocess (>=1)", "flaky (>=3.7)", "packaging (>=23.1)", "pytest (>=7.4)", "pytest-env (>=0.8.2)", "pytest-freezer (>=0.4.8)", "pytest-mock (>=3.11.1)", "pytest-randomly (>=3.12)", "pytest-timeout (>=2.1)", "setuptools (>=68)", "time-machine (>=2.10)"]
test = ["covdefaults (>=2.3)", "coverage (>=7.2.7)", "coverage-enable-subprocess (>=1)", "flaky (>=3.7)", "packaging (>=23.1)", "pytest (>=7.4)", "pytest-env (>=0.8.2)", "pytest-freezer (>=0.4.8) ; platform_python_implementation == \"PyPy\" or platform_python_implementation == \"GraalVM\" or platform_python_implementation == \"CPython\" and sys_platform == \"win32\" and python_version >= \"3.13\"", "pytest-mock (>=3.11.1)", "pytest-randomly (>=3.12)", "pytest-timeout (>=2.1)", "setuptools (>=68)", "time-machine (>=2.10) ; platform_python_implementation == \"CPython\""]
[metadata]
lock-version = "2.0"
lock-version = "2.1"
python-versions = ">=3.10,<4.0"
content-hash = "8cfa38f4e2f17dba430ea08f7be3c91890a0c7a4535b69d9565b84d714f589bc"
content-hash = "c1c99dd4ff6557dd08b58f3a8c50b893e68acabcb8b08a48ca78f7319a361635"
pyproject.toml
+2 -2
View File
@@ -1,6 +1,6 @@
[tool.poetry]
name = "chguard"
version = "0.3.2"
version = "0.4.0"
description = "Safety-first tool to snapshot and restore filesystem ownership and permissions."
authors = ["Marco D'Aleo <marco@marcodaleo.com>"]
license = "GPL-3.0-or-later"
@@ -18,7 +18,7 @@ filelock = ">=3.15.4"
[tool.poetry.scripts]
chguard = "chguard.cli:main"
[tool.poetry.dev-dependencies]
[tool.poetry.group.dev.dependencies]
pre-commit = "^3.8"
[tool.black]