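#!/usr/bin/env bash
# Author: Oliver Ladner
# License: LGPL
#
# Checks the webroot for files being owned by www daemon and
# writable at the same time. This is only needed by some files
# so we'll check with a whitelist.
# Requires bash 3.2 and GNU find (for '-perm /mode').
#
# Usage: run as a user that can read the whole webroot. WWWROOT and WWWUSER
# may be overridden from the environment; the defaults are the original ones.
set -eu

# Webroot to scan and the account the web daemon runs as.
WWWROOT=${WWWROOT:-/var/www/}
WWWUSER=${WWWUSER:-www-data}

# Extended regex of paths that are allowed to be writable by the daemon.
# The match is an unanchored substring match, so '/wp-content/cache' covers
# every file below any wp-content/cache directory, and 'sitemap\.xml' also
# covers e.g. sitemap.xml.gz. Dots are escaped so that 'mpd.lugh.ch' does not
# match unrelated names like 'mpdXlughXch'. Note: there must be no stray
# whitespace inside the group -- it would become part of the last pattern.
WHITELIST="(mpd\.lugh\.ch/music|\
foo\.example\.org/cache|\
/wp-content/cache|\
/piwik/config/config\.ini\.php|\
sitemap\.xml)"

#######################################
# Whether a path is covered by the whitelist.
# Globals:   WHITELIST (read)
# Arguments: $1 - path as printed by find
# Returns:   0 if the path matches the whitelist, 1 otherwise
#######################################
is_whitelisted() {
  local path=$1
  [[ "$path" =~ $WHITELIST ]]
}

#######################################
# Print every path below WWWROOT that the daemon can write to: owner-writable
# and owned by WWWUSER, or group-writable and group-owned by WWWUSER.
# Globals:   WWWROOT, WWWUSER (read)
# Outputs:   NUL-separated paths on stdout (filenames may contain newlines)
# Returns:   exit status of find
#######################################
find_writable() {
  # '-a' binds tighter than '-o', so without the parentheses '! -type l'
  # would only apply to the owner-writable branch and every symlink
  # group-owned by WWWUSER (symlinks are always g+w) would be reported.
  find "$WWWROOT" ! -type l \
    \( -perm /u+w -user "$WWWUSER" -o -perm /g+w -group "$WWWUSER" \) \
    -print0
}

#######################################
# Scan the webroot, print non-whitelisted writable paths and a summary line.
# Globals:   WWWUSER (read), WHITELIST/WWWROOT via helpers
# Outputs:   one reported path per line (CR LF terminated, as before),
#            then a summary on stdout
# Returns:   0 (the exit status does not reflect the number of findings)
#######################################
main() {
  local listcount=0
  local whitelist_matches=0
  local matchedentry

  while IFS= read -r -d '' matchedentry; do
    if is_whitelisted "$matchedentry"; then
      whitelist_matches=$((whitelist_matches + 1))
    else
      # printf instead of 'echo -e': a backslash inside a filename is printed
      # verbatim rather than being interpreted as an escape sequence. The
      # trailing CR of the original output format is kept.
      printf '%s\r\n' "$matchedentry"
      listcount=$((listcount + 1))
    fi
  done < <(find_writable)

  if (( listcount > 0 )); then
    echo "Finished: $listcount items are writable by '$WWWUSER' ($whitelist_matches whitelisted)."
  else
    echo "No writable items found ($whitelist_matches whitelisted)."
  fi
}

main "$@"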