Safety-first tool to snapshot and restore filesystem ownership and permissions.
Project description
chguard
chguard is a safety-first command-line tool that snapshots and restores filesystem ownership and permissions.
Think of it as a guardrail around chmod and chown:
it records the current state, shows you exactly what would change, and only
applies changes after explicit confirmation.
Features
Snapshots ownership and permissions
Records numeric uid, gid, and file mode for files and directories.
Preview before restore
Always shows a clear, readable table of differences before applying changes.
Interactive confirmation
A single confirmation prompt at the end of a restore (default: No).
Dry-run mode
Preview restore operations without prompting or applying changes.
Scope control
Restore:
- both ownership and permissions (default)
- permissions only
- ownership only
Safe by design
- Never creates, deletes, or moves files
- Missing files are ignored
- New files are ignored
- Symbolic links are skipped entirely
- Requires sudo only when necessary
Non-Goals
chguard deliberately does not:
- restore deleted files
- remove newly created files
- track file contents or checksums
- manage ACLs or extended attributes
- provide full “undo” semantics
It only concerns itself with ownership and permissions.
Installation
From GuardUtils package repo
This is the preferred method of installation.
Debian/Ubuntu
1) Import the GPG key
sudo mkdir -p /usr/share/keyrings
curl -fsSL https://repo.sysmd.uk/guardutils/guardutils.gpg | sudo gpg --dearmor -o /usr/share/keyrings/guardutils.gpg
The GPG fingerprint is 0032C71FA6A11EF9567D4434C5C06BD4603C28B1.
2) Add the APT source
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/guardutils.gpg] https://repo.sysmd.uk/guardutils/debian stable main" | sudo tee /etc/apt/sources.list.d/guardutils.list
3) Update and install
sudo apt update
sudo apt install chguard
Fedora/RHEL
1) Import the GPG key
sudo rpm --import https://repo.sysmd.uk/guardutils/guardutils.gpg
2) Add the repository configuration
sudo tee /etc/yum.repos.d/guardutils.repo > /dev/null << 'EOF'
[guardutils]
name=GuardUtils Repository
baseurl=https://repo.sysmd.uk/guardutils/rpm/$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://repo.sysmd.uk/guardutils/guardutils.gpg
EOF
4) Update and install
sudo dnf upgrade --refresh
sudo dnf install chguard
From PyPI
pip install chguard
From this repository
git clone https://git.sysmd.uk/guardutils/chguard.git
cd chguard/
poetry install
This installs the chguard CLI into the Poetry environment.
Usage
Save a state
chguard --save /srv/app --name app-baseline
If the path contains root-owned files, saving requires sudo.
List saved states
chguard --list
Example output:
app-baseline /srv/app 2025-12-20 18:11:08 +00:00
Restore a state (preview only)
chguard --restore app-baseline
This shows a table of ownership and permission differences.
Restore with confirmation
chguard --restore app-baseline
You will be prompted:
Do you want to restore this state? (y/N)
The default answer is No.
Dry-run
chguard --restore app-baseline --dry-run
Restore only permissions or only ownership
chguard --restore app-baseline --permissions
chguard --restore app-baseline --owner
Privilege model
chguard never escalates privileges automatically
- Saving fails if root-owned files are present and the user is not root
- Restoring fails if changes require elevated privileges
- Preview and dry-run operations never require sudo
Storage
Snapshots are stored in a local SQLite database containing:
- relative path
- file type (file or directory)
- numeric uid / gid
- numeric mode
Usernames and permission strings are resolved only for display.
TAB completion
Add this to your .bashrc
eval "$(register-python-argcomplete chguard)"
And then
source ~/.bashrc
pre-commit
This project uses pre-commit to run automatic formatting and security checks before each commit (Black, Bandit, and various safety checks).
To enable it:
poetry install
poetry run pre-commit install
This ensures consistent formatting, catches common issues early, and keeps the codebase clean.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file chguard-0.2.2.tar.gz.
File metadata
- Download URL: chguard-0.2.2.tar.gz
- Upload date:
- Size: 22.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.8.4 CPython/3.13.11 Linux/6.17.13-200.fc42.x86_64
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
dc6b1e45384c4b41701d78cbc822982110bc46025fc3eb3c42d4dd247cf534cc
|
|
| MD5 |
4f1a52aaa45f79e13a431cf662fe1af0
|
|
| BLAKE2b-256 |
648d1468d58587a688b0c6f6fdd684dbbcbdb0e305e37ea064221113bcbe3749
|
File details
Details for the file chguard-0.2.2-py3-none-any.whl.
File metadata
- Download URL: chguard-0.2.2-py3-none-any.whl
- Upload date:
- Size: 22.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.8.4 CPython/3.13.11 Linux/6.17.13-200.fc42.x86_64
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3e14efe46e4a67a404c3d5411bc128dd12e6bac3555e262721501aed35be90bf
|
|
| MD5 |
a494c0e056c00ea48f56b3eb353d3eca
|
|
| BLAKE2b-256 |
f6f37e52f776e5508a86133409614a32fd8e8732ca1abe1fc59eb53e50a7eed8
|
