NFSv4 ACL permissions setting

Polytropon freebsd at edvax.de
Thu Sep 6 00:17:33 UTC 2012


On Thu, 6 Sep 2012 01:20:38 +0200, Edward Tomasz Napierała wrote:
> Message written by Doug Sampson on 6 Sep 2012, at 01:13:
> >> Message written by Doug Sampson on 31 Aug 2012, at 01:42:
> >> 
> >> [..]
> >> 
> >>> group:DSP-production:rwxpDdaARWcCos:fd----:allow               <<<<<-----
> >>> group:DSP-production:rwxpDdaARWcCos:fd----:allow               <<<<<-----
> >> 
> >> This itself looks like a bug in setfacl(1).  I'll look into it.
> >> However...
> >> 
> >> [..]
> >> 
> >>> #!/bin/sh
> >>> # run this script where you wish to effect the changes
> >>> # reset perms to default
> >>> find . -type d -print0 | xargs -0 setfacl -b *
> >> 
> >> Why the asterisk?  Also, using "-m" with NFSv4 ACLs is not a very good
> >> idea - it's supposed to work, but with NFSv4 ACLs the ordering does matter,
> >> and "-m" simply modifies the ACL entry in place, while the effect of the
> >> entry might depend e.g. on "deny" entries before it.  Use "-a" instead.
> >> 
> > 
> > Forgive me - I am not particularly strong when it comes to shell scripting. I will modify so that the -a parameter is used instead of -m when setting new entries.
> 
> Ok.  It's simply a matter of replacing '-m' with '-a0'.
> 
> Btw, the bug in setfacl(1) command has been fixed in HEAD and will
> be merged into STABLE in a month from now.
> 
> > What would you use in place of the asterisk when you want to apply the "setfacl -b" command to either all files or all directories? The period?
> 
> Directories:
> 
> find . -type d -print0 | xargs -0 setfacl -b
> 
> Files:
> 
> find . -type f -print0 | xargs -0 setfacl -b
> 
> The whole point of xargs here is to take the list of files it gets from find
> and turn it into a series of arguments for setfacl.  So, in the example above,
> the actual invocation of setfacl would read "setfacl -b first-file second-file"
> etc.  With the asterisk, it would be "setfacl -b * first-file second-file";
> this means setfacl would modify not only the files passed by find, but also
> all the files in the current directory.

Note that the parameter lists constructed by xargs and passed
to setfacl might grow quite long and possibly exceed the
respective buffer. In that case, you could modify the command
to process one result at a time:

	# find . -type f -exec /bin/setfacl -b {} \;

for all files, and

	# find . -type d -exec /bin/setfacl -b {} \;

for all directories. Not tested. :-)



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
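
An added example, not part of the original thread: a dry run that prints the argument list setfacl would receive from the "directories only" pipeline, with and without the trailing asterisk discussed above. `record_args` is a hypothetical stand-in for setfacl that only echoes its arguments, and the directory tree is constructed for the demonstration.

```shell
#!/bin/sh
# Dry run: show which paths "setfacl -b" would be handed, without changing ACLs.
# record_args (the $0 of the inline sh -c script) is a hypothetical stand-in
# for setfacl; it prints one argument per line.

# Build a small constructed tree: a directory with a space in its name,
# one top-level file and one nested file. Prints the tree root.
make_tree() {
    tree=$(mktemp -d) || return 1
    mkdir "$tree/sub dir"
    : > "$tree/top.txt"
    : > "$tree/sub dir/inner.txt"
    printf '%s\n' "$tree"
}

# Print the arguments the ACL command would get for "directories only".
# $1 = tree root; $2 = "glob" reproduces the original script's trailing "*".
dir_targets() {
    (
        cd "$1" || exit 1
        if [ "$2" = glob ]; then
            # The shell expands * before xargs runs, so every entry of the
            # current directory (files included) precedes find's results.
            find . -type d -print0 |
                xargs -0 sh -c 'printf "%s\n" "$@"' record_args *
        else
            # Only the NUL-separated paths selected by find are passed on.
            find . -type d -print0 |
                xargs -0 sh -c 'printf "%s\n" "$@"' record_args
        fi
    )
}

# Stand-alone demonstration on the constructed tree.
demo_root=$(make_tree) || exit 1
echo "without asterisk:"; dir_targets "$demo_root" plain
echo "with asterisk:";    dir_targets "$demo_root" glob
rm -rf "$demo_root"
```

Replacing the inline `sh -c` script with the real command turns either branch back into the pipelines quoted in the thread.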

