NFSv4 ACL permissions setting

Doug Sampson dougs at dawnsign.com
Thu Sep 6 00:34:56 UTC 2012 

> >>> #!/bin/sh
> >>> # run this script where you wish to effect the changes
> >>> # reset perms to default
> >>> find . -type d -print0 | xargs -0 setfacl -b *
> >>
> >> Why the asterisk?  Also, using "-m" with NFSv4 ACLs is not a very good
> >> idea - it's supposed to work, but with NFSv4 ACLs the ordering does
> >> matter,
> >> and "-m" simply modifies the ACL entry in place, while the effect of
> the
> >> entry might depend e.g. on "deny" entries before it.  Use "-a" instead.
> >>
> >
> > Forgive me- I am not particularly strong when it comes to shell
> scripting. I will modify so that the -a parameter is used instead of -m
> when setting new entries.
> 
> Ok.  It's simply a matter of replacing '-m' with '-a0'.
> 

I did not realize that one could add a numeral to the "-a" parameter to indicate the desired order. I just did a 'man setfacl' and indeed it is described as such. Good to know!

Is there a preferred way of ordering? I.e. owner@ at line 0 followed by group@ at line 1 followed by everyone@ at line 2 then followed by the two groups described in my original mail (e.g. dsp-production & dsp-marketing)? Or is that totally dependent on how I want to structure the permissions so that the desired effect is achieved? For example like this:

dougs at dorado:/data# getfacl ADS-New/
# file: ADS-New/
# owner: root
# group: DSP-production
group:DSP-production:rwxpDdaARWcCos:fd----:allow
group:DSP-marketing:rwxpDdaARWcCos:fd----:allow
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:------a-R-c--s:------:allow
dougs at dorado:/data#

where anyone who is a member of the dsp-production group will ALWAYS have full_set permissions simply because that is indicated at line 0 and thus meets the test of line 0? Processing stops at line 0 as long as the user is a member of that group, right?

Does a user who does not belong to any of the groups indicated above and isn't an owner have the ability to modify the directory? I assume that would be the everyone@ group...

> Btw, the bug in setfacl(1) command has been fixed in HEAD and will
> be merged into STABLE in a month from now.

What exactly was the bug? Did I uncover it inadvertently?

> > What would you use in place of the asterisk when you want to apply the
> "setfacl -b" command to either all files or all directories? The period?
> 
> Directories:
> 
> find . -type d -print0 | xargs -0 setfacl -b
> 
> Files:
> 
> find . -type f -print0 | xargs -0 setfacl -b
> 
> The whole point of xargs here is to take the list of files it gets from
> find
> and turn it into a series of arguments for setfacl.  So, in the example
> above,
> the actual invocation of setfacl would read "setfacl -b first-file second-
> file"
> etc.  With the asterisk, it would be "setfacl -b * first-file second-
> file";
> this means setfacl would modify not only the files passed by find, but
> also
> all the files in the current directory.

Ah, interesting.

I'm going to test the changes to the scripts. Thanks for the feedback.


~Doug

More information about the freebsd-questions mailing list