NFSv4 ACL permissions setting
dougs at dawnsign.com
Thu Sep 6 00:34:56 UTC 2012
> >>> #!/bin/sh
> >>> # run this script where you wish to effect the changes
> >>> # reset perms to default
> >>> find . -type d -print0 | xargs -0 setfacl -b *
> >> Why the asterisk? Also, using "-m" with NFSv4 ACLs is not a very good
> >> idea - it's supposed to work, but with NFSv4 ACLs the ordering does
> >> matter,
> >> and "-m" simply modifies the ACL entry in place, while the effect of
> >> entry might depend e.g. on "deny" entries before it. Use "-a" instead.
> > Forgive me- I am not particularly strong when it comes to shell
> scripting. I will modify so that the -a parameter is used instead of -m
> when setting new entries.
> Ok. It's simply a matter of replacing '-m' with '-a0'.
I did not realize that one could add a numeral to the "-a" parameter to indicate the desired order. I just did a 'man setfacl' and indeed it is described as such. Good to know!
Is there a preferred way of ordering? I.e. owner@ at line 0 followed by group@ at line 1 followed by everyone@ at line 2 then followed by the two groups described in my original mail (e.g. dsp-production & dsp-marketing)? Or is that totally dependent on how I want to structure the permissions so that the desired effect is achieved? For example like this:
dougs at dorado:/data# getfacl ADS-New/
# file: ADS-New/
# owner: root
# group: DSP-production
dougs at dorado:/data#
where anyone who is a member of the dsp-production group will ALWAYS have full_set permissions simply because that is indicated at line 0 and thus meets the test of line 0? Processing stops at line 0 as long as the user is a member of that group, right?
Does a user who does not belong to any of the groups indicated above and isn't an owner have the ability to modify the directory? I assume that would be the everyone@ group...
> Btw, the bug in setfacl(1) command has been fixed in HEAD and will
> be merged into STABLE in a month from now.
What exactly was the bug? Did I uncover it inadvertently?
> > What would you use in place of the asterisk when you want to apply the
> "setfacl -b" command to either all files or all directories? The period?
> find . -type d -print0 | xargs -0 setfacl -b
> find . -type f -print0 | xargs -0 setfacl -b
> The whole point of xargs here is to take the list of files it gets from
> and turn it into a series of arguments for setfacl. So, in the example
> the actual invocation of setfacl would read "setfacl -b first-file second-
> etc. With the asterisk, it would be "setfacl -b * first-file second-
> this means setfacl would modify not only the files passed by find, but
> all the files in the current directory.
I'm going to test the changes to the scripts. Thanks for the feedback.
More information about the freebsd-questions