Date: Thu, 6 Sep 2012 00:34:54 +0000 From: Doug Sampson <dougs@dawnsign.com> To: 'Edward Tomasz Napierala' <trasz@freebsd.org> Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org> Subject: RE: NFSv4 ACL permissions setting Message-ID: <E6B2517F8D6DBF4CABB8F38ACA367E780CF4D126@Draco.dawnsign.com> In-Reply-To: <7ACB9DDC-7CF2-4521-9234-35BA6441D0B3@freebsd.org> References: <E6B2517F8D6DBF4CABB8F38ACA367E780CF4582E@Draco.dawnsign.com> <60FD2657-0D3C-4E6C-ABD0-652DA424D9A2@freebsd.org> <E6B2517F8D6DBF4CABB8F38ACA367E780CF4CFD1@Draco.dawnsign.com> <7ACB9DDC-7CF2-4521-9234-35BA6441D0B3@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> >>> #!/bin/sh
> >>> # run this script where you wish to effect the changes
> >>> # reset perms to default
> >>> find . -type d -print0 | xargs -0 setfacl -b *
> >>
> >> Why the asterisk? Also, using "-m" with NFSv4 ACLs is not a very good
> >> idea - it's supposed to work, but with NFSv4 ACLs the ordering does
> >> matter,
> >> and "-m" simply modifies the ACL entry in place, while the effect of
> the
> >> entry might depend e.g. on "deny" entries before it. Use "-a" instead.
> >>
> >
> > Forgive me- I am not particularly strong when it comes to shell
> scripting. I will modify so that the -a parameter is used instead of -m
> when setting new entries.
>
> Ok. It's simply a matter of replacing '-m' with '-a0'.
>
I did not realize that one could add a numeral to the "-a" parameter to indicate the desired order. I just did a 'man setfacl' and indeed it is described as such. Good to know!
Is there a preferred way of ordering? I.e. owner@ at line 0 followed by group@ at line 1 followed by everyone@ at line 2 then followed by the two groups described in my original mail (e.g. dsp-production & dsp-marketing)? Or is that totally dependent on how I want to structure the permissions so that the desired effect is achieved? For example like this:
dougs@dorado:/data# getfacl ADS-New/
# file: ADS-New/
# owner: root
# group: DSP-production
group:DSP-production:rwxpDdaARWcCos:fd----:allow
group:DSP-marketing:rwxpDdaARWcCos:fd----:allow
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:------a-R-c--s:------:allow
dougs@dorado:/data#
where anyone who is a member of the dsp-production group will ALWAYS have full_set permissions simply because that is indicated at line 0 and thus meets the test of line 0? Processing stops at line 0 as long as the user is a member of that group, right?
Does a user who does not belong to any of the groups indicated above and isn't an owner have the ability to modify the directory? I assume that would be the everyone@ group...
> Btw, the bug in setfacl(1) command has been fixed in HEAD and will
> be merged into STABLE in a month from now.
What exactly was the bug? Did I uncover it inadvertently?
> > What would you use in place of the asterisk when you want to apply the
> "setfacl -b" command to either all files or all directories? The period?
>
> Directories:
>
> find . -type d -print0 | xargs -0 setfacl -b
>
> Files:
>
> find . -type f -print0 | xargs -0 setfacl -b
>
> The whole point of xargs here is to take the list of files it gets from
> find
> and turn it into a series of arguments for setfacl. So, in the example
> above,
> the actual invocation of setfacl would read "setfacl -b first-file second-
> file"
> etc. With the asterisk, it would be "setfacl -b * first-file second-
> file";
> this means setfacl would modify not only the files passed by find, but
> also
> all the files in the current directory.
Ah, interesting.
I'm going to test the changes to the scripts. Thanks for the feedback.
~Doug
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E6B2517F8D6DBF4CABB8F38ACA367E780CF4D126>