RE: NFSv4 ACL permissions setting
Message written by Doug Sampson on 31 Aug 2012, at 01:42:

[..]

group:DSP-production:rwxpDdaARWcCos:fd:allow - group:DSP-production:rwxpDdaARWcCos:fd:allow -

This itself looks like a bug in setfacl(1). I'll look into it. However...

[..]

#!/bin/sh
# run this script where you wish to effect the changes
# reset perms to default
find . -type d -print0 | xargs -0 setfacl -b *

Why the asterisk? Also, using -m with NFSv4 ACLs is not a very good idea - it's supposed to work, but with NFSv4 ACLs the ordering does matter, and -m simply modifies the ACL entry in place, while the effect of the entry might depend e.g. on deny entries before it. Use -a instead.

Forgive me - I am not particularly strong when it comes to shell scripting. I will modify so that the -a parameter is used instead of -m when setting new entries.

What would you use in place of the asterisk when you want to apply the setfacl -b command to either all files or all directories? The period?

~Doug

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: NFSv4 ACL permissions setting
Message written by Doug Sampson on 6 Sep 2012, at 01:13:

Message written by Doug Sampson on 31 Aug 2012, at 01:42:

[..]

group:DSP-production:rwxpDdaARWcCos:fd:allow - group:DSP-production:rwxpDdaARWcCos:fd:allow -

This itself looks like a bug in setfacl(1). I'll look into it. However...

[..]

#!/bin/sh
# run this script where you wish to effect the changes
# reset perms to default
find . -type d -print0 | xargs -0 setfacl -b *

Why the asterisk? Also, using -m with NFSv4 ACLs is not a very good idea - it's supposed to work, but with NFSv4 ACLs the ordering does matter, and -m simply modifies the ACL entry in place, while the effect of the entry might depend e.g. on deny entries before it. Use -a instead.

Forgive me - I am not particularly strong when it comes to shell scripting. I will modify so that the -a parameter is used instead of -m when setting new entries.

Ok. It's simply a matter of replacing '-m' with '-a0'.

Btw, the bug in setfacl(1) command has been fixed in HEAD and will be merged into STABLE in a month from now.

What would you use in place of the asterisk when you want to apply the setfacl -b command to either all files or all directories? The period?

Directories:

find . -type d -print0 | xargs -0 setfacl -b

Files:

find . -type f -print0 | xargs -0 setfacl -b

The whole point of xargs here is to take the list of files it gets from find and turn it into a series of arguments for setfacl. So, in the example above, the actual invocation of setfacl would read setfacl -b first-file second-file etc. With the asterisk, it would be setfacl -b * first-file second-file; this means setfacl would modify not only the files passed by find, but also all the files in the current directory.

--
If you cut off my head, what would I say? Me and my head, or me and my body?
Re: NFSv4 ACL permissions setting
On Thu, 6 Sep 2012 01:20:38 +0200, Edward Tomasz Napierała wrote:

Message written by Doug Sampson on 6 Sep 2012, at 01:13:

Message written by Doug Sampson on 31 Aug 2012, at 01:42:

[..]

group:DSP-production:rwxpDdaARWcCos:fd:allow - group:DSP-production:rwxpDdaARWcCos:fd:allow -

This itself looks like a bug in setfacl(1). I'll look into it. However...

[..]

#!/bin/sh
# run this script where you wish to effect the changes
# reset perms to default
find . -type d -print0 | xargs -0 setfacl -b *

Why the asterisk? Also, using -m with NFSv4 ACLs is not a very good idea - it's supposed to work, but with NFSv4 ACLs the ordering does matter, and -m simply modifies the ACL entry in place, while the effect of the entry might depend e.g. on deny entries before it. Use -a instead.

Forgive me - I am not particularly strong when it comes to shell scripting. I will modify so that the -a parameter is used instead of -m when setting new entries.

Ok. It's simply a matter of replacing '-m' with '-a0'.

Btw, the bug in setfacl(1) command has been fixed in HEAD and will be merged into STABLE in a month from now.

What would you use in place of the asterisk when you want to apply the setfacl -b command to either all files or all directories? The period?

Directories:

find . -type d -print0 | xargs -0 setfacl -b

Files:

find . -type f -print0 | xargs -0 setfacl -b

The whole point of xargs here is to take the list of files it gets from find and turn it into a series of arguments for setfacl. So, in the example above, the actual invocation of setfacl would read setfacl -b first-file second-file etc. With the asterisk, it would be setfacl -b * first-file second-file; this means setfacl would modify not only the files passed by find, but also all the files in the current directory.

Note that the parameter lists constructed by xargs and passed to setfacl might grow quite long and possibly exceed the respective buffer. In that case, you could modify the command to process one result at a time:

# find . -type f -exec /bin/setfacl -b {} \;

for all files, and

# find . -type d -exec /bin/setfacl -b {} \;

for all directories. Not tested. :-)

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
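The effect of the stray asterisk discussed in the messages above, as an added example that is not part of the thread. It assumes `printf` as a harmless stand-in for `setfacl -b` and a constructed temporary tree, so each function returns the paths the real command would have been handed; `find ... -exec ... {} +` is shown as the batching counterpart of the one-at-a-time `\;` form.

```shell
#!/bin/sh
# Added example: what the stray '*' does to the argument list xargs builds.
# printf stands in for "setfacl -b" (assumption), so no ACL is changed; each
# function returns the paths the real command would have been handed.

make_tree() {                       # constructed sample tree
    d=$(mktemp -d) || return 1
    mkdir -p "$d/docs/old dir" "$d/src"
    : > "$d/notes.txt"
    : > "$d/docs/a file.txt"
    printf '%s\n' "$d"
}

# As posted: the shell expands '*' in the current directory before xargs runs,
# so those names are passed along with every batch that find supplies.
targets_with_asterisk() {
    ( cd "$1" && find . -type d -print0 | xargs -0 printf '%s\n' * | sort -u )
}

# Corrected: only the directories selected by find reach the command.
targets_xargs() {
    ( cd "$1" && find . -type d -print0 | xargs -0 printf '%s\n' | sort -u )
}

# find's own batching form; -exec ... {} \; would run once per path instead.
targets_exec_plus() {
    ( cd "$1" && find . -type d -exec printf '%s\n' {} + | sort -u )
}

tree=$(make_tree)
echo "with '*':";    targets_with_asterisk "$tree"
echo "without '*':"; targets_xargs "$tree"
echo "-exec {} +:";  targets_exec_plus "$tree"
rm -rf "$tree"
```

In the first listing `notes.txt` appears even though `find` was restricted to directories, because the shell expanded `*` before `xargs` started.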
RE: NFSv4 ACL permissions setting
#!/bin/sh
# run this script where you wish to effect the changes
# reset perms to default
find . -type d -print0 | xargs -0 setfacl -b *

Why the asterisk? Also, using -m with NFSv4 ACLs is not a very good idea - it's supposed to work, but with NFSv4 ACLs the ordering does matter, and -m simply modifies the ACL entry in place, while the effect of the entry might depend e.g. on deny entries before it. Use -a instead.

Forgive me - I am not particularly strong when it comes to shell scripting. I will modify so that the -a parameter is used instead of -m when setting new entries.

Ok. It's simply a matter of replacing '-m' with '-a0'.

I did not realize that one could add a numeral to the -a parameter to indicate the desired order. I just did a 'man setfacl' and indeed it is described as such. Good to know!

Is there a preferred way of ordering? I.e. owner@ at line 0 followed by group@ at line 1 followed by everyone@ at line 2 then followed by the two groups described in my original mail (e.g. dsp-production dsp-marketing)? Or is that totally dependent on how I want to structure the permissions so that the desired effect is achieved? For example like this:

dougs@dorado:/data# getfacl ADS-New/
# file: ADS-New/
# owner: root
# group: DSP-production
group:DSP-production:rwxpDdaARWcCos:fd:allow
group:DSP-marketing:rwxpDdaARWcCos:fd:allow
owner@:rwxpDdaARWcCos:fd:allow
group@:rwxpDdaARWcCos:fd:allow
everyone@:--a-R-c--s:--:allow
dougs@dorado:/data#

where anyone who is a member of the dsp-production group will ALWAYS have full_set permissions simply because that is indicated at line 0 and thus meets the test of line 0? Processing stops at line 0 as long as the user is a member of that group, right?

Does a user who does not belong to any of the groups indicated above and isn't an owner have the ability to modify the directory? I assume that would be the everyone@ group...

Btw, the bug in setfacl(1) command has been fixed in HEAD and will be merged into STABLE in a month from now.

What exactly was the bug? Did I uncover it inadvertently?

What would you use in place of the asterisk when you want to apply the setfacl -b command to either all files or all directories? The period?

Directories:

find . -type d -print0 | xargs -0 setfacl -b

Files:

find . -type f -print0 | xargs -0 setfacl -b

The whole point of xargs here is to take the list of files it gets from find and turn it into a series of arguments for setfacl. So, in the example above, the actual invocation of setfacl would read setfacl -b first-file second-file etc. With the asterisk, it would be setfacl -b * first-file second-file; this means setfacl would modify not only the files passed by find, but also all the files in the current directory.

Ah, interesting. I'm going to test the changes to the scripts. Thanks for the feedback.

~Doug
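The ordering questions in the message above, and the earlier advice to use -a rather than -m, both come down to how an NFSv4 ACL is walked entry by entry. The following added example (not from the thread, and not FreeBSD's own code) is a simplified model of that walk run over the ACL quoted above and over two constructed ACLs; the function name `acl_check`, the deny entries and the way principals are passed in are assumptions of the example.

```shell
#!/bin/sh
# Added example: simplified model of ordered NFSv4 ACL evaluation.
# Assumptions: the caller lists the principals the requester matches;
# inherit-only entries and owner/superuser overrides are not modelled.

# acl_check ACL PRINCIPALS WANTED -> prints "allow" or "deny"
acl_check() {
    who=" $2 " remaining=$3 verdict=
    while IFS=: read -r f1 f2 f3 f4 f5; do
        if [ -n "$f5" ]; then tag="$f1:$f2" perms=$f3 kind=$f5   # group:NAME:...
        else tag=$f1 perms=$f2 kind=$f4; fi                      # owner@, group@, everyone@
        case $who in *" $tag "*) ;; *) continue ;; esac
        mask=$(printf %s "$perms" | tr -d '-')   # '-' is a placeholder
        [ -n "$mask" ] || continue
        if [ "$kind" = deny ]; then
            # a deny covering a still-undecided bit ends the walk
            case $remaining in *[$mask]*) verdict=deny; break ;; esac
        else
            remaining=$(printf %s "$remaining" | tr -d "$mask")
            if [ -z "$remaining" ]; then verdict=allow; break; fi
        fi
    done <<EOF
$1
EOF
    echo "${verdict:-deny}"   # bits never granted count as denied
}

# ACL from the getfacl output quoted in the thread
ACL_PAGE='group:DSP-production:rwxpDdaARWcCos:fd:allow
group:DSP-marketing:rwxpDdaARWcCos:fd:allow
owner@:rwxpDdaARWcCos:fd:allow
group@:rwxpDdaARWcCos:fd:allow
everyone@:--a-R-c--s:--:allow'

# Constructed ACLs: the same two entries in both orders
DENY_FIRST='everyone@:-w------------:--:deny
group:DSP-production:rwxpDdaARWcCos:fd:allow'
ALLOW_FIRST='group:DSP-production:rwxpDdaARWcCos:fd:allow
everyone@:-w------------:--:deny'

member='group:DSP-production everyone@'
echo "member, rwx, page ACL:   $(acl_check "$ACL_PAGE" "$member" rwx)"
echo "outsider, w, page ACL:   $(acl_check "$ACL_PAGE" 'everyone@' w)"
echo "member, w, deny first:   $(acl_check "$DENY_FIRST" "$member" w)"
echo "member, w, allow first:  $(acl_check "$ALLOW_FIRST" "$member" w)"
```

The last two lines differ only in entry order, which is why the position an entry is added at (for example with `-a0`) decides the result.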
Re: NFSv4 ACL permissions setting
Message written by Doug Sampson on 31 Aug 2012, at 01:42:

[..]

group:DSP-production:rwxpDdaARWcCos:fd:allow - group:DSP-production:rwxpDdaARWcCos:fd:allow -

This itself looks like a bug in setfacl(1). I'll look into it. However...

[..]

#!/bin/sh
# run this script where you wish to effect the changes
# reset perms to default
find . -type d -print0 | xargs -0 setfacl -b *

Why the asterisk? Also, using -m with NFSv4 ACLs is not a very good idea - it's supposed to work, but with NFSv4 ACLs the ordering does matter, and -m simply modifies the ACL entry in place, while the effect of the entry might depend e.g. on deny entries before it. Use -a instead.

--
If you cut off my head, what would I say? Me and my head, or me and my body?