Feature #45266

Add cloneacl CLI utility

Added by Andrew Walker over 2 years ago. Updated over 2 years ago.

No priority
Andrew Walker


Occasionally support and users get into a situation where they need to quickly set a complex ACL recursively on a share. Examples would be loss of idmap settings from winbindd_idmap.tdb, cleanup after data migration, previous mistakes in trying to set ACLs, etc.


cloneacl -s <source> -p <destination>. Sets the destination ACL to be the source ACL. Can also run cloneacl -p <destination>, in which case the destination's ACL is just pushed down to all subdirectories and files.

This will allow support to be able to use setfacl to fix ACLs at the root of a samba share (i.e. setfacl -m g:"domain admins":full_set:fd:allow,g:"domain users":modify_set:fd:allow,g:"marketing":rxaRc:fd:allow /mnt/dozer/share), then apply the ACL recursively via "cloneacl -p /mnt/dozer/share".


#1 Updated by Bug Clerk over 2 years ago

  • Status changed from Unscreened to In Progress

#2 Updated by Andrew Walker over 2 years ago

Master PR -

winacl in its original form could set the values of the owner@, group@, everyone@ ACEs while removing non-trivial ACEs (e.g. user:wilbur:rwxaRc:fd:allow). While this is useful, it is also limited. Recursively resetting ACLs on a samba share was still a multi-step process.

This adds a new action to winacl:
winacl -a clone -s source -p destination

It simply takes the ACL of the source file and applies it to the destination. If "-r" is used, then the action is recursive. If the "-v" flag is used it gives verbose output.

winacl -a clone -r -p destination

If no source is explicitly specified, then we use the ACL from the destination. This allows the following workflow for resetting the ACL on an existing samba share:
  1. setfacl <path/to/share> [fine-tune the ACL to get it exactly the way you want it].
  2. winacl -a clone -r -p <path/to/share> [once it's fine-tuned, apply ACL recursively]

This also introduces a new command, cloneacl, which is identical to winacl -a clone -r. It takes and presents fewer possible options/flags than winacl. This means that (2) above could also be written as cloneacl -p <path/to/share>.

root@FreeBSD11_samba:/usr/home/awalker # cloneacl
Usage: cloneacl [OPTIONS] ...
Where option is:
    -s <path>                    # source for ACL. If none specified then ACL taken from -p
    -p <path>                    # path to recursively set ACL
    -v                           # verbose

root@FreeBSD11_samba:/usr/home/awalker # winacl
Usage: winacl [OPTIONS] ...
Where option is:
    -a <append|clone|update|remove|reset>     # action to perform
    -o <owner permission>                # owner ACL entry
    -g <group permission>                # group ACL entry
    -e <everyone permission>             # everyone ACL entry
    -O <owner>                           # change owner
    -G <group>                           # change group
    -s <source>                          # source (if cloning ACL)
    -p <path>                            # path to set
    -i <index>                           # Index
    -f                                   # only set files
    -d                                   # only set directories
    -r                                   # recursive
    -v                                   # verbose
    -x                                   # remove DOSATTRIB EA
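
An added example, not part of the original ticket or the project's code: a read-only check to run after step 2 of the workflow above, listing every path whose ACL still differs from the share root. It assumes FreeBSD `getfacl -q` output; the names acl_norm, acl_drift and ACL_READER are hypothetical, and inheritance flags are ignored in the comparison because the ticket does not say how they are applied to files.

```sh
#!/bin/sh
# Added example: audit a share after a recursive ACL clone.
# ACL_READER (hypothetical name) is the command that prints one ACE per
# line for a path. Default: FreeBSD getfacl in quiet mode (no header).
: "${ACL_READER:=getfacl -q}"

# Print the ACL of $1 in a comparable form: leading alignment spaces are
# stripped and the inheritance-flags field (second to last, e.g. "fd-----")
# is replaced by "*". ACE order is kept because it is significant.
acl_norm() {
    $ACL_READER "$1" | awk -F: -v OFS=: '
        !/^#/ && NF >= 3 {
            sub(/^[ \t]+/, "")
            $(NF - 1) = "*"
            print
        }'
}

# Print every path under $1 whose normalized ACL differs from that of $1.
# Returns 2 if the root ACL cannot be read. Symlinks are skipped so the
# check never leaves the tree. Paths containing newlines are not supported.
acl_drift() {
    root=$1
    want=$(acl_norm "$root") || return 2
    [ -n "$want" ] || return 2
    find "$root" ! -type l | while IFS= read -r path; do
        [ "$(acl_norm "$path")" = "$want" ] || printf '%s\n' "$path"
    done
}

# Usage: sh acl_drift.sh /mnt/dozer/share
if [ $# -gt 0 ]; then
    acl_drift "$1"
fi
```

Empty output means every file and directory carries the same ACEs, in the same order, as the share root.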

#3 Updated by Dru Lavigne over 2 years ago

  • Assignee changed from Release Council to Andrew Walker
  • Target version changed from Backlog to 11.2-RC1

#4 Updated by Bug Clerk over 2 years ago

  • Status changed from In Progress to Ready for Testing

#5 Updated by Dru Lavigne over 2 years ago

  • Subject changed from Expand winacl functionality to allow recursively setting non-trivial ACLs to Add cloneacl CLI utility
  • Needs Merging changed from Yes to No

#7 Updated by Joe Maloney over 2 years ago

  • Status changed from Ready for Testing to Passed Testing
  • Needs QA changed from Yes to No

#8 Updated by Dru Lavigne over 2 years ago

  • Status changed from Passed Testing to Done
