Add cloneacl CLI utility
Occasionally support and users get into a situation where they need to quickly set a complex ACL recursively on a share. Examples would be loss of idmap settings from winbindd_idmap.tdb, cleanup after data migration, previous mistakes in trying to set ACLs, etc.
cloneacl -s <source> -p <destination>. Sets the destination ACL to be the source ACL. Can also run
cloneacl -p <destination>, in which case the destination's ACL is just pushed down to all subdirectories and files.
This will allow support to be able to use setfacl to fix ACLs at the root of a samba share (i.e.) setfacl -m g:"domain admins":full_set:fd:allow,g:"domain users":modify_set:fd:allow,g:"marketing":rxaRc:fd:allow /mnt/dozer/share, then apply the ACL recursively via "cloneacl -p /mnt/dozer/share".
#2 Updated by Andrew Walker about 2 years ago
Master PR - https://github.com/freenas/freenas/pull/1767/
winacl in its original form could set the values of the owner@, group@, everyone@ ACEs while removing non-trivial ACEs (e.g. user:wilbur:rwxaRc:fd:allow). While this is useful, it is also limited. Recursively resetting ACLs on a samba share was still a multi-step process.
This adds a new action to winacl:
winacl -a clone -s source -p destination
It simply takes the ACL of the source file and applies it to the destination. If "-r" is used, then the action is recursive. If the "-v" flag is used it gives verbose output.
winacl -a clone -r -p destination
If no source is explicitly specified, then we use the ACL from the destination. This allows the following workflow for resetting the ACL on an existing samba share:
- setfacl <path/to/share> [fine-tune the ACL to get it exactly the way you want it].
- winacl -a clone -r -p <path/to/share> [once it's fine-tuned, apply ACL recursively]
This also introduces a new command, cloneacl, which is identical to winacl -a clone -r. It takes and presents fewer possible options/flags than winacl. This means that (2) above could also be written as cloneacl -p <path/to/share>.

root@FreeBSD11_samba:/usr/home/awalker # cloneacl
Usage: cloneacl [OPTIONS] ...
Where option is:
    -s <path>    # source for ACL. If none specified then ACL taken from -p
    -p <path>    # path to recursively set ACL
    -v           # verbose

root@FreeBSD11_samba:/usr/home/awalker # winacl
Usage: winacl [OPTIONS] ...
Where option is:
    -a <append|clone|update|remove|reset>  # action to perform
    -o <owner permission>                  # owner ACL entry
    -g <group permission>                  # group ACL entry
    -e <everyone permission>               # everyone ACL entry
    -O <owner>                             # change owner
    -G <group>                             # change group
    -s <source>                            # source (if cloning ACL)
    -p <path>                              # path to set
    -i <index>                             # Index
    -f                                     # only set files
    -d                                     # only set directories
    -r                                     # recursive
    -v                                     # verbose
    -x                                     # remove DOSATTRIB EA
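
A read-only check to go with the workflow above, added here as an example (it is not part of the ticket or of winacl): it lists every path whose ACL differs from the share root's, which is what a recursive clone would overwrite or, run afterwards, what it missed. It assumes the `tag:[qualifier:]perms:flags:type` line format printed by FreeBSD's `getfacl -q` and, as a further assumption, ignores the inheritance-flags field so files are not reported only for lacking `fd`; `ACL_CMD`, `acl_norm` and `acl_diff_paths` are names introduced for this example.

```shell
#!/bin/sh
# Added example, not project code. ACL_CMD must print one path's ACL on
# stdout; the default assumes FreeBSD getfacl with header comments suppressed.
ACL_CMD="${ACL_CMD:-getfacl -q}"

# Print a path's ACL entries with the flags field (second to last) removed
# and surrounding whitespace trimmed, one entry per line, order preserved.
acl_norm() {
    $ACL_CMD "$1" 2>/dev/null | awk -F: '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and non-ACE lines
        {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            n = split($0, f, ":"); out = f[1]
            for (i = 2; i <= n; i++) if (i != n - 1) out = out ":" f[i]
            print out
        }'
}

# List paths below $1 whose normalized ACL differs from that of $1.
# Symlinks are skipped because the ACL command would follow them.
# Limitation: paths containing newlines are not handled.
acl_diff_paths() {
    root="$1"
    want="$(acl_norm "$root")"
    [ -n "$want" ] || { echo "cannot read ACL of $root" >&2; return 2; }
    find "$root" -mindepth 1 ! -type l -print | while IFS= read -r p; do
        [ "$(acl_norm "$p")" = "$want" ] || printf '%s\n' "$p"
    done
}
```

Running `acl_diff_paths /mnt/dozer/share` before the clone shows which custom ACLs are about to be replaced; empty output after the clone means every entry below the root matches it.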
#6 Updated by Dru Lavigne almost 2 years ago
- Needs Doc changed from Yes to No