Feature #45266

Add cloneacl CLI utility

Added by Andrew Walker about 2 years ago. Updated almost 2 years ago.

Status: Done
Priority: No priority
Assignee: Andrew Walker
Category: Services
Target version:
Estimated time:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: No
Needs Doc: No
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:

Description

Occasionally support and users get into a situation where they need to quickly set a complex ACL recursively on a share. Examples would be loss of idmap settings from winbindd_idmap.tdb, cleanup after data migration, previous mistakes in trying to set ACLs, etc.

Usage:

cloneacl -s <source> -p <destination>

Sets the destination ACL to be the source ACL. Can also run

cloneacl -p <destination>

in which case the destination's ACL is just pushed down to all subdirectories and files.

This will allow support to be able to use setfacl to fix ACLs at the root of a samba share (i.e.) setfacl -m g:"domain admins":full_set:fd:allow,g:"domain users":modify_set:fd:allow,g:"marketing":rxaRc:fd:allow /mnt/dozer/share, then apply the ACL recursively via "cloneacl -p /mnt/dozer/share".

History

#1 Updated by Bug Clerk about 2 years ago

  • Status changed from Unscreened to In Progress

#2 Updated by Andrew Walker about 2 years ago

Master PR - https://github.com/freenas/freenas/pull/1767/

winacl in its original form could set the values of the owner@, group@, everyone@ ACEs while removing non-trivial ACEs (e.g. user:wilbur:rwxaRc:fd:allow). While this is useful, it is also limited. Recursively resetting ACLs on a samba share was still a multi-step process.

This adds a new action to winacl:
winacl -a clone -s source -p destination

It simply takes the ACL of the source file and applies it to the destination. If "-r" is used, then the action is recursive. If the "-v" flag is used it gives verbose output.

winacl -a clone -r -p destination

If no source is explicitly specified, then we use the ACL from the destination. This allows the following workflow for resetting the ACL on an existing samba share:
  1. setfacl <path/to/share> [fine-tune the ACL to get it exactly the way you want it].
  2. winacl -a clone -r -p <path/to/share> [once it's fine-tuned, apply ACL recursively]

This also introduces a new command, cloneacl, which is identical to winacl -a clone -r. It takes and presents fewer possible options/flags than winacl. This means that (2) above could also be written as cloneacl -p <path/to/share>.

root@FreeBSD11_samba:/usr/home/awalker # cloneacl
Usage: cloneacl [OPTIONS] ...
Where option is:
    -s <path>                    # source for ACL. If none specified then ACL taken from -p
    -p <path>                    # path to recursively set ACL
    -v                           # verbose

vs.
root@FreeBSD11_samba:/usr/home/awalker # winacl
Usage: winacl [OPTIONS] ...
Where option is:
    -a <append|clone|update|remove|reset>     # action to perform
    -o <owner permission>                # owner ACL entry
    -g <group permission>                # group ACL entry
    -e <everyone permission>             # everyone ACL entry
    -O <owner>                           # change owner
    -G <group>                           # change group
    -s <source>                          # source (if cloning ACL)
    -p <path>                            # path to set
    -i <index>                           # Index
    -f                                   # only set files
    -d                                   # only set directories
    -r                                   # recursive
    -v                                   # verbose
    -x                                   # remove DOSATTRIB EA
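
A follow-up check for the reset workflow described above, as an added example that is not part of the original ticket or the FreeNAS code: after a recursive clone, list every directory under the share whose ACL still differs from the share root. acl_drift is a hypothetical helper name; it assumes FreeBSD's getfacl, that a cloned directory's ACL text is identical to the source's, and it compares directories only because the fd inheritance flags in the ticket's example ACL apply to directories.

```sh
#!/bin/sh
# Added example (not from the ticket or FreeNAS). acl_drift is a hypothetical helper.
# Workflow from the ticket, followed by the check:
#   setfacl -m ... /mnt/dozer/share
#   cloneacl -p /mnt/dozer/share
#   acl_drift /mnt/dozer/share /mnt/dozer/share
#
# acl_drift REF ROOT
#   Prints "differs: DIR" for every directory under ROOT whose ACL text is not
#   identical to REF's, and "unreadable: DIR" where the ACL cannot be read.
#   Exit status: 0 = no drift, 1 = drift found, 2 = REF's ACL could not be read.
#   Assumptions: FreeBSD getfacl (-q drops the commented file/owner header) and
#   path names without embedded newlines.
acl_drift() {
    ref=$1
    root=$2
    # ACL text every directory is expected to carry after the clone.
    want=$(getfacl -q "$ref") || return 2
    # Collect findings in a subshell so the result survives the pipeline.
    drift_out=$(
        find "$root" -type d | while IFS= read -r dir; do
            if have=$(getfacl -q "$dir" 2>/dev/null); then
                [ "$have" = "$want" ] || printf 'differs: %s\n' "$dir"
            else
                printf 'unreadable: %s\n' "$dir"
            fi
        done
    )
    [ -z "$drift_out" ] && return 0
    printf '%s\n' "$drift_out"
    return 1
}
```

A non-zero exit with "differs:" lines means the recursive clone did not reach those directories, or something changed them afterwards.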

#3 Updated by Dru Lavigne about 2 years ago

  • Assignee changed from Release Council to Andrew Walker
  • Target version changed from Backlog to 11.2-RC1

#4 Updated by Bug Clerk almost 2 years ago

  • Status changed from In Progress to Ready for Testing

#5 Updated by Dru Lavigne almost 2 years ago

  • Subject changed from Expand winacl functionality to allow recursively setting non-trivial ACLs to Add cloneacl CLI utility
  • Needs Merging changed from Yes to No

#7 Updated by Joe Maloney almost 2 years ago

  • Status changed from Ready for Testing to Passed Testing
  • Needs QA changed from Yes to No

#8 Updated by Dru Lavigne almost 2 years ago

  • Status changed from Passed Testing to Done
