Setting ACLs recursively - howto?

Greetings,


I was just wondering if I can set or list ACLs recursively on specific
directories? Could find an easy answer to this in the man pages or on the internet.

I couldn't find the usual '-R' option for setfacl.
Is there another way to do this; if possible easily? I'm using ACLs on UFS, not on NFSv4.

The only way I found was this:
# find . -type f -exec setfacl -m xxx {} \;
or
# find . -type d -exec setfacl -d -m u::,g::,o::,g:rrr:rwx {} \;

The reason I want to be able to do this is because ACL permissions are only inherited while copying a file to a directory that has this set already. When moving files, permissions will not be set automatically, obviously. Copying large files takes a long time. I use ACL permissions on FreeBSD9 for my NAS system. Various directories are shared for DLNA purposes, for example. The miniDLNA program user needs user rights on the files shared. I don't want to run miniDLNA as root; by default it's using 'dlna' on FreeBSD.

Thanks,
Conzales
 
Conzales said:
The reason I want to be able to do this is because ACL permissions are only inherited while copying a file to a directory that has this set already. When moving files permissions will not be set automatically obviously. Copying large files takes a long time.

One way would be to create hardlinks instead of copies. But this only works if both are on the same filesystem.

# ln /path/to/original/file /path/to/copy
 
Thanks for the quick answer.

That would be possible; files are on the same filesystem. However that would get messy very quickly, because I don't want all the files I download for example to show up in the shared directories. As I understand your answer, creating a link will set file permissions?
 
Conzales said:
As I understand your answer, creating a link will set file permissions?
Yes, as it's basically a 'new' file. Moving files doesn't change the permissions because only the reference to the file is moved.
 
Sorry for resurrecting this, but I haven't found a good solution anywhere else and this is one of the top hits when searching this topic.

Based on my limited understanding, there are multiple problems with the find/exec approach:
1.) Although you can add new ACLs, you can't easily remove them (assuming variable existing ACLs).
2.) You can't bulk-add multiple ACLs (setfacl -a is only good for one at a time): you can only bulk-modify them (setfacl -M).

These combine to give two problem areas:
1.) Even via root, it's a slow multi-step process to bulk-wipe ACLs (chmod then setfacl -b) and then replace them with new ones.
2.) A user without root can't trivially write a new set of ACLs: a bulk remove-then-write (itself inefficient) could end up locking themselves out.

I wrote a script to get around this by calling setfacl multiple times, but it seems like a really inefficient approach:
1.) Use getfacl to find the permissions that will be removed.
2.) Give a new ACL via setfacl -a 0.
3.) Add new ACLs one ACE at a time via setfacl -a 0.
4.) Remove the old ACL (from step #1).
5.) Remove the temp ACL entry from step #2.

This has the advantage of never denying access to the user even momentarily, but it's a lot of looping and calling setfacl repeatedly: there must be a better way! Does anyone have any ideas?
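
Added example, not code from any poster in this thread: the two find/setfacl commands from the first post wrapped in one function that can be re-run on a tree after files are moved into it, so a service account such as 'dlna' gets read access without the daemon running as root. The function name apply_acl_tree, the SETFACL override variable and the ACL entries in the usage comment are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: re-apply one ACL policy to a whole tree (e.g. after mv).
# Set SETFACL="echo setfacl" for a dry run that only prints the commands.

# apply_acl_tree ROOT FILE_ENTRIES DIR_ENTRIES DEFAULT_ENTRIES
#   FILE_ENTRIES    access ACL entries for regular files
#   DIR_ENTRIES     access ACL entries for directories (x is needed to traverse)
#   DEFAULT_ENTRIES default ACL for directories, inherited by files copied in later
apply_acl_tree() {
    root=$1 file_acl=$2 dir_acl=$3 default_acl=$4
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # "-exec ... {} +" batches many paths into each setfacl call and passes
    # every path as its own argument, so names with spaces are handled.
    # -type f / -type d never match symbolic links, so a link inside the
    # tree cannot redirect the change to a file outside it.
    find "$root" -type f -exec ${SETFACL:-setfacl} -m "$file_acl" {} + &&
    find "$root" -type d -exec ${SETFACL:-setfacl} -m "$dir_acl" {} + &&
    find "$root" -type d -exec ${SETFACL:-setfacl} -d -m "$default_acl" {} +
}

# Usage with constructed values (path and entries are placeholders):
#   apply_acl_tree /nas/media 'u:dlna:r--' 'u:dlna:r-x' \
#       'u::rwx,g::r-x,o::---,u:dlna:r-x'
```

Run it once with SETFACL="echo setfacl" and read the printed commands before applying them for real.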
 