Edit : New version - https://bbs.archlinux.org/viewtopic.php?id=176379 (29/1/2014)
Hello everyone,
setfacl is very useful, but I find setting files individually very frustrating, especially when you have to set a lot of files/folders, and you might have to do it again after an update.
I discovered setfacl a while ago, but due to the above reason, I don't rely on it too much.
Recently, I came up with the idea of having a script process a config file of restrictions, hence the script and config file I want to share; I hope you find them useful.
There are basically two files: _setfacl.sh is the script, setfacl_file_list is the config.
_setfacl.sh has 582 lines, so I will just leave the pastebin link here: http://pastebin.com/Ls54eE8G
setfacl_file_list is a short one; nonetheless, here's the pastebin link: http://pastebin.com/1gP1NFTn
I will demonstrate the use of the script below.
Assume you put the two files in the same directory and chmod u+x _setfacl.sh, then run it
(_setfacl.sh will not execute the actual setfacl commands yet; currently it only shows the generated commands).
You will see the following:
$ ./_setfacl.sh
0 Warning
No config error detected
setfacl -m u:user2:--- file1
setfacl -m u:user3:--- file1
setfacl -m u:user4:--- file1
setfacl -m g:group2:--- file1
setfacl -m u:user2:rwx file2
setfacl -m u:user3:rwx file2
setfacl -m u:user4:rwx file2
setfacl -m g:group2:rwx file2
setfacl -x u:user2 file3
setfacl -x g:group1 file3
How does that work? Let's take a look at the config file, shall we?
# NO will change the action, '-m' to '-x'
# ALL implies all users/groups
# RESTRICT USER/GROUP and EXCLUDE USER/GROUP can be used once within one ACL block
# One ACL block = NO/RESTRICT...END
# In other words, ACL blocks must start with NO or RESTRICT and end with END
# RESTRICT, PERM and END must be present; NO and EXCLUDE are optional.
# PERM specifies the default permission for a single segment
# However, you can also specify it individually, as shown below (line 16)
# The script will ignore comments, empty lines or lines filled with spaces
RESTRICT USER ALL # The script will ignore inline comments as well, like this one
RESTRICT GROUP group2
EXCLUDE USER user1
PERM rwx
file1 --- # Here, --- replaces rwx, so file1 has permission of ---
file2
END
NO # Since this ACL block starts with NO, the generated operation
RESTRICT USER user2 # will be "setfacl -x ..." instead of "setfacl -m ..."
RESTRICT GROUP group1
PERM 5 # You can also use number instead of string to specify permission
file3
END
I think the comments inside it explain it pretty well, so I will only add explanations on top of those comments.
The number of warnings shown is the number of non-critical mistakes you have;
for instance, you have to specify an array of users and groups in _setfacl.sh,
and if you type in a user or a group which does not exist in those arrays, it will give you a warning, but it will not stop working.
Hence "No config error detected": no critical errors were detected, so it will process the config.
Since it continues to run, it generates the setfacl commands:
setfacl -m u:user2:--- file1
setfacl -m u:user3:--- file1
setfacl -m u:user4:--- file1
setfacl -m g:group2:--- file1
setfacl -m u:user2:rwx file2
setfacl -m u:user3:rwx file2
setfacl -m u:user4:rwx file2
setfacl -m g:group2:rwx file2
setfacl -x u:user2 file3
setfacl -x g:group1 file3
I will only examine the first ACL block here, just to demonstrate the logic of the config.
The first ACL block of the config (refer to the comments in the config file for the definition of an ACL block)
starts with "RESTRICT", so the setfacl option will be "-m".
"RESTRICT USER ALL": the array contains user1 to user4, so all are selected.
"RESTRICT GROUP group2": the array contains group1 and group2, so it accepts this input.
"EXCLUDE USER user1": here it removes user1 from the previous RESTRICT statement,
so you won't see "setfacl -m u:user1:--- file1" in the generated output,
but you will see "setfacl -m u:user2:--- file1" to "setfacl -m u:user4:--- file1".
file1 has an individually specified permission, hence "---" as the setfacl permission.
file2 doesn't have a specified permission, so it uses the default permission of the ACL block:
"PERM rwx" sets the default permission to "rwx" for this ACL block, so file2 gets "rwx" for its related permission.
The script will try to detect syntax/input errors, so feel free to make the config file incorrect and see how it reacts.
I spent two days on this script, so it's poorly documented and might lack certain features.
It may also contain bugs in the error detection.
Please let me know what you think about it or report any bugs.
Thank you for your time,
Darren
Edit: The script will handle normal file names, but further work is needed in case your config includes an asterisk (*) or your file name is "END". I am working on those and will clean up my script a bit while I'm at it. (14/12/2013)
Last edited by darrenldl (2014-01-28 18:09:08)
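The config-to-command mapping the post walks through (NO/RESTRICT/EXCLUDE/PERM/END blocks, ALL expansion, per-file permission overrides, octal PERM values, unknown names as warnings) as an added example in Python. This is not darrenldl's _setfacl.sh; the USERS and GROUPS arrays are assumed stand-ins for the arrays the post says live inside the script, and the sample config is copied from the post. Two things go beyond the post's output and are my choices: each command is built as an argv list and passed to setfacl with a "--" separator, so a path that starts with "-" or contains shell metacharacters cannot be misread as an option or expanded by a shell, and a file literally named END can be written as ./END, which sidesteps the terminator clash the edit mentions.

```python
"""Parse a _setfacl.sh-style config and emit setfacl commands (added example)."""
import shlex
import subprocess

# Assumed: the user/group arrays the post says are defined inside _setfacl.sh.
USERS = ["user1", "user2", "user3", "user4"]
GROUPS = ["group1", "group2"]

# Constructed from the post's setfacl_file_list (comments kept to show they are ignored).
SAMPLE_CONFIG = """\
RESTRICT USER ALL # inline comment
RESTRICT GROUP group2
EXCLUDE USER user1
PERM rwx
file1 --- # --- overrides rwx for file1 only
file2
END
NO
RESTRICT USER user2
RESTRICT GROUP group1
PERM 5 # a single octal digit is accepted as well
file3
END
"""


def normalize_perm(tok):
    """Accept rwx/r-x/--- style or a single octal digit (PERM 5 -> r-x)."""
    if len(tok) == 1 and tok in "01234567":
        n = int(tok)
        return "".join(c if n & bit else "-" for c, bit in (("r", 4), ("w", 2), ("x", 1)))
    if len(tok) == 3 and all(c in "rwx-" for c in tok):
        return tok
    raise ValueError(f"bad permission {tok!r}")


def _new_block():
    return {"action": "-m", "users": [], "groups": [], "excl_users": [],
            "excl_groups": [], "perm": None, "files": []}


def parse_config(text, users=USERS, groups=GROUPS):
    """Return (warnings, commands); each command is an argv list, never a shell string."""
    warnings, commands, block = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments, blank and space-only lines
        if not line:
            continue
        parts = line.split()
        key = parts[0]
        if block is None:
            if key not in ("NO", "RESTRICT"):
                raise ValueError(f"line {lineno}: ACL block must start with NO or RESTRICT")
            block = _new_block()
        if key == "NO":
            block["action"] = "-x"                # NO turns "setfacl -m" into "setfacl -x"
        elif key in ("RESTRICT", "EXCLUDE"):
            if len(parts) < 3 or parts[1] not in ("USER", "GROUP"):
                raise ValueError(f"line {lineno}: expected {key} USER|GROUP name...")
            kind, names = parts[1], parts[2:]
            pool = users if kind == "USER" else groups
            if names == ["ALL"]:
                names = list(pool)
            for name in names:                    # unknown names are a warning, not an error
                if name not in pool:
                    warnings.append(f"line {lineno}: unknown {kind.lower()} {name!r}")
            target = ("excl_" if key == "EXCLUDE" else "") + ("users" if kind == "USER" else "groups")
            block[target].extend(names)
        elif key == "PERM":
            if len(parts) != 2:
                raise ValueError(f"line {lineno}: PERM takes exactly one value")
            block["perm"] = normalize_perm(parts[1])
        elif key == "END":                        # a file literally named END: write ./END
            commands.extend(_emit(block, lineno))
            block = None
        else:                                     # "path [perm]"; per-file perm overrides PERM
            perm = normalize_perm(parts[1]) if len(parts) > 1 else None
            block["files"].append((parts[0], perm))
    if block is not None:
        raise ValueError("last ACL block is missing END")
    return warnings, commands


def _emit(block, lineno):
    if block["perm"] is None:
        raise ValueError(f"line {lineno}: block ended without PERM")
    action, out = block["action"], []
    for path, file_perm in block["files"]:
        perm = file_perm or block["perm"]
        entries = [("u", u) for u in block["users"] if u not in block["excl_users"]]
        entries += [("g", g) for g in block["groups"] if g not in block["excl_groups"]]
        for tag, name in entries:
            spec = f"{tag}:{name}" if action == "-x" else f"{tag}:{name}:{perm}"
            # "--" stops a path such as "-rf" or "--version" from being parsed as an option
            out.append(["setfacl", action, spec, "--", path])
    return out


def render(commands):
    """Dry-run view, one shell-quoted line per command (quoting handles odd file names)."""
    return [shlex.join(argv) for argv in commands]


def apply(commands):
    """Execute for real: argv lists with no shell, so file names cannot inject commands."""
    for argv in commands:
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    warns, cmds = parse_config(SAMPLE_CONFIG)
    print(f"{len(warns)} Warning")
    for w in warns:
        print("  " + w)
    print("\n".join(render(cmds)))
```

Run as-is it prints the same ten commands the post shows (plus the "--" separator); swap the final print for apply(cmds) once the dry run looks right. The warning path is exercised by naming a user that is not in USERS: parsing still succeeds and the command is still generated, matching the post's description of warnings as non-critical.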