Merge pull request #760 from 4nd3r/__acl_improvements
__acl improvements
This commit is contained in:
commit
e32982a648
6 changed files with 169 additions and 38 deletions
|
@ -18,9 +18,14 @@
|
||||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
#
|
#
|
||||||
|
|
||||||
if [ -e "/$__object_id" ]
|
[ ! -e "/$__object_id" ] && exit 0
|
||||||
|
|
||||||
|
if ! command -v getfacl > /dev/null
|
||||||
then
|
then
|
||||||
getfacl "/$__object_id" 2>/dev/null \
|
echo 'getfacl not available' >&2
|
||||||
| grep -E '^((default:)?(user|group):[^:]|(default:)?mask::)' \
|
exit 1
|
||||||
|| true
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
getfacl "/$__object_id" 2>/dev/null \
|
||||||
|
| grep -Eo '^(default:)?(user|group|(mask|other):):[^:][[:graph:]]+' \
|
||||||
|
|| true
|
||||||
|
|
31
cdist/conf/type/__acl/explorer/file_is
Executable file
31
cdist/conf/type/__acl/explorer/file_is
Executable file
|
@ -0,0 +1,31 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
#
|
||||||
|
# 2018 Ander Punnar (ander-at-kvlt-dot-ee)
|
||||||
|
#
|
||||||
|
# This file is part of cdist.
|
||||||
|
#
|
||||||
|
# cdist is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# cdist is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
|
||||||
|
if [ -e "/$__object_id" ]
|
||||||
|
then
|
||||||
|
if [ -d "/$__object_id" ]
|
||||||
|
then echo directory
|
||||||
|
elif [ -f "/$__object_id" ]
|
||||||
|
then echo regular
|
||||||
|
else echo other
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo missing
|
||||||
|
fi
|
47
cdist/conf/type/__acl/explorer/missing_users_groups
Executable file
47
cdist/conf/type/__acl/explorer/missing_users_groups
Executable file
|
@ -0,0 +1,47 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
#
|
||||||
|
# 2019 Ander Punnar (ander-at-kvlt-dot-ee)
|
||||||
|
#
|
||||||
|
# This file is part of cdist.
|
||||||
|
#
|
||||||
|
# cdist is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# cdist is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
|
||||||
|
[ ! -e "/$__object_id" ] && exit 0
|
||||||
|
|
||||||
|
for parameter in user group
|
||||||
|
do
|
||||||
|
if [ ! -f "$__object/parameter/$parameter" ]
|
||||||
|
then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
while read -r acl
|
||||||
|
do
|
||||||
|
check="$( echo "$acl" | awk -F: '{print $1}' )"
|
||||||
|
|
||||||
|
if [ "$parameter" = 'user' ]
|
||||||
|
then
|
||||||
|
getent_db=passwd
|
||||||
|
else
|
||||||
|
getent_db="$parameter"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! getent "$getent_db" "$check" > /dev/null
|
||||||
|
then
|
||||||
|
echo "missing $parameter '$check'"
|
||||||
|
fi
|
||||||
|
done \
|
||||||
|
< "$__object/parameter/$parameter"
|
||||||
|
done
|
|
@ -18,43 +18,61 @@
|
||||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
#
|
#
|
||||||
|
|
||||||
os="$( cat "$__global/explorer/os" )"
|
file_is="$( cat "$__object/explorer/file_is" )"
|
||||||
|
|
||||||
acl_path="/$__object_id"
|
[ "$file_is" = 'missing' ] && exit 0
|
||||||
|
|
||||||
|
missing_users_groups="$( cat "$__object/explorer/missing_users_groups" )"
|
||||||
|
|
||||||
|
if [ -n "$missing_users_groups" ]
|
||||||
|
then
|
||||||
|
echo "$missing_users_groups" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
os="$( cat "$__global/explorer/os" )"
|
||||||
|
|
||||||
acl_is="$( cat "$__object/explorer/acl_is" )"
|
acl_is="$( cat "$__object/explorer/acl_is" )"
|
||||||
|
|
||||||
acl_should="$( for parameter in user group
|
acl_path="/$__object_id"
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/default" ] && [ "$file_is" = 'directory' ]
|
||||||
|
then
|
||||||
|
set_default=1
|
||||||
|
else
|
||||||
|
set_default=0
|
||||||
|
fi
|
||||||
|
|
||||||
|
acl_should="$( for parameter in user group mask other
|
||||||
do
|
do
|
||||||
if [ ! -f "$__object/parameter/$parameter" ]
|
if [ ! -f "$__object/parameter/$parameter" ]
|
||||||
then continue
|
|
||||||
fi
|
|
||||||
while read -r l
|
|
||||||
do
|
|
||||||
echo "$parameter:$l"
|
|
||||||
|
|
||||||
if [ -f "$__object/parameter/default" ]
|
|
||||||
then echo "default:$parameter:$l"
|
|
||||||
fi
|
|
||||||
done < "$__object/parameter/$parameter"
|
|
||||||
done
|
|
||||||
if [ -f "$__object/parameter/mask" ]
|
|
||||||
then
|
then
|
||||||
l=$( cat "$__object/parameter/mask" )
|
continue
|
||||||
|
|
||||||
echo "mask::$l"
|
|
||||||
|
|
||||||
if [ -f "$__object/parameter/default" ]
|
|
||||||
then echo "default:mask::$l"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
while read -r acl
|
||||||
|
do
|
||||||
|
if echo "$acl" | awk -F: '{ print $NF }' | grep -Fq 'X'
|
||||||
|
then
|
||||||
|
[ "$file_is" = 'directory' ] && rep=x || rep=-
|
||||||
|
|
||||||
|
acl="$( echo "$acl" | sed "s/\(.*\)X/\1$rep/" )"
|
||||||
fi
|
fi
|
||||||
)"
|
|
||||||
|
echo "$parameter" | grep -Eq '(mask|other)' && sep=:: || sep=:
|
||||||
|
|
||||||
|
echo "$parameter$sep$acl"
|
||||||
|
|
||||||
|
[ "$set_default" = '1' ] && echo "default:$parameter$sep$acl"
|
||||||
|
done \
|
||||||
|
< "$__object/parameter/$parameter"
|
||||||
|
done )"
|
||||||
|
|
||||||
setfacl_exec='setfacl'
|
setfacl_exec='setfacl'
|
||||||
|
|
||||||
if [ -f "$__object/parameter/recursive" ]
|
if [ -f "$__object/parameter/recursive" ]
|
||||||
then
|
then
|
||||||
if echo "$os" | grep -Eq 'macosx|netbsd|freebsd|openbsd'
|
if echo "$os" | grep -Eq 'macosx|freebsd'
|
||||||
then
|
then
|
||||||
echo "$os setfacl do not support recursive operations" >&2
|
echo "$os setfacl do not support recursive operations" >&2
|
||||||
else
|
else
|
||||||
|
@ -73,13 +91,23 @@ then
|
||||||
else
|
else
|
||||||
echo "$acl_is" | while read -r acl
|
echo "$acl_is" | while read -r acl
|
||||||
do
|
do
|
||||||
if echo "$acl_should" | grep -Fq "$acl"
|
# Skip wanted ACL entries which already exist
|
||||||
|
# and skip mask and other entries, because we
|
||||||
|
# can't actually remove them, but only change.
|
||||||
|
if echo "$acl_should" | grep -Eq "^$acl" \
|
||||||
|
|| echo "$acl" | grep -Eq '^(default:)?(mask|other)'
|
||||||
then continue
|
then continue
|
||||||
fi
|
fi
|
||||||
|
|
||||||
no_bits="$( echo "$acl" | sed -r 's/:[rwx-]+$//' )"
|
if echo "$os" | grep -Eq 'macosx|freebsd'
|
||||||
|
then
|
||||||
|
remove="$acl"
|
||||||
|
else
|
||||||
|
remove="$( echo "$acl" | sed 's/:...$//' )"
|
||||||
|
fi
|
||||||
|
|
||||||
echo "$setfacl_exec -x \"$no_bits\" \"$acl_path\""
|
echo "$setfacl_exec -x \"$remove\" \"$acl_path\""
|
||||||
|
echo "removed '$remove'" >> "$__messages_out"
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -87,6 +115,14 @@ fi
|
||||||
for acl in $acl_should
|
for acl in $acl_should
|
||||||
do
|
do
|
||||||
if ! echo "$acl_is" | grep -Eq "^$acl"
|
if ! echo "$acl_is" | grep -Eq "^$acl"
|
||||||
then echo "$setfacl_exec -m \"$acl\" \"$acl_path\""
|
then
|
||||||
|
if echo "$os" | grep -Eq 'macosx|freebsd' \
|
||||||
|
&& echo "$acl" | grep -Eq '^default:'
|
||||||
|
then
|
||||||
|
echo "setting default ACL in $os is currently not supported. sorry :(" >&2
|
||||||
|
else
|
||||||
|
echo "$setfacl_exec -m \"$acl\" \"$acl_path\""
|
||||||
|
echo "added '$acl'" >> "$__messages_out"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
|
@ -3,20 +3,20 @@ cdist-type__acl(7)
|
||||||
|
|
||||||
NAME
|
NAME
|
||||||
----
|
----
|
||||||
cdist-type__acl - Basic wrapper around `setfacl`
|
cdist-type__acl - Set ACL entries
|
||||||
|
|
||||||
|
|
||||||
DESCRIPTION
|
DESCRIPTION
|
||||||
-----------
|
-----------
|
||||||
ACL must be defined as 3-symbol combination, using `r`, `w`, `x` and `-`.
|
ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``.
|
||||||
|
|
||||||
See setfacl(1) and acl(5) for more details.
|
Fully supported on Linux (tested on Debian and CentOS).
|
||||||
|
|
||||||
|
Partial support for FreeBSD, OSX and Solaris.
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
OpenBSD and NetBSD support is not possible.
|
||||||
-------------------
|
|
||||||
mask
|
See ``setfacl`` and ``acl`` manpages for more details.
|
||||||
Add mask ACL entry.
|
|
||||||
|
|
||||||
|
|
||||||
OPTIONAL MULTIPLE PARAMETERS
|
OPTIONAL MULTIPLE PARAMETERS
|
||||||
|
@ -28,16 +28,26 @@ group
|
||||||
Add group ACL entry.
|
Add group ACL entry.
|
||||||
|
|
||||||
|
|
||||||
|
OPTIONAL PARAMETERS
|
||||||
|
-------------------
|
||||||
|
mask
|
||||||
|
Add mask ACL entry.
|
||||||
|
|
||||||
|
other
|
||||||
|
Add other ACL entry.
|
||||||
|
|
||||||
|
|
||||||
BOOLEAN PARAMETERS
|
BOOLEAN PARAMETERS
|
||||||
------------------
|
------------------
|
||||||
recursive
|
recursive
|
||||||
Operate recursively (Linux only).
|
Make ``setfacl`` recursive (Linux only), but not ``getfacl`` in explorer.
|
||||||
|
|
||||||
default
|
default
|
||||||
Add default ACL entries.
|
Add default ACL entries (FreeBSD not supported).
|
||||||
|
|
||||||
remove
|
remove
|
||||||
Remove undefined ACL entries (Solaris not supported).
|
Remove undefined ACL entries (Solaris not supported).
|
||||||
|
ACL entries for ``mask`` and ``other`` can't be removed.
|
||||||
|
|
||||||
|
|
||||||
EXAMPLES
|
EXAMPLES
|
||||||
|
@ -53,7 +63,8 @@ EXAMPLES
|
||||||
--user bob:r-x \
|
--user bob:r-x \
|
||||||
--group project-group:rwx \
|
--group project-group:rwx \
|
||||||
--group some-other-group:r-x \
|
--group some-other-group:r-x \
|
||||||
--mask r-x
|
--mask r-x \
|
||||||
|
--other r-x
|
||||||
|
|
||||||
|
|
||||||
AUTHORS
|
AUTHORS
|
||||||
|
|
|
@ -1 +1,2 @@
|
||||||
mask
|
mask
|
||||||
|
other
|
||||||
|
|
Loading…
Reference in a new issue