diff --git a/cdist/conf/type/__acl/explorer/missing_users_groups b/cdist/conf/type/__acl/explorer/checks
similarity index 90%
rename from cdist/conf/type/__acl/explorer/missing_users_groups
rename to cdist/conf/type/__acl/explorer/checks
index b4af614c..a2fcf44d 100755
--- a/cdist/conf/type/__acl/explorer/missing_users_groups
+++ b/cdist/conf/type/__acl/explorer/checks
@@ -18,7 +18,7 @@ # along with cdist. If not, see . # -[ ! -e "/$__object_id" ] && exit 0 +# TODO check if filesystem has ACL turned on etc for parameter in user group do
@@ -40,7 +40,8 @@ do if ! getent "$getent_db" "$check" > /dev/null then - echo "missing $parameter '$check'" + echo "missing $parameter '$check'" >&2 + exit 1 fi done \ < "$__object/parameter/$parameter"
diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index a0f25a15..f5b0474f 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -20,15 +20,7 @@ file_is="$( cat "$__object/explorer/file_is" )" -[ "$file_is" = 'missing' ] && exit 0 - -missing_users_groups="$( cat "$__object/explorer/missing_users_groups" )" - -if [ -n "$missing_users_groups" ] -then - echo "$missing_users_groups" >&2 - exit 1 -fi +[ "$file_is" = 'missing' ] && [ -z "$__cdist_dry_run" ] && exit 0 os="$( cat "$__global/explorer/os" )"
@@ -56,7 +48,7 @@ do then [ "$file_is" = 'directory' ] && rep=x || rep=- - acl="$( echo "$acl" | sed "s/\(.*\)X/\1$rep/" )" + acl="$( echo "$acl" | sed "s/\\(.*\\)X/\\1$rep/" )" fi echo "$parameter" | grep -Eq '(mask|other)' && sep=:: || sep=:
@@ -72,7 +64,7 @@ setfacl_exec='setfacl' if [ -f "$__object/parameter/recursive" ] then - if echo "$os" | grep -Eq 'macosx|freebsd' + if echo "$os" | grep -Fq 'freebsd' then echo "$os setfacl do not support recursive operations" >&2 else
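Review bot: The `[ ! -e "/$__object_id" ] && exit 0` guard is dropped without a comment saying why the user/group checks should now run for a path that does not exist yet, and the `# TODO check if filesystem has ACL turned on etc` line that takes its place describes a different, unimplemented check. Presumably this pairs with gencode-remote no longer stopping at `file_is = 'missing'` in a dry run, so unknown principals have to be caught by this explorer even before the file exists; a comment such as `# Run even when the path does not exist yet: in a dry run gencode-remote still emits ACL commands for it, so unknown users/groups must be rejected here` would record that. The `for parameter in user group` loop that opens in this hunk closes outside it.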
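Review bot: `exit 1` after the first unknown principal means only one missing user or group is reported per run, whereas the previous version listed every missing entry; with several bad entries the operator has to fix and re-run repeatedly. Keeping the loop going and failing once at the end preserves the full report: replace `exit 1` with `missing=1`, and after the outer `for` loop's `done` (which is outside this hunk) add `[ -z "$missing" ] || exit 1`. Because the `while read` loop reads from the `< "$__object/parameter/$parameter"` redirection rather than a pipe, a flag set inside it is visible afterwards. The `while` loop itself begins before this hunk.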
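Review bot: Continuing past `file_is = 'missing'` in a dry run means the rest of the script builds ACL commands from explorer output for a path that does not exist, and in the hunk at -56 `[ "$file_is" = 'directory' ] && rep=x || rep=-` then resolves every `X` to `-`, so the dry-run preview can differ from what a real run sets once the path is a directory. The new condition deserves a comment making that best-effort nature explicit, e.g. `# Dry run: the path may be created by another object later in the run, so keep going and show the planned setfacl commands; explorer data for it is empty and the preview is approximate`. How the empty explorer data is consumed is outside this hunk, so the wording is hedged; the removed `missing_users_groups` check is presumably now covered by the renamed `checks` explorer exiting non-zero.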
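Review bot: The new escaping is equivalent to the old one (inside double quotes both `\(` and `\\(` reach sed as `\(`), but the greedy `\(.*\)X` anchors on the last `X` anywhere in the entry rather than in the permission field; if the surrounding `if`, which starts outside this hunk, only tests for the presence of an `X`, a principal name containing a capital X with `-` in the execute slot (e.g. `user:maX:r--`) would have its name rewritten. Since the execute flag is always the final character of the 3-symbol permission, anchoring at the end is both simpler and safe: `acl="$( echo "$acl" | sed "s/X\$/$rep/" )"`.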
@@ -82,41 +74,33 @@ fi if [ -f "$__object/parameter/remove" ] then - if echo "$os" | grep -Fq 'solaris' - then - # Solaris setfacl behaves differently. - # We will not support Solaris for now, because no way to test it. - # But adding support should be easy (use -s instead of -m on modify). - echo "$os setfacl do not support -x flag for ACL remove" >&2 - else - echo "$acl_is" | while read -r acl - do - # Skip wanted ACL entries which already exist - # and skip mask and other entries, because we - # can't actually remove them, but only change. - if echo "$acl_should" | grep -Eq "^$acl" \ - || echo "$acl" | grep -Eq '^(default:)?(mask|other)' - then continue - fi + echo "$acl_is" | while read -r acl + do + # Skip wanted ACL entries which already exist + # and skip mask and other entries, because we + # can't actually remove them, but only change. + if echo "$acl_should" | grep -Eq "^$acl" \ + || echo "$acl" | grep -Eq '^(default:)?(mask|other)' + then continue + fi - if echo "$os" | grep -Eq 'macosx|freebsd' - then - remove="$acl" - else - remove="$( echo "$acl" | sed 's/:...$//' )" - fi + if echo "$os" | grep -Fq 'freebsd' + then + remove="$acl" + else + remove="$( echo "$acl" | sed 's/:...$//' )" + fi - echo "$setfacl_exec -x \"$remove\" \"$acl_path\"" - echo "removed '$remove'" >> "$__messages_out" - done - fi + echo "$setfacl_exec -x \"$remove\" \"$acl_path\"" + echo "removed '$remove'" >> "$__messages_out" + done fi for acl in $acl_should do if ! echo "$acl_is" | grep -Eq "^$acl" then - if echo "$os" | grep -Eq 'macosx|freebsd' \ + if echo "$os" | grep -Fq 'freebsd' \ && echo "$acl" | grep -Eq '^default:' then echo "setting default ACL in $os is currently not supported. sorry :(" >&2
diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst
index 092eb555..d066aae5 100644
--- a/cdist/conf/type/__acl/man.rst
+++ b/cdist/conf/type/__acl/man.rst
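Review bot: `grep -Eq "^$acl"` in the skip test uses an ACL entry read from the target as an extended regex, so a principal name containing `.`, `+`, `(` or `|` is interpreted as a pattern, and the unanchored end makes it a prefix match; if `acl_should` and `acl_is` hold one complete entry per line, `grep -Fxq -- "$acl"` is the exact comparison, and the same applies to the `grep -Eq "^$acl"` in the `for acl in $acl_should` loop at the end of the hunk. The generated `$setfacl_exec -x "$remove" "$acl_path"` line also embeds `$remove`, taken from the target's getfacl output, inside double quotes in code that is later executed, so an entry containing `$`, a backquote or `"` would not round-trip — worth a comment now that the removal loop also runs on Solaris, where the deleted branch said `-x` is unsupported. The `while read -r acl` loop is complete within the hunk; the `for acl in $acl_should` loop continues past it.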
@@ -10,11 +10,7 @@ DESCRIPTION ----------- ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``. -Fully supported on Linux (tested on Debian and CentOS). - -Partial support for FreeBSD, OSX and Solaris. - -OpenBSD and NetBSD support is not possible. +Fully supported and tested on Linux (ext4 filesystem), partial support for FreeBSD. See ``setfacl`` and ``acl`` manpages for more details.