Merge branch '__acl_improvements_vol2' into 'master'

__acl improvements vol 2

See merge request ungleich-public/cdist!780
poljakowski 2019-05-25 16:06:46 +02:00
commit bd27d432b1
3 changed files with 26 additions and 45 deletions


@ -18,7 +18,7 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>. # along with cdist. If not, see <http://www.gnu.org/licenses/>.
# #
[ ! -e "/$__object_id" ] && exit 0 # TODO check if filesystem has ACL turned on etc
for parameter in user group for parameter in user group
do do
@ -40,7 +40,8 @@ do
if ! getent "$getent_db" "$check" > /dev/null if ! getent "$getent_db" "$check" > /dev/null
then then
echo "missing $parameter '$check'" echo "missing $parameter '$check'" >&2
exit 1
fi fi
done \ done \
< "$__object/parameter/$parameter" < "$__object/parameter/$parameter"
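Review bot: The new `exit 1` after the `getent` test changes what this script reports to its caller, and nothing in the file records it: an unknown user or group now goes to stderr and ends the script with a failure status instead of being printed as a result. A one-line comment above the test would make that contract explicit, for example `# Unknown user/group: report on stderr and fail instead of continuing.` With the `[ ! -e "/$__object_id" ] && exit 0` guard removed, the lookup also runs for objects whose path does not exist, so a missing principal fails the script even when there is no file to put an ACL on; if that is intended, the comment should say so. The loop that sets `$check` and `$getent_db` starts outside the hunk, so how those values are derived is not visible here.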


@ -20,15 +20,7 @@
file_is="$( cat "$__object/explorer/file_is" )" file_is="$( cat "$__object/explorer/file_is" )"
[ "$file_is" = 'missing' ] && exit 0 [ "$file_is" = 'missing' ] && [ -z "$__cdist_dry_run" ] && exit 0
missing_users_groups="$( cat "$__object/explorer/missing_users_groups" )"
if [ -n "$missing_users_groups" ]
then
echo "$missing_users_groups" >&2
exit 1
fi
os="$( cat "$__global/explorer/os" )" os="$( cat "$__global/explorer/os" )"
@ -56,7 +48,7 @@ do
then then
[ "$file_is" = 'directory' ] && rep=x || rep=- [ "$file_is" = 'directory' ] && rep=x || rep=-
acl="$( echo "$acl" | sed "s/\(.*\)X/\1$rep/" )" acl="$( echo "$acl" | sed "s/\\(.*\\)X/\\1$rep/" )"
fi fi
echo "$parameter" | grep -Eq '(mask|other)' && sep=:: || sep=: echo "$parameter" | grep -Eq '(mask|other)' && sep=:: || sep=:
@ -72,7 +64,7 @@ setfacl_exec='setfacl'
if [ -f "$__object/parameter/recursive" ] if [ -f "$__object/parameter/recursive" ]
then then
if echo "$os" | grep -Eq 'macosx|freebsd' if echo "$os" | grep -Fq 'freebsd'
then then
echo "$os setfacl do not support recursive operations" >&2 echo "$os setfacl do not support recursive operations" >&2
else else
@ -82,41 +74,33 @@ fi
if [ -f "$__object/parameter/remove" ] if [ -f "$__object/parameter/remove" ]
then then
if echo "$os" | grep -Fq 'solaris' echo "$acl_is" | while read -r acl
then do
# Solaris setfacl behaves differently. # Skip wanted ACL entries which already exist
# We will not support Solaris for now, because no way to test it. # and skip mask and other entries, because we
# But adding support should be easy (use -s instead of -m on modify). # can't actually remove them, but only change.
echo "$os setfacl do not support -x flag for ACL remove" >&2 if echo "$acl_should" | grep -Eq "^$acl" \
else || echo "$acl" | grep -Eq '^(default:)?(mask|other)'
echo "$acl_is" | while read -r acl then continue
do fi
# Skip wanted ACL entries which already exist
# and skip mask and other entries, because we
# can't actually remove them, but only change.
if echo "$acl_should" | grep -Eq "^$acl" \
|| echo "$acl" | grep -Eq '^(default:)?(mask|other)'
then continue
fi
if echo "$os" | grep -Eq 'macosx|freebsd' if echo "$os" | grep -Fq 'freebsd'
then then
remove="$acl" remove="$acl"
else else
remove="$( echo "$acl" | sed 's/:...$//' )" remove="$( echo "$acl" | sed 's/:...$//' )"
fi fi
echo "$setfacl_exec -x \"$remove\" \"$acl_path\"" echo "$setfacl_exec -x \"$remove\" \"$acl_path\""
echo "removed '$remove'" >> "$__messages_out" echo "removed '$remove'" >> "$__messages_out"
done done
fi
fi fi
for acl in $acl_should for acl in $acl_should
do do
if ! echo "$acl_is" | grep -Eq "^$acl" if ! echo "$acl_is" | grep -Eq "^$acl"
then then
if echo "$os" | grep -Eq 'macosx|freebsd' \ if echo "$os" | grep -Fq 'freebsd' \
&& echo "$acl" | grep -Eq '^default:' && echo "$acl" | grep -Eq '^default:'
then then
echo "setting default ACL in $os is currently not supported. sorry :(" >&2 echo "setting default ACL in $os is currently not supported. sorry :(" >&2
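Review bot: In the remove loop, `grep -Eq "^$acl"` treats an ACL entry as an extended regular expression, so a name containing `.` or another metacharacter can match a different entry; an existing entry that should be removed is then skipped by `continue` and stays on the file. The same pattern decides in `for acl in $acl_should` whether a wanted entry is already set. If both lists hold one complete entry per line (the code building them is outside the hunks, so this needs confirming), a fixed-string whole-line match avoids the problem: `grep -Fxq -- "$acl"`. Separately, `echo "$setfacl_exec -x \"$remove\" \"$acl_path\""` puts the values inside double quotes in the generated command, where `$`, backticks and `"` are still interpreted when that command runs; emitting them single-quoted with embedded single quotes escaped would be safer. The final loop continues past the last visible line of the section.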


@ -10,11 +10,7 @@ DESCRIPTION
----------- -----------
ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``. ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``.
Fully supported on Linux (tested on Debian and CentOS). Fully supported and tested on Linux (ext4 filesystem), partial support for FreeBSD.
Partial support for FreeBSD, OSX and Solaris.
OpenBSD and NetBSD support is not possible.
See ``setfacl`` and ``acl`` manpages for more details. See ``setfacl`` and ``acl`` manpages for more details.