Feature #1033

support for file system acls on the file type

Added by Chris MacLeod about 4 years ago. Updated 30 days ago.

Status: Accepted
Priority: Normal
Assignee: -
Category: file
Target version: -
Affected Puppet version: 0.24.4
Start date:
Due date:
% Done: 0%
Branch:
Keywords:
Votes: 10

Description

Being able to set file system ACLs (setfacl et al.) on a file type would be very useful. More of a further extension of the existing file type, I would think.

Something perhaps along the lines of:

file { "/tmp/foo":
   mode => 0644,
   owner => foo,
   group => bar,
   acl   => u:rxw:g:foo:rxw,
   ...
}

History

Updated by Luke Kanies about 4 years ago

Is that really sufficient for the ACLs? Won’t people want a lot more flexibility?

I frankly have no idea, since I’ve not used ACLs.

Updated by Chris MacLeod about 4 years ago

I'm not sure what additional flexibility would be required. The above example is an explicit acl string; the acl itself is broken up into parts (basically delimited by the :'s).

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/fs-acl.html

It seems like low-hanging fruit to add an attribute to set an explicit acl on a file object; if there's more flexibility needed it should come out as people use it and the explicit acl is insufficient.

Updated by Redmine Admin over 3 years ago

  • Status changed from 1 to Needs Decision

Updated by Luke Kanies over 3 years ago

  • Status changed from Needs Decision to Accepted
  • Affected Puppet version set to 0.24.4

Updated by James Turnbull over 2 years ago

  • Assignee deleted (Puppet Community)

Updated by Stefan Schlesinger over 2 years ago

I’d also like to see this integrated into puppet.

Remember that there are two different types of filesystem ACLs:

  • default ACLs on folders (they are inherited)
  • ACLs on files and folders (actual permissions)

And of course you can set this as the "standard ACL" which represents owner/group/other, but also for users and groups. A fully fledged FS ACL could look like:

    getfacl: Removing leading '/' from absolute path names
    # file: srv/ftp/web/press
    # owner: press
    # group: ftpusers
    user::rwx
    user:ftpadmin:rwx
    user:customer0:rwx
    user:pres:r--
    group::r-x
    mask::rwx
    other::r-x
    default:user::rwx
    default:user:ftpadmin:rwx
    default:user:customer0:rwx
    default:user:press:r--
    default:group::r-x
    default:mask::rwx
    default:other::r-x

Updated by Joe McDonagh over 2 years ago

Note that ZFS uses NFSv4 FACLs, and I've heard speculation that this will overtake the posix draft facls. It would probably be better to have facls as a separate type because of that, and sometimes you want to use a facl restore file. I do this often; `setfacl --restore=/perms.bak`, say, will restore all facls from your working directory. That way you could point to some local file that is filled with the recursive facl listing for a directory, and update any differences between your proper permissions and the machine.

Updated by Joe McDonagh over 2 years ago

By ‘local’ I meant local to the master.
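Stefan's getfacl listing and Joe's idea of diffing a stored ACL listing against the machine, worked through as an added example (not code from this ticket or from Puppet): it parses the getfacl long format, applies the POSIX mask to get the effective rights of each entry, and reports which entries differ from a desired listing. The ACL text below is constructed for the example, not taken from a real host.

```ruby
# One getfacl entry, e.g. "default:user:ftpadmin:rwx".
Entry = Struct.new(:default, :tag, :qualifier, :perms)

# Parse a getfacl long listing; "# file:" style header lines and trailing
# "#effective:" annotations are dropped.
def parse_getfacl(text)
  text.lines.map { |l| l.sub(/#.*/, '').strip }.reject(&:empty?).map do |line|
    fields = line.split(':', -1)
    default = fields.first == 'default'
    fields.shift if default
    Entry.new(default, *fields)
  end
end

# POSIX ACL rule: the mask caps named users, named groups and the owning
# group; the owner (user::), other:: and the mask itself are not capped.
def effective(entries)
  masks = entries.select { |e| e.tag == 'mask' }.to_h { |e| [e.default, e.perms] }
  entries.map do |e|
    capped = e.tag == 'group' || (e.tag == 'user' && !e.qualifier.empty?)
    next e unless capped && masks[e.default]
    perms = e.perms.chars.zip(masks[e.default].chars).map { |p, m| p == m ? p : '-' }.join
    Entry.new(e.default, e.tag, e.qualifier, perms)
  end
end

# Effective rights of current vs desired, keyed by [default?, tag, qualifier];
# returns {key => [current, desired]} for mismatches, nil meaning "absent".
def acl_drift(current_text, desired_text)
  key = ->(e) { [e.default, e.tag, e.qualifier] }
  cur  = effective(parse_getfacl(current_text)).to_h { |e| [key.(e), e.perms] }
  want = effective(parse_getfacl(desired_text)).to_h { |e| [key.(e), e.perms] }
  (cur.keys | want.keys).each_with_object({}) do |k, drift|
    drift[k] = [cur[k], want[k]] if cur[k] != want[k]
  end
end

# Constructed sample (not real host data): on the host the access mask was
# tightened to r-x and the customer0 default entry is missing.
CURRENT_ACL = <<~ACL
  # file: srv/ftp/web/press
  user::rwx
  user:ftpadmin:rwx
  group::r-x
  mask::r-x
  other::r-x
  default:user::rwx
  default:mask::rwx
ACL
DESIRED_ACL = CURRENT_ACL.sub('mask::r-x', 'mask::rwx') + "default:user:customer0:rwx\n"
```

Running `acl_drift(CURRENT_ACL, DESIRED_ACL)` reports the mask itself, ftpadmin (whose literal rwx is only r-x in effect under the tightened mask) and the missing customer0 default entry, while group:: is not reported because its effective rights are r-x on both sides.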

Updated by Nigel Kersten about 1 year ago

  • Target version deleted (4)

Updated by Avalos . about 1 year ago

Hi all

I was looking forward to this feature too, and discovered this thread. It would be nice to have acl integrated into puppet. But I had to do something for right now, and exec just wasn't good enough. So I had to write a puppet module to manage acl in a better way. I hope it is useful for someone. If you find it useful, give me feedback. Thanks

Example of use:

    acl_user { "avalos_rw_rc.local":
        id   => avalos,
        mode => "rw-",
        path => "/etc/rc.local",
    }

Please read the README for more info.

Puppet-acl module

Updated by Lance A 30 days ago

Another workaround, assuming the file's parent directory has the correct permissions and a recent version of Windows, is simply to reset the permissions on the file(s). Yes, it's still exec, but it solves the simple use case. Note that icacls properly orders file permissions, an important consideration that any solution should guarantee. For example:

        # Copy the file
        file { "C:\\Temp\\dest.txt":
            source  => "C:\\Temp\\source.txt",
            ensure  => present,
        }
        # Reset the ACLs on the file since Puppet mangles them
        exec { "icacls-reset-dest":
            path        => "${::systemroot}\\system32",
            command     => "icacls C:\\Temp\\dest.txt /reset",
            subscribe   => File["C:\\Temp\\dest.txt"],
            refreshonly => true,
        }
