1

Let's say we have the following directory structure


a
  b1
    c1
    c2
  b2
    c3
    c4

And I want to use setfacl to give a user frank access to c1, I can do something like

setfacl -m u:frank:rX a/b1/c1

However this doesn't give him access to a and b1 automatically.

The -R option does solve this because it applies the ACL to c1's children if there is any.

DrizzleX
  • 125
  • 3

1 Answers1

1

You have to specify the list of directories you want the ACLs applied to, that's the same for all commands that can modify file metadata like chown, chmod, chattr, setfattr, touch whether they have recursive mode of operations or not... Here, you'd also want to make sure none of the path components are symlinks.

So:

setfacl -m u:frank:rX a a/b1 a/b1/c1

Or in shells with support for csh-like brace expansion:

setfacl -m u:frank:rX a{,/b1{,/c1}}

If your shell is zsh, you can define a function like:

upward() until [[ $argv[-1] = . ]] { "$@"; argv[-1]=$argv[-1]:h; }

Then:

$ upward echo setfacl -m u:frank:rX a/b1/c1
setfacl -m u:frank:rX a/b1/c1
setfacl -m u:frank:rX a/b1
setfacl -m u:frank:rX a

(remove the echo to actually run setfacl).

Or you could define a:

ancestry() until [[ $REPLY = . ]] { reply+=($REPLY); REPLY=$REPLY:h; }

function to be used as a glob qualifier:

$ echo setfacl -m u:frank:rX a/b1/c1(+ancestry)
setfacl -m u:frank:rX a a/b1 a/b1/c1

Or for a depth-first order:

$ echo setfacl -m u:frank:rX a/b1/c1(od+ancestry)
setfacl -m u:frank:rX a/b1/c1 a/b1 a

In any case, note that as soon as you grand frank search access to a, that may open up his access to a/b2 if that directory access wasn't restricted on the ground that access was restricted above.

Stéphane Chazelas
  • 522,931
  • 91
  • 1,010
  • 1,501