4

I found the setfacl from this link:

https://stackoverflow.com/questions/39397548/how-to-give-non-root-user-in-docker-container-access-to-a-volume-mounted-on-the

sudo setfacl -m u:$(id -u):rwx -R /some/folder

But it will set all file permissions into rwx which is different from my requirement.

Here is the test folder:

rm -rf /test
mkdir -p /test/hello/world

echo "hello" > /test/hello.txt

echo "hi" > /test/hi.sh
chmod 755 /test/hi.sh

echo "foo" > /test/foo.sh
chmod 400 /test/foo.sh

echo "bar" > /test/bar.sh
chmod 700 /test/bar.sh

Here are the file permissions:

# ls -l /test

-rwx------ 1 root root 4 Jun 1 12:20 bar.sh
-r-------- 1 root root 4 Jun 1 12:20 foo.sh
drwxr-xr-x 3 root root 4096 Jun 1 12:20 hello
-rw-r--r-- 1 root root 6 Jun 1 12:20 hello.txt
-rwxr-xr-x 1 root root 3 Jun 1 12:20 hi.sh

I want to grant user 1234 the same permission as root:

sudo setfacl -m u:1234:(???) -R /test

Here is the expected permission for user 1234 (not changing the owner here, just use 1234 in here for explaining the detail permissions as the same as user root):

# ls -l /test

-rwx------ 1 1234 root 4 Jun 1 12:20 bar.sh
-r-------- 1 1234 root 4 Jun 1 12:20 foo.sh
drwxr-xr-x 3 1234 root 4096 Jun 1 12:20 hello
-rw-r--r-- 1 1234 root 6 Jun 1 12:20 hello.txt
-rwxr-xr-x 1 1234 root 3 Jun 1 12:20 hi.sh

How to write this sudo setfacl -m u:1234:(???) -R /test?

Raffa
  • 35,113
stackbiz
  • 497
  • If -R is not possible in one command, is it possible to get "r" "w" "x" for each file one by one, and then setfacl one by one in a for loop? – stackbiz Jun 01 '24 at 08:50
  • Please update the question with edit and add the missing details. Is this a docker install? What is the Ubuntu OS version and type being used? – David DE Jun 01 '24 at 10:01
  • 1
    Please note that ls -l is not the right way of listing ACLs ... Use getfacl for that purpose instead. – Raffa Jun 01 '24 at 10:54

1 Answer

3

Just a pointer as I consider this a bit clumsy ... But, you'll get the point.

In a shell loop:

for i in /test/*; do
  p="$(getfacl "$i" | awk -F'::' '/user::/{printf $2}')"
  setfacl --test -m u:1234:"$p" "$i"
done

That was a dry-run ... When satisfied with the output, remove --test and re-run it again to actually modify ACLs.

Raffa
  • 35,113
  • Not important in this case and mostly a form improvement, as I don't think the current version could break anything here, but you can filter by field / exact match in awk (awk -F'::' '$1=="user"{printf $2}') (and since we're nitting: you don't need double quotes when storing the result of a command substitution in a variable, and likewise, if we assume we parsed correctly on the previous line, $p won't break anything either so that could be left unquoted as well). Again, all nits, nothing really important, everything should work as is – kos Jun 01 '24 at 11:29
  • 1
    @kos Yep, command substitution is run in a sub-shell and its output gets passed to the current shell as a null ended C style string and newer Bash versions will ignore extra null bytes if present in that output so safe without quoting in this case but adding quotes is per habit and shouldn’t harm … It’s performance that I consider clumsy though and I didn’t have enough time to examine other means … Nits appreciated :) – Raffa Jun 01 '24 at 11:58
  • Reminder: if your docker image does not know extended file permission, this might lead to unexpected results. – Marco Jun 01 '24 at 12:32
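
A recursive variant of the loop in the answer, added here as an example and not posted by anyone in the thread: it batches files by their owner bits with find -perm, so setfacl runs at most eight times and no getfacl output is parsed. The function names are hypothetical; it assumes find with `-exec ... {} +` and the acl tools, and it skips symlinks so a link inside the tree cannot redirect the ACL change to its target.

```shell
#!/bin/sh
# Added example: mirror each entry's owner bits into an ACL entry for another user.

# owner_tests PERM: print the find(1) tests that match entries whose owner
# bits are exactly PERM (a 3-character string such as "r-x").
owner_tests() {
    ot_perm=$1 ot_tests=
    for ot_bit in r w x; do
        case $ot_perm in
            *"$ot_bit"*) ot_tests="$ot_tests -perm -u=$ot_bit" ;;
            *)           ot_tests="$ot_tests ! -perm -u=$ot_bit" ;;
        esac
    done
    printf '%s\n' "${ot_tests# }"
}

# find_owner_perm DIR PERM ACTION...: apply a find action to every non-symlink
# entry under DIR whose owner bits are exactly PERM.
find_owner_perm() {
    fo_dir=$1 fo_perm=$2
    shift 2
    # $(owner_tests ...) is left unquoted on purpose: it expands to a fixed
    # list of find options, never to file names.
    find "$fo_dir" ! -type l $(owner_tests "$fo_perm") "$@"
}

# mirror_owner_acl USER DIR [SETFACL_OPTION...]: give USER the same rwx bits
# the owner has on each entry. Pass --test for a dry run, as in the answer.
mirror_owner_acl() {
    ma_user=$1 ma_dir=$2
    shift 2
    for ma_perm in --- --x -w- -wx r-- r-x rw- rwx; do
        find_owner_perm "$ma_dir" "$ma_perm" \
            -exec setfacl "$@" -m "u:$ma_user:$ma_perm" -- {} +
    done
}

# Usage for the question's tree (dry run first, then for real):
#   mirror_owner_acl 1234 /test --test
#   mirror_owner_acl 1234 /test
```

Once a named-user entry exists, the group column of ls -l shows the ACL mask rather than the owning group's permissions, so check the result with getfacl -R /test.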