permissions_acl_entry

Verify that an ace is present on a file or directory. This method will append the given aces to the current POSIX ACLs of the target.

⚙️ Compatible targets: Linux

Parameters

NameDocumentation
pathPath of the file or directory.

This parameter is required.
recursiveRecursive Should ACLs cleanup be recursive, "true" or "false" (defaults to "false").

Choices:
  • true
  • false

This parameter is optional.
userUser acls, comma separated, like: bob:+rwx, alice:-w.

This parameter must match `^$
groupGroup acls, comma separated, like: wheel:+wx, anon:-rwx.

This parameter must match `^$
otherOther acls, like -x.

This parameter must match `^$

Outcome conditions

You need to replace ${path} with its actual canonified value.

  • ✅ Ok: permissions_acl_entry_${path}_ok
    • ☑️ Already compliant: permissions_acl_entry_${path}_kept
    • 🟨 Repaired: permissions_acl_entry_${path}_repaired
  • ❌ Error: permissions_acl_entry_${path}_error

Example

method: permissions_acl_entry
params:
  other: OPTIONAL_VALUE
  recursive: 'true'
  group: OPTIONAL_VALUE
  user: OPTIONAL_VALUE
  path: VALUE

Documentation

The permissions_*acl_* manage the POSIX ACL on files and directories.

Please note that the mask will be automatically recalculated when editing ACLs.

Parameters

Path

Path can be a regex with the following format:

  • * matches any filename or directory at one level, e.g. *.cf will match all files in one directory that end in .cf but it won't search across directories. */*.cf on the other hand will look two levels deep.
  • ? matches a single letter
  • [a-z] matches any letter from a to z
  • {x,y,anything} will match x or y or anything.
Recursive

Can be:

  • true to apply the given aces to folder and sub-folders and files.
  • or false to apply to the strict match of Path

If left blank, recursivity will automatically be set to false

User and Group

ACE for user and group can be left blank if they do not need any specification. If fulfill, they must respect the format:

<username|groupname>:<operator><mode>

with:

  • username being the Linux account name
  • groupname the Linux group name
  • Current owner user and owner group can be designed by the character *

The operator can be:

  • + to add the given ACE to the current ones.
  • - to remove the given ACE to the current ones.
  • = to force the given ACE to the current ones.

You can define multiple ACEs by separating them with commas.

Other

ACE for other must respect the classic:

  • [+-=]r?w?x? It can also be left blank to let the Other ACE unchanged.

Example

Given a file with the following getfacl output:

root@server# getfacl /tmp/myTestFile
getfacl: Removing leading '/' from absolute path names
# file: tmp/myTestFile
# owner: root
# group: root
user::rwx
user:bob:rwx
group::r--
mask::rwx
other::---

Applying this method with the following parameters:

  • path: /tmp/myTestFile
  • recursive: false
  • user: *:-x, bob:
  • group: *:+rw
  • other: =r

Will transform the previous ACLs in:

root@server# getfacl /tmp/myTestFile
getfacl: Removing leading '/' from absolute path names
# file: tmp/myTestFile
# owner: root
# group: root
user::rw-
user:bob:---
group::rw-
mask::rw-
other::r--

This method can not remove a given ACE, see here how the user bob ACE is handled.