permissions_group_acl_present

Verify that an ace is present on a file or directory for a given group. This method will make sure the given ace is present in the POSIX ACL of the target for the given group.

⚙️ Compatible targets: Linux

Parameters

NameDocumentation
pathPath of the file or directory.

This parameter is required.
recursiveRecursive Should ACLs cleanup be recursive, "true" or "false" (defaults to "false").

Choices:
  • true
  • false

This parameter is optional.
groupGroup name.

This parameter is required.
aceACE to enforce for the given group.

This parameter must match ^[+-=]?(?=.*[rwx])r?w?x?$.
This parameter is required.

Outcome conditions

You need to replace ${path} with its actual canonified value.

  • ✅ Ok: permissions_group_acl_present_${path}_ok
    • ☑️ Already compliant: permissions_group_acl_present_${path}_kept
    • 🟨 Repaired: permissions_group_acl_present_${path}_repaired
  • ❌ Error: permissions_group_acl_present_${path}_error

Example

method: permissions_group_acl_present
params:
  path: VALUE
  group: VALUE
  ace: VALUE
  recursive: 'true'

Documentation

The permissions_*acl_* manage the POSIX ACL on files and directories.

Please note that the mask will be automatically recalculated when editing ACLs.

Parameters

Path

Path can be a regex with the following format:

  • * matches any filename or directory at one level, e.g. *.cf will match all files in one directory that end in .cf but it won't search across directories. */*.cf on the other hand will look two levels deep.
  • ? matches a single letter
  • [a-z] matches any letter from a to z
  • {x,y,anything} will match x or y or anything.
Recursive

Can be:

  • true to apply the given aces to folder and sub-folders and files.
  • or false to apply to the strict match of Path

If left blank, recursivity will automatically be set to false

Group

Group to enfoorce the ace, being the Linux account name. This method can only handle one groupname.

ACE

The operator can be:

  • + to add the given ACE to the current ones.
  • - to remove the given ACE to the current ones.
  • = to force the given ACE to the current ones.
  • empty if no operator is specified, it will be interpreted as =.

ACE must respect the classic:

  • ^[+-=]?(?=.*[rwx])r?w?x?$

Example

Given a file with the following getfacl output:

root@server# getfacl /tmp/myTestFile 
getfacl: Removing leading '/' from absolute path names
# file: tmp/myTestFile
# owner: root
# group: root
user::rwx
group::r--
group:bob:rwx
mask::rwx
other::---

Applying this method with the following parameters:

  • path: /tmp/myTestFile
  • recursive: false
  • group: bob
  • ace: -rw

Will transform the previous ACLs in:

root@server# getfacl /tmp/myTestFile 
getfacl: Removing leading '/' from absolute path names
# file: tmp/myTestFile
# owner: root
# group: root
user::rwx
group::r--
group:bob:--x
mask::r-x
other::---