Unsolved

10 Posts


September 8th, 2020 11:00

Reverting ACL changes (revert to synthetic?)

I started applying an ACE to a directory that would grant a specific user read-only access to all files and folders, and I made this ACE inheritable (object_inherit,container_inherit). Unfortunately it seems that when a file is created within a directory with this ACE, the file only inherits this ACE, and not the default OWNER@, GROUP@ entries that grant the user and group their normal permissions. Previously the ACL was synthetic and we just used POSIX permissions. After applying this ACE, the ACL is real. Removing this entry still leaves a real ACL in place. How can I go back to a synthetic ACL that allows us to just use POSIX permissions to manage the files?

3 Apprentice


625 Posts

September 8th, 2020 12:00

@seb192 

Try chmod -b

10 Posts

September 8th, 2020 12:00

So if the POSIX permissions were rwxr-x--- before, I'd run chmod -R -b rwxr-x--- [dirname]. Is that right? The issue is that the POSIX permissions weren't the same in all instances, so I want to just revert, but I don't want to apply a new set of POSIX permissions to everything.

3 Apprentice


625 Posts

September 9th, 2020 08:00

@seb192,

Since most files have permissions inherited, it should be ok, unless someone changes the permission.

chmod -Rb 750  

36 Posts

September 15th, 2020 08:00

Hi @seb192 ,

As you point out, as soon as you add inheritable ACEs to a directory, any new files created are created with an ACL formed from the inheritable ACEs on the parent. If you added those using "chmod +a ..." the original POSIX modes will have been converted to ACE entries. You could recursively remove those inheritable ACEs. You will still have ACLs but they should then match the previous POSIX permissions.

I do have a question. Do you want to revert to POSIX permissions or do you want to use ACLs and have the owner/group have permissions when they create new files? If so, you simply need to add additional inheritable ACEs to the directories of the form:
chmod +a creator_owner allow generic_all,object_inherit,container_inherit,inherit_only d1
chmod +a creator_group allow generic_read,generic_exec,object_inherit,container_inherit,inherit_only d1
That adds two inheritable ACEs that will grant specific permissions to the owner and group on create. Obviously, you'd need to recursively apply those to directories below the top of tree.


10 Posts

September 15th, 2020 09:00

I'd like to revert to POSIX altogether.
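
Added example, not part of any post in this thread and not vendor tooling: a dry-run planner for the per-entry variant of the `chmod -b` suggestion above, which prints one `chmod -b <mode> <path>` line per file or directory using that entry's own current mode instead of one mode for the whole tree. The function names are hypothetical. It assumes the mode bits reported by `stat` still reflect the permissions you want, so entries whose owner bits are empty (as can happen for files created under the inheritable ACE without OWNER@ entries) are printed as `# REVIEW` lines rather than as commands.

```shell
#!/bin/sh
# Dry run only: nothing here changes permissions; it prints a plan to review.

# Print the permission bits of "$1" in octal.
# GNU stat uses -c; BSD stat (assumed to be what the cluster ships) uses -f.
mode_of() {
    if stat -c %a / >/dev/null 2>&1; then
        stat -c %a -- "$1"
    else
        stat -f %Lp -- "$1"
    fi
}

# Single-quote a path so the printed plan can be pasted into a shell.
q() {
    printf "'%s'" "$(printf %s "$1" | sed "s/'/'\\\\''/g")"
}

# Print one line per file or directory under "$1":
#   chmod -b <mode> '<path>'   when the owner has at least one bit set
#   # REVIEW <mode> '<path>'   when the owner bits are empty
# Only the nine rwx bits are carried; setuid/setgid/sticky are not.
# Paths containing newlines are not supported.
plan_revert() {
    find "$1" \( -type d -o -type f \) -print | while IFS= read -r p; do
        m=$(printf '%03o' "$(( 0$(mode_of "$p") & 0777 ))")
        case $m in
            0??) printf '# REVIEW %s %s\n' "$m" "$(q "$p")" ;;
            *)   printf 'chmod -b %s %s\n' "$m" "$(q "$p")" ;;
        esac
    done
}

# Usage (review the file before running any line from it):
#   plan_revert /path/to/tree > revert-plan.sh
```

Check the `# REVIEW` entries by hand and pick their mode deliberately before running anything from the plan.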
