1

Is there a supported method for managing POSIX ACLs on file resources on Linux?

asked 2016-06-23 10:32:18 -0500

Spitfire1900

We have had some challenges with individuals/processes moving files from one directory to another, modifying the ACLs of an existing directory in the process. Even if we switch to copying files instead of moving files it is still possible that an end user or process may modify ACLs in such a way that another user does not have the access they need to complete their task. The file resource in Puppet can define the owner and owning group of a resource as well as mode, but is there support for POSIX ACLs?


2 Answers

1

answered 2016-06-24 10:14:19 -0500

Nizen

updated 2016-06-24 10:46:50 -0500

What I've done to resolve similar issues is execute a command to change acls:

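    # Grant the 'support' group read access to root's crontab via a POSIX ACL.
    exec { 'setfacl_cron':
      command => 'setfacl -m g:support:r /var/spool/cron/root',
      path    => '/usr/bin',
      # Only run when the crontab file actually exists.
      onlyif  => 'test -f /var/spool/cron/root',
    }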

Basically, if you just automate the acls to execute every time, it may resolve your issues. I know the situation is a little different, but if Puppet makes sure the ACLs are always correct on your files, then it may be of assistance.

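An added example, not part of the original answer: the same `exec` approach wrapped in a defined type with an `unless` guard, so `setfacl` runs only when the expected entry is missing and each correction shows up as a change in the Puppet report. The names `posix_acl_entry`, `target`, `spec` and `expected` are hypothetical; it assumes Puppet 4 or later and `getfacl`/`setfacl` from the `acl` package.

```puppet
# Hypothetical defined type (not from any published module): enforces one
# POSIX ACL entry on one path and re-applies it only when it has drifted.
define posix_acl_entry (
  String $target,    # absolute path to manage
  String $spec,      # entry in setfacl form, e.g. 'g:support:r'
  String $expected,  # same entry as getfacl prints it, e.g. 'group:support:r--'
) {
  exec { "setfacl ${spec} ${target}":
    command  => "setfacl -m '${spec}' '${target}'",
    path     => ['/usr/bin', '/bin'],
    # The shell provider is needed because the guard below uses a pipe.
    provider => shell,
    # Skip quietly if the path does not exist (yet).
    onlyif   => "test -e '${target}'",
    # Exact whole-line match. If the ACL mask has been tightened, getfacl
    # appends an '#effective:' comment to the line, the match fails, and
    # setfacl -m runs again, which also recalculates the mask.
    unless   => "getfacl -p --omit-header '${target}' | grep -qxF '${expected}'",
  }
}

# The entry from the answer above, expressed with the defined type.
posix_acl_entry { 'cron-root-support-read':
  target   => '/var/spool/cron/root',
  spec     => 'g:support:r',
  expected => 'group:support:r--',
}
```

Because the guard only checks for the one expected entry, extra entries added by users are left in place; removing them would need a separate check against the full `getfacl` output.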
0

answered 2016-06-24 06:08:21 -0500

Emerson Prado

What about a supported module?
puppetlabs/acl


Comments

The module mentions nothing about Linux compatibility. It appears to be supported exclusively on Windows systems.

Spitfire1900 ( 2016-06-24 10:11:25 -0500 )

You're correct, I just forgot to check the basics about the module. This other module claims compatibility with Linux: https://forge.puppet.com/thias/fooacl I suggest checking and, if needed, improving an existing module rather than beginning from scratch.

Emerson Prado ( 2016-06-26 11:35:19 -0500 )

I was looking at that module earlier; unfortunately it hasn't been updated in a while and does not support Puppet versions >4.0.0.

Spitfire1900 ( 2016-06-28 13:43:07 -0500 )

Stats

Asked: 2016-06-23 10:32:18 -0500

Seen: 159 times

Last updated: Jun 24 '16