From #cfengine on irc.freenode.net:
How can I clear the POSIX ACLs from a file?
To clear the POSIX ACLs from a file, you specify the ACL with no permissions.
bundle agent main
{
  vars:
    "file" string => "/tmp/myFileWithAces";

  files:
    "$(file)"
      create => "true";

  methods:
    "Set POSIX ACL and report"
      usebundle => SetAndReport( $(file) );

    "UnSet POSIX ACL and report"
      usebundle => UnSetAndReport( $(file) );
}

bundle agent SetAndReport( file )
{
  files:
    "$(file)"
      acl => my_posix_aces;

  reports:
    "In $(this.bundle)$(const.n)$(with)" with => execresult( "getfacl $(file)", useshell);
}

bundle agent UnSetAndReport( file )
{
  files:
    "$(file)"
      acl => no_posix_aces;

  reports:
    # Yes, it is intentional that there is a space at the end of this
    # execresult. It's there so that this identical function call does not
    # return the cached result. Alternatively, I could have disabled function
    # caching globally.
    "In $(this.bundle)$(const.n)$(with)" with => execresult( "getfacl $(file) ", useshell);
}

body acl my_posix_aces
# @brief Setting some aces here
{
  acl_method => "overwrite";
  acl_type => "posix";
  aces => { "user:*:rx", "group:*:rx", "all:r", "mask:rx" };
}

body acl no_posix_aces
# @brief I want to remove current aces of the file
{
  acl_method => "overwrite";
  acl_type => "posix";
  aces => { "user:*:", "group:*:", "all:", "mask:" };
}
The example policy above produces the following output:
R: In SetAndReport
getfacl: Removing leading '/' from absolute path names
# file: tmp/myFileWithAces
# owner: nickanderson
# group: nickanderson
user::r-x
group::r-x
mask::r-x
other::r--
R: In UnSetAndReport
getfacl: Removing leading '/' from absolute path names
# file: tmp/myFileWithAces
# owner: nickanderson
# group: nickanderson
user::---
group::---
mask::---
other::---
For more information, refer to the documentation on acl bodies in the
reference manual.
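To confirm the result on a host, the following added example (not part of the original policy) parses getfacl output like the listings above and returns the owner/group/other entries together with any named user or group entries, with the mask applied. The `alice` entry is a constructed sample; the page's own output contains no named entries.

```python
import re

# Constructed sample: the second getfacl listing from the page.
SAMPLE_CLEARED = """\
# file: tmp/myFileWithAces
# owner: nickanderson
# group: nickanderson
user::---
group::---
mask::---
other::---
"""
# Constructed variant with a hypothetical named-user entry ("alice").
SAMPLE_NAMED = SAMPLE_CLEARED.replace("mask::---", "user:alice:rwx\nmask::r-x")

# tag:qualifier:perms, e.g. "user::r-x" or "group:staff:rw-"
ENTRY = re.compile(r"^(user|group|mask|other):([^:]*):([r-][w-][x-])")


def bits(perms):
    """Convert an 'rwx'-style triplet into its octal digit."""
    return sum(v for ch, v in zip(perms, (4, 2, 1)) if ch != "-")


def audit_getfacl(text):
    """Return (base, named) for one file's getfacl listing.

    base  -- owner/owning-group/other entries as three octal digits
    named -- {"user:alice": effective_bits, ...} after applying the mask
    """
    base, named, mask = {}, [], None
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header comments, blank lines, getfacl notices
        tag, qualifier, perms = m.group(1), m.group(2), bits(m.group(3))
        if tag == "mask":
            mask = perms
        elif qualifier:
            named.append((tag, qualifier, perms))
        else:
            base[tag] = perms
    limit = 7 if mask is None else mask  # mask caps named entries
    effective = {f"{t}:{q}": p & limit for t, q, p in named}
    digits = "".join(str(base.get(t, 0)) for t in ("user", "group", "other"))
    return digits, effective
```

A file is fully cleared when the first value is `000` and the second is empty; any key in the second value is a named entry that still grants access.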