From 2cde09648cc9be18a1d857d994c270ca2e1b52c2 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 14:15:48 +0300 Subject: [PATCH 01/28] __acl: check if getfacl is available --- cdist/conf/type/__acl/explorer/acl_is | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is index e2ae0932..bb1db89d 100755 --- a/cdist/conf/type/__acl/explorer/acl_is +++ b/cdist/conf/type/__acl/explorer/acl_is @@ -18,6 +18,12 @@ # along with cdist. If not, see . # +if ! command -v getfacl 2>/dev/null +then + echo 'getfacl not available' >&2 + exit 1 +fi + if [ -e "/$__object_id" ] then getfacl "/$__object_id" 2>/dev/null \ From d71eb3d8bdbd46848bc9c53b2523be050b083410 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 14:20:13 +0300 Subject: [PATCH 02/28] __acl: (open|net)bsd do not have (get|set)facl --- cdist/conf/type/__acl/gencode-remote | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 8ab7b566..2ea01524 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -54,7 +54,7 @@ setfacl_exec='setfacl' if [ -f "$__object/parameter/recursive" ] then - if echo "$os" | grep -Eq 'macosx|netbsd|freebsd|openbsd' + if echo "$os" | grep -Eq 'macosx|freebsd' then echo "$os setfacl do not support recursive operations" >&2 else From ef8ff06b5f20a73c744769aecc047ff7c05e5fbb Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 14:39:45 +0300 Subject: [PATCH 03/28] __acl: only directories can have default ACLs --- cdist/conf/type/__acl/explorer/file_type | 28 ++++++++++++++++++++++++ cdist/conf/type/__acl/gencode-remote | 8 +++++-- 2 files changed, 34 insertions(+), 2 deletions(-) create mode 100755 cdist/conf/type/__acl/explorer/file_type diff --git a/cdist/conf/type/__acl/explorer/file_type b/cdist/conf/type/__acl/explorer/file_type new file mode 100755 index 00000000..0d1edb7d --- /dev/null +++ b/cdist/conf/type/__acl/explorer/file_type @@ -0,0 +1,28 @@ +#!/bin/sh -e +# +# 2018 Ander Punnar (ander-at-kvlt-dot-ee) +# +# This file is part of cdist. +# +# cdist is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# cdist is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with cdist. If not, see . +# + +if [ -e "/$__object_id" ] +then + if [ -d "/$__object_id" ] + then echo d + elif [ -f "/$__object_id" ] + then echo f + fi +fi diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 2ea01524..355cc88e 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -20,6 +20,8 @@ os="$( cat "$__global/explorer/os" )" +file_type="$( cat "$__object/explorer/file_type" )" + acl_path="/$__object_id" acl_is="$( cat "$__object/explorer/acl_is" )" @@ -33,7 +35,8 @@ do do echo "$parameter:$l" - if [ -f "$__object/parameter/default" ] + if [ -f "$__object/parameter/default" ] \ + && [ "$file_type" = 'd' ] then echo "default:$parameter:$l" fi done < "$__object/parameter/$parameter" @@ -44,7 +47,8 @@ then echo "mask::$l" - if [ -f "$__object/parameter/default" ] + if [ -f "$__object/parameter/default" ] \ + && [ "$file_type" = 'd' ] then echo "default:mask::$l" fi fi From ab954ffbcf285d3d83b7e61070468afc8cab1610 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 14:44:32 +0300 Subject: [PATCH 04/28] __acl: always check first if path exists --- cdist/conf/type/__acl/explorer/acl_is | 13 +++++++------ cdist/conf/type/__acl/explorer/file_type | 15 ++++++++------- cdist/conf/type/__acl/gencode-remote | 6 ++++-- 3 files changed, 19 insertions(+), 15 deletions(-) diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is index bb1db89d..c5d8468d 100755 --- a/cdist/conf/type/__acl/explorer/acl_is +++ b/cdist/conf/type/__acl/explorer/acl_is @@ -18,15 +18,16 @@ # along with cdist. If not, see . # +acl_path="/$__object_id" + +[ ! -e "$acl_path" ] && exit 0 + if ! command -v getfacl 2>/dev/null then echo 'getfacl not available' >&2 exit 1 fi -if [ -e "/$__object_id" ] -then - getfacl "/$__object_id" 2>/dev/null \ - | grep -E '^((default:)?(user|group):[^:]|(default:)?mask::)' \ - || true -fi +getfacl "$acl_path" 2>/dev/null \ + | grep -E '^((default:)?(user|group):[^:]|(default:)?mask::)' \ + || true diff --git a/cdist/conf/type/__acl/explorer/file_type b/cdist/conf/type/__acl/explorer/file_type index 0d1edb7d..f45e302b 100755 --- a/cdist/conf/type/__acl/explorer/file_type +++ b/cdist/conf/type/__acl/explorer/file_type @@ -18,11 +18,12 @@ # along with cdist. If not, see . # -if [ -e "/$__object_id" ] -then - if [ -d "/$__object_id" ] - then echo d - elif [ -f "/$__object_id" ] - then echo f - fi +acl_path="/$__object_id" + +[ ! -e "$acl_path" ] && exit 0 + +if [ -d "$acl_path" ] +then echo d +elif [ -f "$acl_path" ] +then echo f fi diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 355cc88e..88fc8ce0 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -18,12 +18,14 @@ # along with cdist. If not, see . # +acl_path="/$__object_id" + +[ ! -e "$acl_path" ] && exit 0 + os="$( cat "$__global/explorer/os" )" file_type="$( cat "$__object/explorer/file_type" )" -acl_path="/$__object_id" - acl_is="$( cat "$__object/explorer/acl_is" )" acl_should="$( for parameter in user group From 2b5887bdbd3229d75da48e32dc7e55b29b6abd54 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 14:51:26 +0300 Subject: [PATCH 05/28] __acl: we only care whether file is directory --- cdist/conf/type/__acl/explorer/{file_type => is_dir} | 5 ++--- cdist/conf/type/__acl/gencode-remote | 6 +++--- 2 files changed, 5 insertions(+), 6 deletions(-) rename cdist/conf/type/__acl/explorer/{file_type => is_dir} (94%) diff --git a/cdist/conf/type/__acl/explorer/file_type b/cdist/conf/type/__acl/explorer/is_dir similarity index 94% rename from cdist/conf/type/__acl/explorer/file_type rename to cdist/conf/type/__acl/explorer/is_dir index f45e302b..d3080de6 100755 --- a/cdist/conf/type/__acl/explorer/file_type +++ b/cdist/conf/type/__acl/explorer/is_dir @@ -23,7 +23,6 @@ acl_path="/$__object_id" [ ! -e "$acl_path" ] && exit 0 if [ -d "$acl_path" ] -then echo d -elif [ -f "$acl_path" ] -then echo f +then echo 1 +else echo 0 fi diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 88fc8ce0..a50174fa 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -24,7 +24,7 @@ acl_path="/$__object_id" os="$( cat "$__global/explorer/os" )" -file_type="$( cat "$__object/explorer/file_type" )" +is_dir="$( cat "$__object/explorer/is_dir" )" acl_is="$( cat "$__object/explorer/acl_is" )" @@ -38,7 +38,7 @@ do echo "$parameter:$l" if [ -f "$__object/parameter/default" ] \ - && [ "$file_type" = 'd' ] + && [ "$is_dir" = '1' ] then echo "default:$parameter:$l" fi done < "$__object/parameter/$parameter" @@ -50,7 +50,7 @@ then echo "mask::$l" if [ -f "$__object/parameter/default" ] \ - && [ "$file_type" = 'd' ] + && [ "$is_dir" = '1' ] then echo "default:mask::$l" fi fi From 9e3cd47b9afa0a13276ca5967d689773111f6990 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 15:03:07 +0300 Subject: [PATCH 06/28] __acl: command -v stdout to devnull --- cdist/conf/type/__acl/explorer/acl_is | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is index c5d8468d..f75f4003 100755 --- a/cdist/conf/type/__acl/explorer/acl_is +++ b/cdist/conf/type/__acl/explorer/acl_is @@ -22,7 +22,7 @@ acl_path="/$__object_id" [ ! -e "$acl_path" ] && exit 0 -if ! command -v getfacl 2>/dev/null +if ! command -v getfacl > /dev/null then echo 'getfacl not available' >&2 exit 1 From 731986ef8b417cdc0284ffd3b43c66a9bd851f55 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 15:21:41 +0300 Subject: [PATCH 07/28] __acl: trying to understand X --- cdist/conf/type/__acl/gencode-remote | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index a50174fa..651bfce0 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -35,6 +35,16 @@ do fi while read -r l do + if echo "$l" | grep -Fq 'X' + then + if [ "$is_dir" = '1' ] + then + l="$( echo "$l" | sed 's/X/x/' )" + else + l="$( echo "$l" | sed 's/X/-/' )" + fi + fi + echo "$parameter:$l" if [ -f "$__object/parameter/default" ] \ From cea639d1c901de298818c303202b9332d0f20d1a Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 15:27:47 +0300 Subject: [PATCH 08/28] __acl: we can't remove mask --- cdist/conf/type/__acl/gencode-remote | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 651bfce0..47e39e0a 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -89,7 +89,8 @@ then else echo "$acl_is" | while read -r acl do - if echo "$acl_should" | grep -Fq "$acl" + if echo "$acl_should" | grep -Fq "$acl" \ + || echo "$acl" | grep -Eq '^(default:)?mask' then continue fi From 8b9b2c56ab534d619148e497b2e1342128168d21 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 15:28:25 +0300 Subject: [PATCH 09/28] __acl: be more strict because of reasons --- cdist/conf/type/__acl/gencode-remote | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 47e39e0a..a989f95f 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -89,7 +89,7 @@ then else echo "$acl_is" | while read -r acl do - if echo "$acl_should" | grep -Fq "$acl" \ + if echo "$acl_should" | grep -Eq "^$acl" \ || echo "$acl" | grep -Eq '^(default:)?mask' then continue fi From 53c963b2eec3eab529bece57cdc25cd00b5557d3 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 15:35:11 +0300 Subject: [PATCH 10/28] __acl: be bit more precise where the X is --- cdist/conf/type/__acl/gencode-remote | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index a989f95f..7003c26f 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -39,9 +39,9 @@ do then if [ "$is_dir" = '1' ] then - l="$( echo "$l" | sed 's/X/x/' )" + l="$( echo "$l" | sed 's/X$/x/' )" else - l="$( echo "$l" | sed 's/X/-/' )" + l="$( echo "$l" | sed 's/X$/-/' )" fi fi From e04d647d8e9f1450cdb461b3af4aa14f1d589e24 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 18:09:47 +0300 Subject: [PATCH 11/28] __acl: fix always check first if path exists --- cdist/conf/type/__acl/explorer/acl_is | 6 ++---- cdist/conf/type/__acl/explorer/file_exists | 24 ++++++++++++++++++++++ cdist/conf/type/__acl/explorer/is_dir | 6 ++---- cdist/conf/type/__acl/gencode-remote | 6 +++--- 4 files changed, 31 insertions(+), 11 deletions(-) create mode 100755 cdist/conf/type/__acl/explorer/file_exists diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is index f75f4003..89da89f1 100755 --- a/cdist/conf/type/__acl/explorer/acl_is +++ b/cdist/conf/type/__acl/explorer/acl_is @@ -18,9 +18,7 @@ # along with cdist. If not, see . # -acl_path="/$__object_id" - -[ ! -e "$acl_path" ] && exit 0 +[ ! -e "/$__object_id" ] && exit 0 if ! command -v getfacl > /dev/null then @@ -28,6 +26,6 @@ then exit 1 fi -getfacl "$acl_path" 2>/dev/null \ +getfacl "/$__object_id" 2>/dev/null \ | grep -E '^((default:)?(user|group):[^:]|(default:)?mask::)' \ || true diff --git a/cdist/conf/type/__acl/explorer/file_exists b/cdist/conf/type/__acl/explorer/file_exists new file mode 100755 index 00000000..998d407c --- /dev/null +++ b/cdist/conf/type/__acl/explorer/file_exists @@ -0,0 +1,24 @@ +#!/bin/sh -e +# +# 2018 Ander Punnar (ander-at-kvlt-dot-ee) +# +# This file is part of cdist. +# +# cdist is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# cdist is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with cdist. If not, see . +# + +if [ -e "/$__object_id" ] +then echo 1 +else echo 0 +fi diff --git a/cdist/conf/type/__acl/explorer/is_dir b/cdist/conf/type/__acl/explorer/is_dir index d3080de6..7c4e2538 100755 --- a/cdist/conf/type/__acl/explorer/is_dir +++ b/cdist/conf/type/__acl/explorer/is_dir @@ -18,11 +18,9 @@ # along with cdist. If not, see . # -acl_path="/$__object_id" +[ ! -e "/$__object_id" ] && exit 0 -[ ! -e "$acl_path" ] && exit 0 - -if [ -d "$acl_path" ] +if [ -d "/$__object_id" ] then echo 1 else echo 0 fi diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 7003c26f..91fb7117 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -18,9 +18,7 @@ # along with cdist. If not, see . # -acl_path="/$__object_id" - -[ ! -e "$acl_path" ] && exit 0 +[ "$( cat "$__object/explorer/file_exists" )" = '0' ] && exit 0 os="$( cat "$__global/explorer/os" )" @@ -28,6 +26,8 @@ is_dir="$( cat "$__object/explorer/is_dir" )" acl_is="$( cat "$__object/explorer/acl_is" )" +acl_path="/$__object_id" + acl_should="$( for parameter in user group do if [ ! -f "$__object/parameter/$parameter" ] From c1a34caba7c39d3f27f7dd6ba249046e04a83e1c Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 19:06:48 +0300 Subject: [PATCH 12/28] __acl: add "other" ACL entry support and some comments, remove getfacl's inline comments --- cdist/conf/type/__acl/explorer/acl_is | 5 +++-- cdist/conf/type/__acl/gencode-remote | 21 +++++++++++++++++++-- cdist/conf/type/__acl/man.rst | 6 +++++- cdist/conf/type/__acl/parameter/optional | 1 + 4 files changed, 28 insertions(+), 5 deletions(-) diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is index 89da89f1..70e18116 100755 --- a/cdist/conf/type/__acl/explorer/acl_is +++ b/cdist/conf/type/__acl/explorer/acl_is @@ -26,6 +26,7 @@ then exit 1 fi -getfacl "/$__object_id" 2>/dev/null \ - | grep -E '^((default:)?(user|group):[^:]|(default:)?mask::)' \ +getfacl -E "/$__object_id" 2>/dev/null \ + | grep -E '^(default:)?(user|group|(mask|other):):[^:]' \ + | sed -r 's/#.+$//' \ || true diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 91fb7117..ce88afc4 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -28,7 +28,8 @@ acl_is="$( cat "$__object/explorer/acl_is" )" acl_path="/$__object_id" -acl_should="$( for parameter in user group +acl_should="$( +for parameter in user group do if [ ! -f "$__object/parameter/$parameter" ] then continue @@ -53,6 +54,7 @@ do fi done < "$__object/parameter/$parameter" done + if [ -f "$__object/parameter/mask" ] then l=$( cat "$__object/parameter/mask" ) @@ -64,6 +66,18 @@ then then echo "default:mask::$l" fi fi + +if [ -f "$__object/parameter/other" ] +then + l=$( cat "$__object/parameter/other" ) + + echo "other::$l" + + if [ -f "$__object/parameter/default" ] \ + && [ "$is_dir" = '1' ] + then echo "default:other::$l" + fi +fi )" setfacl_exec='setfacl' @@ -89,8 +103,11 @@ then else echo "$acl_is" | while read -r acl do + # Skip wanted ACL entries which already exist + # and skip mask and other entries, because we + # can't actually remove them, but only change. if echo "$acl_should" | grep -Eq "^$acl" \ - || echo "$acl" | grep -Eq '^(default:)?mask' + || echo "$acl" | grep -Eq '^(default:)?(mask|other)' then continue fi diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst index c10ee1a0..40c3ead4 100644 --- a/cdist/conf/type/__acl/man.rst +++ b/cdist/conf/type/__acl/man.rst @@ -18,6 +18,9 @@ OPTIONAL PARAMETERS mask Add mask ACL entry. +other + Add other ACL entry. + OPTIONAL MULTIPLE PARAMETERS ---------------------------- @@ -53,7 +56,8 @@ EXAMPLES --user bob:r-x \ --group project-group:rwx \ --group some-other-group:r-x \ - --mask r-x + --mask r-x \ + --other r-x AUTHORS diff --git a/cdist/conf/type/__acl/parameter/optional b/cdist/conf/type/__acl/parameter/optional index bb4fcf2b..4b32086b 100644 --- a/cdist/conf/type/__acl/parameter/optional +++ b/cdist/conf/type/__acl/parameter/optional @@ -1 +1,2 @@ mask +other From a1634b3ec0d8797cff33be88bf9e1487532ed12a Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 19:24:38 +0300 Subject: [PATCH 13/28] __acl: optimize gencode-remote --- cdist/conf/type/__acl/gencode-remote | 57 ++++++++++------------------ 1 file changed, 21 insertions(+), 36 deletions(-) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index ce88afc4..fd763b8f 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -28,57 +28,42 @@ acl_is="$( cat "$__object/explorer/acl_is" )" acl_path="/$__object_id" -acl_should="$( -for parameter in user group +acl_should="$( for parameter in user group mask other do if [ ! -f "$__object/parameter/$parameter" ] - then continue + then + continue fi - while read -r l + + while read -r acl do - if echo "$l" | grep -Fq 'X' + if echo "$acl" | grep -Fq 'X' then if [ "$is_dir" = '1' ] then - l="$( echo "$l" | sed 's/X$/x/' )" + acl="$( echo "$acl" | sed 's/X$/x/' )" else - l="$( echo "$l" | sed 's/X$/-/' )" + acl="$( echo "$acl" | sed 's/X$/-/' )" fi fi - echo "$parameter:$l" + if echo "$parameter" | grep -Eq '(mask|other)' + then + sep=:: + else + sep=: + fi + + echo "$parameter$sep$acl" if [ -f "$__object/parameter/default" ] \ && [ "$is_dir" = '1' ] - then echo "default:$parameter:$l" + then + echo "default:$parameter$sep$acl" fi - done < "$__object/parameter/$parameter" -done - -if [ -f "$__object/parameter/mask" ] -then - l=$( cat "$__object/parameter/mask" ) - - echo "mask::$l" - - if [ -f "$__object/parameter/default" ] \ - && [ "$is_dir" = '1' ] - then echo "default:mask::$l" - fi -fi - -if [ -f "$__object/parameter/other" ] -then - l=$( cat "$__object/parameter/other" ) - - echo "other::$l" - - if [ -f "$__object/parameter/default" ] \ - && [ "$is_dir" = '1' ] - then echo "default:other::$l" - fi -fi -)" + done \ + < "$__object/parameter/$parameter" +done )" setfacl_exec='setfacl' From 8b3c84dfefc5e44fa4f5ae1daa40b87e46a5076a Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 23:15:58 +0300 Subject: [PATCH 14/28] __acl: remove whitespace before inline comments too --- cdist/conf/type/__acl/explorer/acl_is | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is index 70e18116..1c64ffb3 100755 --- a/cdist/conf/type/__acl/explorer/acl_is +++ b/cdist/conf/type/__acl/explorer/acl_is @@ -28,5 +28,5 @@ fi getfacl -E "/$__object_id" 2>/dev/null \ | grep -E '^(default:)?(user|group|(mask|other):):[^:]' \ - | sed -r 's/#.+$//' \ + | sed -r 's/\s*#.+$//' \ || true From 7924c1339cc76bb7f8ab2c4a17cea751be7ef509 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 23:28:30 +0300 Subject: [PATCH 15/28] __acl: avoid duplication and safer sed for last occurence replacement --- cdist/conf/type/__acl/gencode-remote | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index fd763b8f..56c1cbc1 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -41,10 +41,12 @@ do then if [ "$is_dir" = '1' ] then - acl="$( echo "$acl" | sed 's/X$/x/' )" + rep=x else - acl="$( echo "$acl" | sed 's/X$/-/' )" + rep=- fi + + acl="$( echo "$acl" | sed -r "s/(.*)X/\1$rep/" )" fi if echo "$parameter" | grep -Eq '(mask|other)' From f23099218ab8918efde5798d15d5c025e3a0c5da Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 23:29:38 +0300 Subject: [PATCH 16/28] __acl: juggle man sections around because user/group are more important parameters --- cdist/conf/type/__acl/man.rst | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst index 40c3ead4..b7e74d59 100644 --- a/cdist/conf/type/__acl/man.rst +++ b/cdist/conf/type/__acl/man.rst @@ -13,15 +13,6 @@ ACL must be defined as 3-symbol combination, using `r`, `w`, `x` and `-`. See setfacl(1) and acl(5) for more details. -OPTIONAL PARAMETERS -------------------- -mask - Add mask ACL entry. - -other - Add other ACL entry. - - OPTIONAL MULTIPLE PARAMETERS ---------------------------- user @@ -31,6 +22,15 @@ group Add group ACL entry. +OPTIONAL PARAMETERS +------------------- +mask + Add mask ACL entry. + +other + Add other ACL entry. + + BOOLEAN PARAMETERS ------------------ recursive From 68f61c35ff89971a93ebd511ab35d13b40dce690 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 16 Apr 2019 23:36:54 +0300 Subject: [PATCH 17/28] __acl: check for X after last occurrence of colon --- cdist/conf/type/__acl/gencode-remote | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 56c1cbc1..96b4a57c 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -37,7 +37,7 @@ do while read -r acl do - if echo "$acl" | grep -Fq 'X' + if echo "$acl" | sed -r 's/(.*)://' | grep -Fq 'X' then if [ "$is_dir" = '1' ] then From f5d3196dd4f142c4b28c9641126d98cfb7eaaab7 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Fri, 19 Apr 2019 11:31:38 +0300 Subject: [PATCH 18/28] __acl: getfacl's -E not supported on FreeBSD --- cdist/conf/type/__acl/explorer/acl_is | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is index 1c64ffb3..9ca30281 100755 --- a/cdist/conf/type/__acl/explorer/acl_is +++ b/cdist/conf/type/__acl/explorer/acl_is @@ -26,7 +26,7 @@ then exit 1 fi -getfacl -E "/$__object_id" 2>/dev/null \ +getfacl "/$__object_id" 2>/dev/null \ | grep -E '^(default:)?(user|group|(mask|other):):[^:]' \ | sed -r 's/\s*#.+$//' \ || true From 0809d89836e633af8da983df3f1333ee281938dc Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Fri, 19 Apr 2019 12:56:55 +0300 Subject: [PATCH 19/28] __acl: replace sed -r where possible or make it portable without -r --- cdist/conf/type/__acl/explorer/acl_is | 3 +-- cdist/conf/type/__acl/gencode-remote | 6 +++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is index 9ca30281..a693c023 100755 --- a/cdist/conf/type/__acl/explorer/acl_is +++ b/cdist/conf/type/__acl/explorer/acl_is @@ -27,6 +27,5 @@ then fi getfacl "/$__object_id" 2>/dev/null \ - | grep -E '^(default:)?(user|group|(mask|other):):[^:]' \ - | sed -r 's/\s*#.+$//' \ + | grep -Eo '^(default:)?(user|group|(mask|other):):[^:][[:graph:]]+' \ || true diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 96b4a57c..08ba60ac 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -37,7 +37,7 @@ do while read -r acl do - if echo "$acl" | sed -r 's/(.*)://' | grep -Fq 'X' + if echo "$acl" | awk -F: '{ print $NF }' | grep -Fq 'X' then if [ "$is_dir" = '1' ] then @@ -46,7 +46,7 @@ do rep=- fi - acl="$( echo "$acl" | sed -r "s/(.*)X/\1$rep/" )" + acl="$( echo "$acl" | sed "s/\(.*\)X/\1$rep/" )" fi if echo "$parameter" | grep -Eq '(mask|other)' @@ -98,7 +98,7 @@ then then continue fi - no_bits="$( echo "$acl" | sed -r 's/:[rwx-]+$//' )" + no_bits="$( echo "$acl" | sed 's/:...$//' )" echo "$setfacl_exec -x \"$no_bits\" \"$acl_path\"" done From 0f3c162696c8c35afc155752f47af276c37b1acf Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Fri, 19 Apr 2019 13:16:35 +0300 Subject: [PATCH 20/28] __acl: setting default ACL in FreeBSD and macOS is currently not supported --- cdist/conf/type/__acl/gencode-remote | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 08ba60ac..9cdcd3be 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -108,6 +108,13 @@ fi for acl in $acl_should do if ! echo "$acl_is" | grep -Eq "^$acl" - then echo "$setfacl_exec -m \"$acl\" \"$acl_path\"" + then + if echo "$os" | grep -Eq 'macosx|freebsd' \ + && echo "$acl" | grep -Eq '^default:' + then + echo "setting default ACL in $os is currently not supported. sorry :(" >&2 + else + echo "$setfacl_exec -m \"$acl\" \"$acl_path\"" + fi fi done From 86f45db1b9b5bf91ea55e5014e39b2437a06bc70 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Fri, 19 Apr 2019 13:30:50 +0300 Subject: [PATCH 21/28] __acl: add nice oneliners and move default ACL decision out of the loop --- cdist/conf/type/__acl/gencode-remote | 27 ++++++++++----------------- 1 file changed, 10 insertions(+), 17 deletions(-) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 9cdcd3be..99c0f7f2 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -28,6 +28,13 @@ acl_is="$( cat "$__object/explorer/acl_is" )" acl_path="/$__object_id" +if [ -f "$__object/parameter/default" ] && [ "$is_dir" = '1' ] +then + set_default=1 +else + set_default=0 +fi + acl_should="$( for parameter in user group mask other do if [ ! -f "$__object/parameter/$parameter" ] @@ -39,30 +46,16 @@ do do if echo "$acl" | awk -F: '{ print $NF }' | grep -Fq 'X' then - if [ "$is_dir" = '1' ] - then - rep=x - else - rep=- - fi + [ "$is_dir" = '1' ] && rep=x || rep=- acl="$( echo "$acl" | sed "s/\(.*\)X/\1$rep/" )" fi - if echo "$parameter" | grep -Eq '(mask|other)' - then - sep=:: - else - sep=: - fi + echo "$parameter" | grep -Eq '(mask|other)' && sep=:: || sep=: echo "$parameter$sep$acl" - if [ -f "$__object/parameter/default" ] \ - && [ "$is_dir" = '1' ] - then - echo "default:$parameter$sep$acl" - fi + [ "$set_default" = '1' ] && echo "default:$parameter$sep$acl" done \ < "$__object/parameter/$parameter" done )" From 8729e39c215381e9bdffe6269cedfba85d0e0f85 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Fri, 19 Apr 2019 13:48:24 +0300 Subject: [PATCH 22/28] __acl: combine two explorers into one --- .../__acl/explorer/{file_exists => file_is} | 11 ++++++-- cdist/conf/type/__acl/explorer/is_dir | 26 ------------------- cdist/conf/type/__acl/gencode-remote | 10 +++---- 3 files changed, 14 insertions(+), 33 deletions(-) rename cdist/conf/type/__acl/explorer/{file_exists => file_is} (81%) delete mode 100755 cdist/conf/type/__acl/explorer/is_dir diff --git a/cdist/conf/type/__acl/explorer/file_exists b/cdist/conf/type/__acl/explorer/file_is similarity index 81% rename from cdist/conf/type/__acl/explorer/file_exists rename to cdist/conf/type/__acl/explorer/file_is index 998d407c..096cffd1 100755 --- a/cdist/conf/type/__acl/explorer/file_exists +++ b/cdist/conf/type/__acl/explorer/file_is @@ -19,6 +19,13 @@ # if [ -e "/$__object_id" ] -then echo 1 -else echo 0 +then + if [ -d "/$__object_id" ] + then echo directory + elif [ -f "/$__object_id" ] + then echo regular + else echo other + fi +else + echo missing fi diff --git a/cdist/conf/type/__acl/explorer/is_dir b/cdist/conf/type/__acl/explorer/is_dir deleted file mode 100755 index 7c4e2538..00000000 --- a/cdist/conf/type/__acl/explorer/is_dir +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/sh -e -# -# 2018 Ander Punnar (ander-at-kvlt-dot-ee) -# -# This file is part of cdist. -# -# cdist is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# cdist is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with cdist. If not, see . -# - -[ ! -e "/$__object_id" ] && exit 0 - -if [ -d "/$__object_id" ] -then echo 1 -else echo 0 -fi diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 99c0f7f2..5bb19aa8 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -18,17 +18,17 @@ # along with cdist. If not, see . # -[ "$( cat "$__object/explorer/file_exists" )" = '0' ] && exit 0 +file_is="$( cat "$__object/explorer/file_is" )" -os="$( cat "$__global/explorer/os" )" +[ "$file_is" = 'missing' ] && exit 0 -is_dir="$( cat "$__object/explorer/is_dir" )" +os="$( cat "$__global/explorer/os" )" acl_is="$( cat "$__object/explorer/acl_is" )" acl_path="/$__object_id" -if [ -f "$__object/parameter/default" ] && [ "$is_dir" = '1' ] +if [ -f "$__object/parameter/default" ] && [ "$file_is" = 'directory' ] then set_default=1 else @@ -46,7 +46,7 @@ do do if echo "$acl" | awk -F: '{ print $NF }' | grep -Fq 'X' then - [ "$is_dir" = '1' ] && rep=x || rep=- + [ "$file_is" = 'directory' ] && rep=x || rep=- acl="$( echo "$acl" | sed "s/\(.*\)X/\1$rep/" )" fi From 13df0a2a2b8ac2724821fc72369eaf9f4ca1fe66 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Fri, 19 Apr 2019 14:11:29 +0300 Subject: [PATCH 23/28] __acl: update man --- cdist/conf/type/__acl/man.rst | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst index b7e74d59..bc71a0cc 100644 --- a/cdist/conf/type/__acl/man.rst +++ b/cdist/conf/type/__acl/man.rst @@ -3,14 +3,16 @@ cdist-type__acl(7) NAME ---- -cdist-type__acl - Basic wrapper around `setfacl` +cdist-type__acl - Set ACL entries DESCRIPTION ----------- -ACL must be defined as 3-symbol combination, using `r`, `w`, `x` and `-`. +ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``. -See setfacl(1) and acl(5) for more details. +Fully supported on Linux, partial support for FreeBSD, OSX and Solaris. + +See ``setfacl`` and ``acl`` manpages for more details. OPTIONAL MULTIPLE PARAMETERS @@ -34,13 +36,14 @@ other BOOLEAN PARAMETERS ------------------ recursive - Operate recursively (Linux only). + Make ``setfacl`` recursive (Linux only), but not ``getfacl`` in explorer. default - Add default ACL entries. + Add default ACL entries (FreeBSD not supported). remove Remove undefined ACL entries (Solaris not supported). + ACL entries for ``mask`` and ``other`` can't be removed. EXAMPLES From 6d71ae342ad826aac73dd34d7334e7b4ef97bf41 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Fri, 19 Apr 2019 14:47:16 +0300 Subject: [PATCH 24/28] __acl: update man more --- cdist/conf/type/__acl/man.rst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst index bc71a0cc..092eb555 100644 --- a/cdist/conf/type/__acl/man.rst +++ b/cdist/conf/type/__acl/man.rst @@ -10,7 +10,11 @@ DESCRIPTION ----------- ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``. -Fully supported on Linux, partial support for FreeBSD, OSX and Solaris. +Fully supported on Linux (tested on Debian and CentOS). + +Partial support for FreeBSD, OSX and Solaris. + +OpenBSD and NetBSD support is not possible. See ``setfacl`` and ``acl`` manpages for more details. From 05225352aa7434ec35d2691420adb1f81923d4ec Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Fri, 19 Apr 2019 14:48:26 +0300 Subject: [PATCH 25/28] __acl: check for missing users and groups (common mistake) --- .../type/__acl/explorer/missing_users_groups | 47 +++++++++++++++++++ cdist/conf/type/__acl/gencode-remote | 8 ++++ 2 files changed, 55 insertions(+) create mode 100755 cdist/conf/type/__acl/explorer/missing_users_groups diff --git a/cdist/conf/type/__acl/explorer/missing_users_groups b/cdist/conf/type/__acl/explorer/missing_users_groups new file mode 100755 index 00000000..883fb84d --- /dev/null +++ b/cdist/conf/type/__acl/explorer/missing_users_groups @@ -0,0 +1,47 @@ +#!/bin/sh -e +# +# 2019 Ander Punnar (ander-at-kvlt-dot-ee) +# +# This file is part of cdist. +# +# cdist is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# cdist is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with cdist. If not, see . +# + +[ ! -e "/$__object_id" ] && exit 0 + +for parameter in user group +do + if [ ! -f "$__object/parameter/$parameter" ] + then + continue + fi + + while read -r acl + do + check="$( echo "$acl" | awk -F: '{print $1}' )" + + if [ "$parameter" = 'user' ] + then + getent_db=passwd + else + getent_db="$parameter" + fi + + if ! getent "$getent_db" "$check" > /dev/null + then + echo "missing $parameter '$check'" + fi + done \ + < "$__object/parameter/$parameter" +done diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 5bb19aa8..3dd0aef6 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -22,6 +22,14 @@ file_is="$( cat "$__object/explorer/file_is" )" [ "$file_is" = 'missing' ] && exit 0 +missing_users_groups="$( cat "$__object/explorer/missing_users_groups" )" + +if [ -n "$missing_users_groups" ] +then + echo "$missing_users_groups" >&2 + exit 1 +fi + os="$( cat "$__global/explorer/os" )" acl_is="$( cat "$__object/explorer/acl_is" )" From c7e6109462eab6201ae4fee5bf1b9baa2d48314c Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Fri, 19 Apr 2019 14:49:02 +0300 Subject: [PATCH 26/28] __acl: tabs vs spaces --- cdist/conf/type/__acl/explorer/missing_users_groups | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/cdist/conf/type/__acl/explorer/missing_users_groups b/cdist/conf/type/__acl/explorer/missing_users_groups index 883fb84d..b4af614c 100755 --- a/cdist/conf/type/__acl/explorer/missing_users_groups +++ b/cdist/conf/type/__acl/explorer/missing_users_groups @@ -29,7 +29,7 @@ do while read -r acl do - check="$( echo "$acl" | awk -F: '{print $1}' )" + check="$( echo "$acl" | awk -F: '{print $1}' )" if [ "$parameter" = 'user' ] then @@ -38,10 +38,10 @@ do getent_db="$parameter" fi - if ! getent "$getent_db" "$check" > /dev/null - then - echo "missing $parameter '$check'" - fi + if ! getent "$getent_db" "$check" > /dev/null + then + echo "missing $parameter '$check'" + fi done \ < "$__object/parameter/$parameter" done From 186ce77bb24ddb089b69a28c4c27dd1bfbbd1a71 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Fri, 19 Apr 2019 14:58:44 +0300 Subject: [PATCH 27/28] __acl: add messaging --- cdist/conf/type/__acl/gencode-remote | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 3dd0aef6..c9583520 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -102,6 +102,7 @@ then no_bits="$( echo "$acl" | sed 's/:...$//' )" echo "$setfacl_exec -x \"$no_bits\" \"$acl_path\"" + echo "removed '$no_bits'" >> "$__messages_out" done fi fi @@ -116,6 +117,7 @@ do echo "setting default ACL in $os is currently not supported. sorry :(" >&2 else echo "$setfacl_exec -m \"$acl\" \"$acl_path\"" + echo "added '$acl'" >> "$__messages_out" fi fi done From 108e46abee03eaca789eb43393aaccf9f699bf7a Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Fri, 19 Apr 2019 15:04:18 +0300 Subject: [PATCH 28/28] __acl: fix removal in freebsd --- cdist/conf/type/__acl/gencode-remote | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index c9583520..a0f25a15 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -99,10 +99,15 @@ then then continue fi - no_bits="$( echo "$acl" | sed 's/:...$//' )" + if echo "$os" | grep -Eq 'macosx|freebsd' + then + remove="$acl" + else + remove="$( echo "$acl" | sed 's/:...$//' )" + fi - echo "$setfacl_exec -x \"$no_bits\" \"$acl_path\"" - echo "removed '$no_bits'" >> "$__messages_out" + echo "$setfacl_exec -x \"$remove\" \"$acl_path\"" + echo "removed '$remove'" >> "$__messages_out" done fi fi