X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=3rdparty%2Fmodules%2Fposix_acl%2FREADME.org;fp=3rdparty%2Fmodules%2Fposix_acl%2FREADME.org;h=0000000000000000000000000000000000000000;hb=58e0c785f50b2751ee1cc42e6686297cfa631e33;hp=de48263265b46f50623824247e902d0408ff5907;hpb=906a3243ed81ccb850e494ea880045084fbaeb35;p=mirror%2Fdsa-puppet.git diff --git a/3rdparty/modules/posix_acl/README.org b/3rdparty/modules/posix_acl/README.org deleted file mode 100644 index de4826326..000000000 --- a/3rdparty/modules/posix_acl/README.org +++ /dev/null @@ -1,174 +0,0 @@ -#+TITLE: Acl module for Puppet - -* Description -This plugin module provides a way to set POSIX 1.e (and other standards) file ACLs via Puppet. - -* Usage: - - the =posix_acl= resource =title= is used as the path specifier. - - ACLs are specified in the =permission= property as an array of strings in the same format as is used for =setfacl=. - - the =action= parameter can be one of =set=, =exact=, =unset= or =purge=. These are described in detail below. - - the =provider= parameter allows a choice of filesystem ACL provider. Currently only POSIX 1.e is implemented. - - the =recursive= parameter allows you to apply the ACLs to all files under the specified path. - - : posix_acl { "/var/log/httpd": - : action => set, - : permission => [ - : "user::rwx", - : "group::---", - : "mask::r-x", - : "other::---", - : "group:logview:r-x", - : "default:user::rwx", - : "default:group::---", - : "default:mask::rwx", - : "default:other::---", - : "default:group:logview:r-x", - : ], - : provider => posixacl, - : require => [ - : Group["logview"], - : Package["httpd"], - : Mount["/var"], - : ], - : recursive => false, - : } - -** Using action => set: -The =set= option for the =action= parameter allows you to specify a minimal set of ACLs which will be guaranteed by Puppet. ACLs applied to the path which do not match those specified in the =permission= property will remain unchanged. -*** Initial permissions: - : # file /var/www/site1 - : user::rwx - : group::r-x - : other::r-x - : mask::rwx - : group:webadmin:r-x - : group:httpadmin:rwx -*** Specified acls: - : permission => [ - : 'user::rwx', - : 'group::r-x', - : 'other::r-x', - : 'mask::rwx', - : 'group:webadmin:rwx', - : 'user:apache:rwx', - : ], -*** Updated permissions: - : # file /var/www/site1 - : user::rwx - : group::r-x - : other::r-x - : mask::rwx - : user:apache:rwx - : group:webadmin:rwx - : group:httpadmin:rwx -** Using action => exact: -The =exact= option for the =action= parameter will specify the exact set of ACLs guaranteed and enforced by Puppet. ACLs applied to the path which do not match those specified in the =permission= property will be removed. -*** Initial permissions: - : # file /var/www/site1 - : user::rwx - : group::r-x - : other::r-x - : mask::rwx - : group:webadmin:r-x - : group:httpadmin:rwx -*** Specified acls: - : permission => [ - : 'user::rwx', - : 'group::r-x', - : 'other::r-x', - : 'mask::rwx', - : 'group:webadmin:r--', - : 'user:apache:rwx', - : ], -*** Updated permissions: - - group:httpadmin permission is removed - - user:apache permission is added - - group:webadmin permission is updated - : # file /var/www/site1 - : user::rwx - : group::r-x - : other::r-x - : mask::rwx - : group:webadmin:r-- - : user:apache:rwx -** Using action => unset: -The =unset= option for the =action= parameter will specify the set of ACLs guaranteed by Puppet to NOT be applied to the path. ACLs applied to the path which match those specified in the =permission= property will be removed. ACLs applied to the path which do not match those specified in the =permission= property will remain unchanged. -*** Initial permissions: - : # file /var/www/site1 - : user::rwx - : group::r-x - : other::r-x - : mask::rwx - : group:webadmin:r-x - : group:httpadmin:rwx -*** Specified acls: - : permission => [ - : 'user::rwx', - : 'group::r-x', - : 'other::r-x', - : 'mask::rwx', - : 'group:webadmin:r--', - : 'user:apache:rwx', - : ], -*** Updated permissions: - : # file /var/www/site1 - : user::rwx - : group::r-x - : other::r-x - : mask::rwx - : group:httpadmin:rwx -** Using action => purge: -The =purge= option for the =action= parameter will cause Puppet to remove any file ACLs applied to the path. - -NOTE: Although the =permission= property is unused for this action, it needs to have a valid ACL value for the action to work. This is a known issue. -*** Initial permissions: - : # file /var/www/site1 - : user::rwx - : group::r-x - : other::r-x - : mask::rwx - : group:webadmin:r-x - : group:httpadmin:rwx -*** Specified acls: -See above - : permission => [ - : 'user::rwx', - : 'group::r-x', - : 'other::r-x', - : 'mask::rwx', - : 'group:webadmin:r--', - : 'user:apache:rwx', - : ], -*** Updated permissions: - - All file ACLs are removed - : # file /var/www/site1 - : user::rwx - : group::r-x - : other::r-x - -* Notes: -** Conflicts with "file" resource type: -If the path being modified is managed via the =File= resource type, the path's mode bits must match the value specified in the =permission= property of the ACL -** Mask check: -The ACL setter doesn't recalculate the rights mask based on the user/group ACLs specified, so it is possible to specify ACLs on a file for which a more restrictive set of rights is enforced, known as "effective rights". For example, with these =permission= parameters on a file =test=: - : permission => [ - : 'user::rw-', - : 'group::---', - : 'mask::r--', - : 'other::---', - : 'user:apache:rwx', - : 'group:root:r-x', - : 'group:admin:rwx', - : ], - -The output of =getfacl test= reveals a more restrictive set of effective rights, which might not be what was expected: - : # file: test - : # owner: root - : # group: root - : user::rw- - : group::--- - : other::--- - : mask::r-- - : user:apache:rwx #effective:r-- - : group:root:r-x #effective:r-- - : group:admin:rwx #effective:r--