# Setting ACLs recursively - howto?



## Conzales (Oct 12, 2012)

Greetings,


I was just wondering if I can set or list ACLs recursively on specific directories? Could find an easy answer to this in the man pages or on the internet.

I couldn't find the usual '-R' option for setfacl.
Is there another way to do this; if possible easily? I'm using ACLs on UFS, not on NFSv4.

The only way I found was this:
`# find . -type f -exec setfacl -m xxx {} \;`
or 
`# find . -type d -exec setfacl -d -m u::,g::,o::,g:rrr:rwx {} \;`

The reason I want to be able to do this is because ACL permissions are only inherited while copying a file to a directory that has this set already. When moving files permissions will not be set automatically obviously. Copying large files takes a long time. I use ACL permissions on FreeBSD9 for my NAS system. Various directories are shared for DLNA purposes for example. The miniDLNA program user needs user rights on the files shared. I don't want to run miniDLNA as root, by default it's using 'dlna' on FreeBSD.

Thanks,
Conzales
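
The `find`-based approach from the post above, written out as an added example (not code from the thread): files and directories are handled separately because only directories can carry a default ACL, and the `dlna` account gets read-only access. The function name, the `DRY_RUN` switch, the base-entry values and the path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: grant_tree_read, the
# DRY_RUN switch, the account "dlna" and the path in the usage line.
# POSIX.1e ACLs as used on UFS; NFSv4 ACLs need a different entry syntax.

# grant_tree_read ROOT USER
#   files:       access ACL  u:USER:r--
#   directories: access ACL  u:USER:r-x  (x is needed to traverse)
#                default ACL u:USER:r-x  (inherited by newly created entries)
# With DRY_RUN=1 the setfacl command lines are printed instead of executed.
grant_tree_read() {
    root=$1 user=$2
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    # Reject anything that could smuggle extra ACL entries into the argument.
    case $user in
        ''|*[!A-Za-z0-9_.-]*) echo "bad user name: $user" >&2; return 1 ;;
    esac
    run=${DRY_RUN:+echo}

    # -type f / -type d never match symlinks, so a link pointing out of the
    # tree is not touched. "{} +" batches many paths into each setfacl call
    # instead of forking once per file as "{} \;" does.
    find "$root" -type f -exec $run setfacl -m "u:$user:r--" {} + &&
    find "$root" -type d -exec $run setfacl -m "u:$user:r-x" {} + &&
    # A default ACL must carry the base entries (u::, g::, o::) as well;
    # the values here are an assumption, pick what the share needs.
    find "$root" -type d -exec $run setfacl -d -m \
        "u::rwx,g::r-x,o::---,u:$user:r-x" {} +
}

# Usage (constructed path): DRY_RUN=1 grant_tree_read /tank/media dlna
```

Run it with `DRY_RUN=1` first and read the printed `setfacl` lines before applying them to a shared tree.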


----------



## SirDice (Oct 12, 2012)

Conzales said:

> The reason I want to be able to do this is because ACL permissions are only inherited while copying a file to a directory that has this set already. When moving files permissions will not be set automatically obviously. Copying large files takes a long time.



One way would be to create hardlinks instead of copies. But this only works if both are on the same filesystem.

`# ln /path/to/original/file /path/to/copy`


----------



## Conzales (Oct 12, 2012)

Thanks for the quick answer.

That would be possible; files are on the same filesystem. However that would get messy very quickly, because I don't want all the files I download for example to show up in the shared directories. As I understand your answer, creating a link will set file permissions?


----------



## SirDice (Oct 12, 2012)

Conzales said:

> As I understand your answer, creating a link will set file permissions?


Yes, as it's basically a 'new' file. Moving files doesn't change the permissions because only the reference to the file is moved.


----------



## jkhilmer (May 12, 2015)

Sorry for resurrecting this, but I haven't found a good solution anywhere else and this is one of the top hits when searching this topic.

Based on my limited understanding, there are multiple problems with the find/exec approach:
1.) Although you can add new ACLs, you can't easily remove them (assuming variable existing ACLs).
2.) You can't bulk-add multiple ACLs (`setfacl -a` is only good for one at a time): you can only bulk-modify them (`setfacl -M`).

These combine to give two problem areas:
1.) Even via root, it's a slow multi-step process to bulk-wipe ACLs (`chmod` then `setfacl -b`) and then replace them with new ones.
2.) A user without root can't trivially write a new set of ACLs: a bulk remove-then-write (itself inefficient) could end up locking themself out.

I wrote a script to get around this by calling `setfacl` multiple times, but it seems like a really inefficient approach:
1.) Use `getfacl` to find the permissions that will be removed.
2.) Give a new ACL via `setfacl -a 0`.
3.) Add new ACLs one ACE at a time via `setfacl -a 0`.
4.) Remove the old ACL (from step #1).
5.) Remove the temp ACL entry from step #2.

This has the advantage of never denying access to the user even momentarily, but it's a lot of looping and calling `setfacl` repeatedly: there must be a better way!  Does anyone have any ideas?


----------



## da1 (May 13, 2015)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=155163

I've tried it on 9.1-STABLE (r246451) and it worked (see comment #2) and someone else reported that it's working against 11-CURRENT (comment 5).

I think this answered the OP's question.


----------

