views: 602
answers: 3

I'm trying to remove an ACL set for johndoe from all the folders recursively on one of my drives without hosing any other entries! Anyone know how to do this without affecting the ACLs that already exist for other groups/users?

I'm looking for the Mac equivalent of "setfacl -d u:johndoe"

I know you can use chmod to remove a rule from multiple files, but the only way I have seen won't work because it removes the rule via its index (e.g. the 5th entry of every folder) and the entry for my user won't always be the same index.

Why would you want to do this? Say you inherit an insane file system that has a bunch of individual users instead of groups and you want to get rid of just the individuals since they already have access.

A: 

I'd grep the output of ls -le for the username, then remove the rule with the index number you found using awk. As long as you don't call your users read, write, deny, allow, delete or such ;)

Graham Lee
That would work fine for a single folder, but I need to perform this on thousands of files. It's a 2TB volume.
username
This is where loops or even the find command will help. If something works fine for a folder, it works fine for _all_ folders.
Graham Lee
A: 

find / \( -type f -o -type d \) -print0 | xargs -0 ls -led | more

might help you to start exploring the filesystem.

You could replace more with another command, such as a grep for ACL output, and a subsequent pipe to handle the results of grep with fsaclctl.

Alex Reynolds
I'm trying to figure out if there's a dead easy way to do this. For starters, you can only delete an ACL entry either by its rule number (which won't be the same for 6TB of files), or by removing its exact permissions (strangely). All seems very kludgy. fsaclctl isn't installed by default on Mac OS.
username
... except that it is. fsaclctl, I mean. Sorry, misread as "setfacl".
username
+2  A: 

How about the chmod "-a" option?

find . -exec chmod -a "johndoe allow delete,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,read,write,append,execute,list,search,add_file,add_subdirectory,delete_child" {} \;

It will remove all ACL permissions for johndoe on all files recursively from the current directory. (It will print errors for all files without an ACL, but it will still work on the rest of 'em). As you mentioned, you'll have to run this with "inherited" and "deny" as well.

EDIT: Here are tools that use ACLs on Mac OS X:

# cat has_acl.sh 
# Exit 0 if the binary at $1 imports any _acl_ symbol (quoted so paths with spaces work)
otool -IV "$1" 2>&1 | grep -q _acl_
# find /bin /sbin /usr/bin /usr/sbin -exec ./has_acl.sh {} \; -print
/bin/chmod
/bin/ls
/usr/bin/ex
/usr/bin/rview
/usr/bin/rvim
/usr/bin/vi
/usr/bin/view
/usr/bin/vim
/usr/bin/vimdiff
/usr/sbin/cupsd
/usr/sbin/kadmind
/usr/sbin/pkgutil

vi only reads & preserves the ACLs; the others don't seem useful, either. But there could be a 3rd party tool. Maybe in Fink/MacPorts?

Jesse Rusak
I've reposted this, as requested by the asker.
Jesse Rusak
(Apparently, you can't accept an old answer - even an edited one - after posting a bounty? Crazy.)
Jesse Rusak
Sorry Jesse, I still don't get any option to accept this as the answer. I don't get an option to set a bounty again either. It seems like either a SO bug, or some process I am ignorant of. I do see the option to Close/Open the question, but the status appears as Open already.
username
Well, don't worry about it. I hope the command worked!
Jesse Rusak
You probably have to accept it before the bounty has expired.
Jesse Rusak
Hey Jesse, do you have an account at the SO sister-site: serverfault.com? If so, could you copy and paste your answer to http://serverfault.com/questions/6607/propagate-removal-of-an-acl-entry-for-just-one-user-in-mac-os
username
I don't, unfortunately. Once it goes public, I'll try to remember.
Jesse Rusak
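The two approaches in the thread can be combined: Graham's idea of reading the entry index out of `ls -le` and Jesse's `chmod -a` removal, driven by `find` over the whole volume. The script below is an added example, not code posted by anyone in the thread. It assumes the macOS `ls -le` output format (` 0: user:johndoe allow ...`) and the `chmod -a# <index>` option; the sample `ls -led` output embedded in it is constructed for offline testing. Because it matches on the user name rather than on an exact permission list, plain, inherited and deny entries are all removed in one pass, and indices are removed highest first so that deleting one entry does not renumber the ones still to be removed on the same path. `DRY_RUN=1` prints what would be removed without touching anything, which is the sensible first run on a 2TB volume.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): remove every ACL entry (ACE) naming one
# user, on every file and folder under a root, by ACE index rather than by
# permission list. Assumes the macOS `ls -le` / `chmod -a#` interface; run
# with DRY_RUN=1 first to preview the changes.
set -u

# Print the ACE indices that belong to user $1 from `ls -led <path>` output on
# stdin, highest first: removing index 0 first would renumber the rest.
# Matching on "user:<name>" picks up plain, inherited and deny entries alike.
acl_indices_for_user() {
  awk -v user="$1" '
    # ACE lines look like " 2: user:johndoe inherited deny delete"
    /^ *[0-9]+: / {
      idx = $1; sub(/:$/, "", idx)
      if ($2 == "user:" user) print idx
    }' | sort -rn
}

# Walk $2 and drop every ACE for user $1. Each path is re-listed just before
# its entries are removed, so the indices used are always current.
remove_user_aces_recursively() {
  local user="$1" root="$2" path idx
  find "$root" -print0 | while IFS= read -r -d '' path; do
    ls -led "$path" | acl_indices_for_user "$user" | while read -r idx; do
      printf 'removing ACE %s (%s) from %s\n' "$idx" "$user" "$path"
      [ "${DRY_RUN:-0}" = 1 ] || chmod -a# "$idx" "$path"
    done
  done
}

# Constructed `ls -led` output for one folder, used to exercise the parser
# offline (these entries are made up for the example).
SAMPLE_LS_OUTPUT='drwxr-xr-x+ 3 alice  staff  102 Mar  1 12:00 /Volumes/Data/Projects
 0: user:johndoe allow list,add_file,search,delete_child
 1: group:staff inherited allow list,search
 2: user:johndoe inherited deny delete
 3: user:alice allow list,add_file,search'

# Indices the parser would remove for user $1 in the sample, space-joined.
demo_indices() {
  printf '%s\n' "$SAMPLE_LS_OUTPUT" | acl_indices_for_user "$1" | paste -sd' ' -
}

# Usage: ./remove_user_aces.sh johndoe /Volumes/Data   (DRY_RUN=1 to preview)
if [ "${1:-}" ] && [ "${2:-}" ]; then
  remove_user_aces_recursively "$1" "$2"
fi
```

On the constructed sample, `demo_indices johndoe` prints `2 0`: both the allow entry and the inherited deny entry are found, and the higher index comes first. Run the real removal once with `DRY_RUN=1` and compare the printed list against `ls -le` on a few folders before running it for real.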