Acls support in rsync

jw schultz jw at pegasys.ws
Wed Jun 5 19:05:03 EST 2002


On Wed, Jun 05, 2002 at 10:57:22PM +0200, Olivier Tarnus wrote:
> Hi,
> 
> I already wrote about this subject last month but didn't get attention...
> 
> I've found a way to transfer acls with a script and apply them. This 
> process has already been described in this mailing list 
> (http://lists.samba.org/pipermail/rsync/2000-March/001992.html) but there's a 
> way to do it in a more efficient way using some getfacl options.
> You can dump acls of a full directory with this command:
> 
> getfacl -R --skip-base --no-effect --absolute-names  --access  /somedir/
> 
> -R : recursive
> --skip-base : do not process files with standard rights
> --no-effect : no comments
> --absolute-names : get full file name
> --access : display file access control list, not default access control list
> 
> The advantage of this command is that you get all but only effective acls, so 
> standard access rights are still processed by rsync, and you only transfer 
> "supplementary access rights".
> 
> using some sed magic (don't flame, I'm not a Regex master...):
> 
> getfacl -R --skip-base --no-effect --absolute-names  --access * | \
> sed 's/# file: \(.*$\)/\1 /' | grep -v '^#' | tr "\n" "," | \
> sed "s/ ,/ /g" | sed 's/,,/\n/g' | sed 's/\(.*\) user::\(.*\)/user::\2 \1/'
> 
> you get a line for each acl looking like this:
> 
> user::rwx,user:joe:rwx,group::rwx,group:users:rwx,mask::rwx,other::r-x myfile
> 
> Processing this command on +250 000 files took less than 2 minutes on a freshly 
> rebooted (no cache involved) xfs file system (linux 2.4.18). Running 1 hour 
> later, it will generally run in less than 5 seconds.
> 
> You just have to pipe in a file in the involved directory on the master before 
> running rsync and apply acls on the other side after rsync completed. To 
> apply, use this script:
> 
> #!/bin/bash
> ### This script works only if you don't have " and / in your filenames
> ### I hope for you...   :-)
> 
> # Read "acl file" records from the list given as $1 (-r keeps backslashes literal)
> while read -r acl file
>      do
>           myfile=$file
>           echo "Applying acl in $file..."
>           /usr/bin/setfacl -s "$acl" "$myfile"
>      done < "$1"
> 
> Running time depends on the number of acls in your directory.  :-)
> 
> I don't know if this method works well on other file systems, but it does on xfs 
> and is really efficient. I hope this will help acls users, so please let me 
> know if you get success with this method.
> 
> I still want to create a "getfacl" patch for rsync, so that acls are 
> transferred with a shorter syntax 
> (u::rwx,u:101:rwx,g::rwx,g:100:rwx,m::rwx,o::r-x myfile), and so you don't 
> have to script anymore :-)
> 
> So please dear rsync developers, could you please give me some advice about 
> what to modify in rsync to add acls to standard access rights 
> synchronisation. 
> 
> Thank you in advance.
> 
> Olivier Tarnus

Thanks for this research.  As one using rsync for backups it
is useful info.

I'm sure the regular rsync developers will have their own
thoughts on this but I believe that adding ACL support to
rsync will require a protocol extension.

For the transfer protocol I'm inclined to think that ACLs
should probably be handled as a subset of Extended File
Attributes (EFA) as has been discussed on lkml.  EFAs are of
interest on many platforms especially Macintosh where they
correlate to the file resource fork.

One of the main issues of dealing with ACLs is that we
really want to handle them in a way that allows proper
translation between implementations.  This is an issue for
backups where admins want to rsync Windows boxes (shudder)
to Unix/Linux.  Can I grant/deny access to a non-existent account
or group?  If not I would want to be able to apply the
--numeric-ids option.

-- 
________________________________________________________________
	J.W. Schultz            Pegasystems Technologies
	email address:		jw at pegasys.ws

		Remember Cernan and Schmitt
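
The dump-and-apply procedure from the quoted message, as an added example that is not part of the thread: it builds the same "acl file" records with awk, then checks each ACL string against the user/group/mask/other entry syntax before passing it, quoted, to setfacl -s. The function names, the SETFACL override and the sample dump are constructed for illustration; user and group names are assumed to contain only letters, digits, ".", "_" and "-".

```shell
#!/bin/sh
# Added example; function names and the SETFACL override are hypothetical.
sample_dump() { cat <<'EOF'
# file: /somedir/my file
# owner: joe
# group: users
user::rwx
user:joe:rwx
group::rwx
group:users:rwx
mask::rwx
other::r-x

# file: /somedir/b
user::rw-
group::r--
group:users:rw-	#effective:r--
mask::r--
other::---
EOF
}
# Turn getfacl output (stdin) into one "ACL FILE" record per file.
acl_records() {
    awk '
        function flush() { if (file != "" && acl != "") print acl " " file; file = acl = "" }
        /^# file: /  { flush(); file = substr($0, 9); next }
        /^#/ || /^$/ { next }
        { sub(/[ \t]*#.*/, ""); acl = (acl == "" ? $0 : acl "," $0) }
        END { flush() }'
}
# Succeed only if $1 is a comma-separated list of well-formed ACL entries.
valid_acl() {
    entry='((user|group):[A-Za-z0-9._-]*|mask:|other:):[r-][w-][x-]'
    printf '%s\n' "$1" | grep -Eq "^$entry(,$entry)*\$"
}
# Apply the records in file $1. Everything after the first space is the file
# name, so embedded spaces survive; names containing newlines are unsupported.
apply_acls() {
    rejected=0
    while IFS= read -r line; do
        acl=${line%% *}; file=${line#* }
        if [ "$acl" = "$line" ] || ! valid_acl "$acl"; then
            echo "skipping malformed record: $line" >&2
            rejected=$((rejected + 1)); continue
        fi
        "${SETFACL:-setfacl}" -s "$acl" -- "$file" || rejected=$((rejected + 1))
    done < "$1"
    [ "$rejected" -eq 0 ]
}
```

On the sending side this would run as `getfacl -R --absolute-names /somedir/ | acl_records > acls.txt`, and on the receiving side as `apply_acls acls.txt` after rsync completes.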



