Automated ACL Check in shell script

Question

I'd like to get some ideas from you on how to implement that. Let me explain a little bit my problem:

Scenario: We have a system that must have some especific ACLs set in order to run it. So, before running it would be great if I could run a sort of pre check in order to verify if everything was set correctly.

Goal: Create a script that checks those ACLs before starting the system alerting in case one of them is wrong based in a list of files/folder and its ACLs.

Problems: Since the getfacl result is not a simple return, the only way I found to do such checking was parsing the result and analising each piece of it, that not as elegant as I'd like it could be.

I doubt many of you had to do something ACLs check but for sure you guys can contribute to my cause :)

Thanks everybody in advance

Answer 1

Since the getfacl result is not a simple return, the only way I found to do such checking was parsing the result and analising each piece of it, that not as elegant as I'd like it could be.

What exactly are you trying to do? If you're just comparing the result of calling getfacl to a desired ACL, it should be easy. For example, assuming that you have stored your desired ACL in a file named acl-i-want, you could do something like this:

   getfacl /path > acl-i-have
   if ! diff -q acl-i-have acl-i-want; then
      echo "ACLs are different."
   fi

Answer 2

How about using Python module pylibacl

>>> import posix1e
>>> acl1 = posix1e.ACL(file="file1.txt")
>>> print acl1
user::rw-
group::r--
other::r--