doc: document the apply-default-acl algorithm.

[apply-default-acl.git] / doc / man / apply-default-acl.1

.TH apply-default-acl 1

.SH NAME
apply-default-acl \- Apply default POSIX ACLs to files and directories.

.SH SYNOPSIS

\fBapply-default-acl\fR [\fB-rx\fR] \fIpath\fR [\fIpath2 ...\fR]

.SH DESCRIPTION

.P
If the directory containing \fIpath\fR has a default ACL, the ACL on
\fIpath\fR is replaced with that default. Neither symbolic nor hard
links are followed; symbolic links are ignored in all path components
to avoid a dangerous race condition.
.P
By default, a heuristic is used to determine whether or not the
execute bit is masked on \fIpath\fR. If \fIpath\fR is not a directory,
and no user or group has \fBeffective\fR execute permissions on
\fIpath\fR, then the execute bit will not masked. Otherwise, it is
left alone. In effect we pretend that the \fBx\fR permission acts like
the \fBX\fR (note the case difference) permission of \fBsetfacl\fR.
.P
This behavior can be modified with the \fB--no-exec-mask\fR flag.

.SH OPTIONS
.IP \fB\-\-recursive\fR,\ \fB\-r\fR
Apply default ACLs recursively. This works top-down, so if directory
\fBfoo\fR is in another directory \fBbar\fR which has a default ACL,
then \fBbar\fR's default ACL will be applied to \fBfoo\fR before the
contents of \fBfoo\fR are processed.
.IP \fB\-\-no-exec-mask\fR,\ \fB\-x\fR
Apply the default ACL literally; that is, don't use a heuristic to
decide whether or not to mask the execute bit. This usually results in
looser-than-necessary execute permissions.

.SH ALGORITHM
.IP "I. Argument validation" 0.4i
.RS
.IP "a. If any part of the target path contains a symlink" 0.4i
Return failure
.IP "b. If there's no default ACL to apply"
Return success
.IP "c. If the target is not a (non-hardlink) regular file or directory"
Return failure
.RE
.IP "II. ACL application"
.RS
.IP "a. If the target is a directory" 0.4i
Set the target's default ACL equal to its parent's default ACL
.IP "b. Set the target's access ACL equal to its parent's default ACL"
.IP "c. If the target is a directory"
Return success
.IP "d. If the target was executable by anyone"
Return success
.IP "e. If \fB--no-exec-mask\fR was given"
Return success
.IP "f. Unset the user/group/other/mask execute bits"
.IP "g. Return success"
.RE
.P
The action of apply-default ACL largely mimics what the kernel would
do if you ran \fImkdir\fR or \fItouch\fR to create a new file. The one
point of disagreement is on how to mask group-execute permissions for
files. The kernel will let the \(dqmask\(dq bits prevent group-execute,
whereas apply-default-acl will explicitly remove the group-execute bits.
For example,

.nf
.I $ mkdir herp
.I $ setfacl --default --modify user:mjo:rw herp
.I $ touch herp/derp
.I $ getfacl --omit-header herp/derp
user::rw-
user:mjo:rw-
group::r-x                      #effective:r--
mask::rw-
other::r--
.fi

In the same situation, apply-default-acl will mask the group \fBx\fR bit:

.nf
.I $ apply-default-acl herp/derp
.I $ getfacl --omit-header herp/derp
user::rw-
user:mjo:rw-
group::r--
mask::rw-
other::r--
.fi

The author is of the opinion that the latter is more sensible, if not
simply more consistent.

.SH EXIT CODE
.P
When given a single path, the following codes correspond directly to
the action of the program on that path:
.IP \fB0\ (EXIT_SUCCESS)\fR
Success
.IP \fB1\ (EXIT_FAILURE)\fR
Failure due to a symlink, hardlink, or invalid/inaccessible path
.IP \fB2\fP
Other unexpected library error
.P
When called on multiple paths, the results from all paths are
collected and the \(dqworst\(dq result is returned. For example, if
one path succeeds and another fails, the overall result will be
failure. If one succeeds, one fails, and one causes an error, then the
overall result will be an error; and so on.
.P
When the \fB\-\-recursive\fR flag is used, the exit code is computed
as if all affected paths were passed, depth-first, on the command-line.