script to find "deny" ACE in ACLs, and remove it
- by Tom
On my 100TB cluster, I need to find dirs and files that have a "deny" ACE within their ACL, then remove that ACE on each instance. I'm using the following:
# find . -print0 | xargs -0 ls -led | grep deny -B4
and get this output (partial, for example only)
-r--rw---- 1 chris GroupOne 4096 Mar 6 18:12 ./directoryA/fileX.txt
OWNER: user:chris
GROUP: group:GroupOne
0: user:chris allow file_gen_read,std_write_dac,file_write_attr
1: user:chris deny file_write,append,file_write_ext_attr,execute
--
-r--rwxrwx 1 chris GroupOne 14728221 Mar 6 18:12 ./directoryA/subdirA/fileZ.txt
OWNER: user:chris
GROUP: group:GroupOne
0: user:chris allow file_gen_read,std_write_dac,file_write_attr
1: user:chris deny file_write,append,file_write_ext_attr,execute
--
OWNER: user:bob
GROUP: group:GroupTwo
0: user:bob allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child,object_inherit,container_inherit
1: group:GroupTwo allow std_read_dac,std_write_dac,std_synchronize,dir_read_attr,dir_write_attr,object_inherit,container_inherit
2: group:GroupTwo deny list,add_file,add_subdir,dir_read_ext_attr,dir_write_ext_attr,traverse,delete_child,object_inherit,container_inherit
--
As you can see, depending on where the "deny" ACE is, I can see/not-see the path. I could increase the -B value (I've seen up to 8 ACEs on a file) but then I would get more output to distill from...
What I need to do next is extract $ACENUMBER and $PATHTOFILE so that I can execute this command:
chmod -a# $ACENUMBER $PATHTOFILE
An additional issue is that the find command (above) gives a relative path, whereas I need the full path. I guess that would need to be edited somehow.
Any guidance on how to accomplish this?
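As an added example (not Tom's script and not a vendor tool), the following Python parses the `ls -led` listing format shown above and emits the `chmod -a# $ACENUMBER $PATHTOFILE` commands for every deny ACE. It assumes the listing was produced without the grep and from an absolute starting directory (e.g. `find /data -print0 | xargs -0 ls -led`), so each header line already carries the full path; the sample listing inside the script is constructed to match the post's format, not real cluster data. Per file it orders removals from the highest ACE index down, so deleting one entry cannot renumber an entry that is still to be removed.

```python
import re
import shlex

# Constructed sample of `find /data -print0 | xargs -0 ls -led` output,
# modelled on the listing format in the post (assumption: no real data).
SAMPLE_LISTING = """\
-r--rw---- 1 chris GroupOne 4096 Mar 6 18:12 /data/directoryA/fileX.txt
OWNER: user:chris
GROUP: group:GroupOne
0: user:chris allow file_gen_read,std_write_dac,file_write_attr
1: user:chris deny file_write,append,file_write_ext_attr,execute
drwxrwx--- 2 bob GroupTwo 4096 Mar 6 18:12 /data/directoryB/sub dir
OWNER: user:bob
GROUP: group:GroupTwo
0: user:bob allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child,object_inherit,container_inherit
1: group:GroupTwo deny list,add_file,add_subdir,dir_read_ext_attr,dir_write_ext_attr,traverse,delete_child,object_inherit,container_inherit
2: group:GroupTwo deny list,traverse
-r--rwxrwx 1 chris GroupOne 14728221 Mar 6 18:12 /data/directoryA/subdirA/fileZ.txt
OWNER: user:chris
GROUP: group:GroupOne
0: user:chris allow file_gen_read,std_write_dac,file_write_attr
"""

# A header line starts with a mode string such as -r--rw---- or drwxrwx---.
HEADER_RE = re.compile(r"^[-dlbcps][rwxsStT-]{9}")
# An ACE line looks like "1: user:chris deny file_write,..."
ACE_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(allow|deny)\b")


def find_deny_aces(listing):
    """Return {path: [ace_index, ...]} for every ACE whose type is 'deny'."""
    result = {}
    current = None
    for line in listing.splitlines():
        if HEADER_RE.match(line):
            # Fields: mode links owner group size month day time-or-year path.
            # Splitting into at most 9 fields keeps spaces inside the path.
            fields = line.split(None, 8)
            current = fields[8] if len(fields) == 9 else None
            continue
        m = ACE_RE.match(line)
        if m and current is not None and m.group(3) == "deny":
            result.setdefault(current, []).append(int(m.group(1)))
    return result


def removal_commands(deny_map):
    """Build one `chmod -a# N path` per deny ACE, highest index first per file,
    so that removing an entry never shifts an index still queued for removal."""
    cmds = []
    for path in sorted(deny_map):
        for idx in sorted(deny_map[path], reverse=True):
            cmds.append(f"chmod -a# {idx} {shlex.quote(path)}")
    return cmds


if __name__ == "__main__":
    # Dry run: print the commands so they can be reviewed before execution.
    for cmd in removal_commands(find_deny_aces(SAMPLE_LISTING)):
        print(cmd)
```

Run it as a dry run first, check the generated list against a few of the files by hand, and only then pipe the output into a shell; a "deny" entry is often there for a reason, so a copy of the original ACLs (the raw `ls -led` listing) is worth keeping before anything is removed.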