Trustee2ACL

Introduction


Trustee2ACL is an open-source Java application which generates a Bash script with Linux ACL commands from a trustee permissions file. The resulting file can be run in a Linux console terminal. The commands implement the same file access controls that the trustees did before.

Requirements


1. Program requirements:

Built and tested on Sun Java 1.6.0_14, but should work on most versions.

Get the latest version at "http://www.java.com".

2. Trustee permissions file format requirements:

2.1 Acceptable permission formats:
REBX
REBXU
OREBX
!REBX
CREBX
DREBX
RWEBX
RWEBXU
ORWEBX
!RWEBX
!ORWEBX
CRWEBX
DRWEBX
!DRWEBX

Configuration


The configuration is stored in "/home/[USERNAME]/.Trustee2ACL/trustee2acl.conf".
There are three configuration lines, and all must have correct values for the conversion process to complete successfully.

These are:
----------
1. Trustee file source path:

TrusteeFilePathSource=


Example: TrusteeFilePathSource=/path/to/trustee.conf


2. ACL file destination path:

ACLFilePathDestination=


Example: ACLFilePathDestination=/path/to/acl.sh


3. The mapping between the names of the trustee devices and the equivalent ACL device names:

DeviceMap=


Example: DeviceMap=/dev/sda1:/mnt/disk1:/dev/sdb1:/mnt/disk2


Note1: You can edit the configuration file manually or you can edit it through the application.

Note2: Whenever you press the "Convert to ACL" button it saves the running configuration to file.

Getting started


Here is how it goes:
--------------------
1. Select or enter a path to a trustee permissions file (there are some examples in the Examples help topic)

2. Find and enter all the trustee block devices listed in the trustee file (probably something like /dev/sda)

3. Select or enter a path to where the ACL file should be saved

4. Enter the names of the mount points where the trustee devices are mounted (probably something like /mnt/disk)

5. Press the "Convert to ACL" button

6. After the conversion is complete there will be a message in the bottom status bar which will say "Conversion complete"

7. Browse through the generated ACL script and, if necessary, modify it

8. Run the ACL script in the Bash shell on the target machine

Examples


EXAMPLE 1:

Trustee permissions:

[/dev/sda1]/finance:user1:RWEBX:user2:RWEBX:user3:RWEBX:+group1:RWEBX:
+group2:RWEBX
[/dev/sda1]/finance/general:user1:RWEBX:user2:REBX:user3:DREBX:+group1:RWEBX
[/dev/sdb1]/public:*:RWEBX

-----

Resulting ACL commands:

setfacl -R -m u:user1:rwx,default:u:user1:rwx,u:user2:rwx,default:u:user2:rwx,u:user3:rwx,default:u:user3:rwx,g:group1:rwx,default:g:group1:rwx,g:group2:rwx,default:g:group2:rwx,g::rwx,default:g::rwx,o::---,default:o::---,m::rwx,default:m::rwx '/mnt/disk1/finance'
setfacl -R -m u:user1:rwx,default:u:user1:rwx,u:user2:rx,default:u:user2:rx,g:group1:rwx,default:g:group1:rwx,g:group2:rx,default:g:group2:rx,g::rwx,default:g::rwx,o::---,default:o::---,m::rwx,default:m::rwx '/mnt/disk1/finance/general'
setfacl -R -m u:user1:rwx,default:u:user1:rwx,u:user2:rwx,default:u:user2:rwx,u:user3:rwx,default:u:user3:rwx,g:group1:rwx,default:g:group1:rwx,g:group2:rwx,default:g:group2:rwx,g::rwx,default:g::rwx,o::---,default:o::---,m::rwx,default:m::rwx '/mnt/disk2/public'
setfacl -R -x u:user3,default:u:user3,g:group2,default:g:group2 '/mnt/disk1/finance/general'


=====


EXAMPLE 2:

Trustee file contents:

[/dev/sda1]/finance:user1:RWEBX:user2:RWEBX:user3:RWEBX:+group1:RWEBX:
+group2:RWEBX
[/dev/sda1]/finance/general:user1:RWEBX:user2:CRWEBX:user3:DREBX:
+group1:CRWEBX
[/dev/sdb1]/public:*:RWEBX
[/dev/sdb1]/public/private_admin:*:REBX:admin:RWEBX

-----

Generated ACL file contents:

setfacl -R -m u:user1:rwx,default:u:user1:rwx,u:user2:rwx,default:u:user2:rwx,u:user3:rwx,default:u:user3:rwx,g:group1:rwx,default:g:group1:rwx,g:group2:rwx,default:g:group2:rwx,g::rwx,default:g::rwx,o::---,default:o::---,m::rwx,default:m::rwx '/mnt/disk1/finance'
setfacl -R -m u:user1:rwx,default:u:user1:rwx,g::rwx,default:g::rwx,o::---,default:o::---,m::rwx,default:m::rwx '/mnt/disk1/finance/general'
setfacl -R -m u:user1:rwx,default:u:user1:rwx,u:user2:rwx,default:u:user2:rwx,u:user3:rwx,default:u:user3:rwx,u:admin:rwx,default:u:admin:rwx,g:group1:rwx,default:g:group1:rwx,g:group2:rwx,default:g:group2:rwx,g::rwx,default:g::rwx,o::---,default:o::---,m::rwx,default:m::rwx '/mnt/disk2/public'
setfacl -R -m u:user1:rx,default:u:user1:rx,u:user2:rx,default:u:user2:rx,u:user3:rx,default:u:user3:rx,u:admin:rwx,default:u:admin:rwx,g:group1:rx,default:g:group1:rx,g:group2:rx,default:g:group2:rx,g::rwx,default:g::rwx,o::---,default:o::---,m::rwx,default:m::rwx '/mnt/disk2/public/private_admin'
setfacl -R -x u:user2,default:u:user2,u:user3,default:u:user3,g:group1,default:g:group1,g:group2,default:g:group2 '/mnt/disk1/finance/general'

Limitations


Wildcards ("*") are expanded to all the users and groups that appear in the trustee file, not to all the users and groups in /etc/passwd and /etc/group.
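To make the trustee line format, the DeviceMap setting and the wildcard rule above concrete, here is a small converter written for this readme. It is an added illustration, not Trustee2ACL's own code, and it only implements the mapping that the examples make visible: R/W/X letters become r/w/x, entries starting with D or C become "setfacl -x" removals, "*" expands to the users and groups seen in the file, and every target gets the same g::rwx / o::--- / m::rwx entries the generated scripts carry. The wrapped-line handling, the R/W/X mapping and the treatment of the O, ! and U flags (rejected here) are assumptions; the sample input is Example 1.

```python
import re
import shlex

# Accepted permission strings, copied from the format list in this readme.
ACCEPTED_PERMS = {
    "REBX", "REBXU", "OREBX", "!REBX", "CREBX", "DREBX", "RWEBX", "RWEBXU",
    "ORWEBX", "!RWEBX", "!ORWEBX", "CRWEBX", "DRWEBX", "!DRWEBX",
}

# Constructed sample input: the trustee lines from Example 1, wrapped the same way.
SAMPLE_TRUSTEES = """\
[/dev/sda1]/finance:user1:RWEBX:user2:RWEBX:user3:RWEBX:+group1:RWEBX:
+group2:RWEBX
[/dev/sda1]/finance/general:user1:RWEBX:user2:REBX:user3:DREBX:+group1:RWEBX
[/dev/sdb1]/public:*:RWEBX
"""
SAMPLE_DEVICE_MAP = "/dev/sda1:/mnt/disk1:/dev/sdb1:/mnt/disk2"

ENTRY_RE = re.compile(r"^\[([^\]]+)\](/[^:]*):(.*)$")


def parse_device_map(value):
    """DeviceMap alternates device and mount point: dev:mount:dev:mount..."""
    parts = value.split(":")
    if len(parts) % 2 or not all(parts):
        raise ValueError("DeviceMap must be device:mount pairs")
    return dict(zip(parts[0::2], parts[1::2]))


def join_wrapped_lines(text):
    """Assumption: a line that does not start with '[' continues the entry above it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") or not entries:
            entries.append(line)
        else:
            entries[-1] += line
    return entries


def parse_entry(line):
    """Return (device, path, [(principal, perm), ...]); '+name' is a group, '*' a wildcard."""
    match = ENTRY_RE.match(line)
    if not match:
        raise ValueError(f"malformed trustee line: {line}")
    device, path, rest = match.groups()
    fields = [f for f in rest.split(":") if f]  # drop the empty field left by a trailing ':'
    if len(fields) % 2:
        raise ValueError(f"unpaired principal/permission in: {line}")
    grants = list(zip(fields[0::2], fields[1::2]))
    for _, perm in grants:
        if perm not in ACCEPTED_PERMS:
            raise ValueError(f"unsupported permission format {perm!r} in: {line}")
    return device, path, grants


def to_mode(perm):
    """Assumption: R -> r, W -> w, X -> x; B and E have no rwx equivalent (REBX -> rx, RWEBX -> rwx)."""
    return "".join(m for flag, m in (("R", "r"), ("W", "w"), ("X", "x")) if flag in perm)


def convert(trustee_text, device_map_value):
    device_map = parse_device_map(device_map_value)
    entries = [parse_entry(line) for line in join_wrapped_lines(trustee_text)]

    # First pass: every named user and group in the file, in order of first appearance.
    # "*" expands to exactly these, as the Limitations topic describes.
    users, groups = [], []
    for _, _, grants in entries:
        for name, _ in grants:
            bucket, key = (groups, name[1:]) if name.startswith("+") else (users, name)
            if name != "*" and key not in bucket:
                bucket.append(key)
    everyone = [("u", u) for u in users] + [("g", g) for g in groups]

    lines = []
    for device, path, grants in entries:
        if device not in device_map:
            raise ValueError(f"device {device} is missing from DeviceMap")
        target = device_map[device] + path
        keep, drop = [], []
        for name, perm in grants:
            if perm[0] in "O!" or perm.endswith("U"):
                raise NotImplementedError(f"{perm}: O, ! and U flags are not covered by this example")
            principals = everyone if name == "*" else [("g", name[1:]) if name.startswith("+") else ("u", name)]
            for kind, who in principals:
                # Assumption taken from the examples: D (deny) and C entries become '-x' removals.
                if perm[0] in "DC":
                    drop.append(f"{kind}:{who}")
                else:
                    keep.append(f"{kind}:{who}:{to_mode(perm)}")
        if keep:
            specs = [s for k in keep for s in (k, "default:" + k)]
            # Owning group and mask get rwx, 'other' gets nothing, as in the generated examples.
            specs += ["g::rwx", "default:g::rwx", "o::---", "default:o::---", "m::rwx", "default:m::rwx"]
            lines.append(f"setfacl -R -m {','.join(specs)} {shlex.quote(target)}")
        if drop:
            specs = [s for d in drop for s in (d, "default:" + d)]
            lines.append(f"setfacl -R -x {','.join(specs)} {shlex.quote(target)}")
    return lines


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_TRUSTEES, SAMPLE_DEVICE_MAP)))
```

Run as a script it prints four setfacl lines for Example 1: the wildcard entry for /mnt/disk2/public receives user1, user2, user3, group1 and group2 and nobody else, which is exactly the behaviour the Limitations topic warns about. The converter does not try to reproduce every detail of Trustee2ACL's output (the tool's second command for /mnt/disk1/finance/general also carries a group2 entry that this simplified mapping does not derive); shlex.quote is used so a target path with shell metacharacters cannot break the generated script.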

Tips


1. Clean up the trustee file before converting (remove unwanted permissions, merge duplicate directories, ...)

2. If possible, don't use wildcards ("*"); see the Limitations topic.

3. Inspect the generated ACL file before running it on production machines
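Tip 3 is easier to follow with a mechanical pre-run review. The script below is an added example for this readme, not part of Trustee2ACL: it parses each generated "setfacl -R -m/-x SPECS PATH" line, flags any target path outside the configured mount points (the DeviceMap example's /mnt/disk1 and /mnt/disk2 are assumed here), flags any entry that grants the "other" class more than "---" (the generator always emits o::---, so anything else came from a manual edit), and lists which users and groups end up with write access per path. The sample script is constructed from two Example 2 lines plus one hand-written line carrying the kind of edit a reviewer should catch.

```python
import shlex

# Assumed mount points, taken from the DeviceMap example in the Configuration topic.
MOUNT_POINTS = ("/mnt/disk1", "/mnt/disk2")

# Constructed sample script: two lines from Example 2 plus one hand-made line with
# a path outside the mounts and an entry that opens the directory to 'other'.
SAMPLE_SCRIPT = """\
setfacl -R -m u:user1:rx,default:u:user1:rx,u:admin:rwx,default:u:admin:rwx,g::rwx,default:g::rwx,o::---,default:o::---,m::rwx,default:m::rwx '/mnt/disk2/public/private_admin'
setfacl -R -x u:user2,default:u:user2 '/mnt/disk1/finance/general'
setfacl -R -m u:guest:rwx,default:u:guest:rwx,o::rx '/srv/other'
"""


def parse_setfacl_line(line):
    """Accept only the shape the generator emits: setfacl -R (-m|-x) SPECS PATH."""
    argv = shlex.split(line)
    if len(argv) != 5 or argv[:2] != ["setfacl", "-R"] or argv[2] not in ("-m", "-x"):
        raise ValueError(f"unexpected command shape: {line}")
    return argv[2], argv[3].split(","), argv[4]


def review_script(text, mount_points):
    """Return (findings, writers): findings is a list of strings, writers maps path -> {principal}."""
    findings, writers = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        op, specs, path = parse_setfacl_line(line)
        if not any(path == mp or path.startswith(mp + "/") for mp in mount_points):
            findings.append(f"{path}: outside the configured mount points")
        if op != "-m":
            continue  # '-x' only removes entries, nothing to grant
        for spec in specs:
            parts = spec.split(":")
            if parts[0] == "default":
                parts = parts[1:]
            if len(parts) != 3:
                raise ValueError(f"unexpected ACL entry {spec!r} in: {line}")
            kind, who, mode = parts
            if kind == "o" and mode != "---":
                findings.append(f"{path}: grants 'other' {mode}")
            if kind in ("u", "g") and who and "w" in mode:
                writers.setdefault(path, set()).add(f"{kind}:{who}")
    return findings, writers


if __name__ == "__main__":
    found, who_writes = review_script(SAMPLE_SCRIPT, MOUNT_POINTS)
    for item in found:
        print("WARNING:", item)
    for target, names in sorted(who_writes.items()):
        print(target, "writable by", ", ".join(sorted(names)))
```

The review rejects any line that does not have the generator's exact shape, so an unexpected command that has been slipped into the script surfaces as an error rather than being skipped. Once the script passes this review, setfacl's own --test option lists the resulting ACLs without changing any file and is a sensible last check before running the script for real on a production machine.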

Troubleshooting


If your generated ACL file is incorrect or gives errors when run, take a look at the Limitations and Tips help topics for advice.

Known bugs


No known bugs :)

Feedback and support


If you have a question that is not answered anywhere in this readme file or on the webpage then feel free to email me at peter.faric@gmail.com

License


This project is licensed under the GNU GPL version 2 open source license. For detailed information about the license please read the LICENSE.txt file which came with the program or read it at "http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt".