inherit-acl

Tool that applies to a path its parent directory's permissions and ACL

Usage

inherit-acl path [path]...

To each given path, recursively applies its parent directory's

As one might expect, these actions require the application to run with root privileges. To also allow restricted use by regular users, inherit-acl comes with sudo integration combined with user-specific parent directory whitelisting: with appropriate entries in "/etc/sudoers" and in the configuration file "/etc/inherit-acl.conf", a systems administrator may allow a specific user to run inherit-acl with root privileges only on items that reside below certain parent directories. Beware, however, that the whitelists might not be insurmountable for crafty users; see Security considerations.

A user who is allowed to use inherit-acl this way may, for convenience, add a custom right-click action to their file manager of choice to run inherit-acl as root on a selection of files or directories, provided the file manager supports context menu integration of custom scripts, as do for example GNOME Nautilus or MATE Caja and likely many more.

Security considerations

Although symbolic links will not be followed, smartass users may abuse hardlinks to reach any other non-directory that they are able to hardlink below their whitelisted parent directories.

Assuming directory hardlinks are impossible and hardlink protection is enabled (check "/proc/sys/fs/protected_hardlinks"), for any user this encompasses all files they have write access to and that reside on the same file system as a whitelisted parent directory.

Inherit-acl checks if hardlink protection is enabled on the system. If it isn't, it will refuse operation for all users except root.

A possible way to make sure a user cannot use hardlinks to circumvent their whitelist might be to bind-mount the directories in question to mount points elsewhere, and to whitelist those mount points instead of the actual directories – it appears that bind mounts do not allow hardlinking to targets beyond their mount point.
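
An audit an administrator could run on a whitelisted parent directory, combining the two checks discussed above. This is an added example, not part of inherit-acl; the function names are hypothetical, and the optional second argument exists only so the check can be pointed at a constructed file instead of the real sysctl.

```shell
#!/bin/sh
# Added example, not inherit-acl's own code. Function names are hypothetical.

# Succeeds only if hardlink protection is enabled (the sysctl file reads "1").
# $1 optionally overrides the sysctl path (assumption: used for testing only).
hardlink_protection_enabled() {
    sysctl_file=${1:-/proc/sys/fs/protected_hardlinks}
    [ -r "$sysctl_file" ] && [ "$(cat "$sysctl_file")" = "1" ]
}

# Prints every non-directory below $1 that has more than one name.
# Such an entry shares its inode with another path, possibly one outside
# the whitelisted tree, so it deserves a manual look. Legitimate hardlinks
# inside the tree are reported too. find does not follow symbolic links by
# default, and -xdev keeps it on the directory's own file system.
list_multiply_linked() {
    find "$1" -xdev ! -type d -links +1 -print
}

# Exit status: 0 = nothing found, 1 = multiply linked entries listed on
# stdout, 2 = hardlink protection is off, so the listing is not trustworthy
# as a bound on what a user could have linked in.
audit_whitelisted_dir() {
    dir=$1
    sysctl_file=${2:-/proc/sys/fs/protected_hardlinks}
    if ! hardlink_protection_enabled "$sysctl_file"; then
        echo "hardlink protection is disabled ($sysctl_file)" >&2
        return 2
    fi
    hits=$(list_multiply_linked "$dir")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}
```
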

License

GNU General Public License version 3

Releases

inherit-acl-0.1.3

03 November 2019 (2019-11-03 20:57:38 UTC)

inherit-acl-0.1.3.tar.gz SHA256 checksum SHA384 checksum PGP signature

inherit-acl-0.1.2

03 June 2019 (2019-06-03 01:09:04 UTC)

inherit-acl-0.1.2.tar.gz SHA256 checksum SHA384 checksum PGP signature

inherit-acl-0.1.1

14 May 2019 (2019-05-14 20:21:00 UTC)

inherit-acl-0.1.1.tar.gz SHA256 checksum SHA384 checksum PGP signature

inherit-acl-0.1.0

15 March 2019 (2019-03-15 22:40:37 UTC)

inherit-acl-0.1.0.tar.gz SHA256 checksum SHA384 checksum PGP signature