Closed TJM closed 8 years ago
Once ACLs are set, what used to be reported as the group permissions is now the ACL mask, and that confuses pretty much any tool which sets restrictive group permissions explicitly (puppet included). The most common case is web developers using deployment tools that explicitly "chmod g-w" everywhere, effectively breaking all ACL-set write permissions...
I'm sorry, but there is nothing that my (hackish) module can do about this. What I recommend is that you set rwx for group from puppet on all file resources that you know are going to have POSIX ACLs set, i.e. '0771' where you are used to '0711', as that works and is the cleanest solution.
And believe me when I tell you that trying to move the POSIX ACL functionality directly to the file type would not be as good a solution as you might imagine: It's opening a whole new can of worms!!
Unrelated: When using ACLs, you probably no longer need the +x for others, as you can set multiple user/group permissions on your files, so mode => '0770' should become your new norm for puppet file resources that have ACLs ;-)
I said "might" :)
Thanks for the "better" workaround, I will override the mode to 0770.
If I create a directory with mode 0711 then grant a group access to the directory with an ACL, it all seems fine till the next puppet run, when puppet detects that the permissions are 0771 and changes them back to 0711, which creates a "mask" on the ACL... which "fooacl" doesn't detect. This makes for a very bad day, and might illustrate why this functionality needs to be implemented as part of the "file" type? I am not sure what to do to resolve this. As a workaround, I am going to set mode => undef, but that is not really a "good" solution.
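The masking discussed in this thread can be detected from `getfacl` output by comparing each entry against the mask. The following is an added example, not part of the thread or of the fooacl module; the path `srv/app`, the group name `webdev` and the sample output are constructed.

```python
# Constructed sample: `getfacl` output for a directory that had group:webdev:rwx
# granted by ACL, after a later chmod to 0711 rewrote the group bits (the mask).
SAMPLE_GETFACL = """\
# file: srv/app
# owner: root
# group: root
user::rwx
group::--x
group:webdev:rwx\t#effective:--x
mask::--x
other::--x
"""


def parse_acl(text):
    """Return (entries, mask); entries are (tag, qualifier, perms) tuples."""
    entries, mask = [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and #effective notes
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":", 2)
        if tag == "mask":
            mask = set(perms) - {"-"}
        else:
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return entries, mask


def masked_entries(text):
    """List ACL entries whose granted permissions are cut down by the mask."""
    entries, mask = parse_acl(text)
    if mask is None:  # no extended ACL present, so nothing can be masked
        return []
    findings = []
    for tag, qualifier, perms in entries:
        # The mask limits named users, named groups and the owning group;
        # the file owner (user::) and other:: are never masked.
        if tag == "other" or (tag == "user" and not qualifier):
            continue
        lost = perms - mask
        if lost:
            findings.append((f"{tag}:{qualifier}", "".join(sorted(lost))))
    return findings


if __name__ == "__main__":
    for name, lost in masked_entries(SAMPLE_GETFACL):
        print(f"{name} loses '{lost}' to the ACL mask")
```

Feeding it the output of `getfacl` for each ACL-managed path after a configuration run shows whether a mode reset has silently narrowed a grant.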