This section explains how to use the qq fs_modify_acl command.

Examples

The following examples show how to run the qq fs_modify_acl command to work with access control lists (ACLs).

To Create a New ACL

Run the qq fs_modify_acl command and use the --path flag to specify

the path for the ACL. For the add_entry subcommand:

  • Use the -t flag to specify a trustee.
  • Use the -y flag to specify Allowed or Denied.
  • Use the -r flag to specify the rights.
  • Use the -f flag to specify ACL flags.

For example:

qq fs_modify_acl --path /my_path \
  add_entry -t "MYDOMAIN\\my_username" \
    -y Allowed \
    -r "Execute/Traverse" "Read" \
    -f "Object inherit" "Container inherit"
qq fs_modify_acl --path /my_path \
  add_entry -t "uid:5005" \
    -y Allowed \
    -r "Execute/Traverse" "Read" \
    -f "Object inherit" "Container inherit"
qq fs_modify_acl --path /my_path \
  add_entry -t "gid:5005" \
    -y Allowed \
    -r "Execute/Traverse" "Read" \
    -f "Object inherit" "Container inherit"

To Modify an Existing ACL

Run the qq fs_modify_acl command and use the --path flag to specify

the path for the ACL. For the modify_entry subcommand:

  • Use the --old-trustee flag to specify the existing trustee.
  • Use the --new-rights flag to specify new rights to assign to the trustee.

For example:

qq fs_modify_acl --path /my_path \
  modify_entry --old-trustee Everyone \
    --new-rights=Read
qq fs_modify_acl --path=/my_path \
  modify_entry --old-trustee Everyone \
    --new-rights=All

To Remove an Existing ACL or Its Elements

Run the qq fs_modify_acl command and use the --path flag to specify

the path for the ACL.

  • To remove a single trustee from an ACL, for the remove_entry subcommand use the --trustee flag to specify the trustee to remove. For example:

    qq fs_modify_acl --path /my_path \
      remove_entry --trustee="DOMAIN\\myusername"
    
  • To remove a specific position from an ACL, for the remove_entry subcommand use the -p flag to specify the position number. For example:

    qq fs_modify_acl --path /my_path \
      remove_entry -p 42
    
  • To remove all ACLs, for the remove_entry subcommand use the -a flag.

To Recursively Add a New ACL with Multithreading

For this operation, you must run the qq fs_walk_tree and qq fs_modify_acl commands.

  1. Ensure that the jq tool is installed on your system.

  2. Run the qq fs_walk_tree command and use the --path flag to specify the path for the ACL. To extract the path for each item into an array, pipe the command to the jq tool. To modify the ACL for each path, pipe the command to xargs which in turn runs the qq fs_set_acl command on each path. For example:

    qq fs_walk_tree --path /my_path | \
      jq -r '.tree_nodes[].path' | \
        xargs -d '\n' -I % -n1 -P 4 \
          qq fs_modify_acl --path '%' \
            add_entry -t "DOMAIN\my_username" \
              -y Allowed \
              -r "Read" "Execute/Traverse" \
              -f "Object inherit" "Container inherit"
    

To Recursively Apply a Permissions Template

For this operation, you must run the qq fs_walk_tree and qq fs_modify_acl commands.

  1. Ensure that the jq tool is installed on your system.

  2. Use a new or existing file with the necessary permissions to capture the ACL and save it in JSON format by using the qq fs_get_acl command. For example:

    qq fs_get_acl --path /path_to_acl_source \
      --json >/history/new_permissions.json
    
  3. To apply the captured ACL, run the qq fs_walk_tree command and use the --path flag to specify the path for the ACL. To extract the path for each item into an array, pipe the command to the jq tool. To modify the ACL for each path, pipe the command to xargs which in turn runs the qq fs_set_acl command on each path.

    qq fs_walk_tree --path /my_target_path | \
      jq -r '.tree_nodes[].path' | \
        xargs -I % -n1 -P 4 \
          qq fs_set_acl --path '%' \
            --file /history/new_permissions.json >> &>/dev/null
    

To Recursively Modify SMB Attributes

For this operation, you must run the qq fs_walk_tree and qq fs_modify_acl commands.

Run the qq fs_walk_tree command and use the --path flag to specify the path for the ACL. To extract the path for each item into an array, pipe the command to the jq tool. To modify the ACL for each path, pipe the command to xargs which in turn runs the qq fs_set_acl command on each path.

qq fs_walk_tree --path /my_path | \
  jq -r '.tree_nodes[].path' | \
    xargs -I % -n1 -P 4 \
      qq fs_file_set_smb_attrs --path % \
        --hidden false

Description

Modify file ACL

Usage

qq fs_modify_acl [-h] (--path PATH | --id ID) [--json] {add_entry,remove_entry,modify_entry,set_posix_special_permissions} ...

Flags

Flag Name Required Description
--path No File path
--id No File ID
--json No Print the raw JSON response.