qq fs_modify_acl

This section explains how to use the qq fs_modify_acl command.

Examples

The following examples show how to run the qq fs_modify_acl command to work with access control lists (ACLs).

Important
Before deploying permissions changes in a production environment, we strongly recommend performing a dry run on a test directory.

To Create a New ACL

Run the qq fs_modify_acl command and use the --path flag to specify the path for the ACL. For the add_entry subcommand:

Use the -t flag to specify a trustee.
Use the -y flag to specify Allowed or Denied.
Use the -r flag to specify the rights.
Tip
For full control, specify -r All.
Use the -f flag to specify ACL flags.

Note
To ensure that the ACL applies to newly created files automatically, specify "Object inherit" "Container inherit".

For example:

qq fs_modify_acl --path /my_path \
  add_entry -t "MYDOMAIN\\my_username" \
    -y Allowed \
    -r "Execute/Traverse" "Read" \
    -f "Object inherit" "Container inherit"

qq fs_modify_acl --path /my_path \
  add_entry -t "uid:5005" \
    -y Allowed \
    -r "Execute/Traverse" "Read" \
    -f "Object inherit" "Container inherit"

qq fs_modify_acl --path /my_path \
  add_entry -t "gid:5005" \
    -y Allowed \
    -r "Execute/Traverse" "Read" \
    -f "Object inherit" "Container inherit"

To Modify an Existing ACL

Run the qq fs_modify_acl command and use the --path flag to specify the path for the ACL. For the modify_entry subcommand:

Use the --old-trustee flag to specify the existing trustee.
Use the --new-rights flag to specify new rights to assign to the trustee.

For example:

qq fs_modify_acl --path /my_path \
  modify_entry --old-trustee Everyone \
    --new-rights=Read

qq fs_modify_acl --path=/my_path \
  modify_entry --old-trustee Everyone \
    --new-rights=All

To Remove an Existing ACL or Its Elements

Run the qq fs_modify_acl command and use the --path flag to specify the path for the ACL.

To remove a single trustee from an ACL, for the remove_entry subcommand use the --trustee flag to specify the trustee to remove. For example:
```
qq fs_modify_acl --path /my_path \
  remove_entry --trustee="DOMAIN\\myusername"
```
To remove a specific position from an ACL, for the remove_entry subcommand use the -p flag to specify the position number. For example:
```
qq fs_modify_acl --path /my_path \
  remove_entry -p 42
```
To remove all ACLs, for the remove_entry subcommand use the -a flag.

To Recursively Add a New ACL with Multithreading

For this operation, you must run the qq fs_walk_tree and qq fs_modify_acl commands.

Note
For very large directories, we recommend running the following command in a screen session.

Ensure that the jq tool is installed on your system.

Run the qq fs_walk_tree command and use the --path flag to specify the path for the ACL. To extract the path for each item into an array, pipe the command to the jq tool. To modify the ACL for each path, pipe the command to xargs which in turn runs the qq fs_set_acl command on each path. For example:

qq fs_walk_tree --path /my_path | \
  jq -r '.tree_nodes[].path' | \
    xargs -d '\n' -I % -n1 -P 4 \
      qq fs_modify_acl --path '%' \
        add_entry -t "DOMAIN\my_username" \
          -y Allowed \
          -r "Read" "Execute/Traverse" \
          -f "Object inherit" "Container inherit"

To Recursively Apply a Permissions Template

For this operation, you must run the qq fs_walk_tree and qq fs_modify_acl commands.

Ensure that the jq tool is installed on your system.
Use a new or existing file with the necessary permissions to capture the ACL and save it in JSON format by using the qq fs_get_acl command. For example:
```
qq fs_get_acl --path /path_to_acl_source \
  --json >/history/new_permissions.json
```
To apply the captured ACL, run the qq fs_walk_tree command and use the --path flag to specify the path for the ACL. To extract the path for each item into an array, pipe the command to the jq tool. To modify the ACL for each path, pipe the command to xargs which in turn runs the qq fs_set_acl command on each path.
```
qq fs_walk_tree --path /my_target_path | \
  jq -r '.tree_nodes[].path' | \
    xargs -I % -n1 -P 4 \
      qq fs_set_acl --path '%' \
        --file /history/new_permissions.json >> &>/dev/null
```

To Recursively Modify SMB Attributes

For this operation, you must run the qq fs_walk_tree and qq fs_modify_acl commands.

qq fs_walk_tree --path /my_path | \
  jq -r '.tree_nodes[].path' | \
    xargs -I % -n1 -P 4 \
      qq fs_file_set_smb_attrs --path % \
        --hidden false

Description

Modify file ACL

Usage

qq fs_modify_acl [-h] (--path PATH | --id ID) [--json] {add_entry,remove_entry,modify_entry,set_posix_special_permissions} ...

Flags

Flag Name	Required	Description
`--path`	No	File path
`--id`	No	File ID
`--json`	No	Print the raw JSON response.

Examples

To Create a New ACL

To Modify an Existing ACL

To Remove an Existing ACL or Its Elements

To Recursively Add a New ACL with Multithreading

To Recursively Apply a Permissions Template

To Recursively Modify SMB Attributes

Description

Usage

Flags

Related Topics