How to backup and restore ACL permissions



This article describes a procedure not supported by Hewlett-Packard, but it may be useful under some circumstances. The recovery script described here can be used to back up and restore ACL permissions after a standard file system recovery made with a standard tool such as tar, or with an Ignite-UX recovery.

The pax command used by Ignite-UX to build the recovery archives has been enhanced to support backing up ACLs, but this feature had not yet been implemented in Ignite-UX at the time of writing this article (Ignite-UX C.7.8.201).

This script does not restore the files or directory structures themselves, only the ACL permissions of those files and directories.

The aclbck script

#!/usr/bin/sh
# This POSIX shell script recursively detects and creates a restoration list
# for the ACLs of all directories and files located under <source_directory>
# in the <output_file>.
# It comes with no support and HP makes no representations as to its
# fitness for purpose. It is up to whoever uses this program to ensure
# that whatever functionality it provides is what they require.
# (c) Hewlett-Packard (2009)
# The output file list can be used later to restore the ACL
# permissions.
# Both relative and absolute paths are supported.
# If using relative paths, make sure you are located in the
# same working directory during the backup and restoration processes.
# Limitations: file names are taken from the 9th column of the ll output,
# so names containing whitespace are not handled, and the temporary files
# use fixed names under /tmp.
# "Usage: aclbck <source_directory> <output_file>"

# Check script usage
if [[ $# -ne 2 ]]; then
  echo "Usage: aclbck <source_directory> <output_file>"
  exit 1
fi

# Backup ACL directories
# Trim previous getacl command list temporary file
if [[ -f /tmp/flist.getacl.out ]]; then
  > /tmp/flist.getacl.out
fi

# Create getacl command list for the directories under the parent directory
# (a '+' in column 11 of the mode string marks entries carrying optional ACL entries)
find "$1" -type d -exec ll -d {} \; | awk '{if(NF==9) if(substr($1,11,1)=="+") printf("getacl %s\n", $9)}' > /tmp/flist.bckacl.out

if [[ $? -eq 0 ]]; then
  sh /tmp/flist.bckacl.out >> /tmp/flist.getacl.out
fi

# Backup ACL for the files under the parent directory
find "$1" -type f -exec ll {} \; | awk '{if(NF==9) if(substr($1,11,1)=="+") printf("getacl %s\n", $9)}' > /tmp/flist.bckacl.out

if [[ $? -eq 0 ]]; then
  sh /tmp/flist.bckacl.out >> /tmp/flist.getacl.out
fi

# Remove getacl command list temporary file
if [[ -f /tmp/flist.bckacl.out ]]; then
  rm /tmp/flist.bckacl.out
fi

# Generate restoration list: remember the file name from each
# "# file: <name>" header line and emit one "setacl -m" command
# for every user/group/class/other entry that follows it
awk '{
  if( NF==3 ) {
    if( $2=="file:" ) FILE=$3;
  }
  else if( substr($1,1,2)=="us" ||
           substr($1,1,2)=="gr" ||
           substr($1,1,2)=="cl" ||
           substr($1,1,2)=="ot" )
    printf("setacl -m %s %s\n", $1, FILE);
}' /tmp/flist.getacl.out > "$2"

# Remove temporary getacl file
if [[ -f /tmp/flist.getacl.out ]]; then
  rm /tmp/flist.getacl.out
fi

Usage example

In this example a directory structure starting at tt has been created to simulate an ACL environment.

# pwd

# cd tt

# ls
file   file3  ri2    ri4    ri6    ri8
file2  ri     ri3    ri5    ri7    test

# cd ..

# getacl tt
# file: tt
# owner: root
# group: sys
# getacl tt/test
# file: tt/test
# owner: test
# group: users
user:ricardo:rwx        #effective:rw-
group:users:rwx #effective:rw-
# ./aclbck tt /var/tmp/file.out
# cat file.out
setacl -m user::rwx tt
setacl -m group::rwx tt
setacl -m class:rwx tt
setacl -m other:rwx tt
setacl -m user::rw- tt/file3
setacl -m user:ricardo:rwx tt/file3
setacl -m group::rwx tt/file3
setacl -m class:r-- tt/file3
setacl -m other:r-- tt/file3
setacl -m user::rw- tt/ri
setacl -m user:ricardo:rwx tt/ri
setacl -m group::rwx tt/ri
setacl -m class:rw- tt/ri
setacl -m other:r-- tt/ri
setacl -m user::rw- tt/ri2
setacl -m user:ricardo:rwx tt/ri2
setacl -m group::rwx tt/ri2
setacl -m class:r-- tt/ri2
setacl -m other:r-- tt/ri2
setacl -m user::rw- tt/test
setacl -m user:ricardo:rwx tt/test
setacl -m group::rw- tt/test
setacl -m group:users:rwx tt/test
setacl -m class:rw- tt/test
setacl -m other:r-- tt/test
setacl -m user::r-- tt/ri3
setacl -m user:ricardo:rwx tt/ri3
setacl -m group::r-- tt/ri3
setacl -m group:users:rwx tt/ri3
setacl -m class:r-- tt/ri3
setacl -m other:r-- tt/ri3
setacl -m user::rw- tt/ri4
setacl -m user:ricardo:rwx tt/ri4
setacl -m group::r-- tt/ri4
setacl -m group:users:rwx tt/ri4
setacl -m class:r-- tt/ri4
setacl -m other:r-- tt/ri4
setacl -m user::rw- tt/ri5
setacl -m user:ricardo:rwx tt/ri5
setacl -m group::r-- tt/ri5
setacl -m group:users:rwx tt/ri5
setacl -m class:r-- tt/ri5
setacl -m other:r-- tt/ri5
setacl -m user::rw- tt/ri6
setacl -m user:ricardo:rwx tt/ri6
setacl -m group::rw- tt/ri6
setacl -m group:users:rwx tt/ri6
setacl -m class:rw- tt/ri6
setacl -m other:r-- tt/ri6
setacl -m user::rw- tt/ri7
setacl -m user:ricardo:rwx tt/ri7
setacl -m group::rw- tt/ri7
setacl -m group:users:rwx tt/ri7
setacl -m class:rw- tt/ri7
setacl -m other:r-- tt/ri7
setacl -m user::rw- tt/ri8
setacl -m user:ricardo:rwx tt/ri8
setacl -m group::r-- tt/ri8
setacl -m group:users:rwx tt/ri8
setacl -m class:r-- tt/ri8
setacl -m other:r-- tt/ri8

When restoring (after the files and directories themselves have been recovered), make sure you are in the same working directory that was used during the backup, and run file.out with sh:

# cd /var/tmp
# sh /var/tmp/file.out
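The two conversions the script relies on (spotting the '+' ACL marker in ll output, and turning getacl output into setacl commands) are shown below as an added, stand-alone example that is not part of the original page or script. It works on constructed sample input in the same formats shown above, so it runs without getacl/setacl present; unlike the script, it keeps file names with spaces intact and single-quotes them for the restore step.

```shell
#!/bin/sh
# Constructed sample of 'll' (ls -l) output. A '+' in column 11 of the mode
# string marks entries that carry optional ACL entries.
LL_SAMPLE='drwxrwxrwx+  2 root  sys   96 Jun 10 12:00 tt
-rw-rw-r--+  1 test  users  0 Jun 10 12:01 tt/test
-rw-r--r--   1 root  sys    0 Jun 10 12:01 tt/plain
-rw-r--r--+  1 test  users  0 Jun 10 12:02 tt/my file'

# Constructed sample of getacl output for two of those entries.
GETACL_SAMPLE='# file: tt/test
# owner: test
# group: users
user::rw-
user:ricardo:rwx        #effective:rw-
group::rw-
group:users:rwx #effective:rw-
class:rw-
other:r--
# file: tt/my file
# owner: test
# group: users
user::rw-
user:ricardo:rwx
group::r--
class:r--
other:r--'

# Reads ll output on stdin; prints the names of entries flagged with '+'.
# Everything from column 9 onward is the name, so spaces survive.
acl_candidates() {
  awk 'NF >= 9 && substr($1, 11, 1) == "+" {
         name = $9
         for (i = 10; i <= NF; i++) name = name " " $i
         print name
       }'
}

# Reads getacl output on stdin; prints one "setacl -m" command per entry.
# "#effective:" annotations are dropped by using $1 only, and the file name
# is single-quoted (embedded quotes become the '"'"' idiom) for sh.
getacl_to_setacl() {
  awk -v q="'" '
    /^# file: / { f = $0; sub(/^# file: /, "", f)
                  gsub(q, q "\"" q "\"" q, f); f = q f q; next }
    /^#/        { next }                      # owner/group header lines
    NF >= 1     { printf("setacl -m %s %s\n", $1, f) }
  '
}

printf '%s\n' "$LL_SAMPLE" | acl_candidates
printf '%s\n' "$GETACL_SAMPLE" | getacl_to_setacl
```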


  • getacl(1) - HP-UX 11i Version 1: September 2005
  • setacl(1) - HP-UX 11i Version 1: September 2005