Also set the FACL recursively on the DEV stack

2026-04-11 13:47:05 +02:00 · 2026-01-21 20:21:13 +01:00
parent e3e279f2ae
commit 6f88462670
1 changed files with 11 additions and 2 deletions
--- a/development/ssh_and_local/fail2ban-ssh-custom-cont-init.d/99-ssh-acl
+++ b/development/ssh_and_local/fail2ban-ssh-custom-cont-init.d/99-ssh-acl
@@ -54,15 +54,24 @@ chmod 0440 /etc/sudoers.d/fail2ban-ui
 mkdir -p /config/fail2ban/{action.d,filter.d,jail.d}

 # Apply both access ACL and default ACL (so new files/dirs inherit)
+# First apply recursively to existing files/directories, then set default ACLs
 for d in /config/fail2ban /config/fail2ban/action.d /config/fail2ban/filter.d /config/fail2ban/jail.d; do
-  setfacl -m u:testuser:rwX,m::rwX "$d"
+  # Apply access ACL recursively to existing files/directories
+  setfacl -R -m u:testuser:rwX,m::rwX "$d"
+  # Set default ACL so new files/dirs inherit permissions
  setfacl -d -m u:testuser:rwX,m::rwX "$d"
+  # Also ensure the directory itself has the access ACL
+  setfacl -m u:testuser:rwX,m::rwX "$d"
 done

 # /etc/fail2ban is a symlink to /config/fail2ban in this image; setfacl follows symlinks by default.
 if [ -e /etc/fail2ban ]; then
-  setfacl -m u:testuser:rwX,m::rwX /etc/fail2ban || true
+  # Apply recursively to existing files/directories
+  setfacl -R -m u:testuser:rwX,m::rwX /etc/fail2ban || true
+  # Set default ACL
  setfacl -d -m u:testuser:rwX,m::rwX /etc/fail2ban || true
+  # Ensure the symlink target has access ACL
+  setfacl -m u:testuser:rwX,m::rwX /etc/fail2ban || true
 fi

 echo "[custom-init] ssh + acl setup complete"