From 6f8846267036fe67bff49655e84ffaa81202b981 Mon Sep 17 00:00:00 2001
From: Michael Reber
Date: Wed, 21 Jan 2026 20:21:13 +0100
Subject: [PATCH] Also set the FACL recursively on the DEV stack

---
 .../fail2ban-ssh-custom-cont-init.d/99-ssh-acl | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/development/ssh_and_local/fail2ban-ssh-custom-cont-init.d/99-ssh-acl b/development/ssh_and_local/fail2ban-ssh-custom-cont-init.d/99-ssh-acl
index 335e5e2..673d70b 100755
--- a/development/ssh_and_local/fail2ban-ssh-custom-cont-init.d/99-ssh-acl
+++ b/development/ssh_and_local/fail2ban-ssh-custom-cont-init.d/99-ssh-acl
@@ -54,15 +54,24 @@ chmod 0440 /etc/sudoers.d/fail2ban-ui
 mkdir -p /config/fail2ban/{action.d,filter.d,jail.d}

 # Apply both access ACL and default ACL (so new files/dirs inherit)
+# First apply recursively to existing files/directories, then set default ACLs
 for d in /config/fail2ban /config/fail2ban/action.d /config/fail2ban/filter.d /config/fail2ban/jail.d; do
- setfacl -m u:testuser:rwX,m::rwX "$d"
+ # Apply access ACL recursively to existing files/directories
+ setfacl -R -m u:testuser:rwX,m::rwX "$d"
+ # Set default ACL so new files/dirs inherit permissions
 setfacl -d -m u:testuser:rwX,m::rwX "$d"
+ # Also ensure the directory itself has the access ACL
+ setfacl -m u:testuser:rwX,m::rwX "$d"
 done

 # /etc/fail2ban is a symlink to /config/fail2ban in this image; setfacl follows symlinks by default.
 if [ -e /etc/fail2ban ]; then
- setfacl -m u:testuser:rwX,m::rwX /etc/fail2ban || true
+ # Apply recursively to existing files/directories
+ setfacl -R -m u:testuser:rwX,m::rwX /etc/fail2ban || true
+ # Set default ACL
 setfacl -d -m u:testuser:rwX,m::rwX /etc/fail2ban || true
+ # Ensure the symlink target has access ACL
+ setfacl -m u:testuser:rwX,m::rwX /etc/fail2ban || true
 fi

 echo "[custom-init] ssh + acl setup complete"
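Review bot: The default ACL is still applied without `-R` in both the loop and the `/etc/fail2ban` branch, so only the four named directories get it. Any other existing subdirectory under /config/fail2ban receives the access ACL from the new recursive call, but files created in it later will not inherit testuser's entry. Making the default pass recursive as well, `setfacl -R -d -m u:testuser:rwX,m::rwX "$d"`, closes that gap. The trailing non-recursive `setfacl -m ... "$d"` can then be dropped, because `-R -m` already covers the directory it is given, and one pass over /config/fail2ban would also cover the three subdirectories and the symlinked /etc/fail2ban. Separately, the recursive grant now gives testuser write access to every existing file in the tree, including the action and jail definitions that fail2ban acts on, so a short comment stating that this is intended for the DEV stack only would help the next reader.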