setfacl has supported the +X (capital X) flag for a while now. From the man page:
The perms field is a combination of characters that indicate the permissions: read (r), write (w), execute (x), execute only if the file is a directory or already has execute permission for some user (X).
The version OpenSUSE ships with doesn’t have this functionality, which imo is odd, because if I do:
setfacl --version
setfacl 2.3.2
Setfacl should be new enough, according to this Stack Overflow comment:
My version of setfacl allows X exactly like you want, e.g.:
setfacl g:mygroup:rwX
$ setfacl --version
setfacl 2.2.49
Is there any way we can get the more feature-complete version? It would enhance security. I’m not sure where it’s found. Maybe the Debian distros have a link to it.
If I do man setfacl and search for “execute only if the file is a directory or already has execute permission for some user”, it doesn’t appear, implying the version of setfacl on the OpenSUSE distro is old enough to lack this feature.
Do you have a link to a project release notes, NEWS, README, commit or anything that proves it?
It is there. Searching for such a long sentence can easily fail, e.g. because it is wrapped.
Besides, this sentence directly contradicts “only on directories”. If you are aware of what X does, then I do not understand the problem at all. Your example invocation does exactly what is described in the man page: it sets the x bit because the file “already has execute permission for some user”.
Do you have a link to a project release notes, NEWS, README, commit or anything that proves it?
The quote with the link at the top in the first comment at the top of the chain is just what you’re asking for. For further proof: https://linux.die.net/man/1/setfacl You can ctrl+f for “execute only if the file is a directory”.
Your claim was that in the “current” version of setfacl the X is only applied to directories, not files. Your “proof link” says exactly the opposite. At which point I give up.
The compound statement here is “A (directory) or B (has execute permission)”, so it works as it is supposed to.
(Note on the “file” concept in Unix: anything exposed through the filesystem namespace is called a file; this can be ordinary files, directories, pipes, sockets, etc.)
However, in everyday speech a phrase like “set x bit recursively” usually means: don’t touch ordinary files without x.
In these cases X (execute/search) is comfy, for example
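An added example, not code from any post in this thread, that encodes that compound rule (directory OR some execute bit already set) and checks it against three constructed entries; "mygroup" and the file names are placeholders:

```python
import os
import stat
import tempfile

# Execute bit for any class: owner, group or other ("some user" in the man page).
ANY_X = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def x_applies(mode: int) -> bool:
    """Man-page rule for capital X: grant execute only if the file is a
    directory OR already has execute permission for some user."""
    return stat.S_ISDIR(mode) or bool(mode & ANY_X)


def resolve_perms(perms: str, mode: int) -> str:
    """Translate an ACL perms field such as 'rwX' into the concrete rwx
    string that setfacl ends up storing for a file whose st_mode is `mode`."""
    r = "r" if "r" in perms else "-"
    w = "w" if "w" in perms else "-"
    x = "x" if ("x" in perms or ("X" in perms and x_applies(mode))) else "-"
    return r + w + x


def demo(perms: str = "rwX") -> dict:
    """Construct the three kinds of entry a recursive `setfacl -R -m g:mygroup:rwX`
    would visit and report what each one receives. The files are sample data
    created here; 'mygroup' is the placeholder group from the quoted comment."""
    with tempfile.TemporaryDirectory() as root:
        subdir = os.path.join(root, "subdir")
        script = os.path.join(root, "script.sh")
        data = os.path.join(root, "notes.txt")
        os.mkdir(subdir)
        for path in (script, data):
            with open(path, "w") as fh:
                fh.write("sample\n")
        os.chmod(subdir, 0o755)
        os.chmod(script, 0o744)   # owner-executable: X grants x
        os.chmod(data, 0o644)     # no x bit anywhere: X leaves it at rw-
        return {
            os.path.basename(p): resolve_perms(perms, os.lstat(p).st_mode)
            for p in (subdir, script, data)
        }


if __name__ == "__main__":
    for name, got in demo().items():
        print(f"{name:10s} g:mygroup:rwX -> g:mygroup:{got}")
```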
I interpreted “or already has execute permission for some user” as “or already has execute permission”, as in, don’t remove +x if it already exists, missing the user part at the end of the sentence.
It does work as intended. The man page on my machine doesn’t line up with the man pages online, so from that I assumed it lacked the feature.
I hope I haven’t been too much of a burden for you guys. Thanks for helping out.