On 09/12/2019 22.29, Bernhard Voelker wrote:
On 2019-12-04 22:58, Carlos E. R. wrote:
find /data/storage_b/cer/Pictures /data/storage_b/cer/Pictures.tmp /data/storage_b/cer/Pictures.astro -type f \
    -exec sudo chgrp cer '{}' \; \
    -exec sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' \; \
    -exec sudo setfacl -m g:users:r '{}' \;
This executes sudo 3 times per each file!
Yes, it does.
You can insert 'echo' before 'sudo' to see what gets executed.
E.g. for only 3 files 'a', 'b' and 'c', this becomes 9 'sudo' commands:
Correct.
$ mkdir tmp.dir
$ cd tmp.dir/
$ touch a b c
$ find . -type f \
    -exec echo sudo chgrp cer '{}' \; \
    -exec echo sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' \; \
    -exec echo sudo setfacl -m g:users:r '{}' \;
sudo chgrp cer ./b
sudo chmod u+r+w,g+r+w,o+r-w-x,-t ./b
sudo setfacl -m g:users:r ./b
sudo chgrp cer ./a
sudo chmod u+r+w,g+r+w,o+r-w-x,-t ./a
sudo setfacl -m g:users:r ./a
sudo chgrp cer ./c
sudo chmod u+r+w,g+r+w,o+r-w-x,-t ./c
sudo setfacl -m g:users:r ./c
My first change would be to reduce by using find's "-exec ... +" syntax instead of "-exec ... \;" syntax. The + form invokes the given command with as many arguments as would fit into the command line:
Ah? That bit I did not know, you are the first to mention it. I thought it simply executed the next command if the previous one was a success, but that is not an issue to me.
$ find . -type f \
    -exec echo sudo chgrp cer '{}' + \
    -exec echo sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' + \
    -exec echo sudo setfacl -m g:users:r '{}' +
sudo chgrp cer ./b ./a ./c
sudo chmod u+r+w,g+r+w,o+r-w-x,-t ./b ./a ./c
sudo setfacl -m g:users:r ./b ./a ./c
Then, I'd try to reduce the number of '-exec' actions, e.g. by using a little shell snippet - with the "sh -cx" you see what is executed:
$ find . -type f \
    -exec sudo sh -cx 'chgrp cer "$@"; \
        chmod u+r+w,g+r+w,o+r-w-x,-t "$@"; \
        setfacl -m g:users:r "$@"\
        ' sh '{}' +
Ah, yes, I understand. There is a caveat in my case: my sudo will refuse that invocation, because I have it configured such that it has to allow explicitly every possible invocation. If it is not listed it will refuse to allow it. I can not do "sudo anything", with root's password, and this is on purpose. I can do instead "sudo something" with my own user password, but not "sudo somethingelse". So what I have done is to use sudo on the script call itself, which I do not fully like but it works.
+ chgrp cer ./b ./a ./c
+ chmod u+r+w,g+r+w,o+r-w-x,-t ./b ./a ./c
+ setfacl -m g:users:r ./b ./a ./c
The above works for any amount of files, and also for unusual (or malicious) file names. GNU find will spawn as many such shell processes as necessary.
For even more secure invocation (e.g. checking PATH), use -execdir instead of -exec. For more on this, pls. refer to the manual, e.g. here:
https://www.gnu.org/software/findutils/manual/html_node/find_html/Single-Fil...
https://www.gnu.org/software/findutils/manual/html_node/find_html/Multiple-F...
I'll have a look.
BTW: your chmod argument contradicts the setfacl argument, so the files will have to be adjusted the next time again.
Oh, I think I noticed, the current line now is different.

-- 
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
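
Added example, not part of the original messages: a sudo-free check of the two claims made in the thread, that "-exec ... +" spawns far fewer processes than "-exec ... \;" and that passing names through "$@" keeps unusual file names intact. The file names and function names are constructed for the demonstration, and 'sh -c' stands in for the privileged commands.

```shell
#!/bin/sh
# Constructed fixture: five files whose names contain a space, a newline,
# a ';' and a leading dash. Nothing here needs root.
make_fixture() {
    dir=$(mktemp -d) || return 1
    touch "$dir/plain" "$dir/with space" "$dir/-rf" "$dir/semi;colon" \
          "$dir/new
line"
    printf '%s\n' "$dir"
}

# "-exec ... \;" starts the command once per file.
count_spawns_per_file() {
    find "$1" -type f -exec sh -c 'echo spawn' sh '{}' \; | wc -l | tr -d ' '
}

# "-exec ... +" appends as many names as fit on one command line.
count_spawns_batched() {
    find "$1" -type f -exec sh -c 'echo spawn' sh '{}' + | wc -l | tr -d ' '
}

# Inside the snippet, "$@" holds one argument per file, so $# is the file
# count. find also prefixes every name with the start directory, so no
# argument begins with '-'.
count_args_batched() {
    find "$1" -type f -exec sh -c 'echo "$#"' sh '{}' +
}

# For contrast: unquoted command substitution splits names on whitespace,
# so the space and the newline each turn one name into two words.
count_words_unquoted() {
    set -- $(find "$1" -type f)
    echo "$#"
}

# Stand-alone run: print the four numbers, then clean up.
d=$(make_fixture) && {
    echo "spawns with \\;       : $(count_spawns_per_file "$d")"
    echo "spawns with +        : $(count_spawns_batched "$d")"
    echo "arguments via \"\$@\"  : $(count_args_batched "$d")"
    echo "words when unquoted  : $(count_words_unquoted "$d")"
    rm -rf "$d"
}
```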