Forge Home


POSIX filesystem ACLs module


150,232 latest version

3.1 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.0.1 (latest)
  • 1.0.0
  • 0.1.3
  • 0.1.2
  • 0.1.1
  • 0.1.0
released Feb 25th 2015
This version is compatible with:
  • Puppet Enterprise 3.x
  • Puppet >=2.7.20 <4.0.0
  • , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'thias-fooacl', '1.0.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add thias-fooacl
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install thias-fooacl --version 1.0.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Tags: acl, posix, setfacl


thias/fooacl — version 1.0.1 Feb 25th 2015



Manage POSIX filesystem ACLs with Puppet.

Most (all?) other ACL modules implement a type which can be declared only once per file, which isn't flexible. This module takes the unusual approach of creating a single large concatenated script to manage all ACLs recursively in a single run. Ugly, yet very efficient and flexible since ACLs aren't tied to the file type in any way.

Features :

  • Set ACLs for the same path from different parts of your puppet manifests (flexible).
  • Set global ACL permissions to be applied for all paths managed by the module (flexible).
  • Automatic purging of ACLs on paths as long as at least one ACL is still being applied by the module (remove users easily and reliably).
  • Automatic setting of both normal and default ACLs to the same values (shortens declarations, increases code readability).

Limitations :

  • No purging once paths are no longer being managed by the module.
  • Any ACL changes trigger re-applying all ACLs (fine for a few thousands files, but typically an issue for millions of files).

Module content :

  • fooacl : Class to start managing ACLs with the module (fooacl::conf automatically includes it).
  • fooacl::conf: Definition to manage ACLs configuration.


A typical declaration from anywhere in your puppet manifests :

fooacl::conf { '/var/www/':
  permissions => [

From anywhere else, you may set more ACLs for the same /var/www/ directory as long as you don't use the same $title (that would cause a duplicate declatation), so you would do :

fooacl::conf { '':
  target      => '/var/www/',
  permissions => [

Parameter requirements :

  • If $target is not specificed, $title must be the target.
  • If $target is specified, as a directory or an array of directories, $title is ignored (this allows to work around duplicate declarations)
  • The special $title of 'default' will apply permissions to all directories managed by this module on the node. Useful for global access on certain nodes.

If you need to order some of your resources with the execution of the script contained in the module (e.g. refresh when you modify uid or gid values), use :

foo { 'bar':
  notify => Class['::fooacl'],

More advanced example :

# Global webmasters
fooacl::conf { 'default':
  permissions => [
# Frontend website webmasters
fooacl::conf { 'frontend':
  target => [
  permissions => [
# Backend website webmasters
fooacl::conf { 'backend':
  target => [
  permissions => [


You can set the module fooacl_noop globally using hiera :

fooacl::fooacl_noop: true

After which the /usr/local/sbin/fooacl script will get updated but won't be automatically run.