NFS4 ACLs
This page shows how to restrict access permissions using NFS4 ACLs [1].
Set ACLs
To set access control entry to a file or directory, use the command:
nfs4_setfacl [OPTIONS] COMMAND file
Modify ACLs
To modify an access control entry of a file or directory, use the command:
nfs4_editfacl [OPTIONS] file
View ACLs
To view the access control list of a file or directory, use the command:
nfs4_getfacl file
Commands
The commands to use for setting access control entry are:
COMMAND | FUNCTION
---|---
-a acl_spec [index] | add the ACL entries in acl_spec at index (default: 1)
-x acl_spec index | remove the ACL entries in acl_spec, or the entry at index, from the ACL
-A file [index] | read ACL entries to add from file
-X file | read ACL entries to remove from file
-s acl_spec | set the ACL to acl_spec (replaces the existing ACL)
-S file | read ACL entries to set from file
-m from_ace to_ace | modify in place: replace 'from_ace' with 'to_ace'
These commands select what nfs4_setfacl does with the access control entries (add, remove, set or modify them). The FUNCTION column above describes each command so that you can choose the suitable one for your purpose.
Options
Below is the list of all options that can be used when setting or modifying an access control entry. These options can also be combined.
OPTION | NAME | FUNCTION
---|---|---
-R | recursive | applies the ACE to a directory's files and subdirectories
-L | logical | used with -R, follows symbolic links
-P | physical | used with -R, skips symbolic links
Example
The example below shows how to use NFSv4 ACLs to set and modify permissions for your group.
Situation
There are three people in a group: a professor and two students. The group directory has 5 subdirectories: shared, original_data, prof, student1, student2. The professor is the owner of all of them. The "shared" directory can be written to and deleted by all. The "original_data" directory can only be read by students. Each student's personal directory is owner-only, but the professor can read everything (not delete).
Step 1: Create the group directory using the mkdir command.
mkdir group
Step 2: Move inside the group directory using the cd command and create the 5 subdirectories under it.
cd group
mkdir shared original_data prof student1 student2
Step 3: Set the permissions on each subdirectory using the nfs4_setfacl command.
The shared directory can be written and deleted by all.
nfs4_setfacl -R -a A:dfg:group@cm.cluster:RWX shared
In this command:
- nfs4_setfacl: is the required command.
- -R: applies the ACE recursively to the files and subdirectories of the target directory.
- A: denotes allow.
- d: new subdirectories will inherit the same ACE.
- f: new files will inherit the same ACE minus the inheritance flags.
- g: the principal is a group.
- group@cm.cluster: is the group name.
- RWX: these are 3 permissions: read, write, and execute.
- shared: this is the path of the target directory or file.
The “original_data” directory can only be read by students.
nfs4_setfacl -a A::student1@cm.cluster:rtxcny original_data
nfs4_setfacl -a A::student2@cm.cluster:rtxcny original_data
In this command:
- rtxcny: is the read permission written out as individual permission letters: r (read data), t (read attributes), x (execute/traverse), c (read ACL), n (read named attributes), y (synchronize).
Each student's personal directory is owner-only, but the professor can read everything (not delete). We try another command for this target, nfs4_editfacl.
nfs4_editfacl -R group/student1
You should then see the contents of a file showing the permissions of each person on the directory student1.
Edit the permissions for OWNER@, GROUP@ and EVERYONE@ according to the requirement.
- Add this line to allow student1 all permissions.
A:fd:student1id@cm.cluster:rwaDdxtTnNcCoy
- Change the line after OWNER@ to be rxtncy so that the owner (the professor) can read but cannot delete.
- Change the line after GROUP@ to be rxtncy so that the other members of the group (the professor and student2) can read but cannot delete or modify.
- Continue to do the same steps above for student2.
Step 4: To check that we assigned the right permissions, use the nfs4_getfacl command.
nfs4_getfacl group/shared
The owner and the 2 group members, student1 and student2, can read, write, and delete. People who are not in the group can only read the content.
nfs4_getfacl group/original_data
The owner can read, write, and delete. People who are not in the group, as well as the 2 group members student1 and student2, can only read the content.
nfs4_getfacl group/student1
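Added example, not from the original page: POSIX sh helpers that expand the R/W/X permission aliases used in the commands above into individual letters and audit nfs4_getfacl output for allow entries that grant delete, the right the student directories must not give the group or everyone. The function names and the constructed SAMPLE_ACL are assumptions; nothing here needs an NFS mount.

```shell
#!/bin/sh
# Added example, not from the original page: POSIX sh helpers that expand the
# R/W/X aliases of nfs4_setfacl and audit nfs4_getfacl output for delete rights.

# The 14 NFSv4 permission letters in the order nfs4_getfacl prints them.
ALL_PERMS='rwaDdxtTnNcCoy'

# expand_perms SPEC [file|dir]: expand R (rtncy), W (watTNcCy, plus D on a
# directory) and X (xtcy) and print each letter once, in canonical order.
expand_perms() {
    spec=$1; kind=${2:-file}; letters=''; out=''
    for c in $(printf '%s' "$spec" | sed 's/./& /g'); do
        case $c in
            R) letters="${letters}rtncy" ;;
            W) letters="${letters}watTNcCy"
               [ "$kind" = dir ] && letters="${letters}D" ;;
            X) letters="${letters}xtcy" ;;
            *) letters="${letters}${c}" ;;
        esac
    done
    for p in $(printf '%s' "$ALL_PERMS" | sed 's/./& /g'); do
        case $letters in *"$p"*) out="${out}${p}" ;; esac
    done
    printf '%s\n' "$out"
}

# grants_delete ACE: succeed if an allow (A) entry grants delete (d) or
# delete-child (D). ACE fields are type:flags:principal:permissions.
grants_delete() {
    [ "${1%%:*}" = A ] || return 1
    case ${1##*:} in *d*|*D*) return 0 ;; *) return 1 ;; esac
}

# audit_acl: read nfs4_getfacl output on stdin and print the principal of
# every allow entry that grants delete; '# file:' comment lines are skipped.
audit_acl() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        grants_delete "$line" && printf '%s\n' "$line" | cut -d: -f3
    done
}

# Constructed sample modelled on the student1 directory of the example above.
SAMPLE_ACL='# file: group/student1
A::OWNER@:rxtncy
A:fd:student1id@cm.cluster:rwaDdxtTnNcCoy
A:g:GROUP@:rxtncy
A::EVERYONE@:rtncy'
printf '%s\n' "$SAMPLE_ACL" | audit_acl    # prints student1id@cm.cluster
```

Running expand_perms on the RWX spec used for the shared directory shows exactly which bits it grants on a directory, and audit_acl over real nfs4_getfacl output lists every principal who could delete.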
Hoang Oanh Pham URCF Coop 4/23/2021