
NFSv4 ACLs

This page shows how to restrict access permissions using NFS4 ACLs [1].

Set ACLs

To set access control entry to a file or directory, use the command:

nfs4_setfacl [OPTIONS] COMMAND file

Modify ACLs

To edit the access control list of a file or directory interactively in your editor (this is equivalent to nfs4_setfacl -e), use the command:

nfs4_editfacl [OPTIONS] file

View ACLs

To view the access control list of a file or directory, use the command:

nfs4_getfacl file

Commands

The commands that tell nfs4_setfacl what to do with the access control entries (ACEs) are:

COMMAND              FUNCTION
-a acl_spec [index]  add the ACEs in acl_spec at position index (default: 1, the top of the list)
-x acl_spec | index  remove the ACEs in acl_spec, or the single entry at index, from the ACL
-A file [index]      read the ACEs to add from file
-X file              read the ACEs to remove from file
-s acl_spec          set the ACL to acl_spec (replaces the existing ACL)
-S file              read the ACEs to set from file
-m from_ace to_ace   modify in place: replace from_ace with to_ace

Exactly one of these commands is given per invocation. The FUNCTION column describes what each one does so that you can choose the right one for your purpose. Position matters: NFSv4 ACLs are evaluated top to bottom, and the first entry that matches the requester decides each permission bit it names, so an entry added at index 1 takes precedence over the entries below it.

Options

Below are the options that can be combined with any of the commands above when setting or modifying ACEs.

OPTION  NAME       FUNCTION
-R      recursive  apply the change to the directory and to all files and subdirectories already under it
-L      logical    used with -R, follow symbolic links
-P      physical   used with -R, skip symbolic links

-R only touches entries that already exist. For files and subdirectories created later, use the inheritance flags f and d in the ACE itself, as in the example below.

Example

The example below shows how to use NFSv4 ACLs to set and modify permissions for a group.

Situation

A group has three members: a professor and two students. The group directory has five subdirectories: shared, original_data, prof, student1 and student2. The professor owns all of them. The shared directory can be written to and deleted from by everyone in the group. The original_data directory can only be read by the students. Each student's personal directory is owner-only, except that the professor can read everything in it (but not delete).

Step 1: First step is creating the group directory using the mkdir command.

mkdir group

Step 2: Move into the group directory with cd and create the five subdirectories under it.

cd group
mkdir shared original_data prof student1 student2

Step 3: Now set the permissions on each subdirectory using the nfs4_setfacl command.

The shared directory can be written to and deleted from by everyone in the group.

nfs4_setfacl -R -a A:dfg:group@cm.cluster:RWX shared

In this command:

  • nfs4_setfacl: the command.
  • -R: apply the ACE recursively to the files and subdirectories already under shared.
  • A:dfg:group@cm.cluster:RWX: one ACE, in the form type:flags:principal:permissions.
  • A: denotes allow.
  • d: directory inherit; new subdirectories will have the same ACE.
  • f: file inherit; new files will have the same ACE minus the inheritance flags.
  • g: the principal is a group, not a user.
  • group@cm.cluster: the group name.
  • RWX: the three generic permissions read, write and execute. On a directory the generic W alias also covers D (delete child), which is what lets members delete each other's files in shared.
  • shared: the path of the targeted directory or file.

The original_data directory can only be read by the students.

nfs4_setfacl -a A::student1@cm.cluster:rtxcny original_data
nfs4_setfacl -a A::student2@cm.cluster:rtxcny original_data

In these commands:

  • A::student1@cm.cluster:rtxcny: an allow ACE with no flags for the user student1@cm.cluster.
  • rtxcny: the expansion of the generic read alias R (rtncy: read data, read attributes, read named attributes, read ACL, synchronize) plus x (execute, which on a directory means traverse). The students can list and enter the directory but none of w, a, d, D, C or o is granted, so they cannot write to it or delete from it.
  • These ACEs have no f or d flags and -R is not used, so they apply to the original_data directory itself only. If the students should also read the files already in it, or files the professor adds later, use -R and the flags fd as in the shared example.

Each student's personal directory is owner-only, but the professor can read everything in it (not delete). We try another command for this, nfs4_editfacl. The paths below are relative to the parent of group, so go back up first:

cd ..
nfs4_editfacl -R group/student1

This opens the current ACL of student1 in your editor; you should see one line per entry, showing the permissions each principal has on the directory. [Screenshot 3c.JPG: the ACL of student1 as opened by nfs4_editfacl]

Edit the permissions for OWNER@, GROUP@ and EVERYONE@ according to the requirement:

  • Add this line to allow student1 all permissions, inherited by new files and subdirectories:
A:fd:student1@cm.cluster:rwaDdxtTnNcCoy
  • Change the permission field of the OWNER@ entry to rxtncy so that the owner (the professor) can read but cannot write or delete.
  • Change the permission field of the GROUP@ entry to rxtncy so that the other members of the group (the professor and student2) can read but cannot delete or modify.
  • Save and quit the editor; nfs4_editfacl then applies the edited ACL. Repeat the same steps for student2.

Step 4: To check that the right permissions were assigned, use the nfs4_getfacl command.

nfs4_getfacl group/shared

[Screenshot Step4a.JPG: nfs4_getfacl output for group/shared]

The owner and the two group members, student1 and student2, can read, write and delete. People who are not in the group can only read the content; that access comes from the directory's existing EVERYONE@ entry, not from the ACE added in step 3.

nfs4_getfacl group/original_data

[Screenshot Step4b.JPG: nfs4_getfacl output for group/original_data]

The owner can read, write and delete. The two group members, student1 and student2, and people who are not in the group can only read the content.

nfs4_getfacl group/student1

[Screenshot Step4c.JPG: nfs4_getfacl output for group/student1]
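The whole procedure from steps 1 to 4, as an added example script that is not code from the original page or from the referenced HOWTO. It scripts the policy of the Situation section with nfs4_setfacl (using -s with a full ACL for the student directories instead of the interactive nfs4_editfacl, so it can run unattended) and audits nfs4_getfacl output for the original_data requirement. It assumes nfs4-acl-tools is installed and the target sits on an NFSv4 mount with ACL support; the principal names are the page's, while run, apply_group_acls, principal_is_readonly, DRY_RUN and the embedded sample nfs4_getfacl output are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from the original page or the referenced HOWTO.
# Scripts the policy from the Situation section with nfs4_setfacl and audits
# the result from nfs4_getfacl output. Assumptions: nfs4-acl-tools is
# installed, the target is on an NFSv4 mount with ACL support, and the
# principal names (group@cm.cluster, student1@cm.cluster, ...) are the page's.
# run, apply_group_acls, principal_is_readonly and DRY_RUN are this example's
# own names. With DRY_RUN=1 the ACL commands are printed, not executed.

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$@"
  else
    "$@"
  fi
}

# Apply the policy to an existing group directory $1 (see Step 3 above).
#  shared:        the group may create, modify and delete; on a directory the
#                 generic W alias includes D (delete child). f and d make new
#                 files and subdirectories inherit the entry.
#  original_data: students may only list/traverse and read (rtncy + x), with
#                 fd and -R so existing and future files stay read-only too.
#  studentN:      -s replaces the ACL outright: the student gets everything,
#                 OWNER@ (the professor) and GROUP@ are cut back to read and
#                 traverse, and with no EVERYONE@ entry everyone else is denied
#                 (an NFSv4 ACL denies whatever no entry allows).
apply_group_acls() {
  g=$1
  run nfs4_setfacl -R -a "A:dfg:group@cm.cluster:RWX" "$g/shared"
  for s in student1 student2; do
    run nfs4_setfacl -R -a "A:fd:$s@cm.cluster:rtxcny" "$g/original_data"
  done
  for s in student1 student2; do
    run nfs4_setfacl -R -s \
      "A:fd:$s@cm.cluster:rwaDdxtTnNcCoy,A:fd:OWNER@:rxtncy,A:fdg:GROUP@:rxtncy" \
      "$g/$s"
  done
}

# Audit helper: given nfs4_getfacl output ($1) and a principal ($2), return 0
# if every Allow entry for that principal is limited to read/traverse bits and
# 1 if any of them grants w, a, d, D, C or o (write data, append, delete,
# delete child, write ACL, change owner). Deny entries and the "# file:"
# header line are ignored.
principal_is_readonly() {
  printf '%s\n' "$1" | awk -F: -v who="$2" '
    $1 == "A" && $3 == who && $4 ~ /[wadDCo]/ { bad = 1 }
    END { if (bad) exit 1; exit 0 }'
}

# Constructed sample of what nfs4_getfacl group/original_data should print
# after apply_group_acls (not captured from a real system).
SAMPLE_ORIGINAL_DATA='# file: group/original_data
A::OWNER@:rwaDxtTnNcCoy
A:fd:student1@cm.cluster:rtxcny
A:fd:student2@cm.cluster:rtxcny
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy'

# Usage: sh nfs4_group_acls.sh group           (creates the tree, applies ACLs)
#        DRY_RUN=1 sh nfs4_group_acls.sh group (prints the commands only)
if [ $# -eq 1 ]; then
  mkdir -p "$1/shared" "$1/original_data" "$1/prof" "$1/student1" "$1/student2"
  apply_group_acls "$1"
  if [ "${DRY_RUN:-0}" != 1 ]; then
    for s in student1 student2; do
      if principal_is_readonly "$(nfs4_getfacl "$1/original_data")" "$s@cm.cluster"; then
        echo "original_data: $s is read-only: OK"
      else
        echo "original_data: $s can modify or delete: FIX"
      fi
    done
  fi
fi
```

Run it once with DRY_RUN=1 to review the five nfs4_setfacl invocations before touching the share. The audit only looks at Allow entries, so it flags an entry that grants too much; it does not tell you whether a student is also covered by GROUP@ or EVERYONE@, so check those entries in the same output.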

Hoang Oanh Pham URCF Coop 4/23/2021

Reference

[1] HOWTO: Use NFSv4 ACLs (Ohio Supercomputer Center)