Abstract

This shows you how to use the NFSv4 ACL permissions system. An ACL (access control list) is a list of permissions associated with a file or directory. These permissions allow you to restrict access to a certian file or directory by user or group. NFSv4 ACLs provide more specific options than typical POSIX read/write/execute permissions used in most systems.

package

You need install package to use nfs4_acl

rpm package name is nfs4-acl-tools

Understanding NFSv4 ACL

This is an example of an NFSv4 ACL

A::user@nfsdomain.org:rxtncy

The following sections will break down this example from left to right and provide more usage options

ACE Type

The ‘A’ in the example is known as the ACE (access control entry) type. The ‘A’ denotes “Allow” meaning this ACL is allowing the user or group to perform actions requiring permissions. Anything that is not explicitly allowed is denied by default.

Note: ‘D’ can denote a Deny ACE. While this is a valid option, this ACE type is not reccomended since any permission that is not explicity granted is automatically denied meaning Deny ACE’s can be redundant and complicated.

ACE Flags

The above example could have a distinction known as a flag shown below

A:d:user@nfsdomain.org:rxtncy

The ‘d’ used above is called an inheritence flag. This makes it so the ACL set on this directory will be automatically established on any new subdirectories. Inheritence flags only work on directories and not files. Multiple inheritence flags can be used in combonation or omitted entirely. Examples of inheritence flags are listed below:

Flag Name Function
d directory-inherit New subdirectories will have the same ACE
f file-inherit New files will have the same ACE minus the inheritence flags
n no-propogate inherit New subdirectories will inherit the ACE minus the inheritence flags
i inherit-only New files and subdirectories will have this ACE but the ACE for the directory with the flag is null

ACE Principal

the 'user@nfsdomain.org' is a principal. The principal denotes the people the ACL is allowing access to.

Principals can be the following:

  • A named user user1@nfsdomain.org
  • Speical principals OWNER@ GROUP@ EVERYONE@
  • A group A:g:group1@nfsdomain.org:rxtncy When the principal is a group, you need to add a group flag, 'g', as shown above example.

ACE Permissions

the 'rxtncy' are the permissions the ACE is allowing. Permissions can be used in combonation with each other.

A list of permissions and what they do can be found below:

Permission Function
r read-data (files) / list-directory (directories)
w write-data (files) / create-file (directories)
a append-data (files) / create-subdirectory (directories)
x execute (files) / change-directory (directories)
d delete the file/directory
D delete-child : remove a file or subdirectory from the given directory (directories only)
t read the attributes of the file/directory
T write the attribute of the file/directory
n read the named attributes of the file/directory
N write the named attributes of the file/directory
c read the file/directory ACL
C write the file/directory ACL
o change ownership of the file/directory

Aliases such ‘R’ ‘W’ ‘X’ can be used as permissions. These work simlarly to POSIX Read/Write/Execute. More detail can be found below.

Alias Name Expansion
R Read rntcy
W Write watTNcCy (with D added to directory ACE’s
X Execute xtcy

Using NFSv4 ACL

nfs4_editfacl

nfs4_getfacl

nfs4_gefacl /path

nfs4_setfacl

commands

Commands are only used when first setting an ACE. Commands and their uses are listed below.

COMMAND FUNCTION
-a acl_spec [index] add ACL entries in acl_spec at index (DEFAULT: 1)
-x acl_spec | index remove ACL entries or entry-at-index from ACL
-A file [index] read ACL entries to add from file
-X file read ACL entries to remove from file
-s acl_spec set ACL to acl_spec (replaces existing ACL)
-S file read ACL entries to set from file
-m from_ace to_ace modify in-place: replace ‘from_ace’ with ‘to_ace’

Options

Options can be used in combination or ommitted entirely. A list of options is shown below:

OPTION NAME FUNCTION
-R recursive Applies ACE to a directory’s files and subdirectories
-L logical Used with -R, follows symbolic links
-P physical Used with -R, skips symbolic links

Use cases

nfs4_setfacl -Ra A::user1@domain:RWX  /path

nfs4_setfacl -a A:fdg:group1@domain:RWX  /path

本文采用 知识共享署名 4.0 国际许可协议(CC-BY 4.0)进行许可。转载请注明来源: https://snowfrs.com/2020/07/02/NFS4_ACL.html 欢迎对文中引用进行考证,欢迎指出任何不准确和模糊之处。