ACLs under NFS4
On the Linux desktop computers, home directories, workgroup directories and other network drives are mounted via NFS. The version now in use, NFSv4, controls access rights with Access Control Lists (ACLs), which allow a much finer-grained definition of rights than the classic permission bits: a file can carry different rights for several users and groups, whereas regular Unix permissions only distinguish one user (the owner), one group and the "rest of the world".
Compared with the ACLs under NFSv3, the NFSv4 ACLs allow rights to be assigned in an even more differentiated way; several additional permission bits and inheritance flags were introduced for this. They are listed in the section "form of ACLs" below.
The ACLs are described here in detail by means of the most frequent tasks; the exact syntax of an entry is given under "form of ACLs".
frequently used cases
- file- and folder-inheritance
The folder “testFolder” has the following ACLs:
$> nfs4_getfacl testFolder
A:fdi:tstfb15@rbg.informatik.tu-darmstadt.de:rwadxtTnNcC
A::tstfb15@rbg.informatik.tu-darmstadt.de:rwadxtTnNcC
A:fdi:t_turu01@rbg.informatik.tu-darmstadt.de:rwaDdxtTnNcCo
A::t_turu01@rbg.informatik.tu-darmstadt.de:rwaDdxtTnNcCo
A:fdi:OWNER@:rwaDdxtTnNcCo
A::OWNER@:rwaDdxtTnNcCo
The folder can be accessed not only by its owner (OWNER@) but also by two other users ("tstfb15" and "t_turu01"); "t_turu01" has the same rights as the owner, while "tstfb15" lacks "D" (delete entries inside the folder) and "o" (change the owner).
Each of these principals has two ACEs. The one without flags (A::…) applies to "testFolder" itself. The one with the flags "fdi" (file-inherit, directory-inherit, inherit-only) is not consulted for "testFolder" itself but is copied to every file or subfolder created inside it. This is what gives the two users access to the content: every file and every folder newly created in "testFolder" can be accessed by "tstfb15" and "t_turu01". Inheritance happens at creation time only, so files that already existed when the inheritable ACE was added keep their old ACL.
- delete ACLs
To withdraw the rights on the file "file" from the user "tstfb15", proceed as follows:
First look at the current rights, so that the corresponding line can be copied and pasted exactly ("nfs4_setfacl -x" only removes an ACE that matches the given one character for character):
$> nfs4_getfacl file
A::tstfb15@rbg.informatik.tu-darmstadt.de:rwadxtTnNcC
A::t_turu01@rbg.informatik.tu-darmstadt.de:rwadxtTnNcCo
A::OWNER@:rwadxtTnNcCo
Now remove the line "A::tstfb15@rbg.informatik.tu-darmstadt.de:rwadxtTnNcC" from the ACL (the command needs the ACE and the file name):
$> nfs4_setfacl -x A::tstfb15@rbg.informatik.tu-darmstadt.de:rwadxtTnNcC file
Check:
$> nfs4_getfacl file
A::t_turu01@rbg.informatik.tu-darmstadt.de:rwadxtTnNcCo
A::OWNER@:rwadxtTnNcCo
- insert ACLs
Now we want to give the user "tstfb15" the same rights on the file "file" that the user "t_turu01" has.
First look at the rights of "t_turu01":
$> nfs4_getfacl file
A::t_turu01@rbg.informatik.tu-darmstadt.de:rwadxtTnNcCo
A::OWNER@:rwadxtTnNcCo
Copy the line "A::t_turu01@rbg.informatik.tu-darmstadt.de:rwadxtTnNcCo", replace the identification with "tstfb15" and enter:
$> nfs4_setfacl -a A::tstfb15@rbg.informatik.tu-darmstadt.de:rwadxtTnNcCo file
Now the user "tstfb15" has the same rights on the file "file" as "t_turu01". Without a position index, "-a" inserts the new ACE at the beginning of the list; since ACEs are evaluated in order, check the result with nfs4_getfacl, especially if the ACL contains Deny ACEs.
- ACLs modification
Now we want to modify the ACLs of the file "file" so that the user "tstfb15" no longer has write rights (w) but only read rights (r).
First copy the line to be modified, "A::tstfb15@rbg.informatik.tu-darmstadt.de:rwadxtTnNcCo":
$> nfs4_getfacl file
A::tstfb15@rbg.informatik.tu-darmstadt.de:rwadxtTnNcCo
A::t_turu01@rbg.informatik.tu-darmstadt.de:rwadxtTnNcCo
A::OWNER@:rwadxtTnNcCo
Now the actual command ("-m" takes the existing ACE, the ACE that should replace it, and then the file name):
$> nfs4_setfacl -m A::tstfb15@rbg.informatik.tu-darmstadt.de:rwadxtTnNcCo A::tstfb15@rbg.informatik.tu-darmstadt.de:radxtTnNcCo file
Check:
$> nfs4_getfacl file
A::tstfb15@rbg.informatik.tu-darmstadt.de:radxtTnNcCo
A::t_turu01@rbg.informatik.tu-darmstadt.de:rwadxtTnNcCo
A::OWNER@:rwadxtTnNcCo
Note that removing "w" from this Allow ACE only withdraws write access if no later ACE in the list (for example one for GROUP@ or EVERYONE@) still grants it to "tstfb15".
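As an added example (not part of the original page and not code from the nfs4-acl-tools project), the following Python helper turns the three procedures above (remove an ACE, give one principal the same ACE as another, drop permission letters from an ACE) into exact nfs4_setfacl command lines. It works purely on the text that nfs4_getfacl prints, so it runs without an NFSv4 mount; the sample output, the file name "file" and the principals are taken from the page, and the "# file:" header line in the constructed sample is the one nfs4_getfacl prints in front of the ACEs.

```python
"""Build exact nfs4_setfacl command lines from nfs4_getfacl output.

Added example: works on the ACE text only, so it needs no NFSv4 mount.
Each ACE has the form type:flags:principal:permissions.
"""
import shlex
from typing import List, Optional

# Constructed sample: the output of `nfs4_getfacl file` from the page's
# "ACLs modification" step, with the "# file:" header nfs4_getfacl prints.
SAMPLE_GETFACL = """\
# file: file
A::tstfb15@rbg.informatik.tu-darmstadt.de:rwadxtTnNcCo
A::t_turu01@rbg.informatik.tu-darmstadt.de:rwadxtTnNcCo
A::OWNER@:rwadxtTnNcCo
"""


def parse_aces(getfacl_output: str) -> List[str]:
    """Return the ACE lines in order, skipping the '# file:' header and blank lines."""
    return [ln.strip() for ln in getfacl_output.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def split_ace(ace: str):
    """Split one ACE into (type, flags, principal, permissions)."""
    ace_type, flags, principal, perms = ace.split(":", 3)
    return ace_type, flags, principal, perms


def find_ace(aces: List[str], principal: str,
             ace_type: str = "A", flags: str = "") -> Optional[str]:
    """First ACE for principal with exactly this type and these flags (default: plain Allow)."""
    for ace in aces:
        if split_ace(ace)[:3] == (ace_type, flags, principal):
            return ace
    return None


def with_principal(ace: str, new_principal: str) -> str:
    """Same type, flags and permissions, different principal."""
    ace_type, flags, _, perms = split_ace(ace)
    return f"{ace_type}:{flags}:{new_principal}:{perms}"


def without_perms(ace: str, drop: str) -> str:
    """Remove the given permission letters (e.g. 'w' or 'wD'), keeping the remaining order."""
    ace_type, flags, principal, perms = split_ace(ace)
    kept = "".join(ch for ch in perms if ch not in drop)
    return f"{ace_type}:{flags}:{principal}:{kept}"


# The three nfs4_setfacl forms used on the page: -x must match the ACE exactly,
# -a inserts at the front of the list unless an index is given, -m replaces one ACE.
def remove_cmd(ace: str, path: str) -> List[str]:
    return ["nfs4_setfacl", "-x", ace, path]


def add_cmd(ace: str, path: str) -> List[str]:
    return ["nfs4_setfacl", "-a", ace, path]


def modify_cmd(old_ace: str, new_ace: str, path: str) -> List[str]:
    return ["nfs4_setfacl", "-m", old_ace, new_ace, path]


def revoke(getfacl_output: str, principal: str, path: str) -> List[str]:
    """'delete ACLs' case: remove the plain Allow ACE of principal."""
    ace = find_ace(parse_aces(getfacl_output), principal)
    if ace is None:
        raise LookupError(f"no A:: ACE for {principal}; nothing to remove")
    return remove_cmd(ace, path)


def grant_like(getfacl_output: str, template_principal: str,
               new_principal: str, path: str) -> List[str]:
    """'insert ACLs' case: give new_principal the same ACE template_principal has."""
    ace = find_ace(parse_aces(getfacl_output), template_principal)
    if ace is None:
        raise LookupError(f"no A:: ACE for {template_principal} to copy")
    return add_cmd(with_principal(ace, new_principal), path)


def drop_perms(getfacl_output: str, principal: str, drop: str, path: str) -> List[str]:
    """'ACLs modification' case: strip permission letters from principal's Allow ACE."""
    ace = find_ace(parse_aces(getfacl_output), principal)
    if ace is None:
        raise LookupError(f"no A:: ACE for {principal} to modify")
    return modify_cmd(ace, without_perms(ace, drop), path)


if __name__ == "__main__":
    who = "tstfb15@rbg.informatik.tu-darmstadt.de"
    # Print the commands instead of running them; review, then pipe into sh.
    for argv in (drop_perms(SAMPLE_GETFACL, who, "w", "file"),
                 revoke(SAMPLE_GETFACL, who, "file")):
        print(shlex.join(argv))
```

The helpers deliberately build the command from the ACE that is actually present rather than from a hand-typed copy, which removes the most common mistake with "-x" and "-m": a single wrong letter and the ACE is silently not matched. Feed real output in with `nfs4_getfacl file` and review the printed commands before executing them.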
form of ACLs
type:flags:principal:permissions
ACE TYPES are represented by a letter:
- A Allow
- D Deny
ACE FLAGS: there are three kinds of ACE flags: "group", "inheritance" and "administrative". An ACE can carry no flag, one flag or several flags.
GROUP FLAG
g group - the principal is a group (instead of a single user).
INHERITANCE FLAGS (meaningful only on folders)
d directory-inherit - newly created subfolders inherit this ACE, including its inheritance flags, so it propagates further down the tree.
f file-inherit - newly created files inherit this ACE, without the inheritance flags (files have no children).
n no-propagate-inherit - newly created subfolders inherit this ACE, but without the inheritance flags, so it applies to one level only.
i inherit-only - the ACE is not used for the folder itself; it only serves as a template for newly created files and subfolders (this is the "i" in the "fdi" ACEs of the example above).
ACE PRINCIPALS: a principal is either a named user (e.g. "t_turu01@rbg.informatik.tu-darmstadt.de"), a named group (in combination with the "g" flag) or one of the three special principals OWNER@ (the owner), GROUP@ (the owning group) and EVERYONE@ (everybody, including the owner and the owning group).
ACE PERMISSIONS: there are different ACE permissions (13 for files, 14 for folders), each represented by a letter:
| letter | meaning | valid for |
|---|---|---|
| r | read data / list directory | file and folder |
| w | write data / create a file in the folder | file and folder |
| a | append data / create a subfolder | file and folder |
| x | execute / enter the folder | file and folder |
| d | delete the file or folder itself | file and folder |
| D | delete files or subfolders inside the folder | only folder |
| t | read the attributes of the file or folder | file and folder |
| T | set the attributes of the file or folder | file and folder |
| n | read the named attributes of the file or folder | file and folder |
| N | set the named attributes of the file or folder | file and folder |
| c | read the NFSv4 ACL of the file or folder | file and folder |
| C | write the NFSv4 ACL of the file or folder | file and folder |
| o | change the owner | file and folder |
| y | synchronize (allow synchronous I/O with the server) | file and folder |
Example ACLs
A::OWNER@:rwatTnNcCy
A::alice@rbg.informatik.tu-darmstadt.de:rxtncy
A::bob@rbg.informatik.tu-darmstadt.de:rwadtTnNcCy
A:g:GROUP@:rtncy
D:g:GROUP@:waxTC
A::EVERYONE@:rtncy
D::EVERYONE@:waxTC
- In the example above the user "alice@rbg.informatik.tu-darmstadt.de" has read and execute rights, "bob@rbg.informatik.tu-darmstadt.de" has read and write rights (plus append and delete). The owning group (GROUP@) and everyone else (EVERYONE@) only have read rights; the Deny ACEs that follow their Allow ACEs explicitly refuse writing, appending, executing, setting attributes and changing the ACL.
- NFSv4 ACLs are restrictive by default: an operation is permitted only if an Allow ACE explicitly grants every permission bit it needs. The ACEs are evaluated in the order in which they are listed; for each requested permission bit, the first ACE that matches the accessing principal and mentions that bit decides (Allow or Deny), and a bit that no matching ACE mentions is denied. A Deny ACE placed before an Allow ACE for the same principal therefore wins over it, which is why the position at which "nfs4_setfacl -a" inserts an ACE matters.
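As an added example (a model written for this page, not the NFS server's or the nfs4-acl-tools code), the following Python function walks an ACL in list order and applies exactly the rule just described to the example ACL above. The owner "owner@rbg.informatik.tu-darmstadt.de" and the owning group "fb15" are assumed so that OWNER@ and GROUP@ can match somebody; the model uses the basic matching rule and leaves out the extra privileges a real server grants the owner.

```python
"""Model of NFSv4 ACL evaluation: ACEs are checked in list order, the first ACE
that matches the caller and mentions a requested permission bit decides that
bit, and any bit no matching ACE mentions is denied.

Added example, not the NFS server's code. OWNER@/GROUP@/EVERYONE@ follow the
basic matching rule; the server's extra owner privileges are not modelled.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed: the example ACL from the page, one ACE per line, plus an
# assumed owner and owning group so that OWNER@ and GROUP@ can match someone.
EXAMPLE_ACL = """\
A::OWNER@:rwatTnNcCy
A::alice@rbg.informatik.tu-darmstadt.de:rxtncy
A::bob@rbg.informatik.tu-darmstadt.de:rwadtTnNcCy
A:g:GROUP@:rtncy
D:g:GROUP@:waxTC
A::EVERYONE@:rtncy
D::EVERYONE@:waxTC
""".split()
OWNER = "owner@rbg.informatik.tu-darmstadt.de"   # assumed file owner
OWNING_GROUP = "fb15"                            # assumed owning group


def ace_matches(flags: str, principal: str, user: str, groups: Iterable[str]) -> bool:
    """Does this ACE apply to the caller? Special principals first, then the g flag."""
    groups = set(groups)
    if principal == "OWNER@":
        return user == OWNER
    if principal == "GROUP@":
        return OWNING_GROUP in groups
    if principal == "EVERYONE@":
        return True
    if "g" in flags:
        return principal in groups
    return principal == user


def check_access(aces: List[str], user: str, groups: Iterable[str],
                 requested: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Per requested permission letter: ('allow' | 'deny', deciding ACE or None).

    Inherit-only ACEs (flag i) are skipped: they are templates for new children
    and are not consulted for the object itself.
    """
    undecided = set(requested)
    verdict: Dict[str, Tuple[str, Optional[str]]] = {}
    for ace in aces:
        ace_type, flags, principal, perms = ace.split(":", 3)
        if "i" in flags or not ace_matches(flags, principal, user, groups):
            continue
        for letter in sorted(undecided):
            if letter in perms:                  # first matching ACE decides this bit
                verdict[letter] = ("allow" if ace_type == "A" else "deny", ace)
                undecided.discard(letter)
        if not undecided:
            break
    for letter in undecided:                     # default deny: nobody mentioned it
        verdict[letter] = ("deny", None)
    return verdict


def allowed(aces: List[str], user: str, groups: Iterable[str], requested: str) -> bool:
    """True only if every requested bit was explicitly allowed."""
    return all(v == "allow" for v, _ in check_access(aces, user, groups, requested).values())


if __name__ == "__main__":
    alice = "alice@rbg.informatik.tu-darmstadt.de"
    bob = "bob@rbg.informatik.tu-darmstadt.de"
    print("alice rx  :", allowed(EXAMPLE_ACL, alice, [OWNING_GROUP], "rx"))
    print("alice w   :", check_access(EXAMPLE_ACL, alice, [OWNING_GROUP], "w"))
    # Order matters: the same Deny ACE placed before bob's Allow wins, after it loses.
    deny_bob = "D::bob@rbg.informatik.tu-darmstadt.de:w"
    print("deny first:", allowed([deny_bob] + EXAMPLE_ACL, bob, [], "w"))
    print("deny later:", allowed(EXAMPLE_ACL + [deny_bob], bob, [], "w"))
```

Running the block shows the two properties that matter when editing ACLs by hand: alice's write request is refused by "D:g:GROUP@:waxTC" even though no ACE for alice mentions "w" at all, and a Deny ACE for bob only takes effect if it is listed before his Allow ACE.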
Editing ACLs can be made easier with the command "nfs4_editfacl", which opens the ACL of a file in a text editor. Before calling it, select the editor with "export EDITOR=[gedit|nano|vim]".