ACLs under NFS4

On the Linux desktop computers, home directories, workgroup directories and other network drives are connected with NFS. The now used version NFS V4 uses Access Control Lists (ACLs) to control the access rights, which allow a very precise definition of the rights. For example, a file can be assigned with different rights for several users and groups, while regular access rights only allow the assignment of rights for one user, one group and the “rest of the world”.

The advantage that the ACLs under NFSv4 have, in compression to the variant under NFSv3, is that the allocation of rights is possible even more differentiated. Several parameters have been added for that. They are listed underneath:

The ACLs are described here in details. For a more specific Description: “Form of ACLs

frequently used cases

  • file- and folder-inheritance

The folder “testFolder” has the following ACLs:

$> nfs4_getfacl testFolder

The folder can be fully accessed not only by the owner (OWNER) but also by two other user (“tstfb15” und “t_turu01”).
These two identifications are only allowed to access the content (subfolder and files)
due to the “f”- and “d”-Ace (file- and folder-inheritance). This means that every file or
every folder which is created in the folder “testFolder” can be accessed by “tstfb15” und “t_turu01”\\.

  • delete ACLs

To withdraw the rights for the file “file” from the user “tstfb15” you have to follow these steps:
As first step you take a look at the rights (to be able to copy and insert the corresponding line).

$> nfs4_getfacl file

Now we delete the line “” from the ACL-list.

$> nfs4_setfacl -x


$> nfs4_getfacl file

  • insert ACLs

Now we want to give the user “tstfb15” on the file “file” the same rights the user “t_turu01” has:
As first step take a look at the rights of “t_turu01”:

$> nfs4_getfacl file

Copy the line “” and replace the identification with “tstfb15” and enter as follows:

$> nfs4_setfacl -a file

Now the user “tstfb15” has the same rights on the file “file”.

  • ACLs modification

Now we want to modify the ACLs of the file “file” so the user “tstfb15
has no more writing-rights (w) but only reading-rights (r).
First copy the to be modified line “”:

$> nfs4_getfacl file

Now the actual command:

$> nfs4_setfacl -m file


$> nfs4_getfacl file

form of ACLs


ACE TYPES are represented by a letter:
- A Allow
- D Deny

ACE FLAGS: there a three different ACE Flags: “group”, “inheritence” and “administrative”. It's possible to set no or more than one flag.
g group - represents a group (instead of a single user).
d directory-inherit - The rights of the newly created subfolder are inherited.
f file-inherit - The rights of the newly created file are inherited without “inheritance-Flas”.
n no-propagate-inherit - The rights of the newly created subfolder are inherited without “inheritance-Flas”.

ACE PRINCIPALS: A “Principal” might have an identifier (e.g. “t_turu01”), a group or one of these three special “Principals” OWNER, GROUP and EVERYONE.

ACE PERMISSIONS: there are different ACE-permissions (13 for files, 14 for folders) which are each represented by letters:

parameter meaning validity
r read-data / list-directory file and folder
w write-data / create-file file and folder
a append-data / create subdirectories file and folder
x execute / change folder file and folder
d delete a file or folder file and folder
D delete a file or a subfolder of a given folder only folder
t read the features of a file or folder file and folder
T set the features of a file or folder file and folder
n read the named-attribute of a file or folder file and folder
N set the named-attribute of a file or folder file and folder
c read the NFSv4-ACLs of a file or folder file and folder
C write the NFSv4-ACLs of a file or folder file and folder
o change the owner file and folder
y synchronize with server file and folder

Beispiel ACLs

  • In the example above the user “” has “read”- and “execute”-rights, “” has “read”- and “write”-rights. The group “GROUP” and “EVERYONE” has only “read”-rights.
  • NFSv4 ACLs are preventative. this means: by default the “deny-ace” is set, so the access is only allowed if the “allow-ace” is set explicitly.

The allocation of ACLs can be made easier by using the command “nfs4_editfacl”. Before the call of the command you can set with the command “export EDITORT=[gedit|nano|vim]” which editor you want to use.

In Other Languages
Translations of this page: