ACLs with NFSv4

Problem statement

We want to use nfs4_getfacl and nfs4_setfacl to view and modify ACL permissions on an NFS-mounted drive.

To view permissions, we can type:

$ nfs4_getfacl .
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:rxtcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rwaDxtcy
A:fdi:EVERYONE@:rxtcy

To change permissions (where 1001 is the uid / gid), we can type:

nfs4_setfacl -R -a A::1001:rwaDxtTcCy .
nfs4_setfacl -R -a A:g:1001:rwaDxtTcCy .

However, nfs4_setfacl applies the user's umask before creating a new file. This makes it impossible to create a file with g+rw permissions when we have a umask of 0022, even if the directory has A:g:1001:rwaDxtTcCy permissions.

Solution

The “solution” is to use NFSv3, by specifying vers=3 in the /etc/fstab file.

XXX.XXX.X.X:/external    /home/external     nfs rw,vers=3,acl,hard,intr,async,noatime,rsize=32768,wsize=32768    0       2

After remounting the directory, we can confirm that we are using NFSv3 with the nfsstat -m command:

$ nfsstat -m
/home/external from 192.168.1.1:/external
 Flags:    rw,noatime,vers=3,rsize=32768,wsize=32768,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=XXX.XXX.X.X,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=XXX.XXX.X.X
                           ^--- make sure we have 3 here!!!
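
One way to script the check above, as an added example that is not part of the original post: the Flags line is split on commas and the vers key is matched exactly, so mountvers=3 cannot be mistaken for the protocol version. The function names and the second (NFSv4.2) sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report the NFS version per mount.

# Reads `nfsstat -m` text on stdin; prints "<mountpoint> <server:export> <vers>".
nfs_mount_versions() {
    awk '
        # Entry header: "<mountpoint> from <server>:<export>"
        $2 == "from" { mnt = $1; src = $3; next }
        # Flags line: comma-separated options. Match the key "vers" exactly,
        # so that "mountvers=3" is never read as the protocol version.
        $1 == "Flags:" {
            vers = "unknown"
            n = split($2, opt, ",")
            for (i = 1; i <= n; i++) {
                split(opt[i], kv, "=")
                if (kv[1] == "vers" || kv[1] == "nfsvers") vers = kv[2]
            }
            print mnt, src, vers
        }
    '
}

# Succeeds only if mountpoint $1 is listed and its major version equals $2.
nfs_vers_is() {
    nfs_mount_versions | awk -v m="$1" -v v="$2" '
        $1 == m { found = 1; split($3, p, "."); ok = (p[1] == v) }
        END { exit !(found && ok) }
    '
}

# Constructed sample: the first entry is the output shown above, the second
# is a made-up NFSv4.2 mount for contrast.
sample_nfsstat() {
    cat <<'EOF'
/home/external from 192.168.1.1:/external
 Flags:    rw,noatime,vers=3,rsize=32768,wsize=32768,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=XXX.XXX.X.X,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=XXX.XXX.X.X
/mnt/v4 from 192.0.2.10:/export
 Flags:    rw,relatime,vers=4.2,rsize=32768,wsize=32768,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.0.2.20,local_lock=none,addr=192.0.2.10
EOF
}

sample_nfsstat | nfs_mount_versions
if sample_nfsstat | nfs_vers_is /home/external 3; then echo "/home/external: NFSv3"; fi
```

On a live system, replace sample_nfsstat with nfsstat -m, for example: nfsstat -m | nfs_vers_is /home/external 3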

ACLs can now be viewed and changed using the standard getfacl and setfacl commands, and the user’s umask is not applied when the folder has ACL permissions.

Alexey Strokach
Graduate Student