ACLs with NFSv4
Problem statement
We want to use nfs4_getfacl and nfs4_setfacl to view and modify ACL permissions on an NFS-mounted drive.
To view permissions, we can type:
$ nfs4_getfacl .
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:rxtcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rwaDxtcy
A:fdi:EVERYONE@:rxtcy
To change permissions (where 1001 is the uid / gid), we can type:
nfs4_setfacl -R A::1001:rwaDxtTcCy .
nfs4_setfacl -R A:g:1001:rwaDxtTcCy .
However, nfs4_setfacl applies the user's umask before creating a new file. This makes it impossible to create a file with g+rw permissions when we have a umask of 0022, even if the directory has A:g:1001:rwaDxtTcCy permissions.
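The ACE format and the umask arithmetic behind this problem, as an added Python example that is not part of the original post: it parses the nfs4_getfacl output shown above, lists which principals can actually write to the directory, and shows why a 0022 umask strips g+w from a newly created file. The permission and flag letters follow the nfs4_acl(5) conventions; the sample ACL text is the constructed copy of the listing above.

```python
import re
from dataclasses import dataclass

# One ACE per line as printed by nfs4_getfacl: type:flags:principal:permissions
ACE_RE = re.compile(r"^([ADUL]):([a-zA-Z]*):([^:]+):([a-zA-Z]+)$")

# Permission letters understood by nfs4_setfacl/nfs4_getfacl.
PERM_NAMES = {"r": "read-data", "w": "write-data", "a": "append-data", "x": "execute",
              "d": "delete", "D": "delete-child", "t": "read-attrs", "T": "write-attrs",
              "n": "read-named-attrs", "N": "write-named-attrs", "c": "read-acl",
              "C": "write-acl", "o": "write-owner", "y": "synchronize"}

@dataclass
class Ace:
    kind: str        # A=allow, D=deny, U=audit, L=alarm
    flags: set       # f=file-inherit, d=dir-inherit, i=inherit-only, g=group principal
    principal: str   # OWNER@, GROUP@, EVERYONE@, a uid/gid, or user@domain
    perms: set

def parse_acl(text):
    """Parse nfs4_getfacl output into Ace entries; blank and '#' lines are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE: {line!r}")
        kind, flags, principal, perms = m.groups()
        if set(perms) - PERM_NAMES.keys():
            raise ValueError(f"unknown permission letter in {line!r}")
        aces.append(Ace(kind, set(flags), principal, set(perms)))
    return aces

def effective_writers(aces):
    """Principals allowed to write the object itself. Inherit-only ACEs ('i')
    only shape ACLs of new children, so they are excluded here."""
    return {a.principal for a in aces
            if a.kind == "A" and "w" in a.perms and "i" not in a.flags}

def create_mode(umask, base=0o666):
    """POSIX mode a new regular file gets once the umask is applied on create."""
    return base & ~umask

def group_write_survives(umask):
    """True only if g+w is still present after creation under this umask."""
    return bool(create_mode(umask) & 0o020)

SAMPLE = """A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:rxtcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rwaDxtcy
A:fdi:EVERYONE@:rxtcy
"""
```

Running `group_write_survives(0o022)` reproduces the failure described above (the new file ends up 0644), while a umask of 0002 keeps group write.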
Solution
The “solution” is to use NFSv3, by specifying vers=3 in the /etc/fstab file.
XXX:XXX:X:X:/external /home/external nfs rw,vers=3,acl,hard,intr,async,noatime,rsize=32768,wsize=32768 0 2
After remounting the directory, we can check that we are really using NFSv3 with the nfsstat -m command:
$ nfsstat -m
/home/external from 192.168.1.1:/external
Flags: rw,noatime,vers=3,rsize=32768,wsize=32768,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=XXX.XXX.X.X,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=XXX.XXX.X.X
^--- make sure we have 3 here!!!
ACLs can now be viewed and changed using the standard getfacl and setfacl commands, and the user’s umask is not applied when the folder has ACL permissions.
Relevant links
- NFSv4 ACLs Documentation
- ServerFault - NFS v4 ACL inheritance problems
- Discussion about the interaction between umask and nfs4_setfacl