Saturday, November 22, 2025

NFS : NFS 4 ACL Tool

It's possible to set ACLs on an NFSv4 filesystem by installing the NFS4 ACL tools.
Usage is mostly the same as for the POSIX ACL tools.

[1]Install the NFS4 ACL tools on NFS clients that mount the NFS share with NFSv4.
root@node01:~# 
apt -y install nfs4-acl-tools
[2]The usage examples in this tutorial were taken on the environment shown below.
root@node01:~# 
df -hT /mnt

Filesystem                   Type  Size  Used Avail Use% Mounted on
dlp.srv.world:/home/nfsshare nfs4   27G  937M   25G   4% /mnt

root@node01:~# 
ll /mnt

total 8
drwx------ 2 root root 4096 Aug 14 10:36 testdir
-rw------- 1 root root   30 Aug 14 10:35 testfile.txt
[3]Show the ACL of a file or directory on an NFSv4 filesystem.
root@node01:~# 
nfs4_getfacl /mnt/testfile.txt

# file: /mnt/testfile.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

root@node01:~# 
nfs4_getfacl /mnt/testdir

# file: /mnt/testdir
A::OWNER@:rwaDxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# each entry has the following format
# ACE = Access Control Entry
# (ACE Type):(ACE Flags):(ACE Principal):(ACE Permissions)

ACE Type
  A : Allow : allows the listed accesses.
  D : Deny : denies the listed accesses.

ACE Flags
  d : Directory-Inherit : a new sub-directory inherits the same ACE.
  f : File-Inherit : a new file inherits the same ACE, but without the inheritance flags.
  n : No-Propagate-Inherit : a new sub-directory inherits the same ACE, but without the inheritance flags.
  i : Inherit-Only : new files/sub-directories inherit the ACE, but the ACE does not apply to this directory itself.

ACE Principal
  (USER)@(NFSDomain) : a regular user.
    [NFSDomain] is the domain name specified as the [Domain] value in [idmapd.conf].
  (GROUP)@(NFSDomain) : a regular group.
    For a group, specify the [g] flag like this ⇒ A:g:GROUP@NFSDomain:rxtncy
  OWNER@ : special principal : the owner of the file or directory.
  GROUP@ : special principal : the owning group.
  EVERYONE@ : special principal : everyone.

ACE Permissions
  r : read data of files / list files in a directory
  w : write data to files / create new files in a directory
  a : append data to files / create new sub-directories
  x : execute files / change into a directory
  d : delete files or directories
  D : delete files or sub-directories under the directory
  t : read attributes of files or directories
  T : write attributes of files or directories
  n : read named attributes of files or directories
  N : write named attributes of files or directories
  c : read the ACL of files or directories
  C : write the ACL of files or directories
  o : change ownership of files or directories

ACE Permission Aliases (can be used with nfs4_setfacl in place of individual permissions)
  R = rntcy : generic read
  W = watTNcCy : generic write
  X = xtcy : generic execute
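As an added example (not code from the original page or from the nfs4-acl-tools project), the following Python parses nfs4_getfacl-style ACEs using the format and aliases described above and evaluates which permission bits a caller effectively holds. It applies NFSv4 first-match-per-bit ordering, which is why the D::OWNER@:x entry that appears later in this tutorial's output matters: it precedes the owner's ALLOW entry. The identity set passed to the evaluator (owner, group and user/group ids the caller maps to) is assumed to be supplied by the caller.

```python
# Added example: parse ACEs in the (type):(flags):(principal):(perms) format
# and evaluate effective permissions. Not from the page or the project.
ALIASES = {"R": "rntcy", "W": "watTNcCy", "X": "xtcy"}  # alias table from the page

def expand_perms(perms: str) -> str:
    """Expand R/W/X aliases into individual permission letters (deduplicated)."""
    out = []
    for ch in perms:
        for bit in ALIASES.get(ch, ch):
            if bit not in out:
                out.append(bit)
    return "".join(out)

def parse_ace(line: str) -> dict:
    """Split 'type:flags:principal:perms' into a dict; reject malformed lines."""
    parts = line.strip().split(":")
    if len(parts) != 4 or parts[0] not in ("A", "D"):
        raise ValueError(f"malformed ACE: {line!r}")
    ace_type, flags, principal, perms = parts
    return {"type": ace_type, "flags": flags, "principal": principal,
            "perms": expand_perms(perms)}

def parse_acl(text: str) -> list:
    """Parse nfs4_getfacl output, skipping blank lines and '#' comment lines."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def effective_perms(acl: list, identities: set) -> frozenset:
    """ACEs are walked in order; the first ACE for a matching principal that
    mentions a bit decides it. EVERYONE@ matches any caller; other principals
    (OWNER@, GROUP@, uid/gid, user@domain) match only if in `identities`."""
    decided = {}
    for ace in acl:
        if "i" in ace["flags"]:
            continue  # inherit-only: does not apply to this object itself
        if ace["principal"] != "EVERYONE@" and ace["principal"] not in identities:
            continue
        for bit in ace["perms"]:
            decided.setdefault(bit, ace["type"] == "A")
    return frozenset(b for b, allowed in decided.items() if allowed)

def may_access(acl: list, identities: set, wanted: str) -> bool:
    """True only if every requested bit (aliases allowed) is explicitly allowed."""
    return set(expand_perms(wanted)) <= effective_perms(acl, identities)

# Constructed sample, copied from the ACL shown after 'nfs4_setfacl -A' on this page
SAMPLE_ACL = """# file: /mnt/testfile.txt
D::OWNER@:x
A::OWNER@:rwatTcCy
A::1000:rxtcy
A::1002:rwaxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
"""
```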

[4]Add or delete an ACE.
root@node01:~# 
ll /mnt

total 8
drwx------ 2 root root 4096 Aug 14 10:36 testdir
-rw------- 1 root root   30 Aug 14 10:35 testfile.txt

root@node01:~# 
nfs4_getfacl /mnt/testfile.txt

# file: /mnt/testfile.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# add generic read/execute for [debian] user to [/mnt/testfile.txt] file

root@node01:~# 
nfs4_setfacl -a A::debian@srv.world:rxtncy /mnt/testfile.txt
root@node01:~# 
nfs4_getfacl /mnt/testfile.txt

# file: /mnt/testfile.txt
D::OWNER@:x
A::OWNER@:rwatTcCy
A::1000:rxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy


# verify with [debian] user

debian@node01:~$ 
ll /mnt

total 8
drwx------  2 root root 4096 Aug 14 10:36 testdir
-rw-r-x---+ 1 root root   30 Aug 14 10:35 testfile.txt

debian@node01:~$ 
cat /mnt/testfile.txt

test file

# delete generic read/execute for [debian] user from [/mnt/testfile.txt] file

root@node01:~# 
nfs4_setfacl -x A::1000:rxtcy /mnt/testfile.txt
root@node01:~# 
nfs4_getfacl /mnt/testfile.txt

# file: /mnt/testfile.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[5]Edit the ACL directly.
root@node01:~# 
nfs4_setfacl -e /mnt/testfile.txt

# the editor set in $EDITOR is launched (if unset, the default is [vi])
## Editing NFSv4 ACL for file: /mnt/testfile.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[6]Add ACEs from a file.
# create ACL list

root@node01:~# 
vi acl.txt
A::debian@srv.world:RX
A::trixie@srv.world:RWX

# add ACL from the file

root@node01:~# 
nfs4_setfacl -A acl.txt /mnt/testfile.txt
root@node01:~# 
nfs4_getfacl /mnt/testfile.txt

# file: /mnt/testfile.txt
D::OWNER@:x
A::OWNER@:rwatTcCy
A::1000:rxtcy
A::1002:rwaxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
[7]Replace the current ACL with a new ACL.
# create ACL list

root@node01:~# 
vi acl.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# replace ACL from the file

root@node01:~# 
nfs4_setfacl -S acl.txt /mnt/testfile.txt
root@node01:~# 
nfs4_getfacl /mnt/testfile.txt

# file: /mnt/testfile.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[8]Replace a specific ACE with a new ACE.
root@node01:~# 
nfs4_getfacl /mnt/testfile.txt

# file: /mnt/testfile.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# replace EVERYONE's ACE with generic read/execute

root@node01:~# 
nfs4_setfacl -m A::EVERYONE@:tcy A::EVERYONE@:RX /mnt/testfile.txt
root@node01:~# 
nfs4_getfacl /mnt/testfile.txt

# file: /mnt/testfile.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:rxtcy
A::EVERYONE@:rxtcy