Fedora 39
NFS : NFS 4 ACL Tool
2023/11/13

 
Installing the NFS 4 ACL tools makes it possible to set ACLs on NFSv4 filesystems.
Usage is mostly the same as the POSIX ACL tools.
[1] Install the NFS 4 ACL tools on NFS clients that mount the NFS share with NFSv4.
[root@node01 ~]#
dnf -y install nfs4-acl-tools
[2] The usage examples below are run in the following environment.
[root@node01 ~]#
df -hT /mnt

Filesystem                   Type  Size  Used Avail Use% Mounted on
dlp.srv.world:/home/nfsshare nfs4   15G  1.8G   14G  12% /mnt

[root@node01 ~]#
ll /mnt

total 4
drwx------. 2 root root   6 Nov 13 10:22 testdir
-rw-------. 1 root root 865 Nov 13 10:22 testfile.txt
[3] Show ACL of a file or directory on NFSv4 filesystem.
[root@node01 ~]#
nfs4_getfacl /mnt/testfile.txt


# file: /mnt/testfile.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

[root@node01 ~]#
nfs4_getfacl /mnt/testdir


# file: /mnt/testdir
A::OWNER@:rwaDxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# each entry has the following structure
# ACE = Access Control Entry
# (ACE Type):(ACE Flags):(ACE Principal):(ACE Permissions)

ACE Type
  A   Allow : the entry allows the listed accesses.
  D   Deny  : the entry denies the listed accesses.

ACE Flags
  d   Directory-Inherit    : a new sub-directory inherits the same ACE.
  f   File-Inherit         : a new file inherits the same ACE, but without its inheritance flags.
  n   No-Propagate-Inherit : a new sub-directory inherits the same ACE, but without its inheritance flags.
  i   Inherit-Only         : new files and sub-directories inherit the ACE, but it is not applied to this directory itself.

ACE Principal
  (USER)@(NFSDomain)    Regular user. [NFSDomain] is the domain name set as the [Domain] value in [idmapd.conf].
  (GROUP)@(NFSDomain)   Regular group. For a group, add the [g] flag, like this ⇒ A:g:GROUP@NFSDomain:rxtncy
  OWNER@                Special principal : owner of the file
  GROUP@                Special principal : owning group of the file
  EVERYONE@             Special principal : everyone

ACE Permissions
  r   Read data of files / List files in a directory
  w   Write data to files / Create new files in a directory
  a   Append data to files / Create new sub-directories
  x   Execute files / Change into a directory
  d   Delete files or directories
  D   Delete files or sub-directories under the directory
  t   Read attributes of files or directories
  T   Write attributes of files or directories
  n   Read named attributes of files or directories
  N   Write named attributes of files or directories
  c   Read the ACL of files or directories
  C   Write the ACL of files or directories
  o   Change ownership of files or directories

ACE Permission Aliases (when using nfs4_setfacl, these aliases can be used in place of the permission letters)
  R   R = rntcy    : Generic Read
  W   W = watTNcCy : Generic Write
  X   X = xtcy     : Generic Execute

[4] Add or delete an ACE.
[root@node01 ~]#
ll /mnt

total 4
drwx------. 2 root root   6 Nov 13 10:57 testdir
-rw-------. 1 root root 887 Nov 13 10:58 testfile.txt

[root@node01 ~]#
nfs4_getfacl /mnt/testfile.txt


# file: /mnt/testfile.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# add generic read/execute for [fedora] user to [/mnt/testfile.txt] file

[root@node01 ~]#
nfs4_setfacl -a A::fedora@srv.world:rxtncy /mnt/testfile.txt
[root@node01 ~]#
nfs4_getfacl /mnt/testfile.txt


# file: /mnt/testfile.txt
D::OWNER@:x
A::OWNER@:rwatTcCy
A::1000:rxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy


# verify with [fedora] user

[fedora@node01 ~]$
ll /mnt

total 4
drwx------. 2 root root   6 Nov 13 10:57 testdir
-rw-r-x---. 1 root root 887 Nov 13 10:58 testfile.txt

[fedora@node01 ~]$
cat /mnt/testfile.txt

test file

# delete generic read/execute for [fedora] user from [/mnt/testfile.txt] file

[root@node01 ~]#
nfs4_setfacl -x A::1000:rxtcy /mnt/testfile.txt
[root@node01 ~]#
nfs4_getfacl /mnt/testfile.txt


# file: /mnt/testfile.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[5] Edit ACL directly.
[root@node01 ~]#
nfs4_setfacl -e /mnt/testfile.txt


# $EDITOR is launched and the ACL is edited interactively
# the default $EDITOR on Fedora is [vim]; if $EDITOR is unset, [vi] is used
## Editing NFSv4 ACL for file: /mnt/testfile.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[6] Add ACE from a file.
# create ACL list

[root@node01 ~]#
vi acl.txt
A::fedora@srv.world:RX
A::redhat@srv.world:RWX

# add ACL from the file

[root@node01 ~]#
nfs4_setfacl -A acl.txt /mnt/testfile.txt
[root@node01 ~]#
nfs4_getfacl /mnt/testfile.txt


# file: /mnt/testfile.txt
D::OWNER@:x
A::OWNER@:rwatTcCy
A::1000:rxtcy
A::1001:rwaxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
[7] Replace the current ACL with a new one.
# create ACL list

[root@node01 ~]#
vi acl.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# replace ACL from the file

[root@node01 ~]#
nfs4_setfacl -S acl.txt /mnt/testfile.txt
[root@node01 ~]#
nfs4_getfacl /mnt/testfile.txt


# file: /mnt/testfile.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[8] Replace a specific ACE with a new one.
[root@node01 ~]#
nfs4_getfacl /mnt/testfile.txt


# file: /mnt/testfile.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# replace EVERYONE's ACE with read/execute

[root@node01 ~]#
nfs4_setfacl -m A::EVERYONE@:tcy A::EVERYONE@:RX /mnt/testfile.txt
[root@node01 ~]#
nfs4_getfacl /mnt/testfile.txt


# file: /mnt/testfile.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:rxtcy
A::EVERYONE@:rxtcy
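As an added example (not part of the original page, and not a tool shipped with nfs4-acl-tools), the script below ties the ACE table above to the nfs4_getfacl output shown in the steps: it splits each entry into type, flags, principal and permissions, expands the R/W/X aliases, names every permission letter, and rates each Allow entry from a reviewer's point of view. The sample ACL is constructed for the example rather than captured from a server, and the risk rules are an assumption of this example: any principal other than OWNER@ holding C (write ACL) or o (change ownership) is rated HIGH, and EVERYONE@ holding any write/append/delete permission is rated MEDIUM. Note that the W alias includes C, so granting EVERYONE@:RWX is rated HIGH by these rules.

```shell
#!/bin/sh
# Constructed sample of nfs4_getfacl output (not captured from a real server).
SAMPLE_ACL='# file: /mnt/share/report.txt
A::OWNER@:rwatTcCy
A:fdi:fedora@srv.world:rxtncy
A::redhat@srv.world:rwaxtcCy
A::GROUP@:tcy
A::EVERYONE@:rwatcy'

# Expand the nfs4_setfacl aliases (R = rntcy, W = watTNcCy, X = xtcy).
expand_perms() {
    printf '%s\n' "$1" | sed -e 's/R/rntcy/g' -e 's/W/watTNcCy/g' -e 's/X/xtcy/g'
}

# Name one permission letter. 'y' (synchronize) is not in the table above
# but appears in the aliases; its meaning is taken from nfs4_acl(5).
perm_name() {
    case $1 in
        r) echo "read-data/list-dir" ;;      w) echo "write-data/create-file" ;;
        a) echo "append-data/create-subdir" ;; x) echo "execute/change-dir" ;;
        d) echo "delete" ;;                  D) echo "delete-child" ;;
        t) echo "read-attrs" ;;              T) echo "write-attrs" ;;
        n) echo "read-named-attrs" ;;        N) echo "write-named-attrs" ;;
        c) echo "read-acl" ;;                C) echo "write-acl" ;;
        o) echo "write-owner" ;;             y) echo "synchronize" ;;
        *) echo "unknown($1)" ;;
    esac
}

# Render one ACE (type:flags:principal:perms) as a readable line.
decode_ace() {
    ace_type=${1%%:*}; rest=${1#*:}
    flags=${rest%%:*};  rest=${rest#*:}
    principal=${rest%%:*}
    perms=$(expand_perms "${rest#*:}")
    case $ace_type in A) kind=Allow ;; D) kind=Deny ;; *) kind=$ace_type ;; esac
    names=""; p=$perms
    while [ -n "$p" ]; do
        ch=${p%"${p#?}"}; p=${p#?}        # peel off the first character
        names="$names $(perm_name "$ch")"
    done
    printf '%s %s [flags:%s] %s:%s\n' "$kind" "$principal" "${flags:-none}" "$perms" "$names"
}

# Rate one ACE: HIGH, MEDIUM or NONE (rules are this example's assumption).
ace_risk() {
    ace_type=${1%%:*}; rest=${1#*:}
    rest=${rest#*:}                       # drop the flags field
    principal=${rest%%:*}
    perms=$(expand_perms "${rest#*:}")
    if [ "$ace_type" = "D" ] || [ "$principal" = "OWNER@" ]; then
        echo "NONE"; return 0             # Deny entries and the owner never widen exposure
    fi
    case $perms in
        *C*|*o*) echo "HIGH"; return 0 ;; # non-owner may rewrite the ACL or take ownership
    esac
    if [ "$principal" = "EVERYONE@" ]; then
        case $perms in
            *w*|*a*|*d*|*D*) echo "MEDIUM"; return 0 ;;   # everyone may modify or delete
        esac
    fi
    echo "NONE"
}

# Read nfs4_getfacl output on stdin, print a rated line per ACE and a summary.
audit_acl() {
    flagged=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and '# file:' header
        risk=$(ace_risk "$line")
        printf '%-7s %s\n' "$risk" "$(decode_ace "$line")"
        if [ "$risk" != "NONE" ]; then flagged=$((flagged + 1)); fi
    done
    echo "flagged=$flagged"
}

# Run against the constructed sample; on a real client pipe in: nfs4_getfacl /mnt/path | audit_acl
printf '%s\n' "$SAMPLE_ACL" | audit_acl
```

On a live client the same functions can consume `nfs4_getfacl` output directly, which makes it easy to walk a share and list every entry that hands write-ACL or ownership rights to someone other than the owner before a change is rolled out.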