- NFS 4 ACL Tool
It is possible to set ACLs on an NFSv4 filesystem by installing the NFS 4 ACL tools.
Usage is mostly the same as the POSIX ACL tools.
[1] Install the NFS 4 ACL tools on NFS clients that mount an NFS share with NFSv4.
root@client:~# apt -y install nfs4-acl-tools
[2] This example shows usage on the following environment.
root@client:~# df -hT /mnt
Filesystem Type Size Used Avail Use% Mounted on
nfs.srv.local:/var/lib/nfs/share nfs4 71G 1.3G 70G 2% /mnt
root@client:~# ll /mnt
total 4
drwx------. 2 root root 26 Oct 22 19:12 testdir
-rwx------. 1 root root 10 Oct 22 19:11 test.txt
[3] Show ACL of a file or directory on NFSv4 filesystem.
root@client:~# nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
root@client:~# nfs4_getfacl /mnt/testdir
# file: /mnt/testdir
A::OWNER@:rwaDxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
# each entry is read as follows
# ACE = Access Control Entry
# (ACE Type):(ACE Flags):(ACE Principal):(ACE Permissions)
Description of each field

ACE Type
A | Allow : the entry grants the listed accesses.
D | Deny : the entry denies the listed accesses.

ACE Flags
d | Directory-Inherit : new sub-directories inherit the same ACE.
f | File-Inherit : new files inherit the same ACE, but without the inheritance flags.
n | No-Propagate-Inherit : new sub-directories inherit the same ACE, but without the inheritance flags.
i | Inherit-Only : new files/sub-directories inherit the ACE, but it does not apply to this directory itself.

ACE Principal
(USER)@(NFSDomain) | Ordinary user. [NFSDomain] is simply the domain name set as the [Domain] value in [idmapd.conf].
(GROUP)@(NFSDomain) | Ordinary group. For a group, also set the [g] flag, like this ⇒ A:g:GROUP@NFSDomain:rxtncy
OWNER@ | Special principal : the owner
GROUP@ | Special principal : the owning group
EVERYONE@ | Special principal : everyone

ACE Permissions
r | Read data of files / List files in a directory
w | Write data to files / Create new files in a directory
a | Append data to files / Create new sub-directories
x | Execute files / Traverse (change into) a directory
d | Delete files or directories
D | Delete files or sub-directories under the directory
t | Read attributes of files or directories
T | Write attributes of files or directories
n | Read named attributes of files or directories
N | Write named attributes of files or directories
c | Read the ACL of files or directories
C | Write the ACL of files or directories
o | Change ownership of files or directories

ACE Permission Aliases | With nfs4_setfacl, an alias can be used in place of a set of ACE Permissions
R | R = rntcy : Generic Read
W | W = watTNcCy : Generic Write
X | X = xtcy : Generic Execute
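As an added example (not from the original page or the nfs4-acl-tools project), the small Python parser below reads nfs4_getfacl output in the Type:Flags:Principal:Permissions form described above, expands the R/W/X aliases from the table, and flags allow-entries that hand EVERYONE@ write-like rights, which is the least-privilege check a reviewer wants before a share goes live. The sample ACL is constructed from the page's test.txt entries with EVERYONE@ widened to RWX.

```python
# Added example (not part of the original page): parse nfs4_getfacl output,
# expand the R/W/X aliases from the table above, and flag allow-ACEs that
# give EVERYONE@ write-like rights. Standard library only, runs offline.
from dataclasses import dataclass

ALIASES = {"R": "rntcy", "W": "watTNcCy", "X": "xtcy"}  # from the table
WRITE_LIKE = set("wadDTNCo")   # change data, attributes, ACL or ownership
BROAD = {"EVERYONE@"}          # principals that match every caller

@dataclass(frozen=True)
class Ace:
    kind: str       # "A" allow or "D" deny
    flags: str      # inheritance flags, "" for a plain entry
    principal: str  # OWNER@/GROUP@/EVERYONE@, user@domain or numeric id
    perms: str      # expanded single-letter permissions

def expand_perms(perms: str) -> str:
    """Replace aliases with their letters, keeping first-seen order."""
    out: list[str] = []
    for ch in perms:
        for p in ALIASES.get(ch, ch):
            if p not in out:
                out.append(p)
    return "".join(out)

def parse_ace(line: str) -> Ace:
    """Parse one 'Type:Flags:Principal:Perms' line."""
    kind, flags, principal, perms = line.strip().split(":", 3)
    if kind not in ("A", "D"):
        raise ValueError(f"unknown ACE type {kind!r}: {line!r}")
    return Ace(kind, flags, principal, expand_perms(perms))

def parse_getfacl(text: str) -> list[Ace]:
    """Parse nfs4_getfacl output; lines starting with '#' are comments."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def audit(aces: list[Ace]) -> list[str]:
    """ACEs apply in order, so a deny that precedes an allow wins. This
    simplification only tracks denies for the identical principal string."""
    denied: set[tuple[str, str]] = set()
    findings: list[str] = []
    for ace in aces:
        if ace.kind == "D":
            denied |= {(ace.principal, p) for p in ace.perms}
        elif ace.principal in BROAD:
            risky = sorted(p for p in ace.perms
                           if p in WRITE_LIKE and (ace.principal, p) not in denied)
            if risky:
                findings.append(f"{ace.principal} allowed {''.join(risky)}")
    return findings

# Constructed sample: the page's test.txt ACL with EVERYONE@ widened to RWX
SAMPLE = "# file: /mnt/test.txt\nA::OWNER@:rwaxtTcCy\nA::GROUP@:tcy\nA::EVERYONE@:RWX\n"
```

Feed it real output with `audit(parse_getfacl(subprocess.check_output(["nfs4_getfacl", path], text=True)))` on a client that has the share mounted.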
[4] Add or Delete ACE.
root@client:~# ll /mnt
total 4
drwx------. 2 root root 26 Oct 22 19:12 testdir
-rwx------. 1 root root 10 Oct 22 19:11 test.txt
root@client:~# nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
# add generic read/execute for [ubuntu] user to [/mnt/test.txt] file
root@client:~# nfs4_setfacl -a A::ubuntu@srv.local:rxtncy /mnt/test.txt
root@client:~# nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::1000:rxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
# verify with [ubuntu] user
ubuntu@client:~$ ll /mnt
total 4
drwx------. 2 root root 26 Oct 22 10:12 testdir
-rwxr-x---. 1 root root 10 Oct 22 10:11 test.txt
ubuntu@client:~$ cat /mnt/test.txt
test file
# delete generic read/execute for [ubuntu] user from [/mnt/test.txt] file
root@client:~# nfs4_setfacl -x A::1000:rxtcy /mnt/test.txt
root@client:~# nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[5] Edit ACL directly.
root@client:~# nfs4_setfacl -e /mnt/test.txt
# opens the editor set in $EDITOR (if unset, the default is [vi])
## Editing NFSv4 ACL for file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[6] Add ACE from a file.
# create ACL list
root@client:~# vi acl.txt
A::ubuntu@srv.local:RX
A::debian@srv.local:RWX
# add ACL from the file
root@client:~# nfs4_setfacl -A acl.txt /mnt/test.txt
root@client:~# nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::1000:rxtcy
A::1001:rwaxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
[7] Replace the current ACL with a new ACL.
# create ACL list
root@client:~# vi acl.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
# replace ACL from the file
root@client:~# nfs4_setfacl -S acl.txt /mnt/test.txt
root@client:~# nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[8] Replace a specific ACE with a new ACE.
root@client:~# nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
# replace the EVERYONE@ ACE with generic read/execute
root@client:~# nfs4_setfacl -m A::EVERYONE@:tcy A::EVERYONE@:RX /mnt/test.txt
root@client:~# nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:rxtcy
A::EVERYONE@:rxtcy