This document shows you how to use the NFSv4 ACL permissions system. An ACL (access control list) is a list of permissions associated with a file or directory. These permissions allow you to restrict access to a certian file or directory by user or group. NFSv4 ACLs provide more specific options than typical POSIX read/write/execute permissions used in most systems.
These commands are useful for managing ACLs in the dir locations of /users/<project-code>.
Understanding NFSv4 ACL
This is an example of an NFSv4 ACL
The following sections will break down this example from left to right and provide more usage options
The 'A' in the example is known as the ACE (access control entry) type. The 'A' denotes "Allow" meaning this ACL is allowing the user or group to perform actions requiring permissions. Anything that is not explicitly allowed is denied by default.
The above example could have a distinction known as a flag shown below
The 'd' used above is called an inheritence flag. This makes it so the ACL set on this directory will be automatically established on any new subdirectories. Inheritence flags only work on directories and not files. Multiple inheritence flags can be used in combonation or omitted entirely. Examples of inheritence flags are listed below:
|d||directory-inherit||New subdirectories will have the same ACE|
|f||file-inherit||New files will have the same ACE minus the inheritence flags|
|n||no-propogate inherit||New subdirectories will inherit the ACE minus the inheritence flags|
|i||inherit-only||New files and subdirectories will have this ACE but the ACE for the directory with the flag is null|
The 'firstname.lastname@example.org' is a principal. The principle denotes the people the ACL is allowing access to. Principals can be the following:
- A named user
- Example: email@example.com
- Special principals
- A group
- Note: When the principal is a group, you need to add a group flag, 'g', as shown in the below example
The 'rxtncy' are the permissions the ACE is allowing. Permissions can be used in combonation with each other. A list of permissions and what they do can be found below:
|r||read-data (files) / list-directory (directories)|
|w||write-data (files) / create-file (directories)|
|a||append-data (files) / create-subdirectory (directories)|
|x||execute (files) / change-directory (directories)|
|d||delete the file/directory|
|D||delete-child : remove a file or subdirectory from the given directory (directories only)|
|t||read the attributes of the file/directory|
|T||write the attribute of the file/directory|
|n||read the named attributes of the file/directory|
|N||write the named attributes of the file/directory|
|c||read the file/directory ACL|
|C||write the file/directory ACL|
|o||change ownership of the file/directory|
Note: Aliases such as 'R', 'W', and 'X' can be used as permissions. These work simlarly to POSIX Read/Write/Execute. More detail can be found below.
|W||Write||watTNcCy (with D added to directory ACE's|
Using NFSv4 ACL
This section will show you how to set, modify, and view ACLs
Set and Modify ACLs
To set an ACE use this command:
nfs4_setfacl [OPTIONS] COMMAND file
To modify an ACE, use this command:
nfs4_editfacl [OPTIONS] file
Where file is the name of your file or directory. More information on Options and Commands can be found below.
Commands are only used when first setting an ACE. Commands and their uses are listed below.
|-a acl_spec [index]||add ACL entries in acl_spec at index (DEFAULT: 1)|
|-x acl_spec | index||remove ACL entries or entry-at-index from ACL|
|-A file [index]||read ACL entries to add from file|
|-X file||read ACL entries to remove from file|
|-s acl_spec||set ACL to acl_spec (replaces existing ACL)|
|-S file||read ACL entries to set from file|
|-m from_ace to_ace||modify in-place: replace 'from_ace' with 'to_ace'|
Options can be used in combination or ommitted entirely. A list of options is shown below:
|-R||recursive||Applies ACE to a directory's files and subdirectories|
|-L||logical||Used with -R, follows symbolic links|
|-P||physical||Used with -R, skips symbolic links
To view ACLs, use the following command:
Where file is your file or directory
Create a share folder for a specific group
First, make the top-level of home dir group executable.
nfs4_setfacl -a A:g:<group>@osc.edu:X $HOME
Next create a new folder to store shared data
Move all data to be shared that already exists to this folder
mv <src> ~/share_group
Apply the acl for all current files and dirs under ~/share_group, and set acl so that new files created there will automatically have proper group permissions
nfs4_setfacl -R -a A:dfg:<group>@osc.edu:RX ~/share_group
using an acl file
One can also specify the acl to be used in a single file, then apply that acl to avoid duplicate entries and keep the acl entries consistent.
$ cat << EOF > ~/group_acl.txt A:fdg:firstname.lastname@example.org:rxtncy A::OWNER@:rwaDxtTnNcCy A:g:GROUP@:tcy A::EVERYONE@:rxtncy EOF $ nfs4_setfacl -R -S ~/group_acl.txt ~/share_group
That data will need to be set with a new acl manually to allow group read permissions.
Share data in your home directory with other users
Assume that you want to share a directory (e.g data) and its files and subdirectories, but it is not readable by other users,
> ls -ld /users/PAA1234/john/data drwxr-x--- 3 john PAA1234 4096 Nov 21 11:59 /users/PAA1234/john/data
Like before, allow the user execute permissions to $HOME.
> nfs4_setfacl -a A::email@example.com:X $HOME
set an ACL to the directory 'data' to allow specific user access:
> cd /users/PAA1234/john > nfs4_setfacl -R -a A:df:firstname.lastname@example.org:RX data
or to to allow a specific group access:
> cd /users/PAA1234/john > nfs4_setfacl -R -a A:dfg:email@example.com:RX data
You can repeat the above commands to add more users or groups.
Share entire home dir with a group
Sometimes one wishes to share their entire home dir with a particular group. Care should be taken to only share folders with data and not any hidden dirs.
~/.sshdir, which should always have read permissions only for the user that owns it.
Use the below command to only assign group read permissions only non-hidden dirs.
for dir in $(ls $HOME); do nfs4_setfacl -R -a A:dfg:<group>@osc.edu:RX $dir; done
After sharing an entire home dir with a group, you can still create a single share folder with the previous instructions to share different data with a different group only. So, all non-hidden dirs in your home dir would be readable by group_a, but a new folder named 'group_b_share' can be created and its acl altered to only share its contents with group_b.
Please contact firstname.lastname@example.org if there are any questions.