This document shows you how to use the NFSv4 ACL permissions system. An ACL (access control list) is a list of permissions associated with a file or directory. These permissions allow you to restrict access to a certain file or directory by user or group. NFSv4 ACLs provide more specific options than the POSIX read/write/execute permissions used in most systems.

These commands are useful for managing ACLs in directories under /users/<project-code>.

Understanding NFSv4 ACL

This is an example of an NFSv4 ACL:

    A:::rxtncy
    A:::rxtncy
    A:::rxtncy
    A:::rxtncy

The following sections break down this example from left to right and describe further usage options.

ACE Type

The 'A' in the example is the ACE (access control entry) type. 'A' denotes "Allow", meaning this ACE allows the user or group to perform actions that require the listed permissions. Anything that is not explicitly allowed is denied by default.

Note: 'D' denotes a Deny ACE. While this is a valid option, it is not recommended: any permission that is not explicitly granted is automatically denied, so Deny ACEs are usually redundant and make the ACL harder to reason about.

ACE Flags

The above example could carry a distinction known as a flag, shown below:

    A:d::rxtncy

The 'd' used above is an inheritance flag. It makes the ACL set on this directory apply automatically to any new subdirectories. Inheritance flags only work on directories, not files. Multiple inheritance flags can be used in combination or omitted entirely. Examples of inheritance flags are listed below:
ACE Principal

The '' is a principal. The principal denotes the users or groups the ACE grants access to. Principals can be the following:

ACE Permissions

The 'rxtncy' are the permissions the ACE allows. Permissions can be used in combination with each other. A list of permissions and what they do can be found below:

Note: Aliases such as 'R', 'W', and 'X' can be used as permissions. These work similarly to POSIX Read/Write/Execute. More detail can be found below.
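As an added example, not from the original page: a small POSIX sh checker that validates an ACE string against the TYPE:FLAGS:PRINCIPAL:PERMS layout described above and expands the R/W/X aliases before the string is handed to nfs4_setfacl. The alias expansions (R = rntcy, W = watTNcCy, X = xtcy) and the accepted type, flag and permission letters are taken from nfs4_setfacl(1); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): validate an NFSv4 ACE string of the
# form TYPE:FLAGS:PRINCIPAL:PERMS before handing it to nfs4_setfacl, and expand
# the R/W/X aliases. Character sets and alias expansions follow nfs4_setfacl(1):
# R = rntcy, W = watTNcCy (plus D on directories), X = xtcy.

# Print PERMS with the R/W/X aliases expanded, each permission letter listed once.
ace_expand_perms() {
    perms=$1; out=''
    while [ -n "$perms" ]; do
        c=${perms%"${perms#?}"}; perms=${perms#?}     # pop the first character
        case $c in R) c=rntcy ;; W) c=watTNcCy ;; X) c=xtcy ;; esac
        while [ -n "$c" ]; do                          # "RX" becomes rntcyx, not rntcyxtcy
            b=${c%"${c#?}"}; c=${c#?}
            case $out in *"$b"*) ;; *) out=$out$b ;; esac
        done
    done
    printf '%s\n' "$out"
}

# Validate one ACE; optional $2 is the path it will be applied to. On success
# returns 0 and sets ACE_TYPE, ACE_FLAGS, ACE_PRINCIPAL and ACE_PERMS (expanded);
# otherwise prints the reason on stderr and returns 1.
ace_check() {
    target=$2
    old_ifs=$IFS; IFS=:; set -f
    set -- $1                      # split on ':' without glob expansion
    set +f; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "ace_check: expected TYPE:FLAGS:PRINCIPAL:PERMS" >&2; return 1; }
    case $1 in
        A|U|L) ;;
        D) echo "ace_check: note: Deny ACE; unlisted access is denied anyway" >&2 ;;
        *) echo "ace_check: unknown ACE type '$1'" >&2; return 1 ;;
    esac
    case $2 in *[!dfnigSF]*) echo "ace_check: unknown flag in '$2'" >&2; return 1 ;; esac
    [ -n "$3" ] || { echo "ace_check: principal must not be empty" >&2; return 1; }
    case $4 in
        '') echo "ace_check: permissions must not be empty" >&2; return 1 ;;
        *[!rwaxdDtTnNcCoyRWX]*) echo "ace_check: unknown permission in '$4'" >&2; return 1 ;;
    esac
    # Inheritance flags (d, f, n, i) only take effect on directories.
    if [ -e "$target" ] && [ ! -d "$target" ]; then
        case $2 in *[dfni]*) echo "ace_check: inheritance flag on non-directory $target" >&2; return 1 ;; esac
    fi
    ACE_TYPE=$1; ACE_FLAGS=$2; ACE_PRINCIPAL=$3; ACE_PERMS=$(ace_expand_perms "$4")
}
```

Run `ace_check 'A:dfg:sharegroup@osc.edu:RX' ~/share_group && nfs4_setfacl -R -a "$ACE_TYPE:$ACE_FLAGS:$ACE_PRINCIPAL:$ACE_PERMS" ~/share_group` (sharegroup is a constructed name) to apply an entry only after it passes the check.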
Using NFSv4 ACL

This section shows you how to set, modify, and view ACLs.

Set and Modify ACLs

To set an ACE, use this command:

    nfs4_setfacl [OPTIONS] COMMAND file

To modify an ACE, use this command:

    nfs4_editfacl [OPTIONS] file

where file is the name of your file or directory. More information on options and commands can be found below.

Commands

Commands are only used when first setting an ACE. Commands and their uses are listed below.

Options

Options can be used in combination or omitted entirely. A list of options is shown below:
View ACLs

To view ACLs, use the following command:

    nfs4_getfacl file

where file is your file or directory.

Use cases

Create a share folder for a specific group

First, make the top level of your home directory executable for the group:

    nfs4_setfacl -a A:g:<group>@osc.edu:X $HOME

We make $HOME only executable so that the group can only traverse to the share folder created in the next steps, without being able to view the other folders in your home directory. Executable access lets a user or group enter that directory but not read its contents.

Next, create a new folder to store shared data:

    mkdir share_group

Move any existing data that should be shared into this folder:

    mv <src> ~/share_group

Apply the ACL to all current files and directories under ~/share_group, and set inheritance so that new files created there automatically receive the proper group permissions:

    nfs4_setfacl -R -a A:dfg:<group>@osc.edu:RX ~/share_group

Using an ACL file

One can also write the ACL to a single file and then apply that file, which avoids duplicate entries and keeps the ACL entries consistent.

    $ cat << EOF > ~/group_acl.txt
    A:fdg::rxtncy
    A::OWNER@:rwaDxtTnNcCy
    A:g:GROUP@:tcy
    A::EVERYONE@:rxtncy
    EOF
    $ nfs4_setfacl -R -S ~/group_acl.txt ~/share_group

Remember that any existing data moved into the share folder retains its original permissions/ACL.

Share data in your home directory with other users

Assume that you want to share a directory (e.g. data) and its files and subdirectories, but it is not readable by other users:

    > ls -ld /users/PAA1234/john/data
    drwxr-x--- 3 john PAA1234 4096 Nov 21 11:59 /users/PAA1234/john/data

Like before, allow the user execute permission on $HOME:

    > nfs4_setfacl -a A:::X $HOME

Set an ACL on the directory 'data' to allow a specific user access:

    > cd /users/PAA1234/john
    > nfs4_setfacl -R -a A:df::RX data

or to allow a specific group access:

    > cd /users/PAA1234/john
    > nfs4_setfacl -R -a A:dfg::RX data

You can repeat the above commands to add more users or groups.
Share entire home dir with a group

Sometimes one wishes to share their entire home directory with a particular group. Care should be taken to share only folders with data and not any hidden directories. Some folders in a home directory should keep permissions that allow only the user who owns them to read them. An example is the

Use the command below to assign group read permissions to non-hidden directories only (the path is qualified with $HOME so the loop works from any current directory):

    for dir in $(ls $HOME); do nfs4_setfacl -R -a A:dfg:<group>@osc.edu:RX "$HOME/$dir"; done

After sharing an entire home directory with a group, you can still create a single share folder with the previous instructions to share different data with a different group only. So, all non-hidden directories in your home directory would be readable by group_a, but a new folder named 'group_b_share' can be created and its ACL altered to share its contents only with group_b.

Please contact if there are any questions.