
Thread: NFS ACL

  1. #1

    Default NFS ACL

    I'm trying to set up ACL between an exported NFS4 directory and an openSUSE client.
    The exported file system is ext4, and I can set ACL from the server using setfacl etc., but the ACL is not visible from the client; it only shows normal file permission bits.
    Additionally, using setfacl on the client fails with "Operation not supported" for anything more complex than normal file permission bits.
    chmod and chown work as normal, and setfacl on the client functions on non-NFS directories.

    I'm struggling to find documentation on the internet that's more recent than 2008, but some of that suggests that ACL are not possible over NFS. Although some of that documentation also states that ext4 does not support ACL, which would not seem to be correct...

    Any help would be appreciated

  2. #2

    Default Re: NFS ACL

    Nemeth et al. (2011) Unix and Linux System Administration discuss this topic.

    One possibility: ‘The NFS ACL is kept in xtab which can be modified using exportfs. Whenever /etc/exports is modified, exportfs -a must be run to update xtab.’ - but this comes from a section on NFS3.

    Another: ‘In deciding whether a particular user has permission for an action NFSv4 reads all the ACEs and denies permission if there is no clear permission for the action.’

    As far as I can see NFS4 allows finer grained access control (but I have no experience of using it).

  3. #3

    Default Re: NFS ACL

    From scanning the NFS manual (which is pretty hefty, just saying) the ACL used in NFS3 is different to the implementation in NFS4

    As I understand it, NFS3 uses normal POSIX ACL while NFS4 uses its own specification which is slightly different and requires mapping to POSIX
    That being said, the manual says nothing about tools for modifying ACLs, and setfacl doesn't seem to work on my NFS3 either

    > One possibility: ‘The NFS ACL is kept in xtab which can be modified using exportfs. Whenever /etc/exports is modified, exportfs -a must be run to update xtab.’

    I normally use exportfs -ra anyway to update exports, but thanks for the suggestion

    Still more or less at a loss...

  4. #4

    Default Re: NFS ACL

    I don't profess to know much about this, but AFAIU (and you may already be aware), you need to use the nfs4-acl-tools package to implement

    Then the man pages
    man nfs4_acl
    man nfs4_editfacl
    man nfs4_getfacl
    man nfs4_setfacl

    Looks like a minefield to me

  5. #5

    Default Re: NFS ACL

    > I don't profess to know much about this, but AFAIU (and you may already be aware), you need to use the nfs4-acl-tools package to implement

    Ah yes...I'll just grab those...

    Thanks, the nfs4 tools work great. Their syntax is a little bit different to setfacl but they do more or less the same thing

    Only oddity I've found so far is that recursive operations fail when using the d or f inheritance flags because nfs4_setfacl tries to apply them to files as well as directories, which obviously doesn't make sense.

    so
    Code:
    nfs4_setfacl -R -s A:df:OWNER@:RWX,A:dfg:GROUP@:RWX,A:df:EVERYONE@:RX /directory
    You would expect to allow the owner and group read, write and execute permissions and others only read and execute, applied to all directories and files under (and including) /directory, so that newly created files also have the same permissions

    This fails with:
    Failed setxattr operation: Input/output error
    An error occurred during recursive file tree walk.

    If there is a file anywhere under /directory

    Any help?
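
Added example (not part of the original thread, and not code from nfs4-acl-tools): one way around the recursive failure described in post #5 is to set the inheritable ACL on directories only and a copy with the inheritance flags stripped on regular files. The function names and the NFS4_SETFACL override are assumptions made for this sketch; the ACL string is the one from the post.

```sh
#!/bin/sh
# Added example: recursive NFSv4 ACLs without sending inheritance flags to files.
# Inheritable ACL from the post (d = directory-inherit, f = file-inherit).
DIR_ACL='A:df:OWNER@:RWX,A:dfg:GROUP@:RWX,A:df:EVERYONE@:RX'

# Derive the ACL a regular file should carry from a directory ACL.
# ACE layout is type:flags:principal:permissions.
file_acl_from_dir_acl() (
    IFS=,          # split the spec on commas (the subshell keeps this local)
    set -f         # no globbing while splitting
    out=
    for ace in $1; do
        type=${ace%%:*}; rest=${ace#*:}
        flags=${rest%%:*}; rest=${rest#*:}
        case $flags in
            *f*) ;;                 # file-inherit: files receive this ACE
            *[di]*) continue ;;     # directory-only inheritance: skip for files
        esac
        # Inheritance flags (d, f, n, i) are only meaningful on directories.
        flags=$(printf '%s' "$flags" | tr -d dfni)
        out="${out:+$out,}$type:$flags:$rest"
    done
    printf '%s\n' "$out"
)

# Set dir_acl on every directory and the derived ACL on every regular file.
# NFS4_SETFACL is an override invented for this example ("echo" gives a dry run).
apply_nfs4_acl_tree() (
    root=$1 dir_acl=$2
    file_acl=$(file_acl_from_dir_acl "$dir_acl")
    cmd=${NFS4_SETFACL:-nfs4_setfacl}
    find "$root" -xdev -type d -exec "$cmd" -s "$dir_acl" {} + || exit 1
    [ -z "$file_acl" ] && exit 0    # nothing in the ACL applies to files
    find "$root" -xdev -type f -exec "$cmd" -s "$file_acl" {} +
)

# Usage on an NFSv4 mount: apply_nfs4_acl_tree /directory "$DIR_ACL"
```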

  6. #6

    Default Re: NFS ACL

    captain alge wrote:
    > nfs4_setfacl -R -s A:df:OWNER@:RWX,A:dfg:GROUP@:RWX,A:df:EVERYONE@:RX
    > /directory
    > You would expect to allow the owner and group read, write and execute
    > permissions and others only read and execute, applied to all directories
    > and files under (and including) /directory, so that newly created files
    > also have the same permissions
    >
    > This fails with:
    > Failed setxattr operation: Input/output error
    > An error occurred during recursive file tree walk.
    >
    > If there is a file anywhere under /directory
    >
    > Any help?


    Perhaps "Please send bug reports, feature requests, and comments to
    <nfsv4@linux-nfs.org>."?

  7. #7

    Default Re: NFS ACL

    Mail to nfsv4@linux-nfs.org bounces, I've tried linux-nfs@vger.kernel.org instead which I believe is the now correct email

  8. #8

    Default Re: NFS ACL

    captain alge wrote:
    > Mail to nfsv4@linux-nfs.org bounces,


    Ah, OK. I was just quoting a man page that hasn't caught up

    > I've tried linux-nfs@vger.kernel.org instead which I believe is the
    > now correct email


    I hope you find an answer there. At least your post made it to the list.

    Cheers, Dave
