NFS ACL

I’m trying to set up ACLs between an exported NFS4 directory and an openSUSE client.
The exported file system is ext4, and I can set ACLs from the server using setfacl etc., but the ACL is not visible from the client; it only shows the normal file permission bits.
Additionally, using setfacl on the client fails with “Operation not supported” for anything more complex than the normal file permission bits.
chmod and chown work as normal, and setfacl on the client works on non-NFS directories.

I’m struggling to find documentation on the internet that’s more recent than 2008, but some of that suggests that ACLs are not possible over NFS. Although some of that documentation also states that ext4 does not support ACLs, which would not seem to be correct…

Any help would be appreciated

Nemeth et al. (2011) Unix and Linux System Administration discuss this topic.

One possibility: ‘The NFS ACL is kept in xtab which can be modified using exportfs. Whenever /etc/exports is modified, exportfs -a must be run to update xtab.’ - but this comes from a section on NFS3.

Another: ‘In deciding whether a particular user has permission for an action NFSv4 reads all the ACEs and denies permission if there is no clear permission for the action.’

As far as I can see NFS4 allows finer grained access control (but I have no experience of using it).

From scanning the NFS manual (which is pretty hefty, just saying), the ACL used in NFS3 is different from the implementation in NFS4.

As I understand it, NFS3 uses normal POSIX ACLs, while NFS4 uses its own specification, which is slightly different and requires mapping to POSIX.
That being said, the manual says nothing about tools for modifying ACLs, and setfacl doesn’t seem to work on my NFS3 either.

> One possibility: ‘The NFS ACL is kept in xtab which can be modified using exportfs. Whenever /etc/exports is modified, exportfs -a must be run to update xtab.’

I normally use exportfs -ra anyway to update exports, but thanks for the suggestion.

Still more or less at a loss…

I don’t profess to know much about this, but AFAIU (and you may already be aware), you need to use the nfs4-acl-tools package to implement

Then the man pages
man nfs4_acl
man nfs4_editfacl
man nfs4_getfacl
man nfs4_setfacl

Looks like a minefield to me :)

> I don’t profess to know much about this, but AFAIU (and you may already be aware), you need to use the nfs4-acl-tools package to implement

Ah yes…I’ll just grab those…

Thanks, the nfs4 tools work great. Their syntax is a little bit different from setfacl’s, but they do more or less the same thing.

The only oddity I’ve found so far is that recursive operations fail when using the d or f inheritance flags, because nfs4_setfacl tries to apply them to files as well as directories, which obviously doesn’t make sense.

so

nfs4_setfacl -R -s A:df:OWNER@:RWX,A:dfg:GROUP@:RWX,A:df:EVERYONE@:RX /directory

You would expect this to allow the owner and group read, write and execute permissions and others only read and execute, applied to all directories and files under (and including) /directory, so that newly created files also have the same permissions.

This fails with:
Failed setxattr operation: Input/output error
An error occurred during recursive file tree walk.

This happens if there is a file anywhere under /directory.

Any help?
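The posts above describe the two practical points about nfs4_setfacl: its ACE spec syntax differs from setfacl's, and a recursive set with the d/f inheritance flags dies with EIO as soon as the walk reaches a regular file. The following shell script is an added example, not code from this thread or from the nfs4-acl-tools project. It sidesteps the -R failure by walking the tree itself: directories get the spec exactly as given, regular files get a copy with the d and f flags stripped. The script assumes a POSIX sh with find(1) and tr(1), and that nfs4_setfacl is on PATH; DRY_RUN=1 prints the commands instead of running them. It also assumes, from the poster's observation, that the server rejects inheritance flags on files, which is why it never sends them there.

```shell
#!/bin/sh
# Added example (not from the thread or nfs4-acl-tools): apply an NFSv4 ACL to
# a directory tree without nfs4_setfacl -R, so inheritance flags (d, f) only
# ever reach directories. Assumptions: POSIX sh, find(1), tr(1), nfs4_setfacl
# on PATH. Set DRY_RUN=1 to print the commands instead of executing them.

# Remove the d and f inheritance flags from every ACE of a comma-separated
# nfs4_setfacl spec. An ACE is type:flags:principal:permissions, so only the
# second field is touched; an empty flags field is valid nfs4_setfacl syntax.
#   A:df:OWNER@:RWX,A:dfg:GROUP@:RWX  ->  A::OWNER@:RWX,A:g:GROUP@:RWX
strip_inherit_flags() (
    IFS=,
    out=''
    for ace in $1; do
        [ -n "$ace" ] || continue
        type=${ace%%:*}
        rest=${ace#*:}
        flags=${rest%%:*}
        rest=${rest#*:}
        principal=${rest%%:*}
        perms=${rest#*:}
        flags=$(printf '%s' "$flags" | tr -d 'df')
        out="${out:+$out,}$type:$flags:$principal:$perms"
    done
    printf '%s\n' "$out"
)

# Execute a command, or just print it when DRY_RUN is set.
run_cmd() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Set SPEC (with -s, i.e. replacing the existing ACL) on ROOT and everything
# below it: directories, ROOT included, get the spec as given; regular files
# get it with the inheritance flags stripped. Symlinks and special files are
# skipped. Paths containing newlines are not handled by the read loop.
apply_acl_tree() {
    _root=$1
    _spec=$2
    _file_spec=$(strip_inherit_flags "$_spec")
    find "$_root" -type d -print | while IFS= read -r _p; do
        run_cmd nfs4_setfacl -s "$_spec" "$_p" || exit 1
    done || return 1
    find "$_root" -type f -print | while IFS= read -r _p; do
        run_cmd nfs4_setfacl -s "$_file_spec" "$_p" || exit 1
    done || return 1
}

# Usage (the spec is the one from the post above):
#   sh nfs4_acl_tree.sh /directory 'A:df:OWNER@:RWX,A:dfg:GROUP@:RWX,A:df:EVERYONE@:RX'
if [ $# -eq 2 ]; then
    apply_acl_tree "$1" "$2"
fi
```

Because -s replaces the whole ACL on each object, the spec must be complete on its own; to add entries to an existing ACL instead, the same split applies with nfs4_setfacl -a. Run it once with DRY_RUN=1 against the real tree first and read the command list, since a wrong spec applied with -s removes whatever ACL was there before.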

captain alge wrote:
> nfs4_setfacl -R -s A:df:OWNER@:RWX,A:dfg:GROUP@:RWX,A:df:EVERYONE@:RX
> /directory
> You would expect this to allow the owner and group read, write and execute
> permissions and others only read and execute, applied to all directories
> and files under (and including) /directory, so that newly created files
> also have the same permissions
>
> This fails with:
> Failed setxattr operation: Input/output error
> An error occurred during recursive file tree walk.
>
> If there is a file anywhere under /directory
>
> Any help?

Perhaps “Please send bug reports, feature requests, and comments to
<nfsv4@linux-nfs.org>.”?

Mail to nfsv4@linux-nfs.org bounces; I’ve tried linux-nfs@vger.kernel.org instead, which I believe is now the correct address.

captain alge wrote:
> Mail to nfsv4@linux-nfs.org bounces,

Ah, OK. I was just quoting a man page that hasn’t caught up :)

> I’ve tried linux-nfs@vger.kernel.org instead which I believe is the
> now correct email

I hope you find an answer there. At least your post made it to the list.

Cheers, Dave