
Projects: NFS Version 4 Open Source Reference Implementation

Using NFSv4 ACL

You should already have followed the directions on the "Using NFSv4" page and the pages preceding it (note that krb5 is optional).

  • Make sure that your server supports ACLs (if you are exporting ext3 from a Linux server, make sure that the exported filesystem is mounted on the server with the "acl" option).
  • On the client, unpack the nfs4-acl-tools tarball, build, and install:
    tar -xzvf nfs4-acl-tools-xxx.tar.gz
    cd nfs4-acl-tools/
    ./configure && make && make install
    
  • To read an ACL, use nfs4_getfacl on a file in an NFSv4-mounted directory:
    nfs4_getfacl /mnt/nfsv4/my-file.txt
    
  • To modify an ACL, use nfs4_setfacl:
    nfs4_setfacl -e /mnt/nfsv4/my-file.txt
    
    which lets you edit the ACL in a text editor; edit the ACL and save the result, and the modified ACL will be set on the file when you exit.

Note that NFSv4 ACLs are more fine-grained than the POSIX ACLs supported by local Linux filesystems. You can type "nfs4_getfacl" to get a list of what all the mask bits mean.

Linux servers, and Solaris servers exporting UFS (as opposed to the newer ZFS), support only a subset of NFSv4 ACLs corresponding to POSIX ACLs. Newer Linux servers will accept any NFSv4 ACL and automatically convert it to a (possibly more restrictive) POSIX ACL, but Solaris and older Linux servers may reject the ACL outright.
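Because a server may store a narrower ACL than the one it was given, it is worth reading the ACL back and comparing. The script below is an added example, not part of the CITI tools: the function name dropped_bits, the demo helper and the sample ACLs are constructed, and it compares only ALLOW entries, matched by flags and principal.

```sh
#!/bin/sh
# Added example (not CITI code): list permission bits that were requested in
# an NFSv4 ACL but are absent from the ACL read back from the server.
# ACE text format: type:flags:principal:permissions

# dropped_bits REQUESTED_FILE APPLIED_FILE
# Prints "principal bits" for each ALLOW entry that lost bits, else nothing.
dropped_bits() {
    awk -F: '
        $1 != "A" { next }           # skips comments, blanks and non-ALLOW ACEs
        {
            key = $2 ":" $3          # flags + principal identify an entry
            if (FNR == NR) {         # first file: what was requested
                if (!(key in want)) order[++n] = key
                want[key] = want[key] $4
            } else {                 # second file: what the server stored
                got[key] = got[key] $4
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                key = order[i]; lost = ""
                for (j = 1; j <= length(want[key]); j++) {
                    bit = substr(want[key], j, 1)
                    if (!index(got[key], bit) && !index(lost, bit)) lost = lost bit
                }
                if (lost != "") { split(key, p, ":"); print p[2], lost }
            }
        }' "$1" "$2"
}

# Constructed sample ACLs: the "applied" one has lost the d (delete) bit.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'A::OWNER@:rwatTcCy' 'A::alice@example.com:rwadtcy' \
        'A:g:GROUP@:rtcy' 'A::EVERYONE@:rtcy' > "$tmp/requested"
    printf '%s\n' '# file: constructed' 'A::OWNER@:rwatTcCy' \
        'A::alice@example.com:rwatcy' 'A:g:GROUP@:rtcy' 'A::EVERYONE@:rtcy' > "$tmp/applied"
    dropped_bits "$tmp/requested" "$tmp/applied"
    rm -rf "$tmp"
}
demo
```

On a live mount, the second file is the output of nfs4_getfacl captured after the ACL was set.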

To help with such servers, and to provide a POSIX ACL interface for those more familiar with it, we also provide patches to the POSIX ACL tools which can set and get "POSIX" ACLs by transparently translating them to and from NFSv4 ACLs.

NFSv4-aware POSIX ACL tools

The POSIX<->NFSv4 translation performed by these patches is complex, so we recommend using the native NFSv4 ACL tools described above, unless (for the reasons described above) you are sure you need NFSv4-aware versions of the POSIX ACL tools:

  • On the client, unpack the acl tarball, apply our patches, build, and install:
    tar -xzvf acl_xxx.tar.gz
    cd acl-xxx/
    patch -p1 <../acl-xxxx-CITI_NFS4_ALL-x.dif
    ./configure && make && make install && make install-lib
    
  • To read an ACL, use getfacl on a file in an NFSv4-mounted directory:
    getfacl /mnt/nfsv4/my-file.txt
    
  • To modify an ACL, use setfacl:
    setfacl -m u:bfields:rwx /mnt/nfsv4/my-file.txt
    

See the getfacl and setfacl man pages for more documentation. Note that these utilities do not provide access to the underlying NFSv4 ACLs; instead, they translate between NFSv4 ACLs and the more coarse-grained Linux-native "POSIX" ACLs, using a mapping described in this internet draft.

Direct access to underlying NFSv4 ACLs is provided by the nfs4_getfacl and nfs4_setfacl commands described in the previous section.

Copyright © 1996-2013
The Regents of the University of Michigan