Native NFSv4 ACLs on Linux

This page hosts an implementation of NFSv4 ACLs on ext3 filesystems. Please note that this page is slightly outdated, and the code behaves differently in some ways nowadays.

The NFSv4 ACL model is close to the CIFS ACL model, so supporting NFSv4 ACLs natively provides full ACL support for NFSv4 and allows Samba to support CIFS ACLs much better. At the same time, the full POSIX semantics are preserved. This implementation allows Linux to be used as a very capable multi-protocol file server that avoids many of the interoperability problems of other solutions.

Download

The kernel patches are against a 2.6.25-ish kernel.

The current user-space tarball which includes the nfs4acl utility and a few test cases is also available here. (Please apply the kernel patches in the order given in the series file.)

License

The kernel patches and nfs4acl user-space utility are licensed under the GNU General Public License Version 2.

Design

The design of this implementation is documented in NFSv4 ACLs in POSIX. This design is based on similar principles as POSIX 1003.1e draft 17 ACLs, which Linux as well as many other UNIX-like operating systems support today.

A key concept in the design is masking, which is described in NFSv4 file_masks Attribute (html and xml versions available here).

Please also refer to various discussions on the nfsv4@ietf.org mailing list, archived here.

Caveats

How To Use

Apply the kernel patches, and build and install a new kernel.

Note: if you have never applied kernel patches and built your own kernel, then this code is not for you. Wait until your favorite distribution offers native NFSv4 ACLs (or not).

By default, ext3 filesystems have ACLs disabled. In order to enable native NFSv4 ACLs, mount the filesystem with the -o acl=nfs4 mount option. With this option, the owner, owning group, and others are only granted permissions if they are granted both by the file mode and by the ACL.

The -o acl and -o acl=posix mount options will enable POSIX ACLs. The -o noacl mount option will turn off ACLs.

The nfs4acl user-space utility can be used for retrieving, setting, and removing NFSv4 ACLs; see below.

The nfs4acl Utility

The nfs4acl utility supports the --get, --set and --remove options, and takes a number of filenames as arguments. The --get and --remove options themselves take no arguments; the --set option takes a text representation of an NFSv4 ACL as its argument. The --get option writes the text representation of the ACLs of the specified file or files to standard output. The --set option sets the ACL of the specified file or files to the ACL defined by the option's argument. The --remove option removes a file's ACL.

The utility supports short and long names for masks and flags, defaulting to short (see nfs4acl --help). For each ACL entry, the fields are printed in who, mask, flags, and type order, separated by colons. Multiple mask bits and flags are separated by slashes. In the mask field, permissions that are not effective because they are not also enabled in the corresponding mask pseudo-entry are enclosed in parentheses. Each entry is printed on a separate line.

In front of the actual ACL, the Owner, Group, and Other masks are printed in the same format, even though they are not actual ACL entries: for those pseudo ACL entries, OWNER@, GROUP@, and EVERYONE@ are used as the who field, and the type field is reported as MASK. The flags field is empty for these pseudo-entries.

The --set option takes the same text representation as its argument. Multiple ACL entries are separated by whitespace. Mask entries may be specified in any order and at any position. Each unspecified mask entry is set to the union of mask flags that the entry applies to (in other words, it is set so that it does not mask anything).

Local user and group identifiers that can be resolved to names are printed with the user or group name as the who field (with no "@" character), or with their numeric identifier otherwise; they can be specified by either name or numeric identifier. Groups must have the IDENTIFIER_GROUP (g) flag set. Non-local users and groups are supported by nfs4acl, but not by the kernel.
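The following is an added example, not code from this page or from the nfs4acl utility: it parses the who:mask:flags:type text representation described above, separates the OWNER@/GROUP@/EVERYONE@ mask pseudo-entries from the real entries, and shows which bits of each allow entry remain effective once the masks are applied, parenthesising the rest as the --get output does. The sample input is constructed. Several details are assumptions because the page does not spell them out: the owner@ mask governs owner@ entries, the everyone@ mask governs everyone@ entries, and the group@ mask governs every other entry (named users, named groups, the owning group), following the POSIX ACL class model; deny entries are not masked; only the r, w and x short names are mapped to file mode bits in masks_from_mode; each masked-out bit is wrapped individually in parentheses.

```python
"""Parse nfs4acl --get text and apply the owner/group/other masks.

Added example, not part of the page or the nfs4acl utility.  The mask-to-entry
mapping, the treatment of deny entries, the rwx-only mode mapping and the
per-bit parentheses are this example's assumptions (see the lead-in).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the who:mask:flags:type layout described above.
SAMPLE = """\
/mnt/d:
owner@:rwx::mask
group@:rx::mask
everyone@:::mask
agruen:rwx:fd:allow
suse:rwx:fdg:allow
everyone@:r::allow
owner@:x::deny
"""


@dataclass
class Entry:
    who: str
    perms: str   # permission short names with any "/" or "()" stripped
    flags: str
    kind: str    # "allow", "deny" or "mask"


def parse_entry(line: str) -> Entry:
    who, perms, flags, kind = line.split(":")
    # Long names are slash-separated; parentheses mark bits that nfs4acl has
    # already reported as masked out.  Both are removed to keep the raw bit set.
    perms = perms.replace("/", "").replace("(", "").replace(")", "")
    return Entry(who, perms, flags.replace("/", ""), kind)


def parse_acl(text: str) -> Tuple[Dict[str, str], List[Entry]]:
    """Split --get output into the mask pseudo-entries and the real ACL."""
    masks: Dict[str, str] = {}
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.count(":") != 3:        # blank line or the "<path>:" header
            continue
        entry = parse_entry(line)
        if entry.kind == "mask":
            masks[entry.who] = entry.perms
        else:
            entries.append(entry)
    return masks, entries


def mask_for(entry: Entry, masks: Dict[str, str]) -> Optional[str]:
    """Pick the governing mask; None means 'unspecified', which masks nothing."""
    if entry.who == "owner@":
        return masks.get("owner@")
    if entry.who == "everyone@":
        return masks.get("everyone@")
    return masks.get("group@")   # assumption: group class covers the rest


def effective(entry: Entry, masks: Dict[str, str]) -> Tuple[str, str]:
    """Return (bits still effective, bits the mask removes) for an entry."""
    mask = mask_for(entry, masks)
    if entry.kind != "allow" or mask is None:   # assumption: deny is unmasked
        return entry.perms, ""
    kept = "".join(p for p in entry.perms if p in mask)
    lost = "".join(p for p in entry.perms if p not in mask)
    return kept, lost


def render(entry: Entry, masks: Dict[str, str]) -> str:
    """Print an entry, wrapping each masked-out bit in parentheses."""
    _, lost = effective(entry, masks)
    perms = "".join(f"({p})" if p in lost else p for p in entry.perms)
    return f"{entry.who}:{perms}:{entry.flags}:{entry.kind}"


def masks_from_mode(mode: int) -> Dict[str, str]:
    """Derive the three masks from the rwx bits of a file mode such as 0o755."""
    def bits(shift: int) -> str:
        triple = (mode >> shift) & 0o7
        return "".join(c for c, b in (("r", 4), ("w", 2), ("x", 1)) if triple & b)
    return {"owner@": bits(6), "group@": bits(3), "everyone@": bits(0)}


if __name__ == "__main__":
    file_masks, acl = parse_acl(SAMPLE)
    for e in acl:
        print(render(e, file_masks))
    print(masks_from_mode(0o755))
```

Running the script on the constructed sample prints the named-user and named-group entries as r(w)x, because the group@ mask is rx, and the everyone@ allow entry as (r), because the everyone@ mask grants nothing; the deny entry is left untouched. masks_from_mode shows the file-mode side of the rule stated above: a chmod to 755 yields rwx, rx and rx as the three masks.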

Examples (outdated)

$ mount -o acl=nfs4 /dev/hda4 /mnt
$ mkdir /mnt/d
$ nfs4acl --set "agruen:rwx:fd:allow suse:rx:fdg:allow" /mnt/d
$ nfs4acl --get /mnt/d
/mnt/d:
owner@:rwx::mask
group@:rwx::mask
everyone@:::mask
agruen:wx:fd:allow
suse:rx:fdg:allow

$ touch /mnt/d/f
$ nfs4acl --get /mnt/d/f
/mnt/d/f:
owner@:rw::mask
group@:rw::mask
everyone@:::mask
owner@:x::deny
agruen:w::allow
suse:r:g:allow

$ chmod 755 /mnt/d/f
$ nfs4acl --get /mnt/d/f
/mnt/d/f:
owner@:rx::mask
group@:rx::mask
everyone@:rx::mask
agruen:x::allow
suse:rx:g:allow

$ mkdir /mnt/d/d
$ nfs4acl --get /mnt/d/d
/mnt/d/d:
owner@:rwx::mask
group@:rwx::mask
everyone@:::mask
agruen:wx:fd:allow
suse:rx:fdg:allow

Note that the mask bits have different semantics for non-directories and directories, and NFSv4 uses different long mnemonics for the same mask bits depending on the object type. Nfs4acl currently uses the non-directory mnemonics for non-directories, and the directory mnemonics for directories. This is slightly confusing when a file inherits an ACL from its parent directory: the permissions seem to change during inheritance, while really only different mnemonics are used.

Code Change Log

May 19, 2008

May 18, 2008

August 17, 2007

November 3, 2006

September 29, 2006

September 21, 2006

September 5, 2006

September 1, 2006

August 30, 2006

August 26, 2006

August 24, 2006

July 17, 2006

July 16, 2006

July 15, 2006

July 14, 2006


Copyright (C) Andreas Gruenbacher <agruen@suse.de>, May 2008