
NFSV4 Access Control List

Ahmed (Mash) Mashhour


IBM AIX Global SME
ahdmashr@eg.ibm.com
icemashhour@yahoo.com

This document shows you how to use the NFSv4 ACL permissions system. An ACL (access control list)
is a list of permissions associated with a file or directory.

These permissions allow you to restrict access to a certain file or directory by user or group.

NFSv4 ACLs provide more specific options than typical POSIX read/write/execute permissions used in
most systems.

The NFSV4 ACL type implements access control as specified in the Network File System (NFS) version 4
Protocol, RFC 3530. The JFS2 file system allows a maximum size of 64 KB for NFSV4 ACLs.

1.1 Important tips for setting NFSV4 ACL

a letter => means Allow
d letter => means Deny
fi context => means File Inherit
di context => means Directory Inherit

Each ACL entry (ACE) is written as: IDENTITY ACE_TYPE ACE_MASK [ACE_FLAGS]

IDENTITY => Has the format:
'IDENTITY_type:(IDENTITY_name or IDENTITY_ID or IDENTITY_who):'
as in the example: s:(OWNER@): a rwpRWxDaAdcCs fidi

Where:
IDENTITY_type => One of the following identity types:
u : user
g : group
s : special => who string (IDENTITY_who must be a special who)
IDENTITY_name => user/group name
IDENTITY_ID => user/group ID
IDENTITY_who => special who string (e.g. OWNER@, GROUP@, EVERYONE@)

ACE_TYPE => One of the following ACE types:
a : allow
d : deny
l : alarm
u : audit

ACE_MASK => One or more of the following mask value keys, without separator:
r : READ_DATA or LIST_DIRECTORY
w : WRITE_DATA or ADD_FILE
x : EXECUTE or SEARCH_DIRECTORY
p : APPEND_DATA or ADD_SUBDIRECTORY
R : READ_NAMED_ATTRS
W : WRITE_NAMED_ATTRS
D : DELETE_CHILD
a : READ_ATTRIBUTES
A : WRITE_ATTRIBUTES
d : DELETE
c : READ_ACL
C : WRITE_ACL
o : WRITE_OWNER
s : SYNCHRONIZE

ACE_FLAGS (Optional) => One or more of the following attribute keys, without separator:
fi : FILE_INHERIT
di : DIRECTORY_INHERIT
oi : INHERIT_ONLY
ni : NO_PROPAGATE_INHERIT
sf : SUCCESSFUL_ACCESS_ACE_FLAG
ff : FAILED_ACCESS_ACE_FLAG

1.2 Setting up NFSV4 ACL Inheritance

In the example below, we create a simple NFSV4 ACL that applies permission inheritance according to
the AIX ACL policy.

1. Use a JFS2 filesystem: either create a new one or use an existing JFS2 filesystem
# crfs -v jfs2 -g datavg -m /mash -A yes -a size=2G

2. Mount the file system and change it to use Extended Attributes Version 2
# mount /mash
# chfs -a ea=v2 /mash

3. Create a directory, or identify an existing directory
# cd /mash
# mkdir newdir

4. Convert the directory to use NFS4 ACLs:
# aclconvert -t NFS4 newdir

5. Edit the ACL
# export EDITOR=/usr/bin/vi
# acledit newdir
<You should see this in the file>
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo

6. To allow inheritance for all files and directories underneath this directory, add the strings "fi" (for
files) and "di" (for directories) to any ACL entries you create. Only entries carrying these flags are
propagated, to each file and directory created from now on.
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs fidi
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo

7. Create a file in your directory and check the ACL list on it:
# cd newdir
# touch newfile
# aclget newfile
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs fidi

8. The above example will:

a) allow the permissions of the newdir directory to be inherited
by all subdirectories and files under it;
b) allow the following masks (rights) to be given to the owner.

Owner rights/authorities for any newly created file/directory under /mash/newdir, as per the previous
example, will be:
r : READ_DATA
w : WRITE_DATA
p : APPEND_DATA
R : READ_NAMED_ATTRS
W : WRITE_NAMED_ATTRS
x : EXECUTE
D : DELETE_CHILD
a : READ_ATTRIBUTES
A : WRITE_ATTRIBUTES
d : DELETE
c : READ_ACL
C : WRITE_ACL
s : SYNCHRONIZE
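To make the notation of section 1.1 and the inheritance behaviour of steps 6 and 7 concrete, here is an added example in Python; it is not part of the original document and is not IBM's or AIX's code. It parses the ACE text format shown by acledit/aclget, evaluates an access request against an ACL using the ACE processing order from RFC 3530 (which the document cites as the basis of the NFSV4 ACL type), and derives the ACL a new file or directory would inherit from the fi/di flags. The function names, the principal dictionary (user, groups, owner, in_group) and the sample ACL text are assumptions made for this example; the real decision is taken by the AIX kernel, so this is a way to reason about what an ACL you are about to set will do, not a replacement for aclget.

```python
# Added example, not from the original document: a parser for the AIX NFSv4 ACL
# text format of section 1.1, an access check following the RFC 3530 ACE processing
# order, and the fi/di inheritance rule of section 1.2. Names are chosen here, not AIX APIs.
from collections import namedtuple

MASK_ORDER = "rwpRWxDaAdcCos"  # ACE_MASK letters, in the order aclget prints them
FLAG_ORDER = ("fi", "di", "oi", "ni", "sf", "ff")
SPECIAL_WHO = {"OWNER@", "GROUP@", "EVERYONE@"}
# id_type u/g/s; who = name, ID or special who; ace_type a/d/l/u; mask and flags are frozensets
Ace = namedtuple("Ace", "id_type who ace_type mask flags")

def parse_ace(line):
    """Parse one ACE line such as 's:(OWNER@): a rwpRWxDaAdcCs fidi'."""
    fields = line.split()
    if len(fields) not in (3, 4):
        raise ValueError(f"malformed ACE: {line!r}")
    ident, ace_type, mask = fields[:3]
    flags = fields[3] if len(fields) == 4 else ""
    if len(ident) < 6 or ident[1:3] != ":(" or not ident.endswith("):"):
        raise ValueError(f"IDENTITY must look like 'type:(name):', got {ident!r}")
    id_type, who = ident[0], ident[3:-2]
    if id_type not in "ugs" or ace_type not in "adlu" or not mask:
        raise ValueError(f"bad identity type, ACE type or mask: {line!r}")
    if id_type == "s" and who not in SPECIAL_WHO:
        raise ValueError(f"unknown special who {who!r}")
    if set(mask) - set(MASK_ORDER):
        raise ValueError(f"unknown mask letters in {mask!r}")
    flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
    if len(flags) % 2 or flag_set - set(FLAG_ORDER):
        raise ValueError(f"bad ACE_FLAGS {flags!r}")
    return Ace(id_type, who, ace_type, frozenset(mask), frozenset(flag_set))

def parse_acl(text):
    """Parse acledit/aclget output; '*' comment lines and blank lines are skipped."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("*")]

def format_ace(ace):
    """Render an ACE back in the document's notation."""
    mask = "".join(c for c in MASK_ORDER if c in ace.mask)
    flags = "".join(f for f in FLAG_ORDER if f in ace.flags)
    return f"{ace.id_type}:({ace.who}): {ace.ace_type} {mask}" + (" " + flags if flags else "")

def ace_applies(ace, p):
    """p is a dict: user, groups, owner (is OWNER@), in_group (member of GROUP@)."""
    if ace.id_type == "u":
        return ace.who == p["user"]
    if ace.id_type == "g":
        return ace.who in p["groups"]
    return (ace.who == "EVERYONE@" or (ace.who == "OWNER@" and p["owner"])
            or (ace.who == "GROUP@" and p["in_group"]))

def check_access(acl, p, requested):
    """RFC 3530 rule: walk ACEs in order; each allow/deny entry that applies decides
    only the requested bits not yet decided (first match per bit wins); access is
    granted only if every bit was allowed. 'oi' entries do not apply to their own
    object and alarm/audit entries never decide access."""
    pending, allowed = set(requested), set()
    for ace in acl:
        if "oi" in ace.flags or ace.ace_type not in "ad" or not ace_applies(ace, p):
            continue
        decided = pending & ace.mask
        if ace.ace_type == "a":
            allowed |= decided
        pending -= decided
    return allowed == set(requested)

def inherit(parent_acl, child_is_dir):
    """ACL a new child gets (steps 6-7): 'fi' entries go to files, copied unchanged
    since step 7 shows 'fidi' kept; 'di' entries go to directories, where 'oi' is
    cleared and 'ni' strips the inheritance flags so propagation stops (RFC 3530)."""
    want, child = ("di" if child_is_dir else "fi"), []
    for ace in parent_acl:
        if want not in ace.flags:
            continue
        flags = set(ace.flags)
        if child_is_dir:
            flags -= {"oi"} | ({"fi", "di", "ni"} if "ni" in flags else set())
        child.append(ace._replace(flags=frozenset(flags)))
    return child

# Constructed sample: the ACL of /mash/newdir after step 6 of the document.
NEWDIR_ACL_TEXT = """\
* ACL_type NFS4
s:(OWNER@): a rwpRWxDaAdcCs fidi
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo
"""

def demo():
    acl = parse_acl(NEWDIR_ACL_TEXT)
    owner = {"user": "root", "groups": {"system"}, "owner": True, "in_group": True}
    member = {"user": "alice", "groups": {"system"}, "owner": False, "in_group": True}
    results = {"owner writes": check_access(acl, owner, "w"),          # 1st ACE allows w
               "owner changes owner": check_access(acl, owner, "o"),   # 2nd ACE denies o
               "group member writes": check_access(acl, member, "w")}  # GROUP@ deny wins
    return results, [format_ace(a) for a in inherit(acl, child_is_dir=False)]
```

Running demo() reproduces step 7: of the six entries on newdir only the OWNER@ allow entry carries fidi, so a new file inherits just that one entry, and the GROUP@ and EVERYONE@ entries have to be given fi/di explicitly if they are meant to propagate. The evaluation also shows why entry order matters: a deny entry listed before an allow for the same mask bit wins for that bit, so where you place the d entries in acledit changes the outcome.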
