This topic describes how to configure NFSv4 access control lists (ACLs) and use the ACLs to control access to files and directories in an NFSv4 file system.
Prerequisites
An NFSv4 file system is mounted. For more information, see Mount an NFS file system on a Linux ECS instance.
Background information
You can mount an NFSv4 file system on a Linux Elastic Compute Service (ECS) instance and install Linux-specific nfs4-acl-tools on the instance. After the tool is installed, you can use the standard nfs4_getfacl and nfs4_setfacl tools to configure NFSv4 ACLs.
Command description
Before you configure NFSv4 ACLs, we recommend that you get familiar with specific commands. The following table describes the commands.
Command | Description |
| Queries the ACL that applies to a specified file. |
| Adds an access control entry (ACE) that grants the write permissions on a specified file to the GROUP@ principal. |
| Adds an ACE that grants the write permissions on a specified file to a user principal named 1000. |
| Adds an ACE that grants the write permissions on a specified file to a user principal named 10001. |
| Modifies an ACL in interactive mode. |
| Saves a list of permissions on a specified file as a TXT file. |
| Configures permissions on a specified file by using a TXT file that includes a list of permissions. |
| Modifies the permission of an ACE that applies to the file1 file. |
| Copies the ACL for the file1 file to the file2 file. |
| Removes all ACEs that apply to the file1 file except for ACEs that include the following principals: OWNER@, GROUP@, and EVERYONE@. |
| Adds an ACE that grants the read and write permissions on the files and subdirectories in the dir directory to a group principal named 10001. |
| Removes ACEs that grant permissions on the files in the dir directory to a user principal named 1005. |
| Adds an ACE that grants the read and write permissions on new files and subdirectories in the dir1 directory to a group principal named 10001. |
| Adds an ACE that grants the read, write, and execute permissions on all new files in the dir1 directory to a group principal named 10001. |
Procedure
To control access to files and directories by configuring NFSv4 ACLs, perform the following steps.
Create users and groups.
In this example, the following users are created: player, admini, and anonym. The following groups are created: players and adminis. The player user is added to the players group and the admini user is added to the adminis group.
sudo useradd player sudo groupadd players sudo usermod -g players player sudo useradd admini sudo groupadd adminis sudo usermod -g adminis admini sudo useradd anonymInstall the required tools to configure NFSv4 ACLs.
If you have installed these tools, skip this step.
sudo yum -y install nfs4-acl-toolsObtain the IDs of the players and adminis groups.
Open the /etc/group file. The IDs of the players and adminis groups are displayed.
players:x:19064:player adminis:x:19065:adminiConfigure NFSv4 ACLs to control access to files and directories.
Run the following commands to complete the operations: Create a directory named dir0. Add ACEs that grant the read-only permissions on all files in the dir0 directory to the players group, grant the read, write, and execute permissions to the adminis group, and do not grant permissions to other users.
sudo umask 777 sudo mkdir dir0 sudo nfs4_setfacl -a A:fdg:19064:RX dir0 sudo nfs4_setfacl -a A:fdg:19065:RWX dir0 sudo nfs4_setfacl -a A:fdg:OWNER@: dir0 sudo nfs4_setfacl -a A:fdg:GROUP@: dir0 sudo nfs4_setfacl -a A:fdg:EVERYONE@: dir0Run the
sudo nfs4_getfacl dir0command to verify the configuration.A::OWNER@:tTnNcCy A::GROUP@:tncy A::EVERYONE@:tncy A:fdi:EVERYONE@:tncy A:fdi:OWNER@:tTnNcCy A:fdi:GROUP@:tncy A:g:19064:rxtncy A:g:19065:rwaDxtTnNcCy A:fdig:19064:rxtncy A:fdig:19065:rwaDxtTnNcCyVerify the configuration of the ACL.
Run the following commands to verify that the admini user has the read and write permissions:
sudo su admini -c 'touch dir0/file'sudo su admini -c 'echo 123 > dir0/file'Verify that the player user has the read-only permissions.
Verify that the player user does not have the permissions to create a file, for example, a dir0/file file.
Run the following command:
sudo su player -c 'touch dir0/file'If the output is similar to the following information, the player user does not have the permissions to create a file:
touch: cannot touch 'dir0/file': Permission denied
Verify that the player user does not have the write permissions, for example, the write permissions on the dir0/file file.
Run the following command:
sudo su player -c 'echo 456 >> dir0/file'If the output is similar to the following information, the player user does not have the write permissions:
bash: dir0/file: Permission denied
Verify that the player user has the read permissions.
Run the following command:
sudo su player -c 'cat dir0/file'If the output is similar to the following information, the player user has the read permissions:
123
You can also run the
sudo su player -c 'nfs4_getfacl dir0/file'command to view the permissions that the player user has on the dir0/file file.A::OWNER@:tTnNcCy A::GROUP@:tncy A::EVERYONE@:tncy A:g:19064:rxtncy A:g:19065:rwaxtTnNcCy
Verify that the anonym user does not have permissions on the dir0 directory.
Verify that the anonym user does not have the permissions to view files in the dir0 directory.
Run the following command:
sudo su anonym -c 'ls dir0'If the output is similar to the following information, the anonym user does not have permissions on the dir0 directory:
ls: cannot open directory dir0: Permission denied
Verify that the anonym user does not have the permissions to view the content of the file.
Run the following command:
sudo su anonym -c 'cat dir0/file'If the output is similar to the following information, the anonym user does not have the permissions to view the content of the file:
cat: dir0/file: Permission denied
Verify that the anonym user does not have the permissions to access the file.
Run the following command:
sudo su anonym -c 'nfs4_getfacl dir0/file'If the output is similar to the following information, the anonym user does not have the permissions to access the file.
Invalid filename: dir0/file
What to do next
You can use the following method to revoke permissions from a user.
If you want to use NFSv4 ACLs, we recommend that you add each user to a group. This allows you to configure permissions for user groups rather than individual users. To revoke permissions on an object from a user, you can remove the user from the group that is granted permissions on the object. For example, you can run the following commands to remove the admini user from the adminis group and add the user to the adminis2 group.
Run the following command to create the adminis2 group:
sudo groupadd adminis2Run the following command to remove the admini user from the adminis group and add the user to the adminis2 group:
sudo usermod -g adminis2 adminiQuery the ID information about the user.
Run the following command:
id adminiThe following information is returned:
uid=1057(admini) gid=1057(admini) groups=1061(adminis2)
Verify the permissions of the admini user.
Verify that the admini user does not have the permissions to access the dir0 directory.
Run the following command:
sudo su admini -c 'ls dir0'If the output is similar to the following information, the admini user does not have the permissions to access the dir0 directory:
ls: cannot open directory dir0: Permission denied
Verify that the admini user does not have the permissions to view the content of the dir0/file file.
Run the following command:
sudo su admini -c 'cat dir0/file'If the output is similar to the following information, the admini user does not have the permissions to view the content of the dir0/file file:
cat: dir0/file: Permission denied
Verify that the admini user does not have the permissions to access the dir0/file file.
Run the following command:
sudo su admini -c 'getfacl dir0/file'If the output is similar to the following information, the admini user does not have the permissions to access the dir0/file file:
getfacl: dir0/file: Permission denied