This topic describes how to configure Portable Operating System Interface (POSIX) access control lists (ACLs) to control access to the files and directories in an NFSv3 file system.
Prerequisites
An NFSv3 file system is mounted. For more information, see Mount an NFS file system on a Linux ECS instance.
Command description
Before you configure POSIX ACLs, we recommend that you get familiar with specific commands. The following table describes the commands.
Command | Description |
getfacl <filename> | Queries the ACL that applies to the specified file. |
setfacl -m g::w <filename> | Adds an access control entry (ACE) that grants the write permission on the specified file to the file's owning group (the g:: entry, which corresponds to the GROUP@ principal). |
setfacl -m u:player:w <filename> | Grants the write permissions to the player user. |
setfacl -m g:players:rwx <filename> | Grants the read, write, and execute permissions to the players group. |
setfacl -x g:players <filename> | Revokes permissions from the players group. |
getfacl file1 | setfacl --set-file=- file2 | Copies the ACL for the file1 file to the file2 file. |
setfacl -b file1 | Removes all extended ACEs from the file1 file. The base ACEs of the owner, group, and others are retained. |
setfacl -k file1 | Removes all default ACEs from the file1 file. |
setfacl -R -m g:players:rw dir | Recursively grants the read and write permissions on the dir directory and on all existing files and subdirectories in it to the players group. |
setfacl -d -m g:players:rw dir1 | Adds a default ACE to the dir1 directory so that files and subdirectories created in dir1 from now on grant the read and write permissions to the players group. |
Procedure
To control access to files and directories by configuring POSIX ACLs, perform the following steps:
Create users and groups.
In this example, the following users are created: player, admini, and anonym. The following groups are created: players and adminis. The player user is added to the players group and the admini user is added to the adminis group.
sudo useradd player
sudo groupadd players
sudo usermod -g players player
sudo useradd admini
sudo groupadd adminis
sudo usermod -g adminis admini
sudo useradd anonym
Configure POSIX ACLs to control access to files and directories.
Run the following commands to complete the operations: Create a directory named dir0. Grant the read-only permissions (read and execute, which on a directory allow listing and traversal) to the players group, the read, write, and execute permissions to the adminis group, and no permissions on dir0 or on any file in it to the others class. The default ACEs (the -d commands) make new files and subdirectories in dir0 inherit the same entries.
Note: umask is a shell builtin, so run it in the current shell rather than through sudo; the commands that sudo starts afterwards inherit it.
umask 777
sudo mkdir dir0
sudo setfacl -m g:players:r-x dir0
sudo setfacl -m g:adminis:rwx dir0
sudo setfacl -m u::--- dir0
sudo setfacl -m g::--x dir0
sudo setfacl -m o::--- dir0
sudo setfacl -d -m g:players:r-x dir0
sudo setfacl -d -m g:adminis:rwx dir0
sudo setfacl -d -m u::--- dir0
sudo setfacl -d -m g::--x dir0
sudo setfacl -d -m o::--- dir0
Run the sudo getfacl dir0 command to verify the configuration. The output is similar to the following:
# file: dir0
# owner: root
# group: root
user::---
group::--x
group:players:r-x
group:adminis:rwx
mask::rwx
other::---
default:user::---
default:group::--x
default:group:players:r-x
default:group:adminis:rwx
default:mask::rwx
default:other::---
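The mask::rwx line in the output above decides what the named entries are actually worth: the permissions of every named user, the owning group and every named group are ANDed with the mask, while the owner (user::) and other entries are applied as written. A later chmod on the group bits rewrites the mask, so a grant such as group:adminis:rwx can quietly shrink without any setfacl being run. The following helpers are an added example, not part of the original page or of Alibaba Cloud NAS: they parse saved getfacl output and report the effective permission of a given entry. The first ACL text is constructed from the dir0 output above; the second is a hypothetical variant of the same ACL after the mask has been reduced to r-x.

```shell
# Constructed sample: the ACL that getfacl printed for dir0 above, embedded so the
# helpers run without an NFS mount. (Assumption: entries exactly as shown on the page.)
SAMPLE_ACL='# file: dir0
# owner: root
# group: root
user::---
group::--x
group:players:r-x
group:adminis:rwx
mask::rwx
other::---'

# Constructed variant (hypothetical): the same directory after something like
# "chmod 750 dir0". chmod rewrites the mask entry, so the adminis grant is
# silently cut to r-x; getfacl flags this with a "#effective:" annotation.
SAMPLE_ACL_MASKED='# file: dir0
# owner: root
# group: root
user::rwx
group::--x
group:players:r-x
group:adminis:rwx    #effective:r-x
mask::r-x
other::---'

# acl_entry ACL_TEXT TAG NAME: print the 3-character permission string of the
# first non-default entry whose tag (user|group|mask|other) and qualifier match
# (use '' as NAME for the owner, owning group, mask and other entries).
# Only the first three characters are kept, which drops getfacl's
# "#effective:" annotations.
acl_entry() {
    printf '%s\n' "$1" | grep -v '^#' | while IFS=: read -r tag name perms; do
        if [ "$tag" = "$2" ] && [ "$name" = "$3" ]; then
            printf '%.3s\n' "$perms"
            break
        fi
    done
}

# and_perms A B: character-wise AND of two rwx strings, e.g. and_perms rw- r-x -> r--
and_perms() {
    out=''
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c"$i")
        b=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" = "$b" ] && [ "$a" != '-' ]; then
            out="$out$a"
        else
            out="$out-"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# effective_perms ACL_TEXT TAG NAME: the permission the kernel will actually
# apply. The owner (user::) and other entries are never masked; every other
# entry is ANDed with the mask entry when one exists.
effective_perms() {
    perms=$(acl_entry "$1" "$2" "$3")
    [ -n "$perms" ] || { printf 'no such entry: %s:%s\n' "$2" "$3" >&2; return 1; }
    case "$2:$3" in
        user:|other:)
            printf '%s\n' "$perms" ;;
        *)
            mask=$(acl_entry "$1" mask '')
            [ -n "$mask" ] && perms=$(and_perms "$perms" "$mask")
            printf '%s\n' "$perms" ;;
    esac
}

# acl_other_denied ACL_TEXT: succeed only if the "other" class has no permission
# at all, which is what the dir0 procedure above intends.
acl_other_denied() {
    [ "$(effective_perms "$1" other '')" = '---' ]
}

# Demo: show what each group can actually do under both ACLs.
for acl in "$SAMPLE_ACL" "$SAMPLE_ACL_MASKED"; do
    printf 'players=%s adminis=%s other=%s\n' \
        "$(effective_perms "$acl" group players)" \
        "$(effective_perms "$acl" group adminis)" \
        "$(effective_perms "$acl" other '')"
done
```

To audit a real mount, feed `getfacl -p <path>` output to the same functions; a practitioner checking the procedure above wants `effective_perms ... group adminis` to still print rwx and `acl_other_denied` to succeed for every object under dir0, not just the directory itself.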
Verify the ACL configuration.
Run the following commands to verify that the admini user has the read and write permissions:
sudo su admini -c 'touch dir0/file'
sudo su admini -c 'echo 123 > dir0/file'
Verify that the player user has the read-only permissions.
Verify that the player user cannot create a file named file in the dir0 directory.
Run the following command:
sudo su player -c 'touch dir0/file'
If the output is similar to the following information, the player user does not have the permissions to create the file file:
touch: cannot touch 'dir0/file': Permission denied
Verify that the player user has the permissions to view the content of the dir0/file file.
Run the following command:
sudo su player -c 'cat dir0/file'
If the output is similar to the following information, the player user has the permissions to view the content of the dir0/file file:
123
Verify that the player user does not have the write permissions.
Run the following command:
sudo su player -c 'echo 456 >> dir0/file'
If the output is similar to the following information, the player user does not have the write permissions:
bash: dir0/file: Permission denied
You can also run the sudo su player -c 'getfacl dir0/file' command to view the permissions that the player user has on the dir0/file file. The output is similar to the following:
# file: dir0/file
# owner: admini
# group: adminis
user::---
group::---
group:players:r-x
group:adminis:rwx
mask::rwx
other::---
Verify that the anonym user does not have permissions on the dir0 directory.
Verify that the anonym user does not have the permissions to view files in the dir0 directory.
Run the following command:
sudo su anonym -c 'ls dir0'
If the output is similar to the following information, the anonym user does not have permissions on the dir0 directory:
ls: cannot open directory dir0: Permission denied
Verify that the anonym user does not have the permissions to view the content of the file.
Run the following command:
sudo su anonym -c 'cat dir0/file'
If the output is similar to the following information, the anonym user does not have the permissions to view the content of the file:
cat: dir0/file: Permission denied
Verify that the anonym user does not have the permissions to access the file.
Run the following command:
sudo su anonym -c 'getfacl dir0/file'
If the output is similar to the following information, the anonym user does not have the permissions to access the file:
getfacl: dir0/file: Permission denied
Related operations
You can use the following method to revoke permissions from a user.
If you want to use NFSv4 ACLs, we recommend that you add each user to a group, so that you configure permissions for the group rather than for individual users. To revoke a user's permissions on an object, remove the user from the group that is granted permissions on the object. For example, the following commands remove the admini user from the adminis group and add the user to the adminis2 group.
Run the following command to create the adminis2 group:
sudo groupadd adminis2
Run the following command to remove the admini user from the adminis group and add the user to the adminis2 group:
sudo usermod -g adminis2 admini
Query the ID information about the user.
Run the following command:
id admini
The following information is returned:
uid=1057(admini) gid=1057(admini) groups=1061(adminis2)
Verify the permissions of the admini user.
Verify that the admini user does not have the permissions to access the dir0 directory.
Run the following command:
sudo su admini -c 'ls dir0'
If the output is similar to the following information, the admini user does not have the permissions to access the dir0 directory:
ls: cannot open directory dir0: Permission denied
Verify that the admini user does not have the permissions to view the content of the dir0/file file.
Run the following command:
sudo su admini -c 'cat dir0/file'
If the output is similar to the following information, the admini user does not have the permissions to view the content of the dir0/file file:
cat: dir0/file: Permission denied
Verify that the admini user does not have the permissions to access the dir0/file file.
Run the following command:
sudo su admini -c 'getfacl dir0/file'
If the output is similar to the following information, the admini user does not have the permissions to access the dir0/file file:
getfacl: dir0/file: Permission denied