Nfs4 acl: Difference between revisions
Created page with "=== Abstract === This shows you how to use the NFSv4 ACL permissions system. An ACL (access control list) is a list of permissions associated with a file or directory. These p..." |
No edit summary |
||
| Line 1: | Line 1: | ||
=== Abstract === | ===Abstract=== | ||
This shows you how to use the NFSv4 ACL permissions system. An ACL (access control list) is a list of permissions associated with a file or directory. These permissions allow you to restrict access to a certian file or directory by user or group. NFSv4 ACLs provide more specific options than typical POSIX read/write/execute permissions used in most systems. | This shows you how to use the NFSv4 ACL permissions system. An ACL (access control list) is a list of permissions associated with a file or directory. These permissions allow you to restrict access to a certian file or directory by user or group. NFSv4 ACLs provide more specific options than typical POSIX read/write/execute permissions used in most systems. | ||
<br /> | <br /> | ||
=== package === | ===package=== | ||
You need install package to use nfs4_acl | You need install package to use nfs4_acl | ||
| Line 16: | Line 16: | ||
<br /> | <br /> | ||
==== ACE Type ==== | ====ACE Type==== | ||
The '<nowiki/>'''A'''<nowiki/>' in the example is known as the ACE (access control entry) type. The ''''A'''<nowiki/>' denotes "Allow" meaning this ACL is allowing the user or group to perform actions requiring permissions. Anything that is not explicitly allowed is denied by default. | The '<nowiki/>'''A'''<nowiki/>' in the example is known as the ACE (access control entry) type. The ''''A'''<nowiki/>' denotes "Allow" meaning this ACL is allowing the user or group to perform actions requiring permissions. Anything that is not explicitly allowed is denied by default. | ||
| Line 22: | Line 22: | ||
<br /> | <br /> | ||
==== ACE Flags ==== | ====ACE Flags==== | ||
The above example could have a distinction known as a flag shown below | The above example could have a distinction known as a flag shown below | ||
A:d:[email protected]:rxtncy | A:d:[email protected]:rxtncy | ||
| Line 49: | Line 49: | ||
|} | |} | ||
=== ACE Principal === | ===ACE Principal=== | ||
the '[email protected]' is a principal. The principal denotes the people the ACL is allowing access to. | the '[email protected]' is a principal. The principal denotes the people the ACL is allowing access to. | ||
Principals can be the following: | Principals can be the following: | ||
* A named user [email protected] | *A named user [email protected] | ||
* Speical principals '''OWNER@''' '''GROUP@''' '''EVERYONE@''' | *Speical principals '''OWNER@''' '''GROUP@''' '''EVERYONE@''' | ||
* A group A:g:[email protected]:rxtncy When the principal is a group, you need to add a group flag, ''''<code>g</code>'''<nowiki/>', as shown above example. | *A group A:g:[email protected]:rxtncy When the principal is a group, you need to add a group flag, ''''<code>g</code>'''<nowiki/>', as shown above example. | ||
=== ACE Permissions === | ===ACE Permissions=== | ||
the '<code>rxtncy</code>' are the permissions the ACE is allowing. Permissions can be used in combonation with each other. | the '<code>rxtncy</code>' are the permissions the ACE is allowing. Permissions can be used in combonation with each other. | ||
| Line 122: | Line 122: | ||
|Execute | |Execute | ||
|xtcy | |xtcy | ||
|} | |||
Summary | |||
{| class="wikitable" | |||
|ACE Type | |||
| | |||
|- | |||
|A | |||
|A = Allow : it means Allow accesses. | |||
|- | |||
|D | |||
|D = Deny : it means Deny accesses. | |||
|- | |||
|ACE Flags | |||
| | |||
|- | |||
|d | |||
|Directory-Inherit : New sub-directory inherits the same ACE. | |||
|- | |||
|f | |||
|File-Inherit : New file inherits the same ACE but not inherit inheritance-flag. | |||
|- | |||
|n | |||
|No-Propogate-Inherit : New sub-directory inherits the same ACE but not inherit inheritance-flag. | |||
|- | |||
|i | |||
|Inherit-Only : New file/sub-directory inherits the same ACE but this directory does not have ACE. | |||
|- | |||
|ACE Principal | |||
| | |||
|- | |||
|(USER)@(NFSDomain) | |||
|Common User | |||
For [NFSDomain], it is just the Domain name that is specified for [Domain] value in [idmapd.conf]. | |||
|- | |||
|(GROUP)@(NFSDomain) | |||
|Common Group | |||
For group, Specify [g] flag like this ⇒ A:g:GROUP@NFSDomain:rxtncy | |||
|- | |||
|OWNER@ | |||
|Special Principal : Owner | |||
|- | |||
|GROUP@ | |||
|Special Principal : Group | |||
|- | |||
|EVERYONE@ | |||
|Special Principal : Everyone | |||
|- | |||
|ACE Permissions | |||
| | |||
|- | |||
|r | |||
|Read data of files / List files in directory | |||
|- | |||
|w | |||
|Write data to files / Create new files in directory | |||
|- | |||
|a | |||
|Append data to files / Create new sub-directory | |||
|- | |||
|x | |||
|Execute files / Change directory | |||
|- | |||
|d | |||
|Delete files or directories | |||
|- | |||
|D | |||
|Delete files or sub-directories under the directory | |||
|- | |||
|t | |||
|Read attributes of files or directories | |||
|- | |||
|T | |||
|Write attributes to files or directories | |||
|- | |||
|n | |||
|Read named attributes of files or directories | |||
|- | |||
|N | |||
|Write named attributes of files or directories | |||
|- | |||
|c | |||
|Read ACL of files or directories | |||
|- | |||
|C | |||
|Write ACL of files or directories | |||
|- | |||
|o | |||
|Change ownership of files or directories | |||
|- | |||
|ACE Permissions Aliases | |||
|For using nfs4_setfacl, possible to use Alias for ACE Permissions | |||
|- | |||
|R | |||
|R = rntcy : Generic Read | |||
|- | |||
|W | |||
|W = watTNcCy : Generic Write | |||
|- | |||
|X | |||
|X = xtcy : Generic Execute | |||
|} | |} | ||
=== Using NFSv4 ACL === | ===Using NFSv4 ACL=== | ||
==== nfs4_editfacl ==== | ====nfs4_editfacl==== | ||
==== nfs4_getfacl ==== | ====nfs4_getfacl==== | ||
<code>nfs4_gefacl /path</code> | <code>nfs4_gefacl /path</code> | ||
==== nfs4_setfacl ==== | ====nfs4_setfacl==== | ||
===== commands ===== | =====commands===== | ||
Commands are only used when first setting an ACE. Commands and their uses are listed below. | Commands are only used when first setting an ACE. Commands and their uses are listed below. | ||
{| class="wikitable" | {| class="wikitable" | ||
| Line 148: | Line 248: | ||
|read ACL entries to add from file | |read ACL entries to add from file | ||
|- | |- | ||
| -X file | | -X file | ||
|read ACL entries to remove from file | |read ACL entries to remove from file | ||
|- | |- | ||
| Line 161: | Line 261: | ||
|} | |} | ||
===== Options ===== | =====Options===== | ||
Options can be used in combination or ommitted entirely. A list of options is shown below: | Options can be used in combination or ommitted entirely. A list of options is shown below: | ||
{| class="wikitable" | {| class="wikitable" | ||
| Line 181: | Line 281: | ||
|} | |} | ||
==== Use cases ==== | ====Use cases==== | ||
nfs4_setfacl -Ra A::user1@domain:RWX /path | nfs4_setfacl -Ra A::user1@domain:RWX /path | ||
nfs4_setfacl -a A:fdg:group1@domain:RWX /path | nfs4_setfacl -a A:fdg:group1@domain:RWX /path | ||
reference: | |||
https://www.server-world.info/en/note?os=Rocky_Linux_8&p=nfs&f=3 | |||
Latest revision as of 06:56, 25 November 2021
Abstract
This shows you how to use the NFSv4 ACL permissions system. An ACL (access control list) is a list of permissions associated with a file or directory. These permissions allow you to restrict access to a certian file or directory by user or group. NFSv4 ACLs provide more specific options than typical POSIX read/write/execute permissions used in most systems.
package
You need install package to use nfs4_acl
rpm package name is nfs4-acl-tools
Understanding NFSv4 ACL
This is an example of an NFSv4 ACL
A::[email protected]:rxtncy
The following sections will break down this example from left to right and provide more usage options
ACE Type
The 'A' in the example is known as the ACE (access control entry) type. The 'A' denotes "Allow" meaning this ACL is allowing the user or group to perform actions requiring permissions. Anything that is not explicitly allowed is denied by default.
Note: 'D' can denote a Deny ACE. While this is a valid option, this ACE type is not reccomended since any permission that is not explicity granted is automatically denied meaning Deny ACE's can be redundant and complicated.
ACE Flags
The above example could have a distinction known as a flag shown below
A:d:[email protected]:rxtncy
The 'd' used above is called an inheritence flag. This makes it so the ACL set on this directory will be automatically established on any new subdirectories. Inheritence flags only work on directories and not files. Multiple inheritence flags can be used in combonation or omitted entirely. Examples of inheritence flags are listed below:
| Flag | Name | Function |
|---|---|---|
| d | directory-inherit | New subdirectories will have the same ACE |
| f | file-inherit | New files will have the same ACE minus the inheritence flags |
| n | no-propogate inherit | New subdirectories will inherit the ACE minus the inheritence flags |
| i | inherit-only | New files and subdirectories will have this ACE but the ACE for the directory with the flag is null |
ACE Principal
the '[email protected]' is a principal. The principal denotes the people the ACL is allowing access to.
Principals can be the following:
- A named user [email protected]
- Speical principals OWNER@ GROUP@ EVERYONE@
- A group A:g:[email protected]:rxtncy When the principal is a group, you need to add a group flag, '
g', as shown above example.
ACE Permissions
the 'rxtncy' are the permissions the ACE is allowing. Permissions can be used in combonation with each other.
A list of permissions and what they do can be found below:
| Permission | Function |
|---|---|
| r | read-data (files) / list-directory (directories) |
| w | write-data (files) / create-file (directories) |
| a | append-data (files) / create-subdirectory (directories) |
| x | execute (files) / change-directory (directories) |
| d | delete the file/directory |
| D | delete-child : remove a file or subdirectory from the given directory (directories only) |
| t | read the attributes of the file/directory |
| T | write the attribute of the file/directory |
| n | read the named attributes of the file/directory |
| N | write the named attributes of the file/directory |
| c | read the file/directory ACL |
| C | write the file/directory ACL |
| o | change ownership of the file/directory |
Aliases such 'R' 'W' 'X' can be used as permissions. These work simlarly to POSIX Read/Write/Execute. More detail can be found below.
| Alias | Name | Expansion |
|---|---|---|
| R | Read | rntcy |
| W | Write | watTNcCy (with D added to directory ACE's |
| X | Execute | xtcy |
Summary
| ACE Type | |
| A | A = Allow : it means Allow accesses. |
| D | D = Deny : it means Deny accesses. |
| ACE Flags | |
| d | Directory-Inherit : New sub-directory inherits the same ACE. |
| f | File-Inherit : New file inherits the same ACE but not inherit inheritance-flag. |
| n | No-Propogate-Inherit : New sub-directory inherits the same ACE but not inherit inheritance-flag. |
| i | Inherit-Only : New file/sub-directory inherits the same ACE but this directory does not have ACE. |
| ACE Principal | |
| (USER)@(NFSDomain) | Common User
For [NFSDomain], it is just the Domain name that is specified for [Domain] value in [idmapd.conf]. |
| (GROUP)@(NFSDomain) | Common Group
For group, Specify [g] flag like this ⇒ A:g:GROUP@NFSDomain:rxtncy |
| OWNER@ | Special Principal : Owner |
| GROUP@ | Special Principal : Group |
| EVERYONE@ | Special Principal : Everyone |
| ACE Permissions | |
| r | Read data of files / List files in directory |
| w | Write data to files / Create new files in directory |
| a | Append data to files / Create new sub-directory |
| x | Execute files / Change directory |
| d | Delete files or directories |
| D | Delete files or sub-directories under the directory |
| t | Read attributes of files or directories |
| T | Write attributes to files or directories |
| n | Read named attributes of files or directories |
| N | Write named attributes of files or directories |
| c | Read ACL of files or directories |
| C | Write ACL of files or directories |
| o | Change ownership of files or directories |
| ACE Permissions Aliases | For using nfs4_setfacl, possible to use Alias for ACE Permissions |
| R | R = rntcy : Generic Read |
| W | W = watTNcCy : Generic Write |
| X | X = xtcy : Generic Execute |
Using NFSv4 ACL
nfs4_editfacl
nfs4_getfacl
nfs4_gefacl /path
nfs4_setfacl
commands
Commands are only used when first setting an ACE. Commands and their uses are listed below.
| COMMAND | FUNCTION |
|---|---|
| -a acl_spec [index] | add ACL entries in acl_spec at index (DEFAULT: 1) |
| -x acl_spec | index | remove ACL entries or entry-at-index from ACL |
| -A file [index] | read ACL entries to add from file |
| -X file | read ACL entries to remove from file |
| -s acl_spec | set ACL to acl_spec (replaces existing ACL) |
| -S file | read ACL entries to set from file |
| -m from_ace to_ace | modify in-place: replace 'from_ace' with 'to_ace' |
Options
Options can be used in combination or ommitted entirely. A list of options is shown below:
| OPTION | NAME | FUNCTION |
|---|---|---|
| -R | recursive | Applies ACE to a directory's files and subdirectories |
| -L | logical | Used with -R, follows symbolic links |
| -P | physical | Used with -R, skips symbolic links |
Use cases
nfs4_setfacl -Ra A::user1@domain:RWX /path
nfs4_setfacl -a A:fdg:group1@domain:RWX /path
reference:
https://www.server-world.info/en/note?os=Rocky_Linux_8&p=nfs&f=3