ACLs
NFS ACLs allow POSIX ACLs set on the NFS server's exported directories to be carried through to the shares' clients, so that access control is enforced consistently on both client and server.
Enabling ACLs
All clients and servers should have the nfs4-acl-tools package installed. In Ubuntu:
sudo apt install nfs4-acl-tools
Setting ACLs
Set ACLs with the POSIX ACL tools:
sudo setfacl -Rm user:www-data:rx /export/my-share
Reading ACLs from an NFS server
We can read the ACLs back with the POSIX ACL tools:
$ sudo getfacl /export/my-share
getfacl: Removing leading '/' from absolute path names
# file: mnt/export/myuser
# owner: myuser
# group: myuser
user::rwx
user:www-data:r-x
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:www-data:r-x
default:group::rwx
default:mask::rwx
default:other::r-x
Reading ACLs from a client
Unintuitively, the POSIX ACL tools used above read ACLs from the file's extended attributes directly, which an NFS mount does not expose, so they show incomplete results on mounted shares: the www-data entry is missing and only the plain owner/group/other entries are reported:
$ sudo getfacl /home/myuser/data/base
getfacl: Removing leading '/' from absolute path names
# file: home/myuser/data/base
# owner: myuser
# group: myuser
user::rwx
group::rwx
other::r-x
The nfs4-acl-tools package provides a dedicated nfs4_getfacl tool for this:
$ sudo nfs4_getfacl /home/myuser/data/base
A::OWNER@:rwaDxtTcCy
D::33:waD
A::33:rxtcy
A::GROUP@:rwaDxtcy
A::EVERYONE@:rxtcy
A:fdi:OWNER@:rwaDxtTcCy
D:fdi:33:waD
A:fdi:33:rxtcy
A:fdi:GROUP@:rwaDxtcy
A:fdi:EVERYONE@:rxtcy
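Each line of that output is one NFSv4 access control entry in the form type:flags:principal:permissions (A allow, D deny; flags f, d and i mark file-inherit, directory-inherit and inherit-only entries; the numeric principal 33 is the server-side uid that the client could not map to a name, which on Ubuntu is www-data). Because NFSv4 evaluates entries in order and the first entry naming the principal that mentions a permission bit decides it, a reviewer checking an export cannot just scan for an allow line: the deny line above it matters. The following script is an added example, not part of the original page or of nfs4-acl-tools; it decodes these entries into readable form and answers "does principal X hold permission Y on this object" under those first-match rules, on a constructed copy of the ACL shown above. It resolves only literal principals plus EVERYONE@; mapping the caller to OWNER@, GROUP@ or a group name is outside its scope.

```sh
#!/bin/sh
# Added example (not from the page or nfs4-acl-tools): decode nfs4_getfacl ACEs
# and evaluate a permission under NFSv4 first-match semantics.

# Constructed sample, shaped like the page's nfs4_getfacl output.
SAMPLE_ACL='A::OWNER@:rwaDxtTcCy
D::33:waD
A::33:rxtcy
A::GROUP@:rwaDxtcy
A::EVERYONE@:rxtcy
A:fdi:OWNER@:rwaDxtTcCy
D:fdi:33:waD
A:fdi:33:rxtcy
A:fdi:GROUP@:rwaDxtcy
A:fdi:EVERYONE@:rxtcy'

# Permission letter -> name, as documented in nfs4_acl(5).
perm_name() {
  case "$1" in
    r) echo read-data;;        w) echo write-data;;       a) echo append-data;;
    x) echo execute;;          d) echo delete;;           D) echo delete-child;;
    t) echo read-attrs;;       T) echo write-attrs;;      n) echo read-named-attrs;;
    N) echo write-named-attrs;; c) echo read-acl;;        C) echo write-acl;;
    o) echo write-owner;;      y) echo synchronize;;      *) echo "unknown($1)";;
  esac
}

# Flag letter -> name, as documented in nfs4_acl(5).
flag_name() {
  case "$1" in
    f) echo file-inherit;;  d) echo dir-inherit;;  i) echo inherit-only;;
    n) echo no-propagate;;  S) echo audit-success;; F) echo audit-failure;;
    g) echo group;;         *) echo "unknown($1)";;
  esac
}

# Print one ACE "type:flags:principal:perms" in readable form.
ace_explain() {
  type=${1%%:*}; rest=${1#*:}
  flags=${rest%%:*}; rest=${rest#*:}
  who=${rest%%:*}; perms=${rest#*:}
  case "$type" in
    A) t=ALLOW;; D) t=DENY;; U) t=AUDIT;; L) t=ALARM;; *) t="type($type)";;
  esac
  fl=""
  for f in $(printf '%s' "$flags" | sed 's/./& /g'); do
    fl="$fl,$(flag_name "$f")"
  done
  pn=""
  for p in $(printf '%s' "$perms" | sed 's/./& /g'); do
    pn="$pn $(perm_name "$p")"
  done
  printf '%s [%s] %s:%s\n' "$t" "${fl#,}" "$who" "$pn"
}

# acl_allows ACL PRINCIPAL PERM: succeed only if PRINCIPAL is granted PERM.
# ACEs are walked in order; the first non-inherit-only ACE that applies to the
# principal (literal match or EVERYONE@) and mentions PERM decides. If nothing
# decides, the permission is not granted.
acl_allows() {
  verdict=$(printf '%s\n' "$1" | while IFS=: read -r type flags principal perms; do
    case "$flags" in *i*) continue;; esac        # inherit-only: not for this object
    [ "$principal" = "$2" ] || [ "$principal" = EVERYONE@ ] || continue
    case "$perms" in *"$3"*) ;; *) continue;; esac
    if [ "$type" = A ]; then echo allow; else echo deny; fi
    break
  done)
  [ "$verdict" = allow ]
}

# Stand-alone run: decode the sample ACL line by line.
printf '%s\n' "$SAMPLE_ACL" | while read -r ace; do ace_explain "$ace"; done
```

Run against the sample, uid 33 is granted r and x (the allow line after the deny) but not w or D (the deny line wins), and not C (no applicable entry mentions it); an unrelated uid is granted r through EVERYONE@. Feeding the script the real `nfs4_getfacl` output from a client is a quick way to confirm that what the server's `setfacl` intended is what clients actually receive.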