ACLs

NFS ACLs allow the POSIX ACLs set on an NFS server's exported directories to be seen and enforced on the shares' clients, giving consistent access control on the server and across all of its clients.

Enabling ACLs

Every client and every server should have the nfs4-acl-tools package installed. On Ubuntu:

sudo apt install nfs4-acl-tools

Setting ACLs

On the server, set ACLs on the exported directory with the POSIX ACL tools. Here -R applies the change recursively and -m adds or modifies an entry, granting the www-data user read and execute:

sudo setfacl -Rm user:www-data:rx /export/my-share

Reading ACLs from an NFS server

On the server, the ACLs can be read back with the POSIX ACL tools:

$ sudo getfacl /export/my-share
getfacl: Removing leading '/' from absolute path names
# file: mnt/export/myuser
# owner: myuser
# group: myuser
user::rwx
user:www-data:r-x
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:www-data:r-x
default:group::rwx
default:mask::rwx
default:other::r-x

Reading ACLs from a client

Unintuitively, the POSIX ACL tools used above read ACLs straight from the file's extended attributes (system.posix_acl_access), which an NFSv4 client does not expose (it only exposes the NFSv4 ACL as system.nfs4_acl). On a mounted NFS share getfacl therefore only reports the entries it can derive from the mode bits, and the named-user entry for www-data is missing:

$ sudo getfacl /home/myuser/data/base
getfacl: Removing leading '/' from absolute path names
# file: home/myuser/data/base
# owner: myuser
# group: myuser
user::rwx
group::rwx
other::r-x

The nfs4-acl-tools package provides a dedicated nfs4_getfacl tool for this, which reads the NFSv4 ACL the server actually enforces; each line is one access control entry in the form type:flags:principal:permissions (A = allow, D = deny), and uid 33 is www-data, which the client cannot map to a name here:

$ sudo nfs4_getfacl /home/myuser/data/base
A::OWNER@:rwaDxtTcCy
D::33:waD
A::33:rxtcy
A::GROUP@:rwaDxtcy
A::EVERYONE@:rxtcy
A:fdi:OWNER@:rwaDxtTcCy
D:fdi:33:waD
A:fdi:33:rxtcy
A:fdi:GROUP@:rwaDxtcy
A:fdi:EVERYONE@:rxtcy
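As an added illustration (not part of the original notes), the following Python script parses the nfs4_getfacl output above and replays NFSv4's ordered, first-match-per-bit ACL evaluation to work out what a given uid and set of gids can actually do on the share. It assumes the owner myuser is uid/gid 1000 and uses 33 for www-data, which is that account's uid on a default Ubuntu install; both numbers are assumptions for the example. The entries carrying the fdi flags are the inherit-only counterparts of the default: entries getfacl printed on the server, and the D::33:waD deny placed ahead of the A::33:rxtcy allow is how the server's POSIX-to-NFSv4 mapping stops the later GROUP@ and EVERYONE@ allows from widening www-data's access beyond r-x.

```python
"""Decode NFSv4 ACEs printed by nfs4_getfacl and compute effective access.

Added example, not part of the original notes. Owner uid/gid 1000 and
www-data uid 33 are assumptions (33 is www-data on a default Ubuntu install).
"""
from dataclasses import dataclass

# Permission letters used by nfs4_getfacl / nfs4_setfacl (see nfs4_acl(5)).
PERM_NAMES = {
    "r": "read-data/list-directory", "w": "write-data/create-file",
    "a": "append-data/create-subdirectory", "x": "execute/change-directory",
    "d": "delete", "D": "delete-child", "t": "read-attributes",
    "T": "write-attributes", "n": "read-named-attributes",
    "N": "write-named-attributes", "c": "read-ACL", "C": "write-ACL",
    "o": "write-owner", "y": "synchronize",
}

# Constructed sample: the nfs4_getfacl output shown in the notes above.
SAMPLE_ACL = """\
A::OWNER@:rwaDxtTcCy
D::33:waD
A::33:rxtcy
A::GROUP@:rwaDxtcy
A::EVERYONE@:rxtcy
A:fdi:OWNER@:rwaDxtTcCy
D:fdi:33:waD
A:fdi:33:rxtcy
A:fdi:GROUP@:rwaDxtcy
A:fdi:EVERYONE@:rxtcy
"""


@dataclass
class Ace:
    kind: str       # A = allow, D = deny, U = audit, L = alarm
    flags: str      # f/d = file/dir inherit, i = inherit-only, g = group principal
    principal: str  # OWNER@, GROUP@, EVERYONE@, or a numeric user/group id
    perms: str      # permission letters, see PERM_NAMES


def parse_acl(text):
    """Parse nfs4_getfacl output: one 'type:flags:principal:perms' ACE per line."""
    acl = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, flags, principal, perms = line.split(":", 3)
        if kind not in ("A", "D", "U", "L") or not principal:
            raise ValueError(f"malformed ACE: {line!r}")
        unknown = set(perms) - set(PERM_NAMES)
        if unknown:
            raise ValueError(f"unknown permission letters {unknown} in {line!r}")
        acl.append(Ace(kind, flags, principal, perms))
    return acl


def describe(ace):
    """Expand an ACE's permission letters into their names."""
    return [PERM_NAMES[p] for p in ace.perms]


def _matches(ace, uid, gids, owner_uid, owner_gid):
    """Does this ACE apply to a process with the given identity?"""
    who = ace.principal
    if who == "EVERYONE@":
        return True
    if who == "OWNER@":
        return uid == owner_uid
    if who == "GROUP@":
        return owner_gid in gids
    if not who.isdigit():
        return False  # named principals need idmap resolution; not modelled here
    return int(who) in gids if "g" in ace.flags else int(who) == uid


def effective_perms(acl, uid, gids, owner_uid, owner_gid):
    """Walk the ACL in order: the first matching ACE that mentions a permission
    bit decides that bit. Returns (allowed, denied) sets of letters."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.kind not in ("A", "D") or "i" in ace.flags:
            continue  # audit/alarm and inherit-only ACEs grant nothing on this object
        if not _matches(ace, uid, gids, owner_uid, owner_gid):
            continue
        for p in ace.perms:
            if p not in allowed and p not in denied:
                (allowed if ace.kind == "A" else denied).add(p)
    return allowed, denied


def rwx_for(acl, uid, gids, owner_uid, owner_gid):
    """Summarise effective access as the familiar rwx triplet."""
    allowed, _ = effective_perms(acl, uid, gids, owner_uid, owner_gid)
    return "".join(p if p in allowed else "-" for p in "rwx")


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for ace in acl:
        print(f"{ace.kind}:{ace.flags or '-'}:{ace.principal}: {', '.join(describe(ace))}")
    # www-data (uid 33): the deny for w/a/D is hit first, so the later
    # GROUP@ and EVERYONE@ allows cannot widen its access.
    print("www-data:", rwx_for(acl, 33, {33}, 1000, 1000))      # r-x
    print("owner   :", rwx_for(acl, 1000, {1000}, 1000, 1000))  # rwx
    print("other   :", rwx_for(acl, 2000, {2000}, 1000, 1000))  # r-x
```

The evaluator goes a little beyond the single ACL on the page: it honours the g flag for group principals, skips audit and alarm ACE types, and shows why ordering matters, since a uid 33 process that is also in the owner's group still ends up with r-x because the deny entry is reached before the GROUP@ allow.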