Re: NFS4 ACL <-> Posix ACL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Mar 18, 2009 at 06:42:10PM +0100, Alex Bremer wrote:
> Hello,
> 
> I have a working NFS4 installation (kerberos + ldap) but some trouble
> understanding all these ACL mappings. On my server (ubuntu 8.04) the
> ext3 filesystems are mounted with the "acl" option and setting Posix
> ACLs works quite well.
> 
> On the client side (ubuntu 8.10) my libacl seems to lack NFSv4 ACL
> support and therefore I can't see the acl list. However I installed
> nfs4 acl tools and now I can see the ACL permissions of a
> file/directory.
> 
> Using Posix ACLs on the server I added a default mask so that newly
> created files/directories in the public area are group-writeable. This
> works quite well on the server and this used to work with NFS3 (which
> supports POSIX ACLs) on the client side, too. However on a client
> using NFS4, these Posix-ACLs don't seem to get mapped to NFS4-ACLs.

Actually, they do; what's happening (I believe--this is partly just
memory based on last time I looked at something like this) is more
subtle: the umask is being overridden by inheritance in the v2/v3 case,
and not in the v4 case.

Posix default acls are supposed to override the umask.  This is tricky
for NFS, since the umask isn't sent over the wire on file creation,
leaving the client and server no way to distinguish the create mode from
the umask.  The v2/v3 client currently works around this by doing the
whole inheritance calculation on the client (reading the directory's
acl, then explicitly setting the new child's acl based on it).  The v4
client doesn't do that.  So:

> Here are the ACLs:
> -----------------
> server> getfacl test/
> 
> user::rwx
> group::rwx
> other::---
> default:user::rwx
> default:group::rwx
> default:other::---
> 
> server> touch test/tmp
> server> ls -l test/tmp
> -rw-rw---- 1 albremer domusers 0 2009-03-18 18:32 test/tmp
> ---------------
> client> nfs4_getfacl test/
> 
> A::OWNER@:rwaDxtTcCy
> A::GROUP@:rwaDxtcy
> A::EVERYONE@:tcy
> A:fdi:OWNER@:rwaDxtTcCy
> A:fdi:GROUP@:rwaDxtcy
> A:fdi:EVERYONE@:tcy
> 
> client> touch test/tmp
> client> ls -l test/tmp
> -rw-r----- 1 albremer domusers 0 2009-03-18 18:32 test/tmp
> ---------------

If you do a getfacl on the server you'll probably see that it looks
like:

# file: test/tmp
# owner: root
# group: root
user::rw-
group::rwx                      #effective:r--
mask::r--
other::---

So note the "group" bits are set correctly, but the mask is limiting
permissions as a result of the open that created the file setting the
file to 644 (based on a 022 umask).

> Can anybody tell me what is wrong here? Is there any mapping between
> NFS4-ACLs and Posix-ACLs on the server side or are they handled
> seperately?

There are no nfsv4 acls on the filesystem at all, so everything is done
by mapping to and from the filesystem's posix acls.

> Another question: If I add the mount option "user_xattr" to the nfs4
> exported filesystems, on the client side all permissions are shown as
> "nobody:nogroup". Why is that?

That's bizarre.  Neither server nor client nor idmapd should be using
user extended attributes at all.  Are you sure you something else wasn't
changed at the same time?

--b.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux