Access Control Lists (ACL)
ACLs offer a more flexible way to control file and directory rights than the usual owner-group-other schema in Unix. We use them on some group shares for example. In a nutshell, with ACLs you can set separate permissions for every single user.
Please use ACLs only if really necessary. By design, group shares are meant to be accessible by the whole group, as the research data should remain accessible, even if individual members leave the group.
Note that the following commands should be executed on one of our managed Linux workstations, for instance
login.phys.ethz.ch. You will need to use a different set of tools to view and modify ACLs, depending on how the share is mounted. In most cases the NFSv4 documentation should apply.
How to detect ACLs
ls -l looks something like this
drwxrws---+ 4 daduke ast 4.0K 2011-10-28 10:41 test
+ sign at the end), then the directory in question has ACL rules applied.
How to view and modify ACL over NFSv4
nfs4_getfacl test # get current acls nfs4_setfacl -e test # edit acls in editor
Adapting NFSv4 ACLs from POSIX ACLs
To use bare usernames, they must now be qualified with a domain — for username
johndoe (and pretty much every D-PHYS user) this would now be
You can still use numeric IDs, as before, without resolving them to a domain.
For the familiar POSIX permissions shorthands
X exist, to avoid the complexities of the additional granularity offered by NFSv4.
Both these features only work when first setting the entry. To modify, you must resolve the result and adjust accordingly.
For example, to add an ACL entry for user
rwx permissions , you would run:
nfs4_setfacl -a A::email@example.com:RWX /path/to/file
To modify this in-place, to take away the
nfs4_getfacl /path/to/file D::OWNER@:x A::OWNER@:rwatTcCy A::1001:rwaxtcy # this is the resolved user id of the user in the previous example A::1002:rwaxtcy A::GROUP@:rwatcy A::EVERYONE@:rtcy nfs4_setfacl -m A::1001:RWX A::firstname.lastname@example.org:R /path/to/file
EVERYONE@ shorthands are equivalent to the
other fields in basic POSIX permissions.
Always make sure that the result, especially if using any of the aliases (user@domain and the RWX shortcuts), reflects your original intentions.
nfs4_getfacl /path/to/file D::OWNER@:x A::OWNER@:rwatTcCy D::1001:wa A::1001:rtcy A::1002:rwaxtcy A::GROUP@:rwatcy A::EVERYONE@:rtcy
For more details, please check the manual pages
man 5 nfs_acl and
And please be aware that, while NFSv4 does offer many more features, it is still possible to access these shares using NFSv3, samba, or directly over the filesystem, where they will be translated to POSIX ACLs, as best as that is possible. Usually as the least permissive intersection of features of both.
phd-san-gw2:~# getfacl /path/to/file/on/actual/filesystem getfacl: Removing leading '/' from absolute path names # file: path/to/file/on/actual/filesystem # owner: janedoe # group: isg user::rw- user:johndoe:r-- user:janedoe:rwx group::rw- mask::rwx other::r--
How to view and modify ACL over NFSv3
If a share is mounted via NFSv3, you can display ACLs by running
which will show
# file: test # owner: daduke # group: ast # flags: -s- user::rwx user:schmid:rwx user:kovac:rwx user:amaraa:rwx user:geersv:rwx group::--- mask::rwx other::---
To modify ACLs you just need something like
setfacl -m u:daduke:rw test
write permission on file
test to user
setfacl -x u:daduke test
to remove these permissions again. If you need more,
is your friend.
There is also a nice GUI that we have installed on our Linux workstations:
eiciel. Start it, open the file or directory you'd like to modify and then edit the users' permissions.