From: "J. Bruce Fields" <bfields@fieldses.org>
To: Alex Bremer <albremer@googlemail.com>
Cc: linux-nfs@vger.kernel.org
Subject: Re: NFS4 ACL <-> Posix ACL
Date: Thu, 19 Mar 2009 15:35:14 -0400 [thread overview]
Message-ID: <20090319193514.GE3072@fieldses.org> (raw)
In-Reply-To: <7f62dcb30903181042n42bae0bbk99f5c91fce6e9e82-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Wed, Mar 18, 2009 at 06:42:10PM +0100, Alex Bremer wrote:
> Hello,
>
> I have a working NFS4 installation (kerberos + ldap) but some trouble
> understanding all these ACL mappings. On my server (ubuntu 8.04) the
> ext3 filesystems are mounted with the "acl" option and setting Posix
> ACLs works quite well.
>
> On the client side (ubuntu 8.10) my libacl seems to lack NFSv4 ACL
> support and therefore I can't see the acl list. However I installed
> nfs4 acl tools and now I can see the ACL permissions of a
> file/directory.
>
> Using Posix ACLs on the server I added a default mask so that newly
> created files/directories in the public area are group-writeable. This
> works quite well on the server and this used to work with NFS3 (which
> supports POSIX ACLs) on the client side, too. However on a client
> using NFS4, these Posix-ACLs don't seem to get mapped to NFS4-ACLs.
Actually, they do; what's happening (I believe--this is partly just
memory based on last time I looked at something like this) is more
subtle: the umask is being overridden by inheritance in the v2/v3 case,
and not in the v4 case.
Posix default acls are supposed to override the umask. This is tricky
for NFS, since the umask isn't sent over the wire on file creation,
leaving the client and server no way to distinguish the create mode from
the umask. The v2/v3 client currently works around this by doing the
whole inheritance calculation on the client (reading the directory's
acl, then explicitly setting the new child's acl based on it). The v4
client doesn't do that. So:
> Here are the ACLs:
> -----------------
> server> getfacl test/
>
> user::rwx
> group::rwx
> other::---
> default:user::rwx
> default:group::rwx
> default:other::---
>
> server> touch test/tmp
> server> ls -l test/tmp
> -rw-rw---- 1 albremer domusers 0 2009-03-18 18:32 test/tmp
> ---------------
> client> nfs4_getfacl test/
>
> A::OWNER@:rwaDxtTcCy
> A::GROUP@:rwaDxtcy
> A::EVERYONE@:tcy
> A:fdi:OWNER@:rwaDxtTcCy
> A:fdi:GROUP@:rwaDxtcy
> A:fdi:EVERYONE@:tcy
>
> client> touch test/tmp
> client> ls -l test/tmp
> -rw-r----- 1 albremer domusers 0 2009-03-18 18:32 test/tmp
> ---------------
If you do a getfacl on the server you'll probably see that it looks
like:
# file: test/tmp
# owner: root
# group: root
user::rw-
group::rwx #effective:r--
mask::r--
other::---
So note the "group" bits are set correctly, but the mask is limiting
permissions as a result of the open that created the file setting the
file to 644 (based on a 022 umask).
> Can anybody tell me what is wrong here? Is there any mapping between
> NFS4-ACLs and Posix-ACLs on the server side or are they handled
> seperately?
There are no nfsv4 acls on the filesystem at all, so everything is done
by mapping to and from the filesystem's posix acls.
> Another question: If I add the mount option "user_xattr" to the nfs4
> exported filesystems, on the client side all permissions are shown as
> "nobody:nogroup". Why is that?
That's bizarre. Neither server nor client nor idmapd should be using
user extended attributes at all. Are you sure you something else wasn't
changed at the same time?
--b.
next prev parent reply other threads:[~2009-03-19 19:35 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-18 17:42 NFS4 ACL <-> Posix ACL Alex Bremer
[not found] ` <7f62dcb30903181042n42bae0bbk99f5c91fce6e9e82-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-03-19 19:35 ` J. Bruce Fields [this message]
2009-03-23 13:46 ` Alex Bremer
[not found] ` <7f62dcb30903230646u183c79e0i4366edebe32654d5-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-03-23 21:33 ` J. Bruce Fields
2009-03-24 1:56 ` Alex Bremer
[not found] ` <7f62dcb30903231856h7a17cea5ud7a22796ddfb6383-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-03-24 20:10 ` J. Bruce Fields
2009-03-24 21:44 ` Trond Myklebust
[not found] ` <1237931047.7516.15.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-03-24 22:15 ` J. Bruce Fields
2009-03-24 22:22 ` Trond Myklebust
[not found] ` <1237933367.7516.27.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-03-24 22:34 ` J. Bruce Fields
2009-03-24 22:54 ` Trond Myklebust
[not found] ` <1237935281.7516.40.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-03-24 23:02 ` J. Bruce Fields
2009-03-24 23:20 ` Trond Myklebust
[not found] ` <1237936852.7516.50.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-03-24 23:57 ` J. Bruce Fields
2009-03-24 22:21 ` J. Bruce Fields
2009-03-24 22:28 ` Trond Myklebust
[not found] ` <1237933686.7516.31.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-03-24 22:39 ` J. Bruce Fields
2009-03-24 3:09 ` Greg Banks
2009-03-24 12:08 ` Alex Bremer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090319193514.GE3072@fieldses.org \
--to=bfields@fieldses.org \
--cc=albremer@googlemail.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.