18 Managing Access Control Lists over NFSv4
There is no single standard for Access Control Lists (ACLs) in Linux beyond
the simple read, write, and execute (rwx) flags for user, group, and others
(ugo). One option for finer control is the Draft POSIX ACLs, which were never
formally standardized by POSIX. Another is the NFSv4 ACLs, which were designed
to be part of the NFSv4 network file system with the goal of providing
reasonable compatibility between POSIX systems on Linux and WIN32 systems on
Microsoft Windows.
NFSv4 ACLs are not sufficient to correctly implement Draft POSIX ACLs, so no
attempt has been made to map ACL accesses on an NFSv4 client (such as using
setfacl).
When using NFSv4, Draft POSIX ACLs cannot be used even in emulation and NFSv4
ACLs need to be used directly; that means while setfacl can work on NFSv3, it
cannot work on NFSv4. To allow NFSv4 ACLs to be used on an NFSv4 file system,
SUSE Linux Enterprise Server provides the nfs4-acl-tools package, which
contains the following:
nfs4-getfacl
nfs4-setfacl
nfs4-editacl
These operate in a generally similar way to getfacl and setfacl for examining
and modifying NFSv4 ACLs. These commands are effective only if the file system
on the NFS server provides full support for NFSv4 ACLs. Any limitation imposed
by the server will affect programs running on the client in that some
particular combinations of Access Control Entries (ACEs) might not be possible.
Mounting NFS volumes locally on the exporting NFS server is not supported.
Additional Information
For more information, see Introduction to NFSv4 ACLs at http://wiki.linux-nfs.org/wiki/index.php/ACLs#Introduction_to_NFSv4_ACLs.