3

1. The question

I have a directory dir, which has (NFS) ACL default permissions, so that every file and folder created in it can be written by the user 1001 too by default. This directory is shared on NFS v4.

How do I make sure that every file and folder I create through NFS inherits this permission?

2. Commands I ran exactly

I ran the following commands on the NFS client side.

client@nfsclient $ nfs4_getfacl dir

# file: dir
A::OWNER@:rwaDxtTcCy
A::1001:rwaDxtcy
A::GROUP@:rxtcy
A::EVERYONE@:rxtcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:1001:rwaDxtcy
A:fdi:GROUP@:rxtcy
A:fdi:EVERYONE@:rxtcy

However, when I create a new file in it, its permissions don't allow user 1001 to write this file.

client@nfsclient $ touch dir/file
client@nfsclient $ nfs4_getfacl dir/file

# file: dir/file
A::OWNER@:rwatTcCy
A::1001:rtcy
A::GROUP@:rtcy
A::EVERYONE@:rtcy

Why doesn't user 1001 have write permission to dir/file in this case?

When I look at this same dir/file on the NFS server, the permissions somehow don't allow it to write because of the mask.

server@nfsserver $ getfacl dir/file
# file: dir/file
# owner: client
# group: client
user::rw-
user:1001:rwx                   #effective:r--
group::r-x                      #effective:r--
mask::r--
other::r--

Is there a way to make sure that on file creation the mask is correct?

3. It works on serverside

When I run the same exact commands on serverside, the default permissions are obeyed.

server@nfsserver $ getfacl dir
# file: dir
# owner: client
# group: client
user::rwx
user:1001:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:1001:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

And it creates the permissions just right.

server@nfsserver $ touch dir/file
server@nfsserver $ getfacl dir/file
# file: dir/file
# owner: server
# group: server
user::rw-
user:1001:rwx                   #effective:rw-
group::r-x                      #effective:r--
mask::rw-
other::r--

I'm using NFS v4, and ext4 filesystem.

3 Answers

0

For this to work you need identical UIDs and GIDs on both systems. Ideally, you should run some sort of domain software to accomplish this (LDAP, NIS, NISplus, etc.)

There are a number of other Q&A threads on these topics if you look at https://serverfault.com or https://unix.stackexchange.com/

If you don't have a system like that in place it might be easier for you to make identical GIDs on each system. Set group permissions. Then put the proper users into the proper groups. That way the users can change but the group-based permissions stay. This makes administration of ACLs much easier than specifying per-user permissions all over the place.

8
  • I have modified the nfsclient and 1001's users uids and gids to be the same on both machines, and the issue still persists. Maybe I missed some groups or user that was relevant?
    – Gabor
    Commented May 7, 2019 at 10:30
  • Is the umask setting also identical on each system? (That's what defines the permissions of new objects, not NFS)
    – HackSlash
    Commented May 7, 2019 at 15:37
  • Yes, they are identical. However, you are probably right that the users and mappings need to be adjusted, probably in /etc/idmapd.conf. It still doesn't work, but I'm working on it.
    – Gabor
    Commented May 7, 2019 at 19:48
  • I have configured now both the server and client to use username@domain format. But, the mask is still r-- by default for a newly created file. The user/group configuration didn't help.
    – Gabor
    Commented May 12, 2019 at 6:39
  • Both the text and the UID numbers in /etc/passwd are identical? As well as the text and GUID numbers in /etc/groups. All have to match on all systems.
    – HackSlash
    Commented May 13, 2019 at 15:13
0

Unfortunately, I was not able to find any good solution. The only thing I could do is the following.

Set umask to at most 002 on the client.

client@nfsclient $ umask 002

This will set the mask on the server properly, so it will make any default permissions correctly too. However, this will create writable files for the group by default.

I also tried sshfs, and the exact same thing happens there too.

See also https://serverfault.com/questions/544194/nfs-v4-acl-inheritance-problems-i-flag-set-but-not-wanted/544771.

0

Hey, I know it's an old thread, but I want to point out that with NFS 4.2 it works on my system (RHEL 8). I can set default ACLs with permissions and the umask doesn't mask them away.

On Server:

vi /etc/exports
/export/c       -root_squash,rw [Client]
/export/d       -root_squash,rw [Client]

getfacl Group1
# file: Group1
# owner: root
# group: nfs
# flags: -st
user::rwx
group::rwx
group:access:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:access:r-x
default:mask::rwx
default:other::---

The Directory Group1 exists on Directory c and d

On Client:

vi /etc/fstab
[server]:/export/c         /mnt/nfs/c      nfs4    defaults,nfsvers=4.0    0       0
[server]:/export/d         /mnt/nfs/d      nfs4    defaults,nfsvers=4.2    0       0


#User with group nfs
umask 0027

mkdir /mnt/nfs/c/Group1/a
mkdir /mnt/nfs/d/Group1/a

ll -d /mnt/nfs/c/Group1/a
drwxr-s---. 2 Daniel nfs 6 Nov 25 16:02 a

ll -d /mnt/nfs/d/Group1/a
drwxrws---. 2 Daniel nfs 6 Nov 26 09:05 a

Correct me if I am wrong, but I also tested it on nfsvers=4.1 and it also won't work, so I assume that thing got fixed in NFSv4.2.

1
  • You need nfs4_getfacl for NFSv4. getfacl is for POSIX permissions.
    – mr.zog
    Commented Dec 20, 2023 at 17:12
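
The outputs posted in the question and in the NFSv4.2 answer can be reproduced with a small model of how Linux combines a default POSIX ACL with the creation mode. This is an added example, not code from any poster; the function names and the umask of 022 assumed for the question are illustrative, and the "umask travels separately" case corresponds to the NFSv4.2 umask attribute (RFC 8275).

```python
# Added model, not code from the thread: how a default POSIX ACL and the
# creation mode combine into a new object's access ACL on Linux.

def bits(s):
    """'r-x' -> 5"""
    return sum(4 >> i for i, c in enumerate(s) if c != "-")

def text(n):
    """5 -> 'r-x'"""
    return "".join(c if n & (4 >> i) else "-" for i, c in enumerate("rwx"))

def create(default_acl, mode, umask, client_applies_umask):
    """Access ACL of an object created under a directory with default_acl.

    client_applies_umask=True models what the thread reports for nfsvers=4.0/4.1:
    the mode reaches the server already reduced by the client's umask.
    False models local creation and NFSv4.2, where the umask is kept separate.
    """
    if client_applies_umask or not default_acl:
        mode &= ~umask                      # the umask is applied to the mode
    if not default_acl:                     # no default ACL: plain mode bits
        return {"user::": text(mode >> 6 & 7),
                "group::": text(mode >> 3 & 7),
                "other::": text(mode & 7)}
    acl = dict(default_acl)                 # named entries, group:: copied as-is
    group_key = "mask::" if "mask::" in acl else "group::"
    # user::, mask:: and other:: are intersected with the requested mode bits
    for key, shift in (("user::", 6), (group_key, 3), ("other::", 0)):
        acl[key] = text(bits(acl[key]) & (mode >> shift) & 7)
    return acl

def effective(acl, entry):
    """Permissions an entry really grants once the mask is applied."""
    return text(bits(acl[entry]) & bits(acl.get("mask::", "rwx")))

# Default ACLs copied from the getfacl output in the question and the last answer.
QUESTION_DEFAULT = {"user::": "rwx", "user:1001": "rwx", "group::": "r-x",
                    "mask::": "rwx", "other::": "r-x"}
ANSWER_DEFAULT = {"user::": "rwx", "group::": "rwx", "group:access": "r-x",
                  "mask::": "rwx", "other::": "---"}

if __name__ == "__main__":
    for label, early in (("umask applied by client", True), ("umask kept separate", False)):
        acl = create(QUESTION_DEFAULT, 0o666, 0o022, early)   # touch dir/file
        print(label, acl["mask::"], effective(acl, "user:1001"))
```

The model shows why `umask 002` on the client restores write access for user 1001: the group bits of the mode that reaches the server become the ACL mask, so any umask that clears group write also clears it for every named entry.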
