NFS4 Permissions and Ownership

This document describes the NFS4_getfacls and NFS4_setfacls commands to change permission and ownership of files and directories on NFS4 file systems. All Linux/UNIX COM S computers are NFS4 file systems.

Viewing Permissions

To view permissions on a NFS4 file system, use the nfs4_getfacl filename command.

Here is an example:

UNIX>$ ls

file1   file2

UNIX>$ nfs4_getfacl file1









​When you view a permission, it will show you in ACL format. An ACL format is made up of type flag principal permissions.

Type can be either 'A' for allow or 'D' for deny. So in the above example, A:g:GROUP@:rtncy is allowing GROUP to have the given permissions and D:g:GROUP@:waxTC is denying GROUP to have the given permissions.

Flag is on optional field. If you are changing permissions for a user, the flag is not needed. If you are changing permissions for a group, there are three different flags:

Flag Meaning
g Used to give groups the ACL to all members of the group.
d Used to give subdirectories the ACL from the target directory.
f Used to give files the ACL from the target directory.

Principal is either the users, OWNER@, GROUP@, or EVERYONE@. In the example, bob@IASTATE.EDU is an example of the users principal in the Iowa State Universities domain.

Permissions are the symbols that come at the end. The main ones have the following meanings:

Symbol Meaning
r Has permission to read the file/directory.
w Has permission to write (change) to the file/directory.
x Has permission to execute the file (program).

So in the example, Alice can read and execute, Bob can read and write and the groups GROUP and EVERYONE can read. For more information on these symbols visit nfs4_acl.

Changing Permissions

To change permissions, use nfs4_setfacl command fileFile is the file name you want to change permissions on. Command can be one of the following:

Command Meaning
-a acl Add an ACL permission.
-m fromACL toACL Modify an ACL from fromACL​ to toACL​.
-x acl Deletes an ACL permission.

The ACL is in the same format as described above. An example of changing Bob's permissions so that he can execute in the example above would be:

UNIX>$ nfs4_setfacl -a A::bob@IASTATE.EDU:X file1

​An example of remove Alice's permissions from the example above would be:

UNIX>$ nfs4_setfacl -x A::alice@IASTATE.EDU:RX file1

UNIX>$ nfs4_setfacl -x D:alice@IASTATE.EDU:W file1

For more information on nfs4_setfacl, visit nfs4_setfacl.