NFS4 Permissions and Ownership

This document describes the nfs4_getfacl and nfs4_setfacl commands, which view and change permissions and ownership of files and directories on NFS4 file systems. All Linux/UNIX COM S computers use NFS4 file systems.


Viewing Permissions


To view permissions on a NFS4 file system, use the nfs4_getfacl filename command.


Here is an example:

UNIX>$ ls
file1   file2
UNIX>$ nfs4_getfacl file1
A::OWNER@:rwatTnNcCy
A::alice@IASTATE.EDU:rxtncy
D::alice@IASTATE.EDU:w
A::bob@IASTATE.EDU:rwadtTnNcCy
A:g:GROUP@:rtncy
D:g:GROUP@:waxTC
A::EVERYONE@:rtncy
D::EVERYONE@:waxTC


When you view permissions, they are shown in ACL format. Each ACL entry is made up of four colon-separated fields: type:flag:principal:permissions.


Type can be either 'A' for allow or 'D' for deny. So in the above example, A:g:GROUP@:rtncy allows GROUP the given permissions and D:g:GROUP@:waxTC denies GROUP the given permissions.


Flag is an optional field. If you are changing permissions for a user, the flag is not needed. If you are changing permissions for a group, there are three different flags:

Flag   Meaning
g      Used to give the ACL entry to all members of the group.
d      Used to give subdirectories the ACL entry from the target directory.
f      Used to give files the ACL entry from the target directory.

Principal is either a user, OWNER@, GROUP@, or EVERYONE@. In the example, bob@IASTATE.EDU is a user principal in the Iowa State University domain.


Permissions are the symbols that come at the end. The main ones have the following meanings:

Symbol   Meaning
r        Has permission to read the file/directory.
w        Has permission to write (change) the file/directory.
x        Has permission to execute the file (program).

So in the example, Alice can read and execute, Bob can read and write, and the groups GROUP and EVERYONE can read. For more information on these symbols, see the nfs4_acl manual page.


Changing Permissions


To change permissions, use nfs4_setfacl command file. File is the name of the file whose permissions you want to change. Command can be one of the following:

Command             Meaning
-a acl              Add an ACL entry.
-m fromACL toACL    Modify an ACL entry from fromACL to toACL.
-x acl              Delete an ACL entry.

The ACL is in the same format as described above. An example of changing Bob's permissions so that he can execute in the example above would be:


UNIX>$ nfs4_setfacl -a A::bob@IASTATE.EDU:X file1


An example of removing Alice's permissions from the example above would be:

UNIX>$ nfs4_setfacl -x A::alice@IASTATE.EDU:RX file1
UNIX>$ nfs4_setfacl -x D::alice@IASTATE.EDU:w file1
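A pre-check for the removal step, added here as an example and not part of the original page or of nfs4-acl-tools. Before calling nfs4_setfacl -x it expands the R, W and X aliases the tool accepts (per the nfs4_acl manual page: R = rntcy, W = watTNcCy with D added on directories, X = xtcy) and confirms that the spec matches an entry in the current listing field for field, which is what -x needs in order to remove it (assumed from the tool's documented behaviour). The sample listing is constructed from the alice entries above; expand_perms, matching_ace and remove_ace are names chosen for this example. Run against the sample, the spec D::alice@IASTATE.EDU:W finds nothing, because W expands to far more than the single w in the deny entry, while D::alice@IASTATE.EDU:w and A::alice@IASTATE.EDU:RX both match.

```shell
#!/bin/sh
# Added example (not from the original page): verify that an ACE spec really
# matches an entry on the file before handing it to "nfs4_setfacl -x".
# Assumptions (from nfs4_acl(5)): nfs4_setfacl expands the aliases R=rntcy,
# W=watTNcCy (plus D on directories) and X=xtcy, and -x removes an entry only
# when type, flags, principal and the permission set all match.

# Constructed sample: the alice entries from the nfs4_getfacl listing above.
CURRENT_ACL='A::alice@IASTATE.EDU:rxtncy
D::alice@IASTATE.EDU:w
A::EVERYONE@:rtncy'

# expand_perms LETTERS [dir] : expand R/W/X aliases and print the permission
# letters in a canonical order so two specs can be compared as sets.
expand_perms() {
    p=$(printf '%s' "$1" | sed -e 's/R/rntcy/g' -e 's/X/xtcy/g')
    if [ "$2" = dir ]; then
        p=$(printf '%s' "$p" | sed 's/W/watTNcCyD/g')
    else
        p=$(printf '%s' "$p" | sed 's/W/watTNcCy/g')
    fi
    printf '%s' "$p" | fold -w 1 | LC_ALL=C sort -u | tr -d '\n'
}

# matching_ace ACL SPEC [dir] : print the entry of ACL (one per line) that SPEC
# denotes, comparing type, flags, principal and expanded permission set; exit
# status 1 if no entry matches.
matching_ace() {
    acl=$1; spec=$2; kind=$3
    want_type=$(printf '%s\n' "$spec" | cut -d: -f1)
    want_flags=$(printf '%s\n' "$spec" | cut -d: -f2)
    want_who=$(printf '%s\n' "$spec" | cut -d: -f3)
    want_perms=$(expand_perms "$(printf '%s\n' "$spec" | cut -d: -f4)" "$kind")
    while IFS=: read -r t f who perms; do
        [ -n "$t" ] || continue
        if [ "$t" = "$want_type" ] && [ "$f" = "$want_flags" ] \
           && [ "$who" = "$want_who" ] \
           && [ "$(expand_perms "$perms" "$kind")" = "$want_perms" ]; then
            printf '%s:%s:%s:%s\n' "$t" "$f" "$who" "$perms"
            return 0
        fi
    done <<EOF
$acl
EOF
    return 1
}

# remove_ace FILE SPEC : read the live ACL with nfs4_getfacl and only call
# nfs4_setfacl -x when SPEC matches an entry, so a typo or an alias that
# expands to a different set is reported instead of silently doing nothing.
remove_ace() {
    kind=""; [ -d "$1" ] && kind=dir
    current=$(nfs4_getfacl "$1") || return 1
    if ace=$(matching_ace "$current" "$2" "$kind"); then
        printf 'removing %s from %s\n' "$ace" "$1"
        nfs4_setfacl -x "$ace" "$1"
    else
        printf 'no entry on %s matches %s\n' "$1" "$2" >&2
        return 1
    fi
}

# Demo against the constructed listing (no NFS mount needed).
for spec in 'A::alice@IASTATE.EDU:RX' 'D::alice@IASTATE.EDU:W' 'D::alice@IASTATE.EDU:w'; do
    if ace=$(matching_ace "$CURRENT_ACL" "$spec"); then
        printf '%-26s matches %s\n' "$spec" "$ace"
    else
        printf '%-26s matches nothing\n' "$spec"
    fi
done
```

On a real file you would call remove_ace file1 'A::alice@IASTATE.EDU:RX'; the demo loop only exercises the matching logic on the embedded sample.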


For more information on nfs4_setfacl, see the nfs4_setfacl manual page.