I have ACLs on a dir exported by NFSv3:
$ getfacl t1
# file: t1
# owner: root
# group: some_group
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::---
A member of some_group creates a file and a dir over the NFS mount:
$ umask
0027
$ touch file
$ mkdir dir
$ ls -l
total 1
drwxr-s---+ 2 some_user some_group 4096 Sep 2 17:27 dir/
-rw-r-----+ 1 some_user some_group 0 Sep 2 17:27 file
$ getfacl *
# file: dir
# owner: some_user
# group: some_group
# flags: -s-
user::rwx
group::rwx #effective:r-x
mask::r-x
other::---
default:user::rwx
default:group::rwx
default:other::---
# file: file
# owner: some_user
# group: some_group
user::rw-
group::rwx #effective:r--
mask::r--
other::---
At first the group permissions look unexpected. But there's a post in the Red Hat Knowledge Base (https://access.redhat.com/solutions/3951111) explaining that NFSv3 has no way to pass on both the requested file mode and the umask, and so it merges them before sending the mode to the server. With that the above result is explainable.
The resulting permissions are not what I wanted to achieve as other group members now cannot write to the files and dirs.
Using another dir where the ACLs got an additional explicit rule for some_group, the behaviour regarding group permissions changed:
$ getfacl t2
# file: t2
# owner: root
# group: some_group
# flags: -s-
user::rwx
group::rwx
group:some_group:rwx <- additional entry
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:some_group:rwx <- additional entry
default:mask::rwx
default:other::---
Repeating file and dir creation as above leads to different group permissions:
$ umask
0027
$ touch file
$ mkdir dir
$ ls -l
total 1
drwxrws---+ 2 some_user some_group 4096 Sep 2 17:34 dir/
-rw-rw----+ 1 some_user some_group 0 Sep 2 17:34 file
$ getfacl *
# file: dir
# owner: some_user
# group: some_group
# flags: -s-
user::rwx
group::rwx
group:some_group:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:some_group:rwx
default:mask::rwx
default:other::---
# file: file
# owner: some_user
# group: some_group
user::rw-
group::rwx #effective:rw-
group:some_group:rwx #effective:rw-
mask::rw-
other::---
While I really appreciate this (it is exactly what I wanted to accomplish with ACLs: users of the group can write to the files and dirs) I do not really understand why the permissions are calculated differently when there's an explicit ACL.
Is this some special case handling in the NFS client code?
Some more details:
- the NFS server is RedHat EL 8.5
- the client is CentOS 7.9
- some_group is not the primary group of some_user
- export:
/test_acl centos7client(sync,no_wdelay,hide,no_subtree_check,fsid=210511,sec=sys,rw,secure,root_squash,no_all_squash)
- mount:
<serverip>:/test_acl on /test_acl type nfs (rw,nosuid,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=<serverip>,mountvers=3,mountport=597,mountproto=tcp,local_lock=none,addr=<serverip>)
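The following Python example is added here and is not part of the question; it simulates the POSIX.1e rule for deriving a new object's access ACL from the parent directory's default ACL and the mode the creating process requests (the intersection algorithm Linux implements in posix_acl_create_masq()). Fed the two default ACLs from the post, it reproduces the four getfacl results above when the t1 cases are given a create mode with the umask already merged (0640 for the file, 0750 for the dir) and the t2 cases a mode without the umask (0666/0777). That the t2 output only matches the unmerged mode is an inference from the posted output, not a statement about what the NFS client does; the constants and the scenario() helper are this example's own.

```python
# Added example (not from the post): simulate how a new file's or directory's
# access ACL is derived from the parent directory's default ACL and the mode
# the creating process requests. The rules follow the POSIX.1e creation
# algorithm as implemented by Linux's posix_acl_create_masq(): user::/other::
# entries are intersected with the matching class of the requested mode, and
# the mode's group bits are intersected with the mask (or the owning-group
# entry when the default ACL has no mask). Named entries are inherited as-is.

R, W, X = 4, 2, 1


def parse_perm(text):
    """'rwx' / 'r-x' / '---' -> 3-bit integer."""
    return ((R if text[0] == "r" else 0)
            | (W if text[1] == "w" else 0)
            | (X if text[2] == "x" else 0))


def fmt_perm(perm):
    """3-bit integer -> 'rwx' style string."""
    return (("r" if perm & R else "-")
            + ("w" if perm & W else "-")
            + ("x" if perm & X else "-"))


def parse_acl(text):
    """Parse getfacl-style lines ('default:group:some_group:rwx') into
    (tag, qualifier, perm) tuples; 'default:' and '#effective:' are dropped."""
    entries = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if parts[0] == "default":
            parts = parts[1:]
        tag, qualifier, perm = parts
        entries.append((tag, qualifier, parse_perm(perm)))
    return entries


def create_access_acl(default_acl, mode):
    """Return (access ACL entries, resulting mode bits) for an object created
    under a directory carrying DEFAULT_ACL when the process requested MODE."""
    acl = [list(e) for e in default_acl]
    group_obj = mask_obj = None
    for entry in acl:
        tag, qualifier, _ = entry
        if tag == "user" and qualifier == "":        # user:: (owner)
            entry[2] &= (mode >> 6) & 7
            mode &= (entry[2] << 6) | 0o077
        elif tag == "group" and qualifier == "":     # group:: (owning group)
            group_obj = entry
        elif tag == "other":
            entry[2] &= mode & 7
            mode &= entry[2] | 0o770
        elif tag == "mask":
            mask_obj = entry
    target = mask_obj if mask_obj is not None else group_obj
    target[2] &= (mode >> 3) & 7                     # group class of the mode
    mode &= (target[2] << 3) | 0o707
    return [tuple(e) for e in acl], mode


def render(acl):
    """getfacl-style lines, with '#effective:' where the mask cuts an entry down."""
    mask = next((p for t, _, p in acl if t == "mask"), None)
    lines = []
    for tag, qualifier, perm in acl:
        line = f"{tag}:{qualifier}:{fmt_perm(perm)}"
        limited_by_mask = tag == "group" or (tag == "user" and qualifier != "")
        if mask is not None and limited_by_mask and perm & ~mask:
            line += f" #effective:{fmt_perm(perm & mask)}"
        lines.append(line)
    return lines


# Default ACLs copied from the two parent directories (t1, t2) in the post.
T1_DEFAULT = """
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::---
"""
T2_DEFAULT = """
default:user::rwx
default:group::rwx
default:group:some_group:rwx
default:mask::rwx
default:other::---
"""

UMASK = 0o027  # the umask shown in the post


def scenario(default_text, base_mode, apply_umask):
    """Create-time mode is BASE_MODE (0o666 file / 0o777 dir), optionally with
    the umask merged in beforehand (hypothetical switch for this example)."""
    mode = base_mode & ~UMASK if apply_umask else base_mode
    acl, result_mode = create_access_acl(parse_acl(default_text), mode)
    return render(acl), result_mode


if __name__ == "__main__":
    for label, default_text, merged in (("t1", T1_DEFAULT, True),
                                        ("t2", T2_DEFAULT, False)):
        for kind, base in (("file", 0o666), ("dir", 0o777)):
            lines, mode = scenario(default_text, base, merged)
            print(f"# {label}/{kind}: umask merged={merged} -> mode {mode:04o}")
            print("\n".join(lines))
```

Running it prints the same entries and #effective values as the four getfacl listings in the post; swapping the umask switch for t2 yields a mask of r--/r-x instead, which is why the posted t2 output cannot have come from a mode that already had 0027 merged in.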