This document shows you how to use the NFSv4 ACL permissions system. An ACL (access control list)
is a list of permissions associated with a file or directory.
These permissions allow you to restrict access to a certain file or directory by user or group.
NFSv4 ACLs provide more specific options than typical POSIX read/write/execute permissions used in
most systems.
The NFSV4 ACL type implements access control as specified in the Network File System (NFS) version 4
Protocol, RFC 3530. The JFS2 file system allows a maximum size of 64KB for NFSV4 ACLs.
Where:
IDENTITY_type => One of the following Identity type:
u : user
g : group
s : special => who string (IDENTITY_who must be a special who)
IDENTITY_name => user/group name
IDENTITY_ID => user/group ID
IDENTITY_who => special who string (e.g. OWNER@, GROUP@, EVERYONE@)
ACE_TYPE => One of the following ACE Type:
a : allow
d : deny
l : alarm
u : audit
ACE_MASK => One or more of the following Mask value Keys without separator:
r : READ_DATA or LIST_DIRECTORY
w : WRITE_DATA or ADD_FILE
x : EXECUTE or SEARCH_DIRECTORY
p : APPEND_DATA or ADD_SUBDIRECTORY
R : READ_NAMED_ATTRS
W : WRITE_NAMED_ATTRS
D : DELETE_CHILD
a : READ_ATTRIBUTES
A : WRITE_ATTRIBUTES
d : DELETE
c : READ_ACL
C : WRITE_ACL
o : WRITE_OWNER
s : SYNCHRONIZE
ACE_FLAGS (Optional) => One or more of the following Attribute Keys without separator:
fi : FILE_INHERIT
di : DIRECTORY_INHERIT
oi : INHERIT_ONLY
ni : NO_PROPAGATE_INHERIT
sf : SUCCESSFUL_ACCESS_ACE_FLAG
ff : FAILED_ACCESS_ACE_FLAG
1.2 Setting up NFSV4 ACL Inheritance
In the example below, we create a simple NFSV4 ACL that applies permission inheritance according to
AIX ACL policy.
1. Use a JFS2 file system: either create a new one or use an existing JFS2 file system
# crfs -v jfs2 -g datavg -m /mash -A yes -a size=2G
2. Mount the file system and change it to use Extended Attributes Version 2
# mount /mash
# chfs -a ea=v2 /mash
6. To allow inheritance for all files and directories underneath this directory, add the strings "fi" (for
files) and "di" (for directories) to any ACEs you create. Those ACEs will be propagated to each file and
directory created under it from now on.
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs fidi
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo
7. Create a file in your directory and check the ACL list on it:
# cd newdir
# touch newfile
# aclget newfile
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs fidi
Based on the previous example, the owner's rights on any newly created file or directory under
/mash/newdir will be:
r : READ_DATA
w : WRITE_DATA
p : APPEND_DATA
R : READ_NAMED_ATTRS
W : WRITE_NAMED_ATTRS
x : EXECUTE
D : DELETE_CHILD
a : READ_ATTRIBUTES
A : WRITE_ATTRIBUTES
d : DELETE
c : READ_ACL
C : WRITE_ACL
s : SYNCHRONIZE
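As an added example (not part of the original document and not AIX's own aclget/aclput tooling), the following Python script parses the aclget listing format described in the syntax section above, renders ACEs back into the one-line aclput syntax, evaluates an access request against the ACE list with the first-match-per-bit rule of RFC 3530, and derives the ACEs a new file or subdirectory inherits according to the fi, di, oi and ni flags. The sample listing is the /mash/newdir ACL from the inheritance example, embedded as constructed input. Assumptions: user and group identities are written as `u:(name)` / `g:(name)` like the special `s:(OWNER@)` form; the caller supplies the set of who-strings a principal matches (the owner matches both OWNER@ and EVERYONE@); a file's inherited copy keeps the fi/di flags, as the aclget output in step 7 shows, while the directory rules follow the RFC 3530 flag definitions.

```python
import re

# Mask keys and ACE types exactly as listed in the ACL syntax section above.
MASK_KEYS = {
    "r": "READ_DATA/LIST_DIRECTORY", "w": "WRITE_DATA/ADD_FILE",
    "x": "EXECUTE/SEARCH_DIRECTORY", "p": "APPEND_DATA/ADD_SUBDIRECTORY",
    "R": "READ_NAMED_ATTRS", "W": "WRITE_NAMED_ATTRS", "D": "DELETE_CHILD",
    "a": "READ_ATTRIBUTES", "A": "WRITE_ATTRIBUTES", "d": "DELETE",
    "c": "READ_ACL", "C": "WRITE_ACL", "o": "WRITE_OWNER", "s": "SYNCHRONIZE",
}
ACE_TYPES = {"a": "allow", "d": "deny", "l": "alarm", "u": "audit"}
FLAG_KEYS = ("fi", "di", "oi", "ni", "sf", "ff")

# Constructed sample input: the aclget listing of /mash/newdir from the example above.
SAMPLE_ACL = """\
*
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs fidi
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo
"""

# One ACE line: IDENTITY_type:(who): ACE_TYPE ACE_MASK [ACE_FLAGS]
# (u:(name) / g:(name) for users and groups is an assumption, see the lead-in)
ACE_RE = re.compile(r"^([ugs]):\(([^)]+)\):\s+([adlu])\s+([rwxpRWDaAdcCos]+)(?:\s+(\S+))?$")


def parse_flags(text):
    """Split the two-letter flag keys (written without separator) and reject unknown ones."""
    flags = []
    while text:
        key, text = text[:2], text[2:]
        if key not in FLAG_KEYS:
            raise ValueError(f"unknown ACE flag: {key!r}")
        flags.append(key)
    return flags


def parse_acl(text):
    """Parse an aclget-style listing into ACE dicts, preserving ACE order (order matters)."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):   # header / comment lines
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"malformed ACE: {line!r}")
        id_type, who, ace_type, mask, flags = m.groups()
        aces.append({"id_type": id_type, "who": who, "type": ACE_TYPES[ace_type],
                     "mask": mask, "flags": parse_flags(flags or "")})
    return aces


def format_ace(ace):
    """Render an ACE back into the one-line syntax accepted by aclput."""
    type_key = {v: k for k, v in ACE_TYPES.items()}[ace["type"]]
    line = f"{ace['id_type']}:({ace['who']}): {type_key} {ace['mask']}"
    return line + (" " + "".join(ace["flags"]) if ace["flags"] else "")


def check_access(aces, principals, wanted):
    """RFC 3530 evaluation: walk the ACEs in order. An allow ACE grants the still-unsatisfied
    bits it covers; a deny ACE that covers any still-unsatisfied bit denies the whole request.
    Alarm/audit ACEs and INHERIT_ONLY (oi) ACEs do not take part. Bits no ACE grants are denied."""
    remaining = set(wanted)
    for ace in aces:
        if ace["who"] not in principals or "oi" in ace["flags"]:
            continue
        if ace["type"] == "allow":
            remaining -= set(ace["mask"])
        elif ace["type"] == "deny" and remaining & set(ace["mask"]):
            return False
        if not remaining:
            return True
    return not remaining


def inherited_acl(parent_aces, for_directory):
    """ACEs a new child receives from its parent directory. A file inherits ACEs flagged fi
    (flags kept as the step 7 aclget output shows, minus oi). A directory inherits ACEs
    flagged di; oi is dropped because the ACE now governs the directory itself, and with
    ni the inheritance flags are dropped so propagation stops at this level."""
    inherit_flags = ("fi", "di", "oi", "ni")
    child = []
    for ace in parent_aces:
        flags = ace["flags"]
        if for_directory and "di" in flags:
            kept = ([f for f in flags if f not in inherit_flags] if "ni" in flags
                    else [f for f in flags if f != "oi"])
            child.append({**ace, "flags": kept})
        elif not for_directory and "fi" in flags:
            child.append({**ace, "flags": [f for f in flags if f != "oi"]})
    return child


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for ace in inherited_acl(acl, for_directory=False):
        print(format_ace(ace))                                  # the ACE newfile inherits in step 7
    print(check_access(acl, {"GROUP@", "EVERYONE@"}, "w"))      # group is denied WRITE_DATA
```

Running the script prints the single OWNER@ allow ACE that `newfile` inherits, matching the aclget output in step 7, and shows that a group member asking for WRITE_DATA is refused by the `s:(GROUP@): d wpWDACo` entry. Because evaluation is order-dependent, the same checker is a convenient way to review an ACL before applying it with aclput: a deny ACE placed after a broad allow ACE has no effect on the bits the allow already granted.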