
NFSV4 Access Control List

Ahmed (Mash) Mashhour


IBM AIX Global SME
ahdmashr@eg.ibm.com
icemashhour@yahoo.com

This document shows you how to use the NFSv4 ACL permissions system. An ACL (access control list)
is a list of permissions associated with a file or directory.

These permissions allow you to restrict access to a certain file or directory by user or group.

NFSv4 ACLs provide more specific options than typical POSIX read/write/execute permissions used in
most systems.

The NFSV4 ACL type implements access control as specified in the Network File System (NFS) version 4
Protocol, RFC 3530. The JFS2 file system allows a maximum size of 64KB for NFSV4 ACLs.

1.1 Important tips for setting NFSV4 ACL


a letter => means Allow
d letter => means Deny
fi context => means File Inherit
di context => means Directory Inherit

IDENTITY => Has the format:

'IDENTITY_type:(IDENTITY_name or IDENTITY_ID or IDENTITY_who):'
As in the example: s:(OWNER@): a rwpRWxDaAdcCs fidi

Where:
IDENTITY_type => One of the following identity types:
u : user
g : group
s : special => who string (IDENTITY_who must be a special who)
IDENTITY_name => user/group name
IDENTITY_ID => user/group ID
IDENTITY_who => special who string (e.g. OWNER@, GROUP@, EVERYONE@)
ACE_TYPE => One of the following ACE Type:
a : allow
d : deny
l : alarm
u : audit

ACE_MASK => One or more of the following mask value keys, without separator:
r : READ_DATA or LIST_DIRECTORY
w : WRITE_DATA or ADD_FILE
x : EXECUTE or SEARCH_DIRECTORY
p : APPEND_DATA or ADD_SUBDIRECTORY
R : READ_NAMED_ATTRS
W : WRITE_NAMED_ATTRS
D : DELETE_CHILD
a : READ_ATTRIBUTES
A : WRITE_ATTRIBUTES
d : DELETE
c : READ_ACL
C : WRITE_ACL
o : WRITE_OWNER
s : SYNCHRONIZE

ACE_FLAGS (Optional) => One or more of the following attribute keys, without separator:
fi : FILE_INHERIT
di : DIRECTORY_INHERIT
oi : INHERIT_ONLY
ni : NO_PROPAGATE_INHERIT
sf : SUCCESSFUL_ACCESS_ACE_FLAG
ff : FAILED_ACCESS_ACE_FLAG

1.2 Setting up NFSV4 ACL Inheritance
In the example below, we create a simple NFSV4 ACL to apply permission inheritance based on the
AIX ACL policy.

1. Use a JFS2 filesystem: either create a new one or use an existing JFS2 filesystem
# crfs -v jfs2 -g datavg -m /mash -A yes -a size=2G

2. Mount the file system and change it to use Extended Attributes Version 2
# mount /mash
# chfs -a ea=v2 /mash

3. Create a directory, or identify an existing directory
# cd /mash
# mkdir newdir

4. Convert the directory to use NFS4 ACLs:
# aclconvert -t NFS4 newdir

5. Edit the ACL
# export EDITOR=/usr/bin/vi
# acledit newdir
<You should see this in the file>
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo

6. To allow inheritance for all files and directories underneath this directory, add the strings "fi" (for
files) and "di" (for directories) to any ACLs you create. Those ACLs will be propagated to each file
created from now on.
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs fidi
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo

7. Create a file in your directory and check the ACL list on it:
# cd newdir
# touch newfile
# aclget newfile
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs fidi

8. The above example will:

a) allow the permissions of the newdir directory to be inherited by all subdirectories and files
under it;
b) allow the following masks (rights) to be given to the owner.

Owner rights/authorities for any newly created file/directory under /mash/newdir, as per the previous
example, will be:
r : READ_DATA
w : WRITE_DATA
p : APPEND_DATA
R : READ_NAMED_ATTRS
W : WRITE_NAMED_ATTRS
x : EXECUTE
D : DELETE_CHILD
a : READ_ATTRIBUTES
A : WRITE_ATTRIBUTES
d : DELETE
c : READ_ACL
C : WRITE_ACL
s : SYNCHRONIZE
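As an added illustration (not part of the original document), the following Python script parses ACEs in the text layout of section 1.1, applies the ordered allow/deny evaluation of RFC 3530 to a principal, and computes which entries a new file or directory inherits from the fi/di/oi/ni flags. The sample ACL is the one acledit shows in step 6; the handling of oi and ni follows RFC 3530 and is an assumption of this model, since the page only shows the fi/di case.

```python
import re
from collections import namedtuple
# Constructed sample: the ACL acledit shows in step 6 above, plus one header line.
SAMPLE_ACL = """* ACL_type NFS4
s:(OWNER@): a rwpRWxDaAdcCs fidi
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo
"""
# IDENTITY_type:(who): ACE_TYPE ACE_MASK [ACE_FLAGS], the layout described in section 1.1
ACE_RE = re.compile(r"^([ugs]):\(([^)]+)\):\s+([adlu])\s+([rwxpRWDaAdcCos]+)(?:\s+(\S+))?$")
Ace = namedtuple("Ace", "itype who atype mask flags")  # mask: set of letters; flags: fi, di, ...

def parse_ace(line):
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed ACE: {line!r}")
    itype, who, atype, mask, flags = m.groups()
    keys = [flags[i:i + 2] for i in range(0, len(flags), 2)] if flags else []  # two-letter keys
    return Ace(itype, who, atype, frozenset(mask), keys)
def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip() and not l.startswith("*")]  # '*' = header
def matches(ace, user, groups, owner, owning_group):
    special = {"OWNER@": user == owner, "GROUP@": owning_group in groups, "EVERYONE@": True}
    return {"u": ace.who == user, "g": ace.who in groups, "s": special.get(ace.who, False)}[ace.itype]

def check_access(acl, wanted, user, groups, owner, owning_group):
    # RFC 3530 ordered evaluation: a matching allow grants bits, the first matching deny on a still-needed bit refuses
    needed = set(wanted)
    for ace in acl:
        if "oi" in ace.flags or not matches(ace, user, groups, owner, owning_group):
            continue  # inherit-only entries never apply to the object itself
        if ace.atype == "a":
            needed -= ace.mask
        elif ace.atype == "d" and needed & ace.mask:
            return False
    return not needed  # True only if every requested bit was allowed

def inherit(acl, new_is_dir):
    # New files get the fi entries, new directories the di entries (step 7); oi is dropped, ni also drops fi/di
    out = []
    for ace in acl:
        if ("di" if new_is_dir else "fi") in ace.flags:
            flags = [f for f in ace.flags if f != "oi"]
            if "ni" in flags:
                flags = [f for f in flags if f not in ("fi", "di", "ni")]
            out.append(ace._replace(flags=flags))
    return out
```

Running check_access on the sample shows why step 7's newfile carries only the OWNER@ entry, and why the deny on "o" blocks WRITE_OWNER even for the owner.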
