Unix & Linux Asked by Charlie Yang on December 6, 2021
Currently, I have a file in NFS which has the permissions:
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:rwaDxtcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rxtcy
A:fdi:EVERYONE@:tcy
However, now I want to perform something equivalent to
setfacl -m g::--- filename
to remove the GROUP permissions.
I tried using:
nfs4_setfacl -x "A::GROUP@:rwaDxtcy" filename
nfs4_setfacl -x 2 filename
nfs4_setfacl -m A::GROUP@:rwaDxtcy A::GROUP@:tcy filename
None of them changed the permissions for GROUP@ at all.
However, one thing I noticed while playing around with nfs4_setfacl is, if I run
nfs4_setfacl -a D::GROUP@:rwaDx filename
This will remove the permissions for GROUP@; however, it will also remove the permissions for OWNER@ as well, which is not what I want.
D::OWNER@:rwaDx
A::OWNER@:tTcCy
A::GROUP@:tcy
D::GROUP@:rwaDx
A::EVERYONE@:rwaDxtcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rxtcy
A:fdi:EVERYONE@:tcy
Does anyone know how to just remove ACL permission for GROUP@?
Even though this is probably not relevant to you anymore, it is worth posting an answer as it may help anyone who has this same issue.
According to the nfs4_acl man page, these ACLs are default-deny, so if you do not explicitly specify @GROUP's permissions (and if it is set to --- in the default Linux permissions), then @GROUP will be denied all permissions.
If you really want to explicitly state that @GROUP has no permissions, you can use deny ACLs:
D::GROUP@:RWX
These are not recommended as, according to the nfs4_acl man page:
Although they are a valid part of NFSv4 ACLs, Deny ACEs can be confusing and complicated. This stems primarily from the fact that, unlike POSIX ACLs and CIFS ACLs, the ordering of ACEs within NFSv4 ACLs affects how they are evaluated.
And, as mentioned before:
NFSv4 ACLs are "default-deny" in practice. That is, if a permission is not explicitly granted, it is denied.
The man page goes on to explain why exactly this is an issue, so if you're interested, have a read through.
Hope this helps anyone in doubt!
Answered by João Duarte on December 6, 2021
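The two man-page statements quoted in the answer (ACE order matters, and anything not granted is denied), as an added example that is not part of the original post or of nfs4-acl-tools: a simplified Python model of NFSv4 ACL evaluation run over the question's ACL. The users alice, bob and carol and the group staff are constructed, and named-group principals are left out. It also shows that EVERYONE@ covers the owning group, so dropping the GROUP@ entry alone does not deny group members while EVERYONE@ still grants the same bits.

```python
# Added example: simplified model of NFSv4 ACL evaluation; all names are constructed.

def parse_acl(text):
    """Parse whitespace-separated 'type:flags:principal:perms' ACEs."""
    return [(t, f, p, set(perms))
            for t, f, p, perms in (ace.split(":") for ace in text.split())]

def matches(principal, user, groups, owner, owning_group):
    if principal == "EVERYONE@":
        return True                  # literally everyone, owner and owning group included
    if principal == "OWNER@":
        return user == owner
    if principal == "GROUP@":
        return owning_group in groups
    return principal == user         # named users only; named groups are left out here

def allowed(aces, wanted, user, groups, owner="alice", owning_group="staff"):
    """Walk ACEs in order: the first matching ACE that mentions a bit decides it."""
    undecided = set(wanted)
    for ace_type, flags, principal, perms in aces:
        if "i" in flags:             # inherit-only ACEs do not apply to this object
            continue
        if not matches(principal, user, groups, owner, owning_group):
            continue
        if ace_type == "D" and undecided & perms:
            return False             # an explicit deny reached first wins
        if ace_type == "A":
            undecided -= perms
        if not undecided:
            return True
    return False                     # default-deny: bits nobody granted are refused

# The question's ACL without its inherit-only entries, plus three variants.
ACLS = {
    "original": parse_acl("A::OWNER@:rwaDxtTcCy A::GROUP@:rwaDxtcy A::EVERYONE@:rwaDxtcy"),
    "no_group_ace": parse_acl("A::OWNER@:rwaDxtTcCy A::EVERYONE@:rwaDxtcy"),
    "deny_first": parse_acl("D::GROUP@:rwaDx A::OWNER@:rwaDxtTcCy A::EVERYONE@:rwaDxtcy"),
    "deny_after_owner": parse_acl("A::OWNER@:rwaDxtTcCy D::GROUP@:rwaDx A::EVERYONE@:rwaDxtcy"),
}

def demo():
    """Return {(acl_name, user): decision} for a read+write request."""
    who = {"alice": {"staff"}, "bob": {"staff"}, "carol": {"users"}}  # alice owns the file
    return {(name, user): allowed(acl, "rw", user, groups)
            for name, acl in ACLS.items() for user, groups in who.items()}

if __name__ == "__main__":
    for key, decision in demo().items():
        print(key, "allowed" if decision else "denied")
```

As the second listing in the question shows, the server may store a different ACL from the one submitted, so re-read the result with nfs4_getfacl after each change rather than relying on a model like this one.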