Mount method
We currently use NFS 4.1 (NFS version 4, minor version 1), the newest NFS version available to us.
Normally, to mount an NFS 4.1 file system:
On the login server, replace exec with noexec in the -o mount options so that programs cannot be executed from the mounted file system (noexec only stops the kernel from executing binaries located on the mount; a script can still be handed to an interpreter, so treat it as a hardening step, not a hard boundary):
File System Access Control List (ACL)
A file system ACL is a data structure (usually a table) containing entries that specify the rights of individual users or groups to specific system objects such as programs, processes or files. (https://en.wikipedia.org/wiki/Access_control_list)
Linux (POSIX) ACL, before NFS 4
Run ls -l (or ls -rtl; ll is a common alias) in the shell:
A plus sign (+) after the permission bits marks a file or directory that carries an ACL.
ACL commands (before NFS 4)
setfacl: set or modify POSIX ACL entries:
getfacl: display the POSIX ACL entries:
NFS 4 ACL: Permissions and Commands
The access permission letters expand from rwx (the normal Linux permission bits) to rwaxdDtTnNcCoy.
Three commands are provided for manipulating NFS 4 ACLs: nfs4_setfacl, nfs4_getfacl and nfs4_editfacl (equivalent to nfs4_setfacl -e). See the following for details:
http://www.linuxcertif.com/man/1/nfs4_setfacl/145707/
http://linux.die.net/man/5/nfs4_acl
Frequently Used NFS 4 Permissions
On a Linux system the three most frequently used permission sets are rwx, r-x and ---. The corresponding NFS 4 permission sets are:
Effect of umask
umask affects the permissions of a newly created file or directory only through its mode-derived entries (A:g:GROUP@ and A::EVERYONE@); it cannot control the named-user or named-group entries of the ACL.
Effect of chmod
chmod likewise changes only the mode-derived entries of a file or directory (A:g:GROUP@ and A::EVERYONE@, together with the owner entry); it cannot control the detailed ACL entries either.
Permissions Denied
The Linux default umask is 0022, and we can hardly control every user's umask, so by default every new file or directory can be read by every user, and modifying the ACL of every new file or directory would be tedious.
The effective approach is to deny access on the directory itself (roughly mode 700) and do nothing to its children: a user who is denied on the directory cannot change into it, so none of its files or subdirectories are reachable either.
Permissions Allowed
On the other hand, to let some user or group into a directory that is otherwise denied, we must modify the detailed ACL of the directory (chmod cannot express this; use nfs4_setfacl or nfs4_editfacl instead), as follows:
Flow of Setting a Directory ACL
1. chmod 700 the directory.
2. "nfs4_setfacl -a A:g:GROUP@:rwaDxtTnNcCy $dir" lets users of the owning group create subdirectories and files in it; "nfs4_setfacl -a A:g:GROUP@:rxtncy $dir" lets them only enter and read the directory.
3. "nfs4_setfacl -a A::user@domain:rwaDxtTnNcCy $dir" (for example A::liwen@HIGON.COM:rwaDxtTnNcCy) lets user liwen create subdirectories in this directory.
4. "nfs4_setfacl -a A:g:group@domain:rwaDxtTnNcCy $dir" (A:g:socgroup@HIGON.COM:rwaDxtTnNcCy) lets the users of socgroup create subdirectories in this directory.
5. "nfs4_setfacl -a A::user@domain:rxtncy $dir" (A::zhangheng@HIGON.COM:rxtncy) lets user zhangheng access (enter and read) this directory.
6. "nfs4_setfacl -a A:g:group@domain:rxtncy $dir" (A:g:cad@HIGON.COM:rxtncy) lets the users of cad access this directory.
Note: an ACE is written as type:flags:principal:permissions with no spaces; "nfs4_setfacl -e $dir" opens the ACL in an editor so that several ACE lines can be entered at once.
Setting a Directory ACL Recursively
Normally there is no need to set an ACL recursively: read access never needs to be set recursively, only full control does, and only in the following two cases:
1. Some privileged users or groups need full control of a whole directory tree.
2. Files in a directory need to be modified by several users and groups.
Use "nfs4_setfacl -a A:fd:user@domain:rwaDxtTnNcCy $dir -R" (A:fd:liwen@domain:rwaDxtTnNcCy) to grant full control of the directory tree to user liwen.
Use "nfs4_setfacl -a A:fdg:group@domain:rwaDxtTnNcCy $dir -R" (A:fdg:socgroup@domain:rwaDxtTnNcCy) to grant full control of the directory tree to the users of socgroup.
Note: "nfs4_setfacl -e $dir" cannot set an ACL recursively. When the directory is still empty, however, "nfs4_setfacl -e $dir" can be used to grant full control (A:fdg:group@domain:rwaDxtTnNcCy or A:fd:user@domain:rwaDxtTnNcCy) on the directory, and every new file or subdirectory will inherit these entries (any entry whose flags start with fd, i.e. A:fd: or A:fdg:, is inherited by newly created children; files and directories that already existed are not touched).
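The following is an added example, not a script from this page: a small Python helper that turns the six-step flow above and the recursive variant into the exact chmod/nfs4_setfacl commands, parses nfs4_getfacl output, models which entries a new file or subdirectory inherits (f, d, n and i flags), and checks whether a given principal ends up with the bits it needs. Only apply_plan() and current_acl() touch a real mount; everything else works on strings, so the plan can be reviewed before it is run. The path /data/soc, the principals (socgroup@HIGON.COM, cad@HIGON.COM, liwen@HIGON.COM, zhangheng@HIGON.COM), the sample nfs4_getfacl output and all function names are assumptions made for this example.

```python
"""Plan, apply and verify the per-directory NFS4 ACL flow described above.

Added example, not the page's own tooling. Paths, principals, the sample
nfs4_getfacl output and the function names are assumptions.
"""
import subprocess

# The two permission sets the page uses most.
FULL = "rwaDxtTnNcCy"   # create and modify entries inside the directory
ACCESS = "rxtncy"       # enter and list the directory only


def ace(principal, perms, group=False, inherit=False, deny=False):
    """Build one ACE in nfs4_setfacl syntax: type:flags:principal:perms (no spaces)."""
    flags = ("fd" if inherit else "") + ("g" if group else "")
    return f"{'D' if deny else 'A'}:{flags}:{principal}:{perms}"


def plan_directory_acl(path, writers=(), writer_groups=(), readers=(),
                       reader_groups=(), recursive=False):
    """Return the argv list of every command in the page's six-step flow.

    writers/writer_groups get FULL, readers/reader_groups get ACCESS. With
    recursive=True the ACEs carry the f and d inheritance flags and
    nfs4_setfacl runs with -R (the page's "full control of a whole tree").
    """
    cmds = [["chmod", "700", path]]  # step 1: GROUP@ and EVERYONE@ lose access
    base = ["nfs4_setfacl"] + (["-R"] if recursive else [])
    grants = ([(p, FULL, False) for p in writers]
              + [(g, FULL, True) for g in writer_groups]
              + [(p, ACCESS, False) for p in readers]
              + [(g, ACCESS, True) for g in reader_groups])
    for principal, perms, is_group in grants:
        entry = ace(principal, perms, group=is_group, inherit=recursive)
        cmds.append(base + ["-a", entry, path])
    return cmds


def apply_plan(cmds):
    """Run the planned commands in order, stopping at the first failure."""
    for argv in cmds:
        subprocess.run(argv, check=True)


def current_acl(path):
    """Return nfs4_getfacl output for path (needs a real NFS4 mount)."""
    return subprocess.run(["nfs4_getfacl", path], capture_output=True,
                          text=True, check=True).stdout


def parse_nfs4_acl(text):
    """Parse nfs4_getfacl output ('# file:' header, then one ACE per line)."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            atype, flags, principal, perms = line.split(":", 3)
            aces.append((atype, flags, principal, perms))
    return aces


def inherited_acl(parent_aces, child_is_dir):
    """Simplified model of what a newly created child inherits from its parent.

    f: applies to new files; d: to new subdirectories; n: the child's copy has
    no inheritance flags; i: inherit-only on the parent. Entries without f or
    d (the mode-derived OWNER@/GROUP@/EVERYONE@ ones) are not inherited; the
    child's own come from its creation mode and umask.
    """
    child = []
    for atype, flags, principal, perms in parent_aces:
        if child_is_dir and "d" in flags:
            keep = "".join(f for f in flags
                           if f == "g" or (f in "fd" and "n" not in flags))
            child.append((atype, keep, principal, perms))
        elif not child_is_dir and "f" in flags:
            child.append((atype, "g" if "g" in flags else "", principal, perms))
    return child


def allowed(aces, principals, needed):
    """True if every bit in `needed` is granted to the caller before being denied.

    `principals` is the caller's identity: user principal, group principals and
    EVERYONE@ (plus OWNER@/GROUP@ when applicable). ACEs are evaluated in order
    and the first ACE mentioning a bit decides it, so a leading D entry beats
    a later A entry for the same bit.
    """
    granted, denied = set(), set()
    for atype, _flags, principal, perms in aces:
        if principal not in principals:
            continue
        for bit in perms:
            if bit not in granted and bit not in denied:
                (granted if atype == "A" else denied).add(bit)
    return set(needed) <= granted


# Constructed sample of nfs4_getfacl output for a directory after chmod 700,
# an inheritable full-control entry for socgroup and a read-only entry for cad.
SAMPLE_GETFACL = """\
# file: /data/soc
A::OWNER@:rwaDxtTnNcCy
A:fdg:socgroup@HIGON.COM:rwaDxtTnNcCy
A:g:cad@HIGON.COM:rxtncy
A:g:GROUP@:tcy
A::EVERYONE@:tcy
"""

if __name__ == "__main__":
    for argv in plan_directory_acl("/data/soc", writer_groups=["socgroup@HIGON.COM"],
                                   reader_groups=["cad@HIGON.COM"], recursive=True):
        print(" ".join(argv))
    acl = parse_nfs4_acl(SAMPLE_GETFACL)
    print("socgroup can write:", allowed(acl, {"socgroup@HIGON.COM", "EVERYONE@"}, FULL))
    print("outsider can enter:", allowed(acl, {"bob@HIGON.COM", "EVERYONE@"}, "x"))
    print("new file inherits:", inherited_acl(acl, child_is_dir=False))
```

Review the printed plan first, then call apply_plan() on a directory of the actual NFS 4.1 mount and compare parse_nfs4_acl(current_acl(path)) with what you expected; the outsider check is the "permissions denied" property the page relies on (chmod 700 leaves EVERYONE@ without x, so nobody without an explicit entry can enter the directory), and inherited_acl shows why only the A:fd:/A:fdg: entries reach new children.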