This topic describes how to configure Portable Operating System Interface (POSIX) access control lists (ACLs). You can use POSIX ACLs to control access to files and directories that reside in an NFSv3 file system.

Prerequisites

An NFSv3 file system is mounted. For more information, see Mount an NFS file system.
Note

The NFS ACL feature is available only for NFS file systems in the following regions: China (Zhangjiakou-Beijing Winter Olympics), China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), China (Chengdu), China (Hong Kong), Australia (Sydney), Indonesia (Jakarta), US (Silicon Valley), US (Virginia), Germany (Frankfurt), UK (London), and India (Mumbai). If the region where your file system resides does not support the NFS ACL feature, submit a ticket.

Commands

Before you configure POSIX ACLs, we recommend that you familiarize yourself with the related commands. Note that setfacl -m replaces the permissions of the entry that you name with the value that you specify; it does not add bits to an existing entry.

Command                                      Description
getfacl <filename>                           Shows the ACL that applies to the specified file.
setfacl -m g::w <filename>                   Grants the owning group write access.
setfacl -m u:player:w <filename>             Grants the player user write access.
setfacl -m g:players:rwx <filename>          Grants the players group read, write, and execute access.
setfacl -x g:players <filename>              Removes the players group entry, and with it the group's permissions, from the ACL.
getfacl file1 | setfacl --set-file=- file2   Copies the ACL of the file1 file to the file2 file.
setfacl -b file1                             Removes all extended ACEs from the file1 file. The base ACEs of the owner, group, and others are retained.
setfacl -k file1                             Removes all default ACEs from the file1 file.
setfacl -R -m g:players:rw dir               Grants the players group read and write access to the dir directory and, recursively, to the files and subdirectories in it.
setfacl -d -m g:players:rw dir1              Adds a default ACE so that files and subdirectories created in the dir1 directory later grant the players group read and write access.

Procedure

To control access to files and directories by configuring NFS ACLs, follow these steps.

  1. Create users and groups.

    In this example, the following users are created: player, admini, and anonym. The following groups are created: players and adminis. The player user is added to the players group and the admini user is added to the adminis group.

    sudo useradd player
    sudo groupadd players
    sudo usermod -g players player
    sudo useradd admini
    sudo groupadd adminis
    sudo usermod -g adminis admini
    sudo useradd anonym
  2. Configure POSIX ACLs to control access to files and directories.

    Use the following commands to create a directory named dir0 and to grant the players group read-only (r-x) access, the adminis group read, write, and execute access, and the others class no access to all the files in the dir0 directory. umask is a shell builtin, so it is run without sudo in the shell that runs the following mkdir command. The default (-d) entries are inherited by the files and subdirectories that are created in dir0 later.

    umask 777
    sudo mkdir dir0
    sudo setfacl -m g:players:r-x dir0
    sudo setfacl -m g:adminis:rwx dir0
    sudo setfacl -m u::--- dir0
    sudo setfacl -m g::--x dir0
    sudo setfacl -m o::--- dir0
    sudo setfacl -d -m g:players:r-x dir0
    sudo setfacl -d -m g:adminis:rwx dir0
    sudo setfacl -d -m u::--- dir0
    sudo setfacl -d -m g::--x dir0
    sudo setfacl -d -m o::--- dir0
    Use the sudo getfacl dir0 command to verify the result after the configuration is complete.
    # file: dir0
    # owner: root
    # group: root
    user::---
    group::--x
    group:players:r-x
    group:adminis:rwx
    mask::rwx
    other::---
    default:user::---
    default:group::--x
    default:group:players:r-x
    default:group:adminis:rwx
    default:mask::rwx
    default:other::---
  3. Verify the ACL configuration.
    1. Use the following commands to verify that the admini user has read and write access to the dir0/file file.
      [root@vbox test] sudo su admini -c 'touch dir0/file'
      [root@vbox test] sudo su admini -c 'echo 123 > dir0/file'
    2. Use the following commands to verify that the player user has read-only access to the dir0/file file.
      [root@vbox test] sudo su player -c 'touch dir0/file'
      touch: cannot touch ‘dir0/file’: Permission denied
      [root@vbox test] sudo su player -c 'cat dir0/file'
      123
      [root@vbox test] sudo su player -c 'echo 456 >> dir0/file'
      bash: dir0/file: Permission denied
      [root@vbox test] sudo su player -c 'getfacl dir0/file'
      # file: dir0/file
      # owner: admini
      # group: adminis
      user::---
      group::---
      group:players:r-x
      group:adminis:rwx
      mask::rwx
      other::---
    3. Use the following commands to verify that the anonym user has no access to the dir0/file file.
      [root@vbox test] sudo su anonym -c 'ls dir0'
      ls: cannot open directory dir0: Permission denied
      [root@vbox test] sudo su anonym -c 'cat dir0/file'
      cat: dir0/file: Permission denied
      [root@vbox test] sudo su anonym -c 'getfacl dir0/file'
      getfacl: dir0/file: Permission denied

Related operations

If you want to remove a user's permissions, use the following method.

When you use NFSv4 ACLs, we recommend that you assign each user to a group and configure permissions for groups rather than for individual users. To revoke a user's access to an object, remove the user from the group that has access to the object. For example, the following commands remove the admini user from the adminis group and add the user to the adminis2 group.

[root@vbox test] sudo groupadd adminis2
[root@vbox test] sudo usermod -g adminis2 admini
[root@vbox test] id admini
uid=1057(admini) gid=1057(admini) groups=1061(adminis2)
[root@vbox test] sudo su admini -c 'ls dir0'
ls: cannot open directory dir0: Permission denied
[root@vbox test] sudo su admini -c 'cat dir0/file'
cat: dir0/file: Permission denied
[root@vbox test] sudo su admini -c 'getfacl dir0/file'
getfacl: dir0/file: Permission denied