This topic describes how to configure Portable Operating System Interface (POSIX) access control lists (ACLs). You can use POSIX ACLs to control access to files and directories that reside in an NFSv3 file system.
Prerequisites
The NFS ACL feature is available only for NFS file systems in the following regions: China (Zhangjiakou-Beijing Winter Olympics), China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), China (Chengdu), China (Hong Kong), Australia (Sydney), Indonesia (Jakarta), US (Silicon Valley), US (Virginia), Germany (Frankfurt), UK (London), and India (Mumbai). If the region where your file system resides does not support the NFS ACL feature, submit a ticket.
Commands
Before you configure POSIX ACLs, we recommend that you familiarize yourself with the related commands.
| Command | Description |
|---|---|
| `getfacl <filename>` | Shows the ACL that applies to the specified file. |
| `setfacl -m g::w <filename>` | Grants the owning group write access. |
| `setfacl -m u:player:w <filename>` | Grants the player user write access. |
| `setfacl -m g:players:rwx <filename>` | Grants the players group read, write, and execute access. |
| `setfacl -x g:players <filename>` | Removes the ACE for the players group. |
| `getfacl file1 \| setfacl --set-file=- file2` | Copies the ACL of the file1 file to the file2 file. |
| `setfacl -b file1` | Removes all extended ACEs from the file1 file. The base ACEs of the owner, group, and others are retained. |
| `setfacl -k file1` | Removes all default ACEs from the file1 file. |
| `setfacl -R -m g:players:rw dir` | Grants the players group read and write access to the dir directory and, recursively, to the files and subdirectories that it contains. |
| `setfacl -d -m g:players:rw dir1` | Adds a default ACE to the dir1 directory so that files and subdirectories created in it later grant the players group read and write access. |
Procedure
To control access to files and directories by configuring NFS ACLs, follow these steps.
Related operations
If you want to remove user permissions, use the following method.
When you use NFSv4 ACLs, we recommend that you assign each user to a group. This allows you to configure permissions for a group rather than for each user separately. To revoke a user's access to an object, remove the user from the group that has access to the object. For example, the following commands remove the admini user from the adminis group and add the user to the adminis2 group.
```console
[root@vbox test] sudo groupadd adminis2
[root@vbox test] sudo usermod -g adminis2 admini
[root@vbox test] id admini
uid=1057(admini) gid=1057(admini) groups=1061(adminis2)
[root@vbox test] sudo su admini -c 'ls dir0'
ls: cannot open directory dir0: Permission denied
[root@vbox test] sudo su admini -c 'cat dir0/file'
cat: dir0/file: Permission denied
[root@vbox test] sudo su admini -c 'getfacl dir0/file'
getfacl: dir0/file: Permission denied
```
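The following Python script is an added example, not code from the original topic or from the file system vendor. It parses the text that `getfacl` prints (the command listed in the table above) and applies the POSIX.1e access-check order: owner entry, named user entry, owning and named group entries capped by the `mask` entry, then `other`. With it you can verify from a captured listing which users keep access after a group change like the one in the preceding session, without switching to each user. The listing, user names, and group names in the script are constructed for illustration.

```python
"""Reproduce the POSIX ACL access decision from a getfacl listing.

Added example, not code from the original page: parse the text that
`getfacl` prints and apply the POSIX.1e access-check order (owner,
named user, owning/named groups under the mask, other).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample listing, not captured from a real file system.
# It is what `getfacl dir0/file` could print after entries similar to
# the setfacl commands in the table above have been applied.
SAMPLE_GETFACL = """\
# file: dir0/file
# owner: root
# group: adminis
user::rw-
user:player:-w-
group::r--
group:players:rwx\t#effective:rw-
mask::rw-
other::---
"""


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: str = "---"           # user::  entry (file owner)
    group_obj: str = "---"          # group:: entry (owning group)
    named_users: Dict[str, str] = field(default_factory=dict)
    named_groups: Dict[str, str] = field(default_factory=dict)
    mask: Optional[str] = None      # mask:: caps every entry except owner and other
    other: str = "---"


def parse_getfacl(text: str) -> Acl:
    """Parse one getfacl listing. Default ACEs are skipped: they describe
    what new children inherit, not access to this object."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # drop the effective-rights hint
        if not line:
            continue
        if line.startswith("#"):                    # header: file/owner/group
            key, _, value = line[1:].partition(":")
            key, value = key.strip(), value.strip()
            if key == "owner":
                acl.owner = value
            elif key == "group":
                acl.group = value
            continue
        if line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        if tag == "user":
            if qualifier:
                acl.named_users[qualifier] = perms
            else:
                acl.user_obj = perms
        elif tag == "group":
            if qualifier:
                acl.named_groups[qualifier] = perms
            else:
                acl.group_obj = perms
        elif tag == "mask":
            acl.mask = perms
        elif tag == "other":
            acl.other = perms
        else:
            raise ValueError(f"unknown ACL tag: {tag}")
    return acl


def effective(perms: str, mask: Optional[str]) -> str:
    """Apply the mask entry: a bit survives only if both perms and mask have it."""
    if mask is None:
        return perms
    return "".join(b if b in perms and b in mask else "-" for b in "rwx")


def has_access(acl: Acl, user: str, groups: List[str], want: str) -> bool:
    """POSIX.1e check for one of 'r', 'w', 'x'. `groups` is the user's
    primary plus supplementary group names (what `id` reports)."""
    if user == acl.owner:                       # owner entry, never masked
        return want in acl.user_obj
    if user in acl.named_users:                 # named user entry, masked
        return want in effective(acl.named_users[user], acl.mask)
    matching = []
    if acl.group in groups:
        matching.append(acl.group_obj)
    matching += [p for g, p in acl.named_groups.items() if g in groups]
    if matching:                                # any matching group entry may grant
        return any(want in effective(p, acl.mask) for p in matching)
    return want in acl.other


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    # Before and after moving admini out of the players group (constructed).
    for who, grps in [("admini", ["players"]), ("admini", ["adminis2"])]:
        print(who, grps, {b: has_access(acl, who, grps, b) for b in "rwx"})
```

Two details the table does not spell out are visible here: the `mask` entry caps named users and all group entries (the players group has `rwx` on paper but only `rw-` in effect), and a user that matches no entry falls through to `other`, which is why removing a user from the last matching group denies everything, exactly as the `Permission denied` lines above show.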