nfs4_setfacl - how to use it to fine tune permissions?

francisaugusto (Contributor, joined Nov 16, 2018, 153 messages)
Hi,
I have a scanner that can upload files to SMB servers. My idea is to have a folder structure on TrueNAS resembling this:

scans
|_ usera
|_ userb
|_ allusers

The idea is that files uploaded to the folders could only be readable by the respective user, but a user called `scanner` should be able to write (but not read) to all folders.

The folders have writeable permissions for a group called `scan`, where the scanner user, and all the other users, are members. That's how the `scanner` user can write to the folders, but not read them.

I managed to do this using `nfs4_setfacl -e` on each folder, but if I don't set any inheritance permissions (i.e., I leave it as it is), the new files are owned by the `scanner` user and not readable by anyone else. When I set `fd-----I`, then they are readable by everyone, including others.

Is there a way to make these files only readable by the group and/or the folder owner?

I found it pretty confusing because when I read the `nfs4_setfacl` manual, the permission options seem to differ from those available. For example, `t` and `T` do not seem available to be used.

And what's the syntax to add another single user to the folder's ACL using `nfs4_setfacl -e`?

Best,
Francis
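The inheritance behaviour the post describes, as an added example that is not part of the thread: a small Python model of how a directory's NFSv4 ACEs propagate to a file the scanner creates, with a constructed ACL that makes uploads readable by everyone beside one scoped to the folder's user. It assumes ACEs are inherited unchanged (ZFS aclinherit=passthrough) and that the uploaded file stays owned by `scanner`, as the post observes; `Ace`, `parse`, `readers` and the principals usera/userb/scan are the example's own.

```python
# Added illustration, not code from the thread. ACE text is the getfacl-style
# who:perms:flags:type field the poster quotes; flags f/d/i/n/I mean file
# inherit, dir inherit, inherit only, no propagate, inherited (assumed model).
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Ace:
    who: str    # owner@, group@, everyone@, user:<name> or group:<name>
    perms: str  # letters from rwxpDdaARWcCos; only r (read_data) is checked here
    flags: str  # letters from fdniI
    kind: str   # allow or deny

def parse(line):
    *who, perms, flags, kind = line.split(":")
    return Ace(":".join(who), perms, flags.replace("-", ""), kind)

def inherit_to_file(dir_acl):
    """A new file receives only the ACEs flagged f; on the file the
    inheritance flags are cleared and the inherited flag I is set."""
    return [replace(a, flags="I") for a in dir_acl if "f" in a.flags]

def can_read(acl, user, groups, owner, group):
    """First-match evaluation of read_data for user on a file owned by owner:group."""
    for a in acl:
        hit = (a.who == "everyone@" or a.who == f"user:{user}"
               or (a.who == "owner@" and user == owner)
               or (a.who == "group@" and group in groups)
               or a.who in {f"group:{g}" for g in groups})
        if hit and "r" in a.perms:
            return a.kind == "allow"   # the first ACE that decides the bit wins
    return False                       # never granted: denied

# Constructed directory ACLs for scans/usera; every user is in group scan.
LEAKY = [parse(l) for l in (
    "owner@:rwxpDdaARWcCos:fd-----:allow",
    "group:scan:-wxp--a-------:fd-----:allow",  # write/add only, for the scanner
    "everyone@:r-x---a-R-c--s:fd-----:allow",   # inherited onto every upload
)]
SCOPED = [parse(l) for l in (
    "user:usera:r-x---a-R-c--s:fd-----:allow",  # the folder's user, not everyone@
    "group:scan:-wxp--a-------:fd-----:allow",
    "owner@:------aARWcCos:fd-----:allow",      # no r: scanner can't read its uploads
)]
GROUPS = {"usera": {"scan"}, "userb": {"scan"}, "scanner": {"scan"}}

def readers(dir_acl):
    """Users who can read a file the scanner just uploaded (owner scanner:scan)."""
    acl = inherit_to_file(dir_acl)
    return sorted(u for u, g in GROUPS.items() if can_read(acl, u, g, "scanner", "scan"))
```

Note that in the leaky ACL the inherited `owner@` entry alone already lets `scanner` read back its own uploads, because on the new file owner@ means the creating user, not the folder owner.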
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages)
Are you doing this over NFS protocol or locally?

There is an NFS protocol tool `nfs4_setfacl` and a tool for editing local file ACLs, `nfs4xdr_setfacl`. They have different manpages and options. The latter uses FreeBSD acl_to_text() and acl_from_text() syntax.
 

francisaugusto
I am using SMB with NFSv4 ACLs. As I said, when looking at the man pages for nfs4_setfacl, it seems that the syntax for the permissions is different from what I get on TrueNAS.
 

francisaugusto
> You're looking at the wrong manpage. `man nfs4xdr_setfacl`
What’s the difference, if I may ask?
And what do you mean by “locally or NFS”?
 

anodos
NFS is through the NFS protocol. The NFS kernel client in Linux presents the native NFS4 ACL to userspace via a special extended attribute in the system namespace. https://github.com/torvalds/linux/blob/master/fs/nfs_common/nfsacl.c

ZFS on TrueNAS with NFSv4 ACL presents the native ZFS ACL to userspace as a special extended attribute in system namespace.

One tool modifies the ACL on the remote NFS server, the other modifies the local ACL.
 

anodos
In general, the convention on Linux is to present ACLs to userspace via xattr handlers. This is also what happens behind the scenes with POSIX1E ACLs.
 

francisaugusto
Thanks for the info. But I wonder why `nfs4_setfacl -e` worked well, even if it was locally.
 

anodos
That's quite frankly not possible:
Code:
    root@truenas[/mnt/dozer/nfs]# nfs4_setfacl -e .
    Operation to request attribute not supported.
    Failed to instantiate ACL.

Code:
    getxattr("/mnt/dozer/nfs", "system.nfs4_acl", NULL, 0) = -1 EOPNOTSUPP (Operation not supported)

What is the output of `df -T <path>` for where you are seeing this?
 