Skip to main content
NetApp Knowledge Base

Unix mode file permissions and NFSv4 ACL do not work as reported in RFC

Views:
259
Visibility:
Public
Votes:
1
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • NFSv4
  • Unix mode file permissions
  • ONTAP 9

Issue

  • When setting a permission using chmod or set an ACL using nfs4_setacl from client the displayed permissions are not the effective ones:
user@ubuntu:/mnt$ ls -l
-rw-r--r--  1 user group 40960 dec 16 15:03 file.tar

user@ubuntu:/mnt$ tar tvf file.tar
drwxr-xr-x user/group     0 2022-11-15 14:57 scripts/
-rwxr-xr-x user/group   289 2021-06-16 15:55 scripts/data1.bash
-rw-r--r-- user/group  2294 2020-01-29 15:54 scripts/data2.sh
-rwxr-xr-x user/group   578 2021-07-07 11:17 scripts/collect.bash
-rwxrwxr-x user/group  1804 2018-08-22 12:39 scripts/acltest.sh
-rwxr-xr-x user/group 15647 2021-05-28 13:23 scripts/parser.py
-rwxr-xr-x user/group  3479 2021-06-17 16:56 scripts/collection_1.1.bash
-rwxr-xr-x user/group   927 2020-01-28 11:38 scripts/memory_check.bash
-rwxr-xr-x user/group  2853 2021-06-16 15:54 scripts/collection_1.0.bash
-rwxr-xr-x user/group  2108 2019-09-26 10:38 scripts/ems_logdump
-rw-r--r-- user/group   111 2021-07-02 09:36 scripts/keep.csh

user@ubuntu:/mnt$ nfs4_getfacl /mnt/file.tar
# file: /mnt/file.tar
A::OWNER@:rwatTnNcCy
A:g:GROUP@:rtncy
A::EVERYONE@:rtncy

user@ubuntu:/mnt$ nfs4_setfacl -m A:g:GROUP@:rtncy A:g:GROUP@:tcy /mnt/file.tar
user@ubuntu:/mnt$ nfs4_setfacl -m A::EVERYONE@:rtncy A::EVERYONE@:rwatTnNcy /mnt/file.tar
user@ubuntu:/mnt$ nfs4_setfacl -m A::OWNER@:rwatTnNcCy A::OWNER@:tcCy /mnt/file.tar

user@ubuntu:/mnt$ ls -la
-------rw-  1 user group 40960 dec 16 15:03 file.tar

user@ubuntu:/mnt$ nfs4_getfacl /mnt/scripts.tar
# file: /mnt/file.tar
A::OWNER@:tcCy
A:g:GROUP@:tcy
A::EVERYONE@:rwatTnNcy

user@ubuntu:/mnt$ tar tvf file.tar
drwxr-xr-x user/group     0 2022-11-15 14:57 scripts/
-rwxr-xr-x user/group   289 2021-06-16 15:55 scripts/data1.bash
-rw-r--r-- user/group  2294 2020-01-29 15:54 scripts/data2.sh
-rwxr-xr-x user/group   578 2021-07-07 11:17 scripts/collect.bash
-rwxrwxr-x user/group  1804 2018-08-22 12:39 scripts/acltest.sh
-rwxr-xr-x user/group 15647 2021-05-28 13:23 scripts/parser.py
-rwxr-xr-x user/group  3479 2021-06-17 16:56 scripts/collection_1.1.bash
-rwxr-xr-x user/group   927 2020-01-28 11:38 scripts/memory_check.bash
-rwxr-xr-x user/group  2853 2021-06-16 15:54 scripts/collection_1.0.bash
-rwxr-xr-x user/group  2108 2019-09-26 10:38 scripts/ems_logdump
-rw-r--r-- user/group   111 2021-07-02 09:36 scripts/keep.csh

  • This is expected based on EVERYONE@ definition in protocol specification:

6.2.1.5.1.  Discussion of EVERYONE@

   It is important to note that "EVERYONE@" is not equivalent to the
   UNIX "other" entity.  This is because, by definition, UNIX "other"
   does not include the owner or owning group of a file.  "EVERYONE@"
   means literally everyone, including the owner or owning group.

  • However the output of ls is not matching the effective permissions as it should be per protocol definition as defined in sections 6.3.2 and 6.4
  • Similar behavior changing permissions using chmod: in this scenario owner is not entitled to open the file based on protocol definition, even if output from nfs4_getacl is suggesting it could:

user@ubuntu:/mnt$ ls -l
-rw-r--r--  1 user group 40960 dec 16 15:03 file.tar

user@ubuntu:/mnt$ chmod 006 file.tar
user@ubuntu:/mnt$ ls -l
-------rw-  1 user group 40960 dec 16 15:03 file.tar

user@ubuntu:/mnt$ nfs4_getfacl /mnt/file.tar
# file: /mnt/file.tar
A::OWNER@:tcCy
A:g:GROUP@:tcy
A::EVERYONE@:rwatTnNcy

user@ubuntu:/mnt$ tar -xf file.tar
tar: /mnt/file.tar: Cannot open: Permission denied
tar: Error is not recoverable: exiting now

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.