Directory/file created on NFSv4 mounted file system with inherited ACE may result in mode bits of the directory/file set to 0000
Applies to
- Unix/Linux client
- NFSv4.0
- 9.3 P9 and earlier
Issue
- When creating a directory or a file on an NFSv4 mounted file system where the parent directory has an inheritable ACE (Access Control Entry), the directory or file may be created with the appropriate ACE but with the mode bits set to 0000. This is more likely to occur on a system that is busy.
- This can cause access issues for users who would otherwise have access to the directory or file.
Example: Parent directory testdir2 has an inheritable group ACE.
[testuser@centos testdir]$ nfs4_getfacl .
A:fdg:testgroup@test.local:rwaDxtTnNcCy <<< Note: Inheritable group ACE of parent directory
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
- The following command searches the current directory for directories (-type d) whose mode bits are 0000 (-perm 0000) and attempts to list them (-ls), which results in a permission denied error.
[testuser@centos testdir2]$ find . -type d -perm 0000 -ls
10151 4 d--------- 2 testuser testgroup 4096 Feb 26 12:53 ./test0169
find: ‘./test0169’: Permission denied <<< Error due to mode bits set to 0000
- When viewed from the filer, we can see the inherited ACE and the UNIX Mode Bits:
::*> file-directory show -vserver svm01 -path /vol_test1/testuser/testdir2/test0169
(vserver security file-directory show)
Vserver: svm01
File Path: /vol_test1/testuser/testdir/test0169
File Inode Number: 10151
Security Style: unix
Effective Style: unix
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 10000
UNIX Group Id: 10000
UNIX Mode Bits: 0
UNIX Mode Bits in Text: ---------
ACLs: NFSV4 Security Descriptor
Control:0x8004
DACL - ACEs
ALLOW-group-testgroup-0x1601ff-FI|DI|IG
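The client-side checks shown above (the find search for mode 0000 and the nfs4_getfacl inspection of the parent directory) can be combined into one triage helper. This is an added example, not code from the original article or from NetApp; the function names are hypothetical, and it assumes nfs4_getfacl (from nfs4-acl-tools) is installed on the client.

```shell
# Added example: list entries showing the symptom described in this article.
# Function names are hypothetical and not part of any NetApp tooling.

# Print every file or directory under $1 whose mode bits are exactly 0000.
# -prune keeps find from descending into an unreadable 0000 directory,
# which avoids the "Permission denied" error shown in the article.
zero_mode_entries() {
    find "$1" \( -type d -o -type f \) -perm 0000 -prune -print
}

# Read nfs4_getfacl output on stdin and print only the ALLOW ACEs that are
# inheritable, i.e. whose flags field contains f (file-inherit) or
# d (directory-inherit). ACE format: type:flags:principal:permissions
inheritable_aces() {
    awk -F: '$1 == "A" && $2 ~ /[fd]/ { print }'
}

# For each 0000 entry under $1, print it together with the first inheritable
# ALLOW ACE of its parent directory. Entries whose parent has no inheritable
# ACE are skipped, since they do not match the condition described here.
report_suspects() {
    local root=$1 entry parent aces
    if ! command -v nfs4_getfacl >/dev/null 2>&1; then
        echo "nfs4_getfacl not found (install nfs4-acl-tools)" >&2
        return 2
    fi
    zero_mode_entries "$root" | while IFS= read -r entry; do
        parent=$(dirname -- "$entry")
        aces=$(nfs4_getfacl "$parent" 2>/dev/null | inheritable_aces)
        if [ -n "$aces" ]; then
            printf '%s\tparent ACE: %s\n' "$entry" \
                "$(printf '%s\n' "$aces" | head -n 1)"
        fi
    done
    return 0
}
```

Source the file and run `report_suspects` with the path of the NFSv4 mount or a subdirectory of it; each output line is a candidate for comparison against the filer-side `file-directory show` output.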