Unix mode file permissions and NFSv4 ACL do not work as reported in RFC
Applies to
- NFSv4
- Unix mode file permissions
- ONTAP 9
Issue
- When setting permissions with chmod or an ACL with nfs4_setfacl from the client, the permissions displayed are not the effective ones:
user@ubuntu:/mnt$ ls -l
-rw-r--r-- 1 user group 40960 dec 16 15:03 file.tar
user@ubuntu:/mnt$ tar tvf file.tar
drwxr-xr-x user/group 0 2022-11-15 14:57 scripts/
-rwxr-xr-x user/group 289 2021-06-16 15:55 scripts/data1.bash
-rw-r--r-- user/group 2294 2020-01-29 15:54 scripts/data2.sh
-rwxr-xr-x user/group 578 2021-07-07 11:17 scripts/collect.bash
-rwxrwxr-x user/group 1804 2018-08-22 12:39 scripts/acltest.sh
-rwxr-xr-x user/group 15647 2021-05-28 13:23 scripts/parser.py
-rwxr-xr-x user/group 3479 2021-06-17 16:56 scripts/collection_1.1.bash
-rwxr-xr-x user/group 927 2020-01-28 11:38 scripts/memory_check.bash
-rwxr-xr-x user/group 2853 2021-06-16 15:54 scripts/collection_1.0.bash
-rwxr-xr-x user/group 2108 2019-09-26 10:38 scripts/ems_logdump
-rw-r--r-- user/group 111 2021-07-02 09:36 scripts/keep.csh
user@ubuntu:/mnt$ nfs4_getfacl /mnt/file.tar
# file: /mnt/file.tar
A::OWNER@:rwatTnNcCy
A:g:GROUP@:rtncy
A::EVERYONE@:rtncy
user@ubuntu:/mnt$ nfs4_setfacl -m A:g:GROUP@:rtncy A:g:GROUP@:tcy /mnt/file.tar
user@ubuntu:/mnt$ nfs4_setfacl -m A::EVERYONE@:rtncy A::EVERYONE@:rwatTnNcy /mnt/file.tar
user@ubuntu:/mnt$ nfs4_setfacl -m A::OWNER@:rwatTnNcCy A::OWNER@:tcCy /mnt/file.tar
user@ubuntu:/mnt$ ls -la
-------rw- 1 user group 40960 dec 16 15:03 file.tar
user@ubuntu:/mnt$ nfs4_getfacl /mnt/file.tar
# file: /mnt/file.tar
A::OWNER@:tcCy
A:g:GROUP@:tcy
A::EVERYONE@:rwatTnNcy
user@ubuntu:/mnt$ tar tvf file.tar
drwxr-xr-x user/group 0 2022-11-15 14:57 scripts/
-rwxr-xr-x user/group 289 2021-06-16 15:55 scripts/data1.bash
-rw-r--r-- user/group 2294 2020-01-29 15:54 scripts/data2.sh
-rwxr-xr-x user/group 578 2021-07-07 11:17 scripts/collect.bash
-rwxrwxr-x user/group 1804 2018-08-22 12:39 scripts/acltest.sh
-rwxr-xr-x user/group 15647 2021-05-28 13:23 scripts/parser.py
-rwxr-xr-x user/group 3479 2021-06-17 16:56 scripts/collection_1.1.bash
-rwxr-xr-x user/group 927 2020-01-28 11:38 scripts/memory_check.bash
-rwxr-xr-x user/group 2853 2021-06-16 15:54 scripts/collection_1.0.bash
-rwxr-xr-x user/group 2108 2019-09-26 10:38 scripts/ems_logdump
-rw-r--r-- user/group 111 2021-07-02 09:36 scripts/keep.csh
- This is expected based on the EVERYONE@ definition in the protocol specification:
6.2.1.5.1. Discussion of EVERYONE@
It is important to note that "EVERYONE@" is not equivalent to the
UNIX "other" entity. This is because, by definition, UNIX "other"
does not include the owner or owning group of a file. "EVERYONE@"
means literally everyone, including the owner or owning group.
- However, the output of ls does not match the effective permissions, as it should per the protocol definition in sections 6.3.2 and 6.4.
- The behavior is similar when permissions are changed with chmod: in this scenario the owner is not entitled to open the file per the protocol definition, even though the nfs4_getfacl output suggests it could:
user@ubuntu:/mnt$ ls -l
-rw-r--r-- 1 user group 40960 dec 16 15:03 file.tar
user@ubuntu:/mnt$ chmod 006 file.tar
user@ubuntu:/mnt$ ls -l
-------rw- 1 user group 40960 dec 16 15:03 file.tar
user@ubuntu:/mnt$ nfs4_getfacl /mnt/file.tar
# file: /mnt/file.tar
A::OWNER@:tcCy
A:g:GROUP@:tcy
A::EVERYONE@:rwatTnNcy
user@ubuntu:/mnt$ tar -xf file.tar
tar: /mnt/file.tar: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
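The two sessions above show the same nfs4_getfacl output (OWNER@:tcCy, GROUP@:tcy, EVERYONE@:rwatTnNcy) and the same ls display (-------rw-) leading to opposite outcomes for the owner. The following script is an added example, not code from the article or from NetApp, that makes the gap between the two views explicit: it parses the nfs4_getfacl text form, evaluates an access request under NFSv4 ACL semantics (RFC 7530 section 6.2.1.5.1, where EVERYONE@ includes the owner), derives the nine mode characters ls would show (a simplified reading of section 6.3.2, taking owner/group/other bits from the OWNER@/GROUP@/EVERYONE@ allow entries), and evaluates the same request under classic mode-bit semantics, where only one class applies and "other" never includes the owner. The ACE syntax handling, the helper names and the simplified mode derivation are assumptions of this example; the two ACLs are copied from the session above.

```python
"""Compare NFSv4 ACL semantics with Unix mode-bit semantics (added example).

Assumptions (not from the KB article): ACEs are in nfs4_getfacl text form
"type:flags:who:perms", only the OWNER@/GROUP@/EVERYONE@ special principals
are handled, and mode derivation is a simplified form of RFC 7530 6.3.2.
"""
from dataclasses import dataclass

# ACLs copied from the KB session: before and after the nfs4_setfacl calls.
KB_ACL_BEFORE = """# file: /mnt/file.tar
A::OWNER@:rwatTnNcCy
A:g:GROUP@:rtncy
A::EVERYONE@:rtncy
"""
KB_ACL_AFTER = """# file: /mnt/file.tar
A::OWNER@:tcCy
A:g:GROUP@:tcy
A::EVERYONE@:rwatTnNcy
"""


@dataclass(frozen=True)
class Ace:
    kind: str   # "A" allow, "D" deny
    flags: str  # e.g. "g" marks a group principal
    who: str    # OWNER@, GROUP@ or EVERYONE@
    perms: str  # nfs4_setfacl letter mask (r, w, x, a, t, T, n, N, c, C, y, ...)


def parse_acl(text: str) -> list[Ace]:
    """Parse nfs4_getfacl output; lines starting with '#' are comments."""
    aces = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, flags, who, perms = line.split(":")
        aces.append(Ace(kind, flags, who, perms))
    return aces


def matches(ace: Ace, is_owner: bool, in_group: bool) -> bool:
    """RFC 7530 6.2.1.5.1: EVERYONE@ literally means everyone, owner included."""
    if ace.who == "EVERYONE@":
        return True
    if ace.who == "OWNER@":
        return is_owner
    if ace.who == "GROUP@":
        return in_group
    return False


def acl_allows(aces: list[Ace], wanted: str, *, is_owner: bool, in_group: bool) -> bool:
    """NFSv4 ACE processing: walk the ACL in order; each requested bit is
    decided by the first matching ACE that mentions it. A matching DENY for
    any still-undecided bit refuses the request; bits nobody grants are denied."""
    pending = set(wanted)
    for ace in aces:
        if not matches(ace, is_owner, in_group):
            continue
        hit = pending & set(ace.perms)
        if not hit:
            continue
        if ace.kind == "D":
            return False
        pending -= hit
        if not pending:
            return True
    return not pending


def mode_from_acl(aces: list[Ace]) -> str:
    """Nine mode characters as ls would display them: owner bits from OWNER@,
    group bits from GROUP@, other bits from EVERYONE@ (allow ACEs only;
    simplified RFC 7530 6.3.2 derivation, an assumption of this example)."""
    triplets = []
    for who in ("OWNER@", "GROUP@", "EVERYONE@"):
        granted = set()
        for ace in aces:
            if ace.who == who and ace.kind == "A":
                granted |= set(ace.perms)
        triplets.append("".join(b if b in granted else "-" for b in "rwx"))
    return "".join(triplets)


def unix_mode_allows(mode: int, wanted: str, *, is_owner: bool, in_group: bool) -> bool:
    """Classic mode-bit check: exactly one class applies to the requester,
    and UNIX "other" never includes the owner or the owning group."""
    shift = 6 if is_owner else 3 if in_group else 0
    bits = (mode >> shift) & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[b] for b in wanted)
    return bits & need == need


if __name__ == "__main__":
    after = parse_acl(KB_ACL_AFTER)
    print("ls would show  :", "-" + mode_from_acl(after))
    print("ACL: owner read:", acl_allows(after, "r", is_owner=True, in_group=True))
    print("mode 006 owner read:", unix_mode_allows(0o006, "r", is_owner=True, in_group=True))
```

Run as-is, the script reports the same -------rw- that ls printed, "True" for the owner's read under ACL semantics (matching the first session, where tar tvf still succeeds) and "False" under mode 006 (matching the second session's "Permission denied"). The practical check for an administrator is therefore to test access with the credentials that matter rather than trust ls, since the mode string is derived from the ACL and cannot express that EVERYONE@ also covers the owner.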