I have a network environment using Fedora 15 as clients and EL 5 as an
NFSv4 server. Everything is running with Kerberos thanks to FreeIPA. The
question is more related to POSIX ACLs and NFS than to any special FreeIPA
setup, so I am asking here first.
FreeIPA uses a different default configuration for user creation than
plain Fedora 15: it adds all users to the same primary group named
ipausers and does not create a group for each user (1). Fedora correctly
detects this configuration when the group is not named the same as the
user and does not set the default umask 002; instead it uses 022 (2)
(see /etc/profile):
############################################################
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
umask 002
else
umask 022
fi
############################################################
Trying to set up an NFS export with files that are shared by a group of
users, using POSIX ACLs (3) instead of the group sticky bit, I created it
with the following ACL:
############################################################
# file: directory
# owner: root
# group: root
user::rwx
group::r-x
group:sharedgroup:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:sharedgroup:rwx
default:mask::rwx
default:other::---
############################################################
Group 'sharedgroup' has rwx access on 'directory', and the default ACLs
for new files are the same for the same group. When creating a file on
the server and on the NFS client with umask 022 and the same user, I get
the following ACLs on the files:
############################################################
# file: client
# owner: test
# group: ipausers
user::rw-
group::r-x #effective:r--
group:sharedgroup:rwx #effective:r--
mask::r--
other::r--
# file: server
# owner: test
# group: ipausers
user::rw-
group::r-x #effective:r--
group:sharedgroup:rwx #effective:rw-
mask::rw-
other::r--
############################################################
So the first thing to notice is that everything is exactly the same with
the exception of the mask: when the file is created from the client it is
not assigned the same mask as when it is created on the server.
I know Linux implements an NFSv4 ACL to POSIX ACL mapping, as explained
here:
http://wiki.linux-nfs.org/wiki/index.php/ACLs#Strict_Mapping , but
why the difference in behavior? Is it right? How can I share files via
NFS in an environment where the users have umask 022 (2) and not 002,
with anyone adding, reading and writing files simply by using the
directory (which is the reason for using POSIX ACLs)?
Thanks in advance.
(1) I am not a fan of the ipausers default group, but liking or
disliking a group per user generates discussions like vi vs emacs.
(2) Or a stricter one like 077.
(3) Not feasible using a umask of 022, because the file group is assigned
correctly but the file is still only readable.
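The following is an added model, not code from the post, of how a new file's access ACL is derived from the parent directory's default ACL at create time, following acl(5): the default ACL is copied, and its user::, mask:: and other:: entries are ANDed with the owner, group and other bits of the mode handed to open(2); the filesystem itself does not apply the umask when a default ACL exists. The one assumption, not stated in the post, is that the NFS client applies the umask to the requested mode before the create reaches the server, while a local create on the server hands the unmasked 0666 to the kernel; under that assumption the model reproduces the two mask values listed above.

```python
# Model of POSIX default-ACL inheritance at file creation (acl(5) semantics).
# Added example; constructed from the ACL listings in the post.
# Assumption: the NFS client applies the umask before sending the mode to
# the server, while a local create on the server passes the raw 0666.
from collections import OrderedDict

PERM_CHARS = "rwx"

def perm_to_bits(s):
    """'rw-' -> 0b110"""
    return sum(4 >> i for i, c in enumerate(PERM_CHARS) if s[i] == c)

def bits_to_perm(b):
    """0b110 -> 'rw-'"""
    return "".join(c if b & (4 >> i) else "-" for i, c in enumerate(PERM_CHARS))

def inherit_acl(default_acl, mode):
    """Access ACL a new file receives from `default_acl` with open(2) `mode`."""
    acl = OrderedDict()
    for tag, perm in default_acl.items():
        bits = perm_to_bits(perm)
        if tag == "user::":
            bits &= (mode >> 6) & 7      # owner bits of the mode
        elif tag == "mask::":
            bits &= (mode >> 3) & 7      # group bits of the mode limit the mask
        elif tag == "other::":
            bits &= mode & 7             # other bits of the mode
        # group:: and named user/group entries are inherited unchanged;
        # only the mask limits what they effectively grant
        acl[tag] = bits_to_perm(bits)
    return acl

def effective(acl, tag):
    """Permissions a group entry really grants once the mask is applied."""
    return bits_to_perm(perm_to_bits(acl[tag]) & perm_to_bits(acl["mask::"]))

def create_file(default_acl, umask, client_applies_umask):
    """Model open(path, O_CREAT, 0666) under `umask` on client or server."""
    mode = 0o666 & ~umask if client_applies_umask else 0o666
    return inherit_acl(default_acl, mode)

# Default ACL of 'directory' exactly as listed in the post
DEFAULT_ACL = OrderedDict([
    ("user::", "rwx"), ("group::", "r-x"), ("group:sharedgroup", "rwx"),
    ("mask::", "rwx"), ("other::", "---"),
])

if __name__ == "__main__":
    for where, via_client in (("client", True), ("server", False)):
        acl = create_file(DEFAULT_ACL, 0o022, via_client)
        print(f"# file: {where}")
        for tag, perm in acl.items():
            eff = effective(acl, tag) if tag.startswith("group") else perm
            print(f"{tag}{perm}" + (f"\t#effective:{eff}" if eff != perm else ""))
```

Running it prints mask::r-- for the client path and mask::rw- for the server path, so sharedgroup only effectively gets r-- on files created through the client even though its own entry is still rwx.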