POSIX ACLs, NFSv4 and umask discrepancy

Robert Marcano robert at marcanoonline.com
Mon Jul 25 22:50:53 UTC 2011


I have a network environment using Fedora 15 as clients and EL 5 as an 
NFSv4 server. Everything is running with Kerberos thanks to FreeIPA. The 
question is more related to POSIX ACLs and NFS than to any FreeIPA-specific 
setup, so I am asking here first.

FreeIPA uses a different default configuration for user creation than plain 
Fedora 15: it adds all users to the same primary group named ipausers and does 
not create a group for each user (1). Fedora correctly detects this 
configuration when the group is not named the same as the user and does 
not set the default umask 002; instead it uses 022 (2) (see /etc/profile):

############################################################
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
     umask 002
else
     umask 022
fi
############################################################

Trying to set up an NFS export with files that are shared by a group of 
users, not using the group sticky bit but POSIX ACLs instead (3), I created it 
with the following ACL:

############################################################
# file: directory
# owner: root
# group: root
user::rwx
group::r-x
group:sharedgroup:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:sharedgroup:rwx
default:mask::rwx
default:other::---
############################################################

Group 'sharedgroup' has rwx access on 'directory', and the default ACL 
for new files is the same for that group. When creating a file on 
the server and on the NFS client, with umask 022 and the same user, I get 
the following ACLs on the files:

############################################################
# file: client
# owner: test
# group: ipausers
user::rw-
group::r-x			#effective:r--
group:sharedgroup:rwx		#effective:r--
mask::r--
other::r--

# file: server
# owner: test
# group: ipausers
user::rw-
group::r-x			#effective:r--
group:sharedgroup:rwx		#effective:rw-
mask::rw-
other::r--
############################################################

So the first thing to notice is that everything is exactly the same with 
the exception of the mask: when the file is created from the client it is not 
assigned the same mask as when it is created on the server.

I know Linux implements an NFSv4 ACL to POSIX ACL mapping as explained 
here http://wiki.linux-nfs.org/wiki/index.php/ACLs#Strict_Mapping , but 
why the difference in behavior? Is it right? How do I share files via NFS 
in an environment where the users have umask 022 (2) and not 002, with 
anyone adding, reading and writing files simply by using the directory 
(that is the reason for using POSIX ACLs)?

Thanks in advance.

(1) I am not a fan of the ipausers default group, but the like or 
dislike of a group per user generates discussions like vi vs emacs.
(2) Or a more strict one like 077.
(3) Not feasible using umask 022 because the file group is assigned 
correctly but the file is still only readable.
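The difference in the mask entry can be reproduced from the POSIX.1e inheritance rule alone. When a parent directory carries a default ACL, a local filesystem ignores the process umask and intersects the create mode (0666 for a plain file create) with the default ACL entries; the mask entry gets the group bits of that mode. An NFS client, however, applies its umask to the mode before sending the CREATE to the server (the NFSv4.2 umask attribute that fixes this came later), so the server intersects the default ACL with an already-reduced mode of 0644. The following Python is an added example, not code from the post, FreeIPA or the Linux NFS project; it simulates both paths using the default ACL and umask values quoted above. With default:other::--- the derived other entry is --- on both paths; the example only claims to reproduce the mask and effective-permission derivation.

```python
"""Simulate POSIX.1e ACL inheritance for a newly created file.

Added example (not from the original post). Two code paths are modelled:
  * local filesystem with a default ACL on the parent: umask is ignored,
    the create mode (0666) is intersected with the default ACL entries;
  * NFS client without the NFSv4.2 umask attribute: the client applies
    umask to the mode before sending CREATE, the server then intersects
    the default ACL with that reduced mode.
The default ACL and umask values are the ones quoted in the post.
"""

from dataclasses import dataclass

R, W, X = 4, 2, 1


def perm_str(bits):
    """Render a 3-bit permission set the way getfacl does (e.g. 'rw-')."""
    return ("r" if bits & R else "-") + ("w" if bits & W else "-") + ("x" if bits & X else "-")


@dataclass
class Entry:
    tag: str        # "user", "group", "mask" or "other"
    qualifier: str  # "" for owner / owning group / mask / other, else a name
    perms: int


# The directory's default ACL from the post, with the "default:" prefix stripped.
DEFAULT_ACL = [
    Entry("user", "", 7),              # default:user::rwx
    Entry("group", "", 5),             # default:group::r-x
    Entry("group", "sharedgroup", 7),  # default:group:sharedgroup:rwx
    Entry("mask", "", 7),              # default:mask::rwx
    Entry("other", "", 0),             # default:other::---
]


def inherit_acl(default_acl, mode):
    """POSIX.1e: build the new file's access ACL from the parent's default ACL.

    Owner, mask and other entries are ANDed with the matching mode bits;
    named entries (and group:: when a mask exists) are copied unchanged.
    """
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(e.tag == "mask" for e in default_acl)
    result = []
    for e in default_acl:
        p = e.perms
        if e.tag == "user" and e.qualifier == "":
            p &= owner_bits
        elif e.tag == "mask":
            p &= group_bits
        elif e.tag == "group" and e.qualifier == "" and not has_mask:
            p &= group_bits
        elif e.tag == "other":
            p &= other_bits
        result.append(Entry(e.tag, e.qualifier, p))
    return result


def mask_of(acl):
    """Mask entry, or rwx when the ACL has no mask (nothing is restricted)."""
    return next((e.perms for e in acl if e.tag == "mask"), 7)


def effective(acl, tag, qualifier=""):
    """Effective permissions: group:: and named entries are ANDed with the mask."""
    for e in acl:
        if e.tag == tag and e.qualifier == qualifier:
            if e.tag in ("user", "other", "mask") and e.qualifier == "":
                return e.perms
            return e.perms & mask_of(acl)
    raise KeyError((tag, qualifier))


def create_local(default_acl, requested_mode=0o666, umask=0o022):
    """Local fs: a default ACL is present, so umask is deliberately not applied."""
    return inherit_acl(default_acl, requested_mode)


def create_via_nfs_client(default_acl, requested_mode=0o666, umask=0o022):
    """NFS client: umask is applied on the client, then the server inherits the ACL."""
    mode_on_wire = requested_mode & ~umask
    return inherit_acl(default_acl, mode_on_wire)


def getfacl(acl):
    """Format an ACL like getfacl output, including #effective: annotations."""
    m = mask_of(acl)
    lines = []
    for e in acl:
        line = f"{e.tag}:{e.qualifier}:{perm_str(e.perms)}"
        restricted = e.tag == "group" or (e.tag == "user" and e.qualifier)
        if restricted and e.perms & m != e.perms:
            line += f"\t\t#effective:{perm_str(e.perms & m)}"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    print("# created on the server (umask ignored):")
    print(getfacl(create_local(DEFAULT_ACL)))
    print("\n# created from an NFS client with umask 022:")
    print(getfacl(create_via_nfs_client(DEFAULT_ACL, umask=0o022)))
    print("\n# created from an NFS client with umask 002:")
    print(getfacl(create_via_nfs_client(DEFAULT_ACL, umask=0o002)))
```

Running it prints mask::rw- with sharedgroup effective rw- for the local path and mask::r-- with sharedgroup effective r-- for the client path with umask 022, which is exactly the divergence in the two getfacl listings above. The third case shows that a client umask of 002 puts the write bit back into the group bits sent on the wire and therefore into the inherited mask; a client umask of 077 would strip even the read bit from the mask.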
