I'm trying to export/mount an NFS volume with no ACLs at all (POSIX or NFS ones), but I have not managed to.
Technical context: latest Debian on both sides, ext4 volume.
Goal: I enforce strict access using POSIX ACLs on the server, and users can (will) access the volume on another machine, with NFS.
But any user owning a dir/file can change the ACLs, which is not good here. So I want to prevent users from changing ACLs, and simply removing the get/setfacl commands is not a good way. Removing ACL support on the server-side volume is not good…
So my question: is it possible to prevent ACLs from an NFS mount, without removing ACLs on the server-side volume? If yes, how can it be done?
I tested using no_acl / noacl without success: my exports are done in NFSv3, with the "no_acl" option. In /etc/exports:
/exports ip-of-client-during-tests(rw,sync,no_acl,no_subtree_check,fsid=0)
/exports/data ip-of-client-during-tests(rw,sync,no_acl,no_subtree_check)
All services reloaded/restarted.
Then I mount it on the client with the "noacl" option (whatever):
mount -t nfs -o noacl,vers=3 my-server:/exports/data/ /var/data/
which gives in /proc/mounts:
server-name:/exports/data/ /var/data nfs rw,relatime,vers=3,rsize=524288,wsize=524288,namlen=255,hard,noacl,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=server-ip,mountvers=3,mountport=53844,mountproto=udp,local_lock=none,addr=server-ip 0 0
And on the client I'm able to get/set ACLs using get/setfacl on dirs/files I own, and the changes are visible on the server filesystem.
I also tried using NFSv4, no change.
BTW on the server I can't see any "no_acl" option in /proc/fs/nfs/exports:
/exports/data client-ip(rw,root_squash,sync,wdelay,no_subtree_check,uuid=0bac8439:e7e2488e:817358d2:f2c94b85,sec=1)
even if it is visible with exportfs -v:
/exports/data client-ip(rw,wdelay,root_squash,no_subtree_check,no_acl,sec=sys,rw,root_squash,no_all_squash)
Best Answer
You can disable the server-side support by compiling the kernel without the CONFIG_NFSD_V3_ACL option.
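
To see whether a given kernel was built that way, this added example (not part of the original answer) reads a kernel config file and reports how CONFIG_NFSD and CONFIG_NFSD_V3_ACL are set. The function names are hypothetical, the sample config is constructed, and the script assumes the distribution installs the running kernel's config as /boot/config-$(uname -r), as Debian does.

```shell
#!/bin/sh
# Added example: report how a kernel config file sets the nfsd NFSv3 ACL option.

# kconfig_state OPTION FILE
# Prints one of: enabled (=y), module (=m), disabled ("is not set"), absent.
kconfig_state() {
    if grep -q "^$1=y\$" "$2"; then
        echo enabled
    elif grep -q "^$1=m\$" "$2"; then
        echo module
    elif grep -q "^# $1 is not set\$" "$2"; then
        echo disabled
    else
        echo absent
    fi
}

# nfsd_acl_verdict FILE
# Prints "no-nfsd" when the NFS server is not built at all, "v3-acl-built-in"
# when CONFIG_NFSD_V3_ACL=y, and "v3-acl-not-built" otherwise.
nfsd_acl_verdict() {
    case "$(kconfig_state CONFIG_NFSD "$1")" in
        enabled|module) ;;
        *) echo no-nfsd; return 0 ;;
    esac
    if [ "$(kconfig_state CONFIG_NFSD_V3_ACL "$1")" = enabled ]; then
        echo v3-acl-built-in
    else
        echo v3-acl-not-built
    fi
}

# Constructed sample of a rebuilt kernel's config, not taken from a real system.
sample_config() {
    printf '%s\n' 'CONFIG_NFSD=m' '# CONFIG_NFSD_V3_ACL is not set' 'CONFIG_NFSD_V4=y'
}

# Check the running kernel when its config is readable; otherwise use the sample.
cfg="/boot/config-$(uname -r)"
if [ ! -r "$cfg" ]; then
    cfg=$(mktemp)
    sample_config > "$cfg"
fi
echo "$cfg: $(nfsd_acl_verdict "$cfg")"
```

The check covers only the NFSv3 option named in the answer; it says nothing about NFSv4 ACL handling.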