I'm sharing an NFS folder among a user group. The default umask on the clients is 0700, and this is a problem because newly created files won't be readable/writable by other users.
So, I'm using ACLs to force the umask 0770 on the shared folder, and this works OK on the server, but not on the clients.
    server # getfacl /export/proyectos
    getfacl: Eliminando «/» inicial en nombres de ruta absolutos
    # file: export/proyectos
    # owner: root
    # group: root
    user::rwx
    group::rwx
    other::r-x
    default:user::rwx
    default:group::rwx
    default:mask::rwx
    default:other::r-x

    server # getfacl /export/proyectos/innovacion
    getfacl: Eliminando «/» inicial en nombres de ruta absolutos
    # file: export/proyectos/innovacion
    # owner: root
    # group: proyecto-innovacion
    # flags: ss-
    user::rwx
    group::rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:mask::rwx
    default:other::---
As you see, the default (and also a specific one on the second directory) mask ACLs are being applied.
I mount the whole share on the client:
172.16.54.56:/export/proyectos on /proyectos type nfs (rw,noatime,rsize=131072,wsize=131072,acregmin=10,acl,nfsvers=3,addr=172.16.54.56)
But the mask and default:mask ACLs are gone.
    client $ getfacl /proyectos/
    getfacl: Eliminando «/» inicial en nombres de ruta absolutos
    # file: proyectos/
    # owner: root
    # group: root
    user::rwx
    group::rwx
    other::r-x
    default:user::rwx
    default:group::rwx
    default:other::r-x

    client $ getfacl /proyectos/innovacion
    getfacl: Eliminando «/» inicial en nombres de ruta absolutos
    # file: proyectos/innovacion
    # owner: root
    # group: proyecto-innovacion
    # flags: ss-
    user::rwx
    group::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:other::---
It lacks the default:mask and mask ACLs, the only ones that I've set. So the proposed solution to enforce umask won't work for me. Why is this happening?
Best Answer
It seems that, even when utilities like getfacl and ls show that ACLs are being applied, the ACL mask doesn't work as expected over NFS. Some subset of file/dir operations work as if the mask was applied, and others don't. Because of this, even though you can access those files in place, serving the folders through SFTP or Samba results in weird or no permissions at all.
I'm now using this ACL, which ensures all files have the correct permissions. Contrary to what could be expected, the execution bit is not applied to new files by default, only if the user does so.
The ACL:
Edit: However, this won't work as expected for files copied by cp or by nautilus. They apply the user umask, even when an ACL exists, so this doesn't work.
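An added example, not part of the original question or answer: a short Python script that parses two getfacl records for the same directory and lists the ACL entries visible on the server but absent through the client mount, using the entries posted in the question for the innovacion directory. The function names `parse_getfacl` and `diff_acl` are hypothetical.

```python
# ACL entries copied from the question (server export vs. NFSv3 client mount);
# owner/group/flags header lines are omitted here because the parser skips them.
SERVER_VIEW = """\
# file: export/proyectos/innovacion
user::rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::---
"""
CLIENT_VIEW = """\
# file: proyectos/innovacion
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:other::---
"""


def parse_getfacl(text):
    """Map each ACL entry key (e.g. 'default:mask:') to its permission string."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and '#effective:' notes
        if not line or line.startswith("getfacl:"):
            continue  # blank line, or a getfacl warning captured with the output
        key, _, perms = line.rpartition(":")
        entries[key] = perms
    return entries


def diff_acl(server_text, client_text):
    """Report entries that differ between the server's and the client's view."""
    srv, cli = parse_getfacl(server_text), parse_getfacl(client_text)
    return {
        "missing_on_client": sorted(k for k in srv if k not in cli),
        "extra_on_client": sorted(k for k in cli if k not in srv),
        "changed": sorted(k for k in srv if k in cli and srv[k] != cli[k]),
    }


if __name__ == "__main__":
    for kind, keys in diff_acl(SERVER_VIEW, CLIENT_VIEW).items():
        print(f"{kind}: {keys}")
```
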