Richacls - Native NFSv4 ACLs on Linux

Richacls are an implementation of NFSv4 ACLs which has been extended by file masks to better fit the standard POSIX file permission model. The main goal is to provide a consistent file permission model locally as well as over various remote file system protocols like NFSv4 and CIFS; this is expected to significantly improve interoperability in mixed operating system environments, both when Linux is used as a client and as a server.

Richacls share some design elements with POSIX ACLs, but they go beyond POSIX ACLs in several ways. Converting from POSIX ACLs to richacls is relatively easy, but converting back from richacls to POSIX ACLs is not possible without losing information.

Richacls can be enabled for an entire file system. Once enabled, that file system supports richacls instead of POSIX ACLs; a file system never supports both models at the same time.

Status

Richacls exist in the form of out-of-tree patches for the Linux kernel, user-space utilities for getting and setting richacls, and changes to the coreutils package for richacl support in the ls and cp utilities. The kernel patches currently include experimental support for the ext4, xfs, nfs, and nfsd file systems.

Download

Component            Repository                                                                Branch
Kernel               https://git.kernel.org/cgit/linux/kernel/git/agruen/linux-richacl.git/    richacl-yyyy-mm-dd
richacl utilities    https://github.com/andreas-gruenbacher/richacl                            master
coreutils + gnulib   https://github.com/andreas-gruenbacher/coreutils,                         richacl
                     https://github.com/andreas-gruenbacher/gnulib
e2fsprogs            https://github.com/andreas-gruenbacher/e2fsprogs                          richacl
xfsprogs-dev         https://github.com/andreas-gruenbacher/xfsprogs-dev                       richacl
Samba                https://github.com/andreas-gruenbacher/samba                              richacl
nfs-utils            https://github.com/andreas-gruenbacher/nfs-utils                          richacl

Getting Started

  1. Build the richacl branch of the kernel repository. If you want to use richacls on the ext4 filesystem, make sure to enable the CONFIG_EXT4_FS_RICHACL configuration option. For xfs, no additional configuration option is needed.
  2. Build and install the richacl user-space tools.
  3. Build and install the richacl branch of the e2fsprogs and/or xfsprogs-dev packages, depending on which filesystems you want to use.
  4. Optionally, build and install the modified coreutils package with richacl support. With that, ls -l will indicate when a file has a richacl just as it does for POSIX ACLs, and cp --preserve=mode will preserve richacls as well.
    Note that this step depends on the previous step; if librichacl is not installed, coreutils will build with richacls disabled!
  5. Create a new ext4 or xfs file system with richacl support for testing:
  6. Mount the new file system.
  7. Use the getrichacl and setrichacl command-line utilities for getting and setting richacls.
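
A pre-flight check for the prerequisites named in steps 1, 2 and 7, as an added example that is not part of the richacl project's code. The function names, result words and sample config fragments are constructed for illustration; only CONFIG_EXT4_FS_RICHACL, getrichacl and setrichacl come from the steps above.

```shell
#!/bin/sh
# Pre-flight checks for the Getting Started steps (added example, not project code).

# Step 1: ext4 needs CONFIG_EXT4_FS_RICHACL; xfs needs no additional option.
# Prints one of: ok | disabled | absent | unknown-fs. Returns 0 only for "ok".
richacl_kernel_config() {
    cfg=$1; fs=$2
    case $fs in
        xfs)  echo ok; return 0 ;;
        ext4) ;;
        *)    echo unknown-fs; return 2 ;;   # the steps name no option for other file systems
    esac
    if grep -q '^CONFIG_EXT4_FS_RICHACL=y$' "$cfg"; then
        echo ok; return 0
    elif grep -q '^# CONFIG_EXT4_FS_RICHACL is not set$' "$cfg"; then
        echo disabled; return 1              # option offered by this kernel tree but turned off
    fi
    echo absent; return 1                    # option does not appear in this config at all
}

# Steps 2 and 7: the user-space tools must be on PATH.
# Prints the missing tool names, space separated (empty when both are found).
richacl_missing_tools() {
    missing=
    for tool in getrichacl setrichacl; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    echo "${missing# }"
}

# Constructed sample config fragments, for demonstration only.
demo=$(mktemp -d)
printf 'CONFIG_EXT4_FS=y\nCONFIG_EXT4_FS_RICHACL=y\n' > "$demo/patched.config"
printf 'CONFIG_EXT4_FS=y\n# CONFIG_EXT4_FS_RICHACL is not set\n' > "$demo/off.config"
printf 'CONFIG_EXT4_FS=y\n' > "$demo/stock.config"
for c in patched off stock; do
    echo "$c/ext4: $(richacl_kernel_config "$demo/$c.config" ext4)"
done
echo "missing tools: $(richacl_missing_tools)"
rm -rf "$demo"
```

On a real system, pass the config file of the running kernel as the first argument; where that file lives depends on the distribution (many install it as /boot/config-$(uname -r)).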

More About Richacls

The richacl package includes the following man-pages:

The design of richacls is documented in NFSv4 ACLs in POSIX.

Richacls were presented at the Ottawa Linux Symposium 2010 by Greg Banks. Greg's publications list includes the conference paper and the slides he used, under the heading “Implementing An Advanced Access Control Security Model in Linux”.

The POSIX 1003.1e / 1003.2c draft 17 documents, which describe POSIX ACLs and have influenced the richacl design, can be found here.

An overview of POSIX ACLs on Linux can be found here.


Copyright (C) Andreas Grünbacher <agruen@kernel.org>, July 2016