Richacls - Native NFSv4 ACLs on Linux

Richacls are an implementation of NFSv4 ACLs which has been extended by file masks to better fit the standard POSIX file permission model. The main goal is to provide a consistent file permission model locally as well as over various remote file system protocols like NFSv4 and CIFS; this is expected to significantly improve interoperability in mixed operating system environments, both when Linux is used as a client and as a server.

Richacls share some design elements with POSIX ACLs, but they go beyond POSIX ACLs in several ways. Converting from POSIX ACLs to richacls is relatively easy, but converting back from richacls to POSIX ACLs is not possible without losing information.

Richacls can be enabled for an entire file system. Once enabled, that file system supports richacls instead of POSIX ACLs; a file system never supports both models at the same time.

Status

Richacls exist in the form of out-of-tree patches for the Linux kernel plus a user-space utility for getting and setting richacls. The kernel patches currently include experimental support for the ext4 file system.

Code for supporting richacls in NFSv4, Samba, XFS, and newpynfs exists, but more work is needed in those areas.

Download

                     Repository
  Kernel (ext4)      https://git.kernel.org/cgit/linux/kernel/git/agruen/linux-richacl.git/
  Richacl utility    https://github.com/andreas-gruenbacher/richacl
  E2fsprogs          https://github.com/andreas-gruenbacher/e2fsprogs
  Older Kernel Code  https://github.com/kvaneesh/linux/tree/richacl
                     https://github.com/kvaneesh/linux/tree/richacl-fullset

Getting Started

  1. Build the richacl branch of the kernel repository. Make sure to enable the CONFIG_EXT4_FS_RICHACL configuration option.
  2. Build and install the richacl user-space tools.
  3. Choose an existing or create a new ext4 file system for testing.
  4. Build and install a version of e2fsprogs with support for the richacl feature flag (optional).
  5. Select richacl support on that file system by enabling the richacl feature flag. Note that this will hide existing POSIX ACLs on the file system; they will become ineffective.
  6. Optionally, also set the "acl" default mount option with "tune2fs -o acl /dev/filesystem".
  7. Mount the ext4 file system.
    Use the richacl command-line utility for getting and setting richacls.
    A number of examples showing how richacls work in practice can be found here.
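
Step 5 makes existing POSIX ACLs ineffective, so it is worth listing which files carry them before enabling the feature flag. The following is an added example, not part of the richacl project: it walks a mounted file system and reports entries that have the kernel's POSIX ACL extended attributes (system.posix_acl_access, system.posix_acl_default). The function name and the injectable listxattr parameter are assumptions made for this example.

```python
import os
import sys

# Extended attribute names under which Linux stores POSIX ACLs.
POSIX_ACL_XATTRS = {
    "system.posix_acl_access": "access",
    "system.posix_acl_default": "default",
}

def find_posix_acls(root, listxattr=None):
    """Return (hits, skipped) for the tree under root.

    hits    -- sorted [(path, [acl kinds])] for entries carrying POSIX ACLs
    skipped -- sorted paths whose xattrs could not be read (review by hand)
    listxattr is injectable for testing; it defaults to os.listxattr (Linux).
    """
    if listxattr is None:
        listxattr = os.listxattr
    root_dev = os.lstat(root).st_dev
    hits, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        # Stay on the file system being converted: do not descend into mounts.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if os.path.islink(path):
                continue  # symbolic links carry no ACL of their own
            try:
                names = listxattr(path)
            except OSError:
                skipped.append(path)  # an unreadable entry is not a clean one
                continue
            kinds = sorted(POSIX_ACL_XATTRS[n] for n in names
                           if n in POSIX_ACL_XATTRS)
            if kinds:
                hits.append((path, kinds))
    return sorted(hits), sorted(skipped)

if __name__ == "__main__":
    found, unread = find_posix_acls(sys.argv[1])
    for path, kinds in found:
        print("POSIX ACL (%s): %s" % (", ".join(kinds), path))
    for path in unread:
        print("could not read xattrs: %s" % path)
    sys.exit(1 if found or unread else 0)
```

Run it as root against the mount point while the file system still uses POSIX ACLs; a non-zero exit status means some access rules need to be recreated as richacls after the switch.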

More About Richacls

The design of richacls is documented in NFSv4 ACLs in POSIX. This design dates back to 2006, and has already been implemented in nfs4acls, the predecessor project of richacls.

Richacls have been presented at the Ottawa Linux Symposium 2010 by Greg Banks (link to the presentation slot). Greg's publications list includes the conference paper and slides he has used under the heading “Implementing An Advanced Access Control Security Model in Linux”.

The POSIX 1003.1e / 1003.2c draft 17 documents which describe POSIX ACLs, which have influenced the richacl design, can be found here. An overview of POSIX ACLs on Linux can be found here.


Copyright (C) Andreas Grünbacher <agruen@kernel.org>, February 2015