[Acl-Devel] Problems with ACL over NFS

George Montana Harkin george.harkin at oregonstate.edu
Fri Apr 28 02:06:18 CEST 2006


Hello,
	We seem to be having some issues with ACLs over NFS. When running a batch 
script to update permissions on a directory, some of the acls specified are 
not applied at all. Usually only the last specified ACL is set, and the rest 
are ignored. The same behavior occurs regardless of issuing only one setfacl 
command for all the acl entries or one setfacl command per acl entry. If we 
put a delay in the acl script between the running of the list of setfacl 
commands, the ACLs seem to be set correctly. 

We are running Kernel 2.6.16 on Debian. ACLs are enabled in the kernel. ACLs 
work correctly when set individually. Only in large batch processing does the 
setfacl command not work.

In addition, the setfacl command does not return as failed.

We have tried setting the nfs mount options: sync and tcp to no avail. We have 
also tried utilizing a different nfs server with the same results.

Here is an example of the commands being run sequentially:

setfacl  --set user::rwx,user:www-data:r-x,g::rwx,o:-,d:user::rwx,d:g::rwx,d:o:-,d:user:www-data:r-x /wwwdev/httpd-docs/testo/.
setfacl  -m user:mccammos:rwx /wwwdev/httpd-docs/testo/.
setfacl  -m d:user:mccammos:rwx /wwwdev/httpd-docs/testo/.
setfacl  -m user:brocks:rwx /wwwdev/httpd-docs/testo/.
setfacl  -m d:user:brocks:rwx /wwwdev/httpd-docs/testo/.
setfacl  -m user:reaneyk:rwx /wwwdev/httpd-docs/testo/.
setfacl  -m d:user:reaneyk:rwx /wwwdev/httpd-docs/testo/.
...
setfacl  -m user:knodlew:rwx /wwwdev/httpd-docs/testo/.
setfacl  -m d:user:knodlew:rwx /wwwdev/httpd-docs/testo/.
setfacl  -m user:harrikat:rwx /wwwdev/httpd-docs/testo/.
setfacl  -m d:user:harrikat:rwx /wwwdev/httpd-docs/testo/.
setfacl  -m user:faabergr:rwx /wwwdev/httpd-docs/testo/.
setfacl  -m d:user:faabergr:rwx /wwwdev/httpd-docs/testo/.

This will set a default acl for user faabergr with rwx permissions, all others 
are ignored.

Another oddity is with the -b command.

Running:
setfacl -b /wwwdev/httpd-docs/testo/.

Only removes the standard acls, and not the default acls.

Any help would be appreciated.

George Harkin
george.harkin at oregonstate.edu
-- 
George Montana Harkin
Web Application Developer
Central Web Services, Media Services
Oregon State University
(541) 737-1335
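
Because the post reports that setfacl exits successfully even when entries are dropped, a batch update can only be trusted after the ACL is read back. The following is an added example, not part of the original post or the acl project: it compares expected setfacl-style entries with getfacl output on stdin. The function names and the sample getfacl text are constructed for illustration.

```shell
# Added example: read an ACL back and list expected entries that are missing.
# normalize_entry ENTRY: print a setfacl-style entry (short forms d:, u:, g:,
# o:- allowed) in getfacl's long form. Letter permissions only, no octal or X.
normalize_entry() (
    e=$1; prefix=
    case $e in d:*|default:*) prefix=default:; e=${e#*:} ;; esac
    tag=${e%%:*}; rest=${e#*:}
    case $rest in
        *:*) qual=${rest%%:*}; perms=${rest#*:} ;;
        *)   qual=; perms=$rest ;;   # single-colon form, e.g. o:-
    esac
    case $tag in u) tag=user ;; g) tag=group ;; o) tag=other ;; m) tag=mask ;; esac
    r=-; w=-; x=-
    case $perms in *r*) r=r ;; esac
    case $perms in *w*) w=w ;; esac
    case $perms in *x*) x=x ;; esac
    printf '%s%s:%s:%s%s%s\n' "$prefix" "$tag" "$qual" "$r" "$w" "$x"
)

# missing_entries SPEC: reads getfacl output on stdin; SPEC is a comma-separated
# entry list as given to setfacl. Prints each expected entry that is absent.
missing_entries() (
    set -f   # no globbing while SPEC is split on commas
    have=$(sed -e 's/[[:space:]]*#.*$//' -e '/^$/d')   # drop comments, blanks
    IFS=,
    for entry in $2$1; do
        want=$(normalize_entry "$entry")
        printf '%s\n' "$have" | grep -Fqx -- "$want" || printf '%s\n' "$want"
    done
)

# Constructed getfacl output (not captured from the poster's system) that
# mirrors the reported symptom: only the last default entry survived.
sample_getfacl() {
    cat <<'EOF'
# file: wwwdev/httpd-docs/testo/
user::rwx
group::rwx
other::---
default:user::rwx
default:user:faabergr:rwx
default:group::rwx
default:mask::rwx
default:other::---
EOF
}

sample_getfacl | missing_entries 'user:faabergr:rwx,d:user:faabergr:rwx,o:-'
```

In a batch script, pipe getfacl for the target path into missing_entries after the setfacl calls and treat any output as a failed update.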

