...

Does NFS support ACLs?

No it does not. ACL are a M$ only mode. However, unix permissions will be kept via NFS, so if you have a mixed file system security you will be able to restore the ACLs from the unix premissions...

This isn't really true, although you could be forgiven for thinking it. The ACLs that you can see on a Mixed-Style file system aren't always real. Read on...

Filer Mixed-Style file systems are exposed to Windows clients as NTFS file systems. This means that Windows clients that connect to filer shares that take them to a Mixed-Style file system location, will "expect" to see ACLs on that file system. More specifically, they expect each file and directory on the file system to have a Windows NT Security Descriptor associated with it, which can be both queried and set (given the required perms).

Unlike the our "pure" NTFS-Style file system which is intended to be semantically compatible with the real NTFS file system, and on which all files and directories normally would be associated with a real Security Descriptor structure, the Mixed-Style file system is not 100% semantically compatible with NTFS because it can contain files and directories which do not feature that NT security information (so-called UNIX-Style files and directories). However, because the Mixed-Style file system is exposed to Windows clients as an NTFS file system, Security Descriptor functionality must be available to the clients even for the files/dirs that don't have real Security Descriptors (the UNIX-Style files). So.... to cut a long story short, this functionality is emulated by the filer for UNIX-Style files and directories. The ACL information you see for such a file from a Windows client is "artifically spun" from the UNIX rwxrwxrwx permissions on the file, and does normally represent a useful representation of what you can or can't do to that file from the Windows client. FYI, you can see the "real" UNIX security information on these files by installing the SecureShare Access Explorer extension on your Windows client.

Going back to the original question...

...

Does NFS support ACLs?

No, I think it's a technically defendable statement to say that it doesn't. Some UNIX file systems (e.g. Solaris) support an ACL model that is quite distinct from NTFS ACLs (the ones I've read about extend the notion of the 3 sets of rwx perms "out further" into an arbitrary length list). The NFS protocol doesn't know about these extensions to the UNIX permission model, although of course NFS servers can enforce the security represented in the UNIX ACLs on NFS requests that are being made by clients. Several vendors have cooked their own, outside-of-NFS protocols that allow clients to both read and set the UNIX ACLs available in the NFS servers file system, but that isn't really "NFS support for ACLs". If the planet standardizes on one of these protocols one day, the use of UNIX ACL security in NFS environments may become more widespread. Maybe...

Keith

The length isn't so arbitrary. I think Solaris has a limit of 1024, but don't quote me on this. Actually one of my beefs is that since ACLs aren't standard on UNIX systems and NFS doesn't support them, they simply aren't used. Many people are so entrenched in the old ways of UNIX that they don't even know about Solaris supporting ACLs. I think user editable

<nitpick> not just solaris, but irix, tru64/osf1/digital unix/todays name for it, also support ACLs </nitpick>

ACLs or security groups are generally a good thing allowing users to administer their data without help from administrators (giving them time to concentrate on tougher problems). I now get off my soap box.

ahh yes. ACLs are definately a good idea. but as far as users using them, i'm not so sure. a quick tour around most user space filesystems i have access to reveals many mode 777 files and directories. if i saw more people using the security controls which already exist, i'd be more apt to believe they would use a new feature set.

-steve