User manual for share-dir-nfsfacl.py - a command-line tool for managing extended POSIX ACLs on NFS paths by applying changes directly on the storage server over SSH.
On front-end (FE) machines with NFS mounts, standard tools like ls may not reliably show extended ACLs, and setfacl may be unavailable or restricted.
share-dir-nfsfacl.py solves this by:
- detecting which NFS server backs a local path
- mapping local path to server-side filesystem path
- applying ACL changes on the storage server via
getfacl/setfaclover SSH - writing a local audit log for modifying operations
share-dir-nfsfacl.py [-v] [-n] [-r] ACTION ...
ACTION forms:
read PATH LOGIN|GROUP|@GROUP
readwrite PATH LOGIN|GROUP|@GROUP
undo [-p|--parent] PATH LOGIN|GROUP|@GROUP
show [--raw] PATH
list
Common flags -v, -n, -r are accepted both before and after ACTION.
Grant read access (r-X) to a user or group.
Grant read/write access (rwX) to a user or group.
Remove ACL entries for a user or group.
Show ACLs from storage using getfacl -p.
By default, output is reformatted per file into:
read user:...,group:...write user:...,group:...execute user:...,group:...
Use --raw to print original getfacl output unchanged.
Print the local audit log from ~/.shared_dirs.
share-dir-nfsfacl.py read /home/alice/share bobshare-dir-nfsfacl.py readwrite /home/alice/share bobshare-dir-nfsfacl.py read /home/alice/share @researchSubject resolution rules:
@groupforces group lookup- bare names are checked as user first, then group
- if neither exists locally, the command exits with a clear error instead of passing an invalid subject to
setfacl
share-dir-nfsfacl.py show /home/alice/shareshare-dir-nfsfacl.py show --raw /home/alice/shareshare-dir-nfsfacl.py listBy default, local target expansion is limited to the specified path and (for directories) immediate children.
Use -r / --recurse to run recursive operations on storage:
read/readwrite:setfacl -R -m ...undo:setfacl -R -x ...show:getfacl -R -p ...
Important detail:
- local enumeration stays limited to PATH + one level
- deep traversal is delegated to remote
-R - this keeps SSH command count low even for large trees
For directory targets, the tool also sets default ACLs (d:...) so new children inherit access.
When sharing to another subject, it also adds a default ACL entry for the current user:
d:u:<current_user>:rwX
Current user resolution order:
SUDO_USERUSERgetpass.getuser()fallback
This does not change file ownership.
share-dir-nfsfacl.py undo /home/alice/share bobThis removes:
- access ACL entries (
u:<name>/g:<name>) - default ACL entries on directories (
d:u:<name>/d:g:<name>)
share-dir-nfsfacl.py undo -p /home/alice/share bobWarning: -p / --parent removes the full ACL entry for that subject on parent directories up to the matched allowed root. This can break other sharing setups.
Undo is best-effort: failures in undo commands are logged as warnings and processing continues.
Use -n / --dry-run with read, readwrite, or undo to preview remote setfacl commands without modifying ACLs.
share-dir-nfsfacl.py readwrite -n -r /home/alice/share bobEnable debug logging with -v / --verbose.
This includes helper command and SSH command details.
The tool only operates under explicitly allowed roots configured by:
SHARE_DIR_ALLOWED_ROOTS="$HOME:/storage:/scratch"Rules:
- target path must be under one of these roots
- operating directly on the root itself is forbidden
If a path is outside allowed roots, the tool exits with code 3.
- Resolve local path and validate allowed root.
- Detect NFS mount and map local path to remote path.
- Resolve subject type (
userorgroup;@nameforces group). - Ensure parent directory traversal via
setfacl -m <u|g>:<subject>:--xup to allowed root boundary. - Build local target sets (PATH + immediate children).
- Build and run remote
setfaclcommands (optionally with-R), chunking long target lists. - Log operation to
~/.shared_dirs.
- Resolve subject and targets.
- Run remote remove commands for access ACL and default ACL (optionally
-R). - If
--parentis set, remove subject entry from parent directories up to allowed root. - Log operation.
- Map local path to remote path.
- Run
getfacl -p(and-Rwhen requested). - Print formatted view (default) or raw output (
--raw).
Print JSONL log entries from ~/.shared_dirs as readable one-line records.
Modifying actions (read, readwrite, undo) append JSON lines to:
~/.shared_dirs
Typical fields include timestamp, action, local path, NFS server/export, remote path, subject, permissions (for grants), recursion flag, and dry-run flag.
- ACL changes are applied on storage, not on FE.
lson FE may not reflect extended ACL state reliably.- use
showto inspect ACL state; useshow --rawfor exactgetfacloutput - recursive behavior depends on storage filesystem
setfacl/getfaclbehavior - undo operations are best-effort
You may see errors like:
setfacl: <PATH>: Operation not permitted
Common cause:
- write ACL allows another user to create files/directories
- those objects are owned by that other user
- later ACL modification on those objects is denied by the filesystem
This is a filesystem-level permission issue, not ownership override by ACL.
0- success2- path not on NFS3- security/configuration error130- interrupted by user
- start with
-nwhen unsure - prefer group sharing (
@group) for teams - avoid
--parentunless needed - use
show(orshow --raw) instead oflsfor ACL verification
End of manual.