Access Control
FlexFS provides multiple layers of access control that work together to protect data and enforce security policies.
POSIX permissions
FlexFS is a fully POSIX-compliant filesystem and enforces standard Unix file permissions (owner, group, other with read/write/execute bits). All permission checks are performed on the mount client based on the calling process’s UID and GID.
Root squashing
Root squashing maps uid=0 and gid=0 to a specified non-root user, preventing root users on mount clients from having root-level access to the filesystem.
Enabling root squashing
On the mount client:

    mount.flexfs start my-volume /mnt/data --rootSquash

By default, root is mapped to uid=65534 / gid=65534 (the nobody user). You can customize the mapping:

    mount.flexfs start my-volume /mnt/data \
      --rootSquash \
      --rootSquashUID 1000 \
      --rootSquashGID 1000

Root squashing can also be set as a volume-level flag via configure.flexfs, in which case it applies to all mounts of that volume.
Extended ACLs
FlexFS supports POSIX.1e extended access control lists (ACLs), which allow fine-grained per-user and per-group permissions beyond the standard owner/group/other model.
Enabling ACLs
On the mount client:

    mount.flexfs start my-volume /mnt/data --acl

Or as a volume-level flag via configure.flexfs.
Once enabled, use standard Linux ACL tools:

    # Set an ACL
    setfacl -m u:alice:rwx /mnt/data/project

    # View ACLs
    getfacl /mnt/data/project

    # Remove an ACL
    setfacl -x u:alice /mnt/data/project

Extended attributes (xattrs)
Extended attributes are enabled with the --xAttr flag:

    mount.flexfs start my-volume /mnt/data --xAttr

Xattrs are automatically enabled when ACLs or root squashing are active.
The umask controls the default permissions for newly created files and directories. FlexFS supports overriding the process umask at the mount level:

    mount.flexfs start my-volume /mnt/data --umask 0027

This sets newly created files to 0640 and directories to 0750 regardless of the creating process’s umask. Umask can also be configured as a volume-level setting.
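
One way to confirm from a mount client that the umask override and the root squashing described above are actually in effect (an added example, not FlexFS code). The function names and probe file names are hypothetical, GNU `stat` is assumed, and the ownership check assumes that a file created by squashed root is owned by the squash target.

```sh
#!/bin/sh
# Added example, not FlexFS code. Usage: audit.sh DIR UMASK [UID:GID]

# expected_modes UMASK -> "<file-mode> <dir-mode>" that umask should yield
expected_modes() {
    printf '%o %o\n' $(( 0666 & ~0$1 )) $(( 0777 & ~0$1 ))
}

# probe_create DIR -> "<file-mode> <dir-mode> <uid>:<gid>" of new objects
probe_create() {
    p="$1/.ac-probe.$$"
    : > "$p.f" || return 2
    mkdir "$p.d" || { rm -f "$p.f"; return 2; }
    # GNU stat: %a is the octal mode, %u:%g the numeric owner and group
    echo "$(stat -c '%a' "$p.f") $(stat -c '%a' "$p.d") $(stat -c '%u:%g' "$p.f")"
    rm -f "$p.f"; rmdir "$p.d"
}

# audit_mount DIR UMASK [UID:GID] -> 0 if observed behaviour matches
audit_mount() {
    # Probe with a permissive process umask so that only a mount-level
    # or volume-level umask can produce the restricted modes.
    got=$( umask 0; probe_create "$1" ) || { echo "cannot write to $1"; return 2; }
    want=$(expected_modes "$2"); rc=0
    case $got in
        "$want "*) echo "umask ok: $want" ;;
        *) echo "umask MISMATCH: want $want, got ${got% *}"; rc=1 ;;
    esac
    # Root squash is only observable from a uid-0 process. Assumption:
    # a file created by squashed root is owned by the squash target.
    if [ "$(id -u)" -eq 0 ]; then
        owner=${got##* }
        if [ "$owner" = "${3:-65534:65534}" ]; then
            echo "root squash ok: $owner"
        else
            echo "root squash MISMATCH: root-created file owned by $owner"; rc=1
        fi
    fi
    return $rc
}

if [ $# -ge 2 ]; then audit_mount "$@"; fi
```

Run it as an ordinary user to check the umask override, and as root to also check the squash mapping; on a directory without a mount-level umask it reports a mismatch and exits non-zero.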
Volume-level flags
Several access control settings can be enforced at the volume level via configure.flexfs. When set on the volume, they apply to all mounts regardless of the mount client’s flags:
| Volume flag | Effect |
|---|---|
| ro | Read-only — no writes permitted |
| noatime | Do not update access times |
| noexec | Prevent execution of files |
| nosuid | Disable SUID/SGID special permissions |
| acl | Enable extended ACLs |
| rootsquash | Enable root squashing |
| xattr | Enable extended attributes |
These flags are set during volume creation or update in configure.flexfs and override mount-client options.
Volume token mount paths
Volume tokens can be scoped to a specific subdirectory within a volume. When a mount path is set on a token, the mount client only has access to that subdirectory and its contents — the rest of the volume is not visible.
This provides subdirectory isolation without creating separate volumes:

    Volume: shared-data
      Token A (mount path: /team-alpha) -> sees only /team-alpha/*
      Token B (mount path: /team-beta)  -> sees only /team-beta/*
      Token C (mount path: /)           -> sees entire volume

Mount path scoping is configured when creating or updating a volume token in configure.flexfs. The mount client automatically mounts at the scoped path.
Per-token mount flags
In addition to mount path scoping, each volume token can carry its own set of mount flags (e.g., ro, noExec). These flags are merged with the volume-level flags, providing token-level access control.
Summary of access control layers
| Layer | Scope | Configured via |
|---|---|---|
| POSIX permissions | Per-file/directory | Standard Unix tools (chmod, chown) |
| Extended ACLs | Per-file/directory | setfacl / getfacl |
| Root squashing | Per-mount or per-volume | --rootSquash flag or volume flag |
| Umask | Per-mount or per-volume | --umask flag or volume setting |
| Volume flags | Per-volume | configure.flexfs |
| Token mount paths | Per-token | configure.flexfs |
| Token flags | Per-token | configure.flexfs |
Next steps
- Authentication — token model
- TLS Certificates — in-transit encryption
- End-to-end Encryption — data-at-rest encryption