
Access Control

FlexFS provides multiple layers of access control that work together to protect data and enforce security policies.

FlexFS is a fully POSIX-compliant filesystem and enforces standard Unix file permissions (owner, group, other with read/write/execute bits). All permission checks are performed on the mount client based on the calling process’s UID and GID.

Root squashing maps uid=0 and gid=0 to a specified non-root user, preventing root users on mount clients from having root-level access to the filesystem.

On the mount client:

```bash
mount.flexfs start my-volume /mnt/data --rootSquash
```

By default, root is mapped to uid=65534 / gid=65534 (the nobody user). You can customize the mapping:

```bash
mount.flexfs start my-volume /mnt/data \
  --rootSquash \
  --rootSquashUID 1000 \
  --rootSquashGID 1000
```

Root squashing can also be set as a volume-level flag via configure.flexfs, in which case it applies to all mounts of that volume.

FlexFS supports POSIX.1e extended access control lists (ACLs), which allow fine-grained per-user and per-group permissions beyond the standard owner/group/other model.

On the mount client:

```bash
mount.flexfs start my-volume /mnt/data --acl
```

ACLs can also be enabled as a volume-level flag via configure.flexfs.

Once enabled, use standard Linux ACL tools:

```bash
# Set an ACL
setfacl -m u:alice:rwx /mnt/data/project
# View ACLs
getfacl /mnt/data/project
# Remove an ACL
setfacl -x u:alice /mnt/data/project
```
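
The following added example (a model, not FlexFS code) shows how root squashing and ACL evaluation combine: the caller's identity is mapped first, then checked against the owner, named-user, group and other entries. It goes beyond the commands above by implementing the general POSIX.1e access check; alice's uid 1001 and the 1000:1000 ownership with mode 0750 are assumed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

R, W, X = 4, 2, 1
NOBODY = 65534  # default squash target given on the page

@dataclass
class Inode:
    uid: int
    gid: int
    mode: int  # base entries user::/group::/other::, e.g. 0o750
    users: Dict[int, int] = field(default_factory=dict)   # named-user ACL entries
    groups: Dict[int, int] = field(default_factory=dict)  # named-group ACL entries
    mask: Optional[int] = None  # ACL mask entry; None means no extended ACL

def squash(uid, gid, enabled, to_uid=NOBODY, to_gid=NOBODY):
    """Root squashing: uid 0 and gid 0 are each mapped to a non-root id."""
    if not enabled:
        return uid, gid
    return (to_uid if uid == 0 else uid, to_gid if gid == 0 else gid)

def allowed(inode, uid, gids, want):
    """POSIX.1e access check; the first class that matches the caller decides."""
    if uid == 0:
        return True  # unsquashed root overrides the check (execute nuance omitted)
    mask = 7 if inode.mask is None else inode.mask
    if uid == inode.uid:
        perm = (inode.mode >> 6) & 7           # owner entry, never masked
    elif uid in inode.users:
        perm = inode.users[uid] & mask         # named user, limited by mask
    else:
        matches = [(inode.mode >> 3) & 7] if inode.gid in gids else []
        matches += [p for g, p in inode.groups.items() if g in gids]
        if matches:                            # group class: any one entry may grant
            return any((p & mask & want) == want for p in matches)
        perm = inode.mode & 7                  # other
    return (perm & want) == want

def check(inode, uid, gid, want, root_squash=False):
    """Apply root squash first, then evaluate the mapped identity."""
    uid, gid = squash(uid, gid, root_squash)
    return allowed(inode, uid, {gid}, want)

# Constructed sample: /mnt/data/project owned by 1000:1000, mode 0750,
# after `setfacl -m u:alice:rwx` with alice assumed to be uid 1001.
project = Inode(uid=1000, gid=1000, mode=0o750, users={1001: R | W | X}, mask=R | W | X)
```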

Extended attributes are enabled with the --xAttr flag:

```bash
mount.flexfs start my-volume /mnt/data --xAttr
```

Xattrs are automatically enabled when ACLs or root squashing are active.

The umask controls the default permissions for newly created files and directories. FlexFS supports overriding the process umask at the mount level:

```bash
mount.flexfs start my-volume /mnt/data --umask 0027
```

This sets newly created files to 0640 and directories to 0750 regardless of the creating process’s umask. Umask can also be configured as a volume-level setting.

Several access control settings can be enforced at the volume level via configure.flexfs. When set on the volume, they apply to all mounts regardless of the mount client’s flags:

| Volume flag | Effect |
|---|---|
| acl | Enable extended ACLs (implies xattr) |
| noexec | Prevent execution of files |
| nosuid | Disable SUID/SGID special permissions |
| ro | Read-only; no writes permitted |
| rootsquash | Enable root squashing (implies acl) |
| rootsquashgid=N | GID to map root to when rootsquash is set |
| rootsquashuid=N | UID to map root to when rootsquash is set |
| umask=NNNN | File creation mask in octal (e.g., 0027) |
| xattr | Enable extended attributes |

These flags are set during volume creation or update in configure.flexfs and override mount-client options. Additional non-access-control flags (e.g., caching, prefetching, proxy behavior) are also supported — see the full flag reference.

Volume tokens can be scoped to a specific subdirectory within a volume. When a mount path is set on a token, the mount client only has access to that subdirectory and its contents — the rest of the volume is not visible.

This provides subdirectory isolation without creating separate volumes:

```
Volume: shared-data
  Token A (mount path: /team-alpha) -> sees only /team-alpha/*
  Token B (mount path: /team-beta)  -> sees only /team-beta/*
  Token C (mount path: /)           -> sees entire volume
```

Mount path scoping is configured when creating or updating a volume token in configure.flexfs. The mount client automatically mounts at the scoped path.

In addition to mount path scoping, each volume token can carry its own set of mount flags (e.g., ro, noExec). These flags are merged with the volume-level flags, providing token-level access control.

| Layer | Scope | Configured via |
|---|---|---|
| POSIX permissions | Per-file/directory | Standard Unix tools (chmod, chown) |
| Extended ACLs | Per-file/directory | setfacl / getfacl |
| Root squashing | Per-mount or per-volume | --rootSquash flag or volume flag |
| Umask | Per-mount or per-volume | --umask flag or volume setting |
| Volume flags | Per-volume | configure.flexfs |
| Token mount paths | Per-token | configure.flexfs |
| Token flags | Per-token | configure.flexfs |