[zfs-discuss] How to stop NFS files being world-writable

J. Roeleveld joost at antarean.org
Sat Nov 10 02:37:17 EST 2018

On Saturday, November 10, 2018 7:57:53 AM CET Adam Nielsen via zfs-discuss 
> Hi all,
> I'm new to ZFS and have a simple problem that I'm stuck on.
> I have exported a handful of shares via NFS
> (sharenfs=rw=@, but when I mount them on the client
> machines, any files or folders I create are world-writable:
>   $ mkdir example
>   $ ls -d example
>   drwxrwxrwx 2 adam users 2 Nov 10 10:05 example
>   $ umask
>   0022
> If I run the same command on the server it creates it with the correct
> 0755 permission, and I can chmod it to 0755 on the client, but it
> automatically gets created as 0777 for some reason (and 0666 for normal
> files).
> Creating files locally on the client, outside the NFS filesystem,
> correctly creates them as 0755/0644, so it doesn't seem to be a umask
> problem on the client.
> Since it only affects the ZFS NFS shares, is there some way to change
> this so that files created on the ZFS volumes by NFS clients aren't
> world-writable?
> I've had a look through all the mount.nfs and exportfs options and
> can't find anything that looks like it affects umasks.
> What am I missing?
> I'm running the Arch Linux precompiled version of ZFS
> (0.7.11_4.18.16.arch1.1-2) with kernel 4.18.16.

Can you test this using NFS shares directly? (Eg. not using ZFS "sharenfs" 

ZFS only uses the existing NFS tools and overrides the /etc/exports file for 
its own purposes, which makes it more likely to be caused by the NFS 
implementation on the host and/or client then ZFS.

For clarity, on my NFS shares (from ZFS host), I don't see this behaviour.
I do see a different issue where group-memberships don't work correctly, but 
that seems to be related to too many groups for which I had a working solution 
(with NFS3), but this doesn't seem stable using NFS4, see:


More information about the zfs-discuss mailing list