xref: /freebsd/usr.sbin/mountd/exports.5 (revision 0e8011faf58b743cc652e3b2ad0f7671227610df)
1.\" Copyright (c) 1989, 1991, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\" 3. Neither the name of the University nor the names of its contributors
13.\"    may be used to endorse or promote products derived from this software
14.\"    without specific prior written permission.
15.\"
16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
28.Dd December 16, 2024
29.Dt EXPORTS 5
30.Os
31.Sh NAME
32.Nm exports
33.Nd define remote mount points for
34.Tn NFS
35mount requests
36.Sh SYNOPSIS
37.Nm
38.Sh DESCRIPTION
39The
40.Nm
41file specifies remote mount points for the
42.Tn NFS
43mount protocol per the
44.Tn NFS
45server specification; see
46.%T "Network File System Protocol Specification" ,
47RFC1094, Appendix A and
48.%T "NFS: Network File System Version 3 Specification" ,
49Appendix I.
50.Pp
51Each line in the file
52(other than comment lines that begin with a #)
53specifies the mount point(s) and export flags within one local server
54file system or the NFSv4 tree root for one or more hosts.
55A long line may be split over several lines by ending all but the
56last line with a backslash
57.Pq Ql \e .
58A host may be specified only once for each local file system or the NFSv4 tree
59root on the server and there may be only one default entry for each server
60file system that applies to all other hosts.
61The latter exports the file system to the
62.Dq world
63and should
64be used only when the file system contains public information.
65.Pp
66In a mount entry,
67the first field(s) specify the directory path(s) within a server file system
68that can be mounted on by the corresponding client(s).
69Note well that exporting a directory on the server does not guarantee that only
70files below the exported directory will be accessible.
71This is true even in the absence of the
72.Fl alldirs
73flag.
74To provide this guarantee, the exported directories must be local file system
75mount points on the server.
76For example, if one exports
77.Pa /home ,
78and
79.Pa /home
80is not a file system mount point, then clients will be able to access arbitrary
81files on the root file system.
82As such, to avoid confusion with respect to what is exported, it may be prudent
83to limit exported directories to server local file system mount points.
84When exporting ZFS datasets with the
85.Sy sharenfs
86property, this is auomatically the case.
87If the
88.Fl alldirs
89flag is specified and
90the
91.Fl a
92command line option is specified for
93.Xr mountd 8 ,
94the export will fail if the directory path is not a local file system
95mount point.
96.Pp
97There are three forms of the directory path specification.
98The first is to list all mount points as absolute
99directory paths separated by whitespace.
100This list of directory paths should be considered an
101.Dq administrative control ,
102since it is only enforced by the
103.Xr mountd 8
104daemon and not the kernel.
105As such, it only applies to NFSv2 and NFSv3 mounts and only
106with respect to the client's use of the mount protocol.
107The second is to specify the pathname of the root of the file system
108followed by the
109.Fl alldirs
110flag;
111this form allows the host(s) to mount at any point within the file system,
112including regular files if the
113.Fl r
114option is used on
115.Xr mountd 8 .
116Because NFSv4 does not use the mount protocol,
117the
118.Dq administrative controls
119are not applied and all directories within this server
120file system are mountable via NFSv4 even if the
121.Fl alldirs
122flag has not been specified.
123The third form has the string ``V4:'' followed by a single absolute path
124name, to specify the NFSv4 tree root.
125This line does not export any file system, but simply marks where the root
126of the server's directory tree is for NFSv4 clients.
127The exported file systems for NFSv4 are specified via the other lines
128in the
129.Nm
130file in the same way as for NFSv2 and NFSv3.
131The pathnames must not have any symbolic links in them and should not have
132any
133.Dq Pa \&.
134or
135.Dq Pa ..
136components.
137Pathnames are decoded by
138.Xr strunvis 3
139allowing special characters to be included in the directory name(s).
140In particular, whitespace, such as embedded blanks in directory names
141can be handled.
142For example, a blank can be encoded as \(rs040.
143.Xr vis 1
144with the
145.Fl M
146option may be used to encode directory name(s) with embedded special
147characters.
148Mount points for a file system may appear on multiple lines each with
149different sets of hosts and export options.
150.Pp
151The second component of a line specifies how the file system is to be
152exported to the host set.
153The option flags specify whether the file system
154is exported read-only or read-write and how the client UID is mapped to
155user credentials on the server.
156For the NFSv4 tree root, the only options that can be specified in this
157section are ones related to security:
158.Fl sec ,
159.Fl tls ,
160.Fl tlscert
161and
162.Fl tlscertuser .
163.Pp
164Export options are specified as follows:
165.Pp
166.Sm off
167.Fl maproot Li = Sy user
168.Sm on
169The credential of the specified user is used for remote access by root.
170The credential includes all the groups to which the user is a member
171on the local machine (see
172.Xr id 1 ) .
173The user may be specified by name or number.
174The user string may be quoted, or use backslash escaping.
175.Pp
176.Sm off
177.Fl maproot Li = Sy user:group1:group2:...
178.Sm on
179The colon separated list is used to specify the precise credential
180to be used for remote access by root.
181The elements of the list may be either names or numbers.
182Note that
183.Cm user:
184should be used to specify a credential containing no groups, in which case the
185established credential will use
186.Ql nogroup ,
187else 65533
188.Pq Dv GID_NOGROUP ,
189as the fallback group
190.Pq a credential object must have at least one group internally .
191Using just
192.Cm user
193.Pq without colon at end
194falls into the
195.Sm off
196.Fl maproot Li = Sy user
197.Sm on
198case described above.
199The group names may be quoted, or use backslash escaping.
200.Pp
201.Sm off
202.Fl mapall Li = Sy user
203.Sm on
204or
205.Sm off
206.Fl mapall Li = Sy user:group1:group2:...
207.Sm on
208specifies a mapping for all client UIDs (including root)
209using the same semantics as
210.Fl maproot .
211.Pp
212The option
213.Fl r
214is a synonym for
215.Fl maproot
216in an effort to be backward compatible with older export file formats.
217.Pp
218In the absence of
219.Fl maproot
220and
221.Fl mapall
222options, remote accesses by root will result in using a credential of 65534:65533.
223All other users will be mapped to their remote credential.
224If a
225.Fl maproot
226option is given,
227remote access by root will be mapped to that credential instead of 65534:65533.
228If a
229.Fl mapall
230option is given,
231all users (including root) will be mapped to that credential in
232place of their own.
233.Pp
234.Sm off
235.Fl sec Li = Sy flavor1:flavor2...
236.Sm on
237specifies a colon separated list of acceptable security flavors to be
238used for remote access.
239Supported security flavors are sys, krb5, krb5i and krb5p.
240If multiple flavors are listed, they should be ordered with the most
241preferred flavor first.
242If this option is not present,
243the default security flavor list of just sys is used.
244.Pp
245The
246.Fl ro
247option specifies that the file system should be exported read-only
248(default read/write).
249The option
250.Fl o
251is a synonym for
252.Fl ro
253in an effort to be backward compatible with older export file formats.
254.Pp
255.Tn WebNFS
256exports strictly according to the spec (RFC 2054 and RFC 2055) can
257be done with the
258.Fl public
259flag.
260However, this flag in itself allows r/w access to all files in
261the file system, not requiring reserved ports and not remapping UIDs.
262It
263is only provided to conform to the spec, and should normally not be used.
264For a
265.Tn WebNFS
266export,
267use the
268.Fl webnfs
269flag, which implies
270.Fl public ,
271.Sm off
272.Fl mapall No = Sy nobody
273.Sm on
274and
275.Fl ro .
276Note that only one file system can be
277.Tn WebNFS
278exported on a server.
279.Pp
280A
281.Sm off
282.Fl index No = Pa file
283.Sm on
284option can be used to specify a file whose handle will be returned if
285a directory is looked up using the public filehandle
286.Pq Tn WebNFS .
287This is to mimic the behavior of URLs.
288If no
289.Fl index
290option is specified, a directory filehandle will be returned as usual.
291The
292.Fl index
293option only makes sense in combination with the
294.Fl public
295or
296.Fl webnfs
297flags.
298.Pp
299The
300.Fl tls ,
301.Fl tlscert
302and
303.Fl tlscertuser
304export options are used to require the client to use TLS for the mount(s)
305per RFC 9289.
306For NFS mounts using TLS to work,
307.Xr rpc.tlsservd 8
308must be running on the server.
309.Bd -filled -offset indent
310.Fl tls
311requires that the client use TLS.
312.br
313.Fl tlscert
314requires that the client use TLS and provide a verifiable X.509 certificate
315during TLS handshake.
316.br
317.Fl tlscertuser
318requires that the client use TLS and provide a verifiable X.509 certificate.
319The otherName component of the certificate's subjAltName must have a
320an OID of 1.3.6.1.4.1.2238.1.1.1 and a UTF8 string of the form
321.Dq user@domain .
322.Dq user@domain
323will be translated to the credentials of the specified user in the same
324manner as
325.Xr nfsuserd 8 ,
326where
327.Dq user
328is normally a username is the server's password database and
329.Dq domain
330is the DNS domain name for the server.
331All RPCs will be performed using these credentials instead of the
332ones in the RPC header in a manner similar to
333.Sm off
334.Fl mapall Li = Sy user .
335.Sm on
336.Ed
337.Pp
338If none of these three flags are specified, TLS mounts are permitted but
339not required.
340.Pp
341Specifying the
342.Fl quiet
343option will inhibit some of the syslog diagnostics for bad lines in
344.Pa /etc/exports .
345This can be useful to avoid annoying error messages for known possible
346problems (see
347.Sx EXAMPLES
348below).
349.Pp
350The third component of a line specifies the host set to which the line applies.
351The set may be specified in three ways.
352The first way is to list the host name(s) separated by white space.
353(Standard Internet
354.Dq dot
355addresses may be used in place of names.)
356The second way is to specify a
357.Dq netgroup
358as defined in the
359.Pa netgroup
360file (see
361.Xr netgroup 5 ) .
362The third way is to specify an Internet subnetwork using a network and
363network mask that is defined as the set of all hosts with addresses within
364the subnetwork.
365This latter approach requires less overhead within the
366kernel and is recommended for cases where the export line refers to a
367large number of clients within an administrative subnet.
368.Pp
369The first two cases are specified by simply listing the name(s) separated
370by whitespace.
371All names are checked to see if they are
372.Dq netgroup
373names
374first and are assumed to be hostnames otherwise.
375Using the full domain specification for a hostname can normally
376circumvent the problem of a host that has the same name as a netgroup.
377The third case is specified by the flag
378.Sm off
379.Fl network Li = Sy netname Op Li / Ar prefixlength
380.Sm on
381and optionally
382.Sm off
383.Fl mask No = Sy netmask .
384.Sm on
385The netmask may be specified either by attaching a
386.Ar prefixlength
387to the
388.Fl network
389option, or by using a separate
390.Fl mask
391option.
392If the mask is not specified, it will default to the historical mask
393for that network class (A, B, or C; see
394.Xr inet 4 ) .
395This usage is deprecated, and will elicit a warning log message.
396See the
397.Sx EXAMPLES
398section below.
399.Pp
400Scoped IPv6 address must carry scope identifier as documented in
401.Xr inet6 4 .
402For example,
403.Dq Li fe80::%re2/10
404is used to specify
405.Li fe80::/10
406on
407.Li re2
408interface.
409.Pp
410For the third form which specifies the NFSv4 tree root, the directory path
411specifies the location within the server's file system tree which is the
412root of the NFSv4 tree.
413There can only be one NFSv4 root directory per server.
414As such, all entries of this form must specify the same directory path.
415For file systems other than ZFS,
416this location can be any directory and does not
417need to be within an exported file system.
418If it is not in an exported file system, a very limited set of operations
419are permitted, so that an NFSv4 client can traverse the tree to an
420exported file system.
421Although parts of the NFSv4 tree can be non-exported, the entire NFSv4 tree
422must consist of local file systems capable of being exported via NFS.
423All ZFS file systems in the subtree below the NFSv4 tree root must be
424exported.
425NFSv4 does not use the mount protocol and does permit clients to cross server
426mount point boundaries, although not all clients are capable of crossing the
427mount points.
428.Pp
429The
430.Fl sec
431option on these line(s) specifies what security flavors may be used for
432NFSv4 operations that do not use file handles.
433Since these operations (SetClientID, SetClientIDConfirm, Renew, DelegPurge
434and ReleaseLockOnwer) allocate/modify state in the server, it is possible
435to restrict some clients to the use of the krb5[ip] security flavors,
436via this option.
437See the
438.Sx EXAMPLES
439section below.
440This third form is meaningless for NFSv2 and NFSv3 and is ignored for them.
441.Pp
442The
443.Xr mountd 8
444utility can be made to re-read the
445.Nm
446file by sending it a hangup signal as follows:
447.Bd -literal -offset indent
448service mountd reload
449.Ed
450.Pp
451After sending the
452.Dv SIGHUP ,
453check the
454.Xr syslogd 8
455output to see whether
456.Xr mountd 8
457logged any parsing errors in the
458.Nm
459file.
460.Sh FILES
461.Bl -tag -width /etc/exports -compact
462.It Pa /etc/exports
463the default remote mount-point file
464.El
465.Sh EXAMPLES
466Given that
467.Pa /usr , /u , /a
468and
469.Pa /u2
470are
471local file system mount points, let's consider the following example:
472.Pp
473.Bd -literal -offset indent
474/usr /usr/local -maproot=0:10 friends
475/usr -maproot=daemon grumpy.cis.uoguelph.ca 131.104.48.16
476/usr -ro -mapall=nobody
477/u -maproot=bin: -network 131.104.48 -mask 255.255.255.0
478/a -network 192.168.0/24
479/a -network 3ffe:1ce1:1:fe80::/64
480/u2 -maproot=root friends
481/u2 -alldirs -network cis-net -mask cis-mask
482/cdrom -alldirs,quiet,ro -network 192.168.33.0 -mask 255.255.255.0
483/private -sec=krb5i
484/secret -sec=krb5p
485V4: /	-sec=krb5:krb5i:krb5p -network 131.104.48 -mask 255.255.255.0
486V4: /	-sec=sys:krb5:krb5i:krb5p grumpy.cis.uoguelph.ca
487.Ed
488.Pp
489The file systems rooted at
490.Pa /usr
491and
492.Pa /usr/local
493are exported to hosts within the
494.Dq friends
495network group
496with users mapped to their remote credentials and
497root mapped to UID 0 and group 10.
498They are exported read-write and the hosts in
499.Dq friends .
500.Pp
501The file system rooted at
502.Pa /usr
503is exported to
504.Em 131.104.48.16
505and
506.Em grumpy.cis.uoguelph.ca
507with users mapped to their remote credentials and
508root mapped to the user and groups associated with
509.Dq daemon ;
510it is exported to the rest of the world as read-only with
511all users mapped to the user and groups associated with
512.Dq nobody .
513.Pp
514The file system rooted at
515.Pa /u
516is exported to all hosts on the subnetwork
517.Em 131.104.48
518with root mapped to the UID for
519.Dq bin
520and with no group access.
521.Pp
522The file system rooted at
523.Pa /u2
524is exported to the hosts in
525.Dq friends
526with root mapped to UID and groups
527associated with
528.Dq root ;
529it is exported to all hosts on network
530.Dq cis-net
531allowing mounts at any
532directory within /u2.
533.Pp
534The file system rooted at
535.Pa /a
536is exported to the network 192.168.0.0, with a netmask of 255.255.255.0.
537However, the netmask length in the entry for
538.Pa /a
539is not specified through a
540.Fl mask
541option, but through the
542.Li / Ns Ar prefix
543notation.
544.Pp
545The file system rooted at
546.Pa /a
547is also exported to the IPv6 network
548.Li 3ffe:1ce1:1:fe80::
549address, using the upper 64 bits as the prefix.
550Note that, unlike with IPv4 network addresses, the specified network
551address must be complete, and not just contain the upper bits.
552With IPv6 addresses, the
553.Fl mask
554option must not be used.
555.Pp
556The file system rooted at
557.Pa /cdrom
558will be exported read-only to the entire network 192.168.33.0/24, including
559all its subdirectories.
560Since
561.Pa /cdrom
562is the conventional mountpoint for a CD-ROM device,
563for the case where the
564.Fl a
565option has been specified for
566.Xr mountd 8 ,
567this export will
568fail if no CD-ROM medium is currently mounted there
569since that line
570would then attempt to export a subdirectory of the root file system
571with the
572.Fl alldirs
573option.
574The
575.Fl quiet
576option will then suppress the error message for this condition that
577would normally be syslogged.
578As soon as an actual CD-ROM is going to be mounted,
579.Xr mount 8
580will notify
581.Xr mountd 8
582about this situation, and the
583.Pa /cdrom
584file system will be exported as intended.
585Note that without using the
586.Fl alldirs
587option, the export would always succeed.
588While there is no CD-ROM medium mounted under
589.Pa /cdrom ,
590it would export the (normally empty) directory
591.Pa /cdrom
592of the root file system instead.
593.Pp
594The file system rooted at
595.Pa /private
596will be exported using Kerberos 5 authentication and will require
597integrity protected messages for all accesses.
598The file system rooted at
599.Pa /secret
600will also be exported using Kerberos 5 authentication and all messages
601used to access it will be encrypted.
602.Pp
603For the experimental server, the NFSv4 tree is rooted at ``/'',
604and any client within the 131.104.48 subnet is permitted to perform NFSv4 state
605operations on the server, so long as valid Kerberos credentials are provided.
606The machine grumpy.cis.uoguelph.ca is permitted to perform NFSv4 state
607operations on the server using AUTH_SYS credentials, as well as Kerberos ones.
608.Pp
609In the following example some directories are exported as NFSv3 and NFSv4:
610.Bd -literal -offset indent
611V4: /wingsdl/nfsv4
612/wingsdl/nfsv4/usr-ports -maproot=root -network 172.16.0.0 -mask 255.255.0.0
613/wingsdl/nfsv4/clasper   -maproot=root clasper
614.Ed
615.Pp
616Only one V4: line is needed or allowed to declare where NFSv4 is
617rooted.
618The other lines declare specific exported directories with
619their absolute paths given in /etc/exports.
620.Pp
621The exported directories' paths are used for both v3 and v4.
622However, they are interpreted differently for v3 and v4.
623A client mount command for usr-ports would use the server-absolute name when
624using nfsv3:
625.Bd -literal -offset indent
626mount server:/wingsdl/nfsv4/usr-ports /mnt/tmp
627.Ed
628.Pp
629A mount command using NFSv4 would use the path relative to the NFSv4
630root:
631.Bd -literal -offset indent
632mount server:/usr-ports /mnt/tmp
633.Ed
634.Pp
635This also differentiates which version you want if the client can do
636both v3 and v4.
637The former will only ever do a v3 mount and the latter will only ever
638do a v4 mount.
639.Pp
640Note that due to different mount behavior between NFSv3 and NFSv4 a
641NFSv4 mount request for a directory that the client does not have
642permission for will succeed and read/write access will fail
643afterwards, whereas NFSv3 rejects the mount request.
644.Sh SEE ALSO
645.Xr vis 1 ,
646.Xr strunvis 3 ,
647.Xr nfsv4 4 ,
648.Xr netgroup 5 ,
649.Xr zfsprops 7 ,
650.Xr mountd 8 ,
651.Xr nfsd 8 ,
652.Xr rpc.tlsservd 8 ,
653.Xr service 8 ,
654.Xr showmount 8
655.Sh STANDARDS
656The implementation is based on the following documents:
657.Bl -dash
658.It
659.Rs
660.%T "Network File System Protocol Specification, Appendix A, RFC 1094"
661.Re
662.It
663.Rs
664.%T "NFS: Network File System Version 3, Appendix I, RFC 1813"
665.Re
666.It
667.Rs
668.%T "Towards Remote Procedure Call Encryption by Default, RFC 9289"
669.Re
670.El
671.Sh BUGS
672The export options are tied to the local mount points in the kernel and
673must be non-contradictory for any exported subdirectory of the local
674server mount point.
675It is recommended that all exported directories within the same server
676file system be specified on adjacent lines going down the tree.
677You cannot specify a hostname that is also the name of a netgroup.
678Specifying the full domain specification for a hostname can normally
679circumvent the problem.
680