xref: /titanic_44/usr/src/man/man1m/share_nfs.1m (revision 073ec901764f0ff4a9110de0cfbc6b5ce426d99a)
.\"
.\" CDDL HEADER START
.\"
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\"
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\"
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.\"
.\" CDDL HEADER END
.\"
.\"
.\" Copyright (C) 2008, Sun Microsystems, Inc. All Rights Reserved
.\" Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
.\"
.Dd November 10, 2014
.Dt SHARE_NFS 1M
.Os
.Sh NAME
.Nm share_nfs
.Nd make local NFS file systems available for mounting by remote systems
.Sh SYNOPSIS
.Nm share
.Op Fl d Ar description
.Op Fl F Sy nfs
.Op Fl o Ar specific_options
.Ar pathname
.Sh DESCRIPTION
The
.Nm share
utility makes local file systems available for mounting by remote systems. It
starts the
.Xr nfsd 1M
and
.Xr mountd 1M
daemons if they are not already running.
.Pp
If no argument is specified, then
.Nm share
displays all file systems currently shared, including NFS file systems and file
systems shared through other distributed file system packages.
.Sh OPTIONS
The following options are supported:
.Bl -tag -width "indented"
.It Fl d Ar description
Provide a comment that describes the file system to be shared.
.It Fl F Sy nfs
Share NFS file system type.
.It Fl o Ar specific_options
Specify
.Ar specific_options
in a comma-separated list of keywords and attribute-value-assertions for
interpretation by the file-system-type-specific command. If
.Ar specific_options
is not specified, then by default sharing is read-write to all clients.
.Ar specific_options
can be any combination of the following:
.Bl -tag -width "indented"
.It Sy aclok
Allows the NFS server to do access control for NFS Version 2 clients (running
SunOS 2.4 or earlier). When
.Sy aclok
is set on the server, maximal access is given to all clients. For example, with
.Sy aclok
set, if anyone has read permissions, then everyone does. If
.Sy aclok
is not set, minimal access is given to all clients.
.It Sy anon Ns = Ns Ar uid
Set
.Ar uid
to be the effective user ID of unknown users. By default, unknown users are
given the effective user ID UID_NOBODY. If
.Ar uid
is set to -1, access is denied.
.It Ar charset Ns = Ns Ar access_list
Where
.Ar charset
is one of: euc-cn, euc-jp, euc-jpms, euc-kr, euc-tw, iso8859-1, iso8859-2,
iso8859-5, iso8859-6, iso8859-7, iso8859-8, iso8859-9, iso8859-13, iso8859-15,
koi8-r.
.Pp
Clients that match the
.Ar access_list
for one of these properties will be assumed to be using that character set and
file and path names will be converted to UTF-8 for the server.
.It Sy gidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
Where
.Ar mapping
is:
.Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
.Pp
Allows remapping the group ID (gid) in the incoming request to some other gid.
This effectively changes the group membership asserted by the request to that
of some other local group.
.Pp
For clients where the gid in the incoming request is
.Ar clnt
and the client matches the
.Ar access_list ,
change the group ID to
.Ar srv .
If
.Ar clnt
is asterisk (*), all groups are mapped by this rule.  If
.Ar clnt
is omitted, all unknown groups are mapped by this rule.  If
.Ar srv
is set to -1, access is denied.  If
.Ar srv
is omitted, the gid is mapped to UID_NOBODY.
.Pp
The particular
.Ar mapping Ns s
are separated in the
.Sy gidmap Ns =
option by tilde (~) and are evaluated in the specified order until a match is
found.  Both
.Sy root Ns =
and
.Sy root_mapping Ns =
options (if specified) are evaluated before the
.Sy gidmap Ns =
option.  The
.Sy gidmap Ns =
option is skipped in the case where the client matches the
.Sy root Ns =
option.
.Pp
The
.Sy gidmap Ns =
option is evaluated before the
.Sy anon Ns =
option.
.Pp
This option is supported only for AUTH_SYS.
.It Sy index Ns = Ns Ar file
Load
.Ar file
rather than a listing of the directory containing this file when the
directory is referenced by an NFS URL.
.It Sy log Ns Oo = Ns Ar tag Oc
Enables NFS server logging for the specified file system. The optional
.Ar tag
determines the location of the related log files. The
.Ar tag
is defined in
.Pa /etc/nfs/nfslog.conf .
If no
.Ar tag
is specified, the default values associated with the global tag in
.Pa /etc/nfs/nfslog.conf
are used. Support of NFS server logging is only available for NFS Version 2 and
Version 3 requests.
.It Sy none Ns = Ns Ar access_list
Access is not allowed to any client that matches the access list. The exception
is when the access list is an asterisk (*), in which case
.Sy ro
or
.Sy rw
can override
.Sy none .
.It Sy nosub
Prevents clients from mounting subdirectories of shared directories. For
example, if
.Pa /export
is shared with the
.Sy nosub
option on server
.Qq fooey
then an NFS client cannot do:
.Bd -literal -offset indent
mount -F nfs fooey:/export/home/mnt
.Ed
.Pp
NFS Version 4 does not use the MOUNT protocol. The
.Sy nosub
option only applies to NFS Version 2 and Version 3 requests.
.It Sy nosuid
By default, clients are allowed to create files on the shared file system with
the setuid or setgid mode enabled. Specifying
.Sy nosuid
causes the server file system to silently ignore any attempt to enable the
setuid or setgid mode bits. This restricts what the server will store; it does
not stop a client from honouring setuid or setgid files that already exist on
the shared file system.
.It Sy public
Moves the location of the public file handle from root
.Pa ( / )
to the exported directory for WebNFS-enabled browsers and clients. This option
does not enable WebNFS service; WebNFS is always on. Only one file system per
server may use this option. Any other option, including the
.Sy ro Ns = Ns Ar list
and
.Sy rw Ns = Ns Ar list
options can be included with the
.Sy public
option.
.It Sy ro
Sharing is read-only to all clients.
.It Sy ro Ns = Ns Ar access_list
Sharing is read-only to the clients listed in
.Ar access_list ;
overrides the
.Sy rw
suboption for the clients specified. See
.Sx access_list
below.
.It Sy root Ns = Ns Ar access_list
Only root users from the hosts specified in
.Ar access_list
have root access. See
.Sx access_list
below. By default, no host has root access, so root users are mapped to an
anonymous user ID (see the
.Sy anon Ns = Ns Ar uid
option described above). Netgroups can be used if the file system shared is
using UNIX authentication (AUTH_SYS).
.It Sy root_mapping Ns = Ns Ar uid
For a client that is allowed root access, map the root UID to the specified
user id.
.It Sy rw
Sharing is read-write to all clients.
.It Sy rw Ns = Ns Ar access_list
Sharing is read-write to the clients listed in
.Ar access_list ;
overrides the
.Sy ro
suboption for the clients specified. See
.Sx access_list
below.
.It Sy sec Ns = Ns Ar mode Ns Oo : Ns Ar mode Oc Ns ...
Sharing uses one or more of the specified security modes. The
.Ar mode
in the
.Sy sec Ns = Ns Ar mode
option must be a mode name supported on the client. If the
.Sy sec Ns =
option is not specified, the default security mode used is AUTH_SYS. Multiple
.Sy sec Ns =
options can be specified on the command line, although each mode can appear
only once. The security modes are defined in
.Xr nfssec 5 .
.Pp
Each
.Sy sec Ns =
option specifies modes that apply to any subsequent
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
.Sy ro Ns = ,
and
.Sy root Ns =
options that are provided before another
.Sy sec Ns =
option.
Each additional
.Sy sec Ns =
resets the security mode context, so that more
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
.Sy ro Ns = ,
and
.Sy root Ns =
options can be supplied for additional modes.
.It Sy sec Ns = Ns Sy none
If the option
.Sy sec Ns = Ns Sy none
is specified when the client uses AUTH_NONE, or if the client uses a security
mode that is not one that the file system is shared with, then the credential
of each NFS request is treated as unauthenticated. See the
.Sy anon Ns = Ns Ar uid
option for a description of how unauthenticated requests are handled.
.It Sy secure
This option has been deprecated in favor of the
.Sy sec Ns = Ns Sy dh
option.
.It Sy uidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
Where
.Ar mapping
is:
.Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
.Pp
Allows remapping the user ID (uid) in the incoming request to some other uid.
This effectively changes the identity of the user in the request to that of
some other local user.
.Pp
For clients where the uid in the incoming request is
.Ar clnt
and the client matches the
.Ar access_list ,
change the user ID to
.Ar srv .
If
.Ar clnt
is asterisk (*), all users are mapped by this rule.  If
.Ar clnt
is omitted, all unknown users are mapped by this rule.  If
.Ar srv
is set to -1, access is denied.  If
.Ar srv
is omitted, the uid is mapped to UID_NOBODY.
.Pp
The particular
.Ar mapping Ns s
are separated in the
.Sy uidmap Ns =
option by tilde (~) and are evaluated in the specified order until a match is
found.  Both
.Sy root Ns =
and
.Sy root_mapping Ns =
options (if specified) are evaluated before the
.Sy uidmap Ns =
option.  The
.Sy uidmap Ns =
option is skipped in the case where the client matches the
.Sy root Ns =
option.
.Pp
The
.Sy uidmap Ns =
option is evaluated before the
.Sy anon Ns =
option.
.Pp
This option is supported only for AUTH_SYS.
.It Sy window Ns = Ns Ar value
When sharing with
.Sy sec Ns = Ns Sy dh ,
set the maximum life time (in seconds) of the RPC request's credential (in the
authentication header) that the NFS server allows. If a credential arrives with
a life time larger than what is allowed, the NFS server rejects the request. The
default value is 30000 seconds (8.3 hours).
.El
.El
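.Pp
The following is an added example and is not part of this manual page or of
the illumos
.Xr mountd 1M
source: a Python model of the AUTH_SYS identity-mapping order documented above
for the
.Sy anon Ns = ,
.Sy root Ns = ,
.Sy root_mapping Ns = ,
.Sy uidmap Ns =
and
.Sy gidmap Ns =
options. The passwd and group tables, the value 60001 for UID_NOBODY, and all
host names and addresses are constructed for the example. The access_list
matcher is reduced to hostnames, exact @address components, the asterisk and
the leading minus sign (the full grammar is described under access_list below).
The page does not say how a root request from a host outside
.Sy root Ns =
interacts with
.Sy gidmap Ns = ,
so the model leaves such a request's gid unmapped; that is an assumption.

```python
"""Model of the AUTH_SYS credential mapping order in share_nfs(1M).
Added example following the manual page text; not the mountd(1M) code."""
from typing import Dict, Optional, Tuple

UID_NOBODY = 60001          # assumption: the illumos "nobody" id
DENY = -1                   # srv=-1 or anon=-1 means "access denied"

# Constructed tables standing in for passwd(4) and group(4).
PASSWD: Dict[str, int] = {"root": 0, "joe": 1001, "nobody": UID_NOBODY}
GROUP: Dict[str, int] = {"root": 0, "staff": 10, "nobody": UID_NOBODY}


def client_in(access_list: str, host: str, addr: str) -> bool:
    """Reduced access_list matcher: '*', a hostname or an exact '@addr';
    a leading '-' denies; the list is searched in order, first match wins."""
    for comp in access_list.split(":"):
        deny = comp.startswith("-")
        name = comp[1:] if deny else comp
        if name == "*" or name == host or name == "@" + addr:
            return not deny
    return False


def resolve(name: str, table: Dict[str, int]) -> Optional[int]:
    """Numeric id, or a name looked up in the table; None when empty."""
    if not name:
        return None
    return int(name) if name.lstrip("-").isdigit() else table[name]


def apply_map(spec: str, ident: int, table: Dict[str, int],
              host: str, addr: str) -> int:
    """uidmap=/gidmap= value 'mapping~mapping...', each '[clnt]:[srv]:access_list',
    evaluated in order until a rule matches.  clnt '*' matches every id and an
    empty clnt matches ids the server does not know; an empty srv means nobody."""
    known = set(table.values())
    for mapping in spec.split("~"):
        clnt, srv, acl = mapping.split(":", 2)
        if not client_in(acl, host, addr):
            continue
        if clnt == "*" or (clnt == "" and ident not in known) \
                or (clnt not in ("", "*") and resolve(clnt, table) == ident):
            target = resolve(srv, table)
            return UID_NOBODY if target is None else target
    return ident


def map_cred(opts: Dict[str, str], uid: int, gid: int,
             host: str, addr: str) -> Optional[Tuple[int, int]]:
    """Effective (uid, gid) for an AUTH_SYS request, or None when it is denied."""
    anon_uid = int(opts.get("anon", UID_NOBODY))
    if uid == 0:
        if "root" in opts and client_in(opts["root"], host, addr):
            # root= matched: keep root (or root_mapping=); uidmap=/gidmap= are skipped.
            return (int(opts.get("root_mapping", 0)), gid)
        uid = anon_uid          # root from any other host is the anonymous user
    else:
        if "uidmap" in opts:
            uid = apply_map(opts["uidmap"], uid, PASSWD, host, addr)
        if "gidmap" in opts:
            gid = apply_map(opts["gidmap"], gid, GROUP, host, addr)
        if DENY in (uid, gid):
            return None
        if uid not in PASSWD.values():   # anon= is evaluated after the maps
            uid = anon_uid
    return None if uid == DENY else (uid, gid)
```

With the page's Example 2 options, uid 100 arriving from 10.0.0.1 becomes joe,
while the same uid from any other address is unknown to the server and falls
through to the anonymous user; a
.Sy root Ns =
match short-circuits every map, which is why a
.Sy uidmap Ns =
rule can never demote a host that is also granted root.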
.Ss access_list
The
.Ar access_list
argument is a colon-separated list whose components may be any number of the
following:
.Bl -tag -width "indented"
.It Sy hostname
The name of a host. With a server configured for DNS or LDAP naming in the
nsswitch
.Sy hosts
entry, any hostname must be represented as a fully qualified DNS or LDAP name.
The server compares the name it resolves for the requesting client's address,
so a hostname entry is only as reliable as that reverse lookup.
.It Sy netgroup
A netgroup contains a number of hostnames. With a server configured for DNS or
LDAP naming in the nsswitch
.Sy hosts
entry, any hostname in a netgroup must be represented as a fully qualified DNS
or LDAP name.
.It Sy domain name suffix
To use domain membership the server must use DNS or LDAP to resolve hostnames to
IP addresses; that is, the
.Sy hosts
entry in the
.Pa /etc/nsswitch.conf
must specify
.Sy dns
or
.Sy ldap
ahead of
.Sy nis
or
.Sy nisplus ,
since only DNS and LDAP return the full domain name of the host. Other name
services like NIS or NIS+ cannot be used to resolve hostnames on the server
because when mapping an IP address to a hostname they do not return domain
information. For example,
.Bd -literal -offset indent
NIS or NIS+   172.16.45.9 --> "myhost"
.Ed
.Pp
and
.Bd -literal -offset indent
DNS or LDAP   172.16.45.9 --> "myhost.mydomain.mycompany.com"
.Ed
.Pp
The domain name suffix is distinguished from hostnames and netgroups by a
prefixed dot. For example,
.Bd -literal -offset indent
rw=.mydomain.mycompany.com
.Ed
.Pp
A single dot can be used to match a hostname with no suffix. For example,
.Bd -literal -offset indent
rw=.
.Ed
.Pp
matches
.Qq mydomain
but not
.Qq mydomain.mycompany.com .
This feature can be used to match hosts resolved through NIS and NIS+ rather
than DNS and LDAP.
.It Sy network
The network or subnet component is preceded by an at-sign (@). It can be either
a name or a dotted address. If a name, it is converted to a dotted address by
.Xr getnetbyname 3SOCKET .
For example,
.Bd -literal -offset indent
=@mynet
.Ed
.Pp
would be equivalent to:
.Bd -literal -offset indent
=@172.16 or =@172.16.0.0
.Ed
.Pp
When no mask length is given, the netmask is octet-aligned and is inferred from
the address itself: it covers every octet from the high-order octet down to the
lowest-order non-zero octet, so trailing zero octets (whether written or
omitted) are treated as the host part. This is what makes a full four-octet
address with a non-zero last octet match a single host (see below). Where a
network prefix is not octet-aligned, the syntax allows a mask length to be
specified explicitly following a slash (/) delimiter. For example,
.Bd -literal -offset indent
=@theothernet/17 or =@172.16.132/22
.Ed
.Pp
where the mask is the number of leftmost contiguous significant bits in the
corresponding IP address.
.Pp
When specifying individual IP addresses, use the same @ notation described
above, without a netmask specification. For example:
.Bd -literal -offset indent
=@172.16.132.14
.Ed
.Pp
An address whose last octet is zero would be read as a prefix under the rule
above; give it an explicit mask length to match it as a single host.
.Pp
Multiple individual IP addresses are specified, for example, as:
.Bd -literal -offset indent
root=@172.16.132.20:@172.16.134.20
.Ed
.El
.Pp
A prefixed minus sign (-) denies access to that component of
.Ar access_list .
The list is searched sequentially until a match is found that either grants or
denies access, or until the end of the list is reached. For example, if host
.Qq terra
is in the
.Qq engineering
netgroup, then
.Bd -literal -offset indent
rw=-terra:engineering
.Ed
.Pp
denies access to
.Qq terra
but
.Bd -literal -offset indent
rw=engineering:-terra
.Ed
.Pp
grants access to
.Qq terra .
.Sh OPERANDS
The following operands are supported:
.Bl -tag -width "pathname"
.It Sy pathname
The pathname of the file system to be shared.
.El
.Sh FILES
.Bl -tag -width "/etc/nfs/nfslog.conf"
.It Pa /etc/dfs/fstypes
list of system types, NFS by default
.It Pa /etc/dfs/sharetab
system record of shared file systems
.It Pa /etc/nfs/nfslogtab
system record of logged file systems
.It Pa /etc/nfs/nfslog.conf
logging configuration file
.El
.Sh EXIT STATUS
.Ex -std
.Sh EXAMPLES
.Ss Example 1 Sharing A File System With Logging Enabled
The following example shows the
.Pa /export
file system shared with logging enabled:
.Bd -literal -offset indent
share -o log /export
.Ed
.Pp
The default global logging parameters are used since no tag identifier is
specified. The location of the log file, as well as the necessary logging work
files, is specified by the global entry in
.Pa /etc/nfs/nfslog.conf .
The
.Xr nfslogd 1M
daemon runs only if at least one file system entry in
.Pa /etc/dfs/dfstab
is shared with logging enabled upon starting or rebooting the system. Simply
sharing a file system with logging enabled from the command line does not start
the
.Xr nfslogd 1M .
.Ss Example 2 Remap A User Coming From A Particular NFS Client
The following example remaps the user with uid
.Sy 100
at client
.Sy 10.0.0.1
to user
.Sy joe Ns :
.Bd -literal -offset indent
share -o uidmap=100:joe:@10.0.0.1 /export
.Ed
.Sh SEE ALSO
.Xr mount 1M ,
.Xr mountd 1M ,
.Xr nfsd 1M ,
.Xr nfslogd 1M ,
.Xr share 1M ,
.Xr unshare 1M ,
.Xr getnetbyname 3SOCKET ,
.Xr nfslog.conf 4 ,
.Xr netgroup 4 ,
.Xr attributes 5 ,
.Xr nfssec 5
.Sh NOTES
If the
.Sy sec Ns =
option is presented at least once, all uses of the
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
.Sy ro Ns = ,
and
.Sy root Ns =
options must come after the first
.Sy sec Ns =
option. If the
.Sy sec Ns =
option is not presented, then
.Sy sec Ns = Ns Sy sys
is implied.
.Pp
If one or more explicit
.Sy sec Ns =
options are presented,
.Sy sys
must appear in one of the
.Sy sec Ns =
mode lists for access using the AUTH_SYS security mode to be allowed. For
example, each of
.Bd -literal -offset indent
share -F nfs /var
share -F nfs -o sec=sys /var
.Ed
.Pp
grants read-write access to any host using AUTH_SYS, but
.Bd -literal -offset indent
share -F nfs -o sec=dh /var
.Ed
.Pp
grants no access to clients that use AUTH_SYS.
.Pp
Unlike previous implementations of
.Nm ,
access checking for the
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
and
.Sy ro Ns =
options is done per NFS request, instead of per mount request.
.Pp
Combining multiple security modes can be a security hole in situations where
the
.Sy ro Ns =
and
.Sy rw Ns =
options are used to control access to weaker security modes. In this example,
.Bd -literal -offset indent
share -F nfs -o sec=dh,rw,sec=sys,rw=hosta /var
.Ed
.Pp
an intruder can forge the IP address for
.Qq hosta
(albeit on each NFS request) to side-step the stronger controls of AUTH_DES.
Something like:
.Bd -literal -offset indent
share -F nfs -o sec=dh,rw,sec=sys,ro /var
.Ed
.Pp
is safer, because any client (intruder or legitimate) that avoids AUTH_DES only
gets read-only access. In general, multiple security modes per share command
should only be used in situations where the clients using more secure modes get
stronger access than clients using less secure modes.
.Pp
If
.Sy rw Ns =
and
.Sy ro Ns =
options are specified in the same
.Sy sec Ns =
clause, and a client is in both lists, the order of the two options determines
the access the client gets. If client
.Qq hosta
is in two netgroups,
.Qq group1
and
.Qq group2 ,
in this example, the client would get read-only access:
.Bd -literal -offset indent
share -F nfs -o ro=group1,rw=group2 /var
.Ed
.Pp
In this example
.Qq hosta
would get read-write access:
.Bd -literal -offset indent
share -F nfs -o rw=group2,ro=group1 /var
.Ed
.Pp
If within a
.Sy sec Ns =
clause, both the
.Sy ro
and
.Sy rw Ns =
options are specified, for compatibility, the order of the options rule is not
enforced. All hosts would get read-only access, with the exception of those in
the read-write list. Likewise, if the
.Sy ro Ns =
and
.Sy rw
options are specified, all hosts get read-write access with the exception of
those in the read-only list.
634*073ec901SMarcel Telka.Pp
635*073ec901SMarcel TelkaThe
636*073ec901SMarcel Telka.Sy ro Ns =
637*073ec901SMarcel Telkaand
638*073ec901SMarcel Telka.Sy rw Ns =
639*073ec901SMarcel Telkaoptions are guaranteed to work over UDP and TCP but may not work over other
640*073ec901SMarcel Telkatransport providers.
641*073ec901SMarcel Telka.Pp
642*073ec901SMarcel TelkaThe
643*073ec901SMarcel Telka.Sy root Ns =
644*073ec901SMarcel Telkaoption with AUTH_SYS is guaranteed to work over UDP and TCP but may not work
645*073ec901SMarcel Telkaover other transport providers.
646*073ec901SMarcel Telka.Pp
647*073ec901SMarcel TelkaThe
648*073ec901SMarcel Telka.Sy root Ns =
649*073ec901SMarcel Telkaoption with AUTH_DES is guaranteed to work over any transport provider.
650*073ec901SMarcel Telka.Pp
651*073ec901SMarcel TelkaThere are no interactions between the
652*073ec901SMarcel Telka.Sy root Ns =
653*073ec901SMarcel Telkaoption and the
654*073ec901SMarcel Telka.Sy rw ,
655*073ec901SMarcel Telka.Sy ro ,
656*073ec901SMarcel Telka.Sy rw Ns = ,
657*073ec901SMarcel Telkaand
658*073ec901SMarcel Telka.Sy ro Ns =
659*073ec901SMarcel Telkaoptions. Putting a host in the root list does not override the semantics of the
660*073ec901SMarcel Telkaother options. The access the host gets is the same as when the
661*073ec901SMarcel Telka.Sy root Ns =
662*073ec901SMarcel Telkaoption is absent. For example, the following share command denies access to
663*073ec901SMarcel Telka.Qq hostb :
664*073ec901SMarcel Telka.Bd -literal -offset indent
665*073ec901SMarcel Telkashare -F nfs -o ro=hosta,root=hostb /var
666*073ec901SMarcel Telka.Ed
667*073ec901SMarcel Telka.Pp
668*073ec901SMarcel TelkaThe following gives read-only permissions to
669*073ec901SMarcel Telka.Qq hostb :
670*073ec901SMarcel Telka.Bd -literal -offset indent
671*073ec901SMarcel Telkashare -F nfs -o ro=hostb,root=hostb /var
672*073ec901SMarcel Telka.Ed
673*073ec901SMarcel Telka.Pp
674*073ec901SMarcel TelkaThe following gives read-write permissions to
675*073ec901SMarcel Telka.Qq hostb :
676*073ec901SMarcel Telka.Bd -literal -offset indent
677*073ec901SMarcel Telkashare -F nfs -o ro=hosta,rw=hostb,root=hostb /var
678*073ec901SMarcel Telka.Ed
679*073ec901SMarcel Telka.Pp
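As an added illustration of both the ordering rules for rw= and ro= and the independence of the root= option from them (example code written for this page, not taken from share_nfs), the following POSIX shell functions evaluate the access one client gets under the options of a single sec= clause. They assume a client is described by the list of names it answers to (its host name plus the netgroups it belongs to) and that an access-list entry matches when it equals one of those names; negated entries, domain names and network entries are not handled. The option strings in the demonstration are the ones from the examples above.

```shell
#!/bin/sh
# Added example: evaluate share_nfs rw=/ro=/root= ordering for one client.
# Not part of share_nfs; assumes plain host or netgroup entries only.

# in_list LIST NAMES: succeeds if any ':'-separated entry of LIST is one of NAMES
in_list() {
    entries=$(printf '%s' "$1" | tr ':' ' ')
    for e in $entries; do
        for n in $2; do
            if [ "$e" = "$n" ]; then return 0; fi
        done
    done
    return 1
}

# nfs_access OPTS NAMES: print rw, ro or denied for a client known by NAMES
# (space separated host name and netgroups) under the options OPTS of one
# sec= clause.  Options other than rw, ro, rw= and ro= are ignored, so root=
# never changes the result, as the text above requires.
nfs_access() {
    plain_rw=0; plain_ro=0; rw_list=0; ro_list=0
    first=""    # first of the rw=/ro= lists, in option order, that names the client
    while read -r o; do
        case "$o" in
            rw)   plain_rw=1 ;;
            ro)   plain_ro=1 ;;
            rw=*) rw_list=1
                  if [ -z "$first" ] && in_list "${o#rw=}" "$2"; then first=rw; fi ;;
            ro=*) ro_list=1
                  if [ -z "$first" ] && in_list "${o#ro=}" "$2"; then first=ro; fi ;;
        esac
    done <<EOF
$(printf '%s' "$1" | tr ',' '\n')
EOF
    if [ $rw_list -eq 1 ] && [ $ro_list -eq 1 ]; then
        # both lists: the earlier list naming the client wins; unlisted clients are denied
        echo "${first:-denied}"
    elif [ $plain_ro -eq 1 ] && [ $rw_list -eq 1 ]; then
        # ro plus rw=list: order not enforced, the list is the exception to read-only
        if [ "$first" = rw ]; then echo rw; else echo ro; fi
    elif [ $plain_rw -eq 1 ] && [ $ro_list -eq 1 ]; then
        # rw plus ro=list: the list is the exception to read-write
        if [ "$first" = ro ]; then echo ro; else echo rw; fi
    elif [ $rw_list -eq 1 ]; then
        if [ "$first" = rw ]; then echo rw; else echo denied; fi
    elif [ $ro_list -eq 1 ]; then
        if [ "$first" = ro ]; then echo ro; else echo denied; fi
    elif [ $plain_ro -eq 1 ]; then
        echo ro
    else
        echo rw      # neither ro nor rw given: read-write for all clients
    fi
}

# nfs_root_mapped OPTS NAMES: succeeds if the client is in the root= list.
# Independent of nfs_access: being in the root list grants no access by itself.
nfs_root_mapped() {
    while read -r o; do
        case "$o" in
            root=*) if in_list "${o#root=}" "$2"; then return 0; fi ;;
        esac
    done <<EOF
$(printf '%s' "$1" | tr ',' '\n')
EOF
    return 1
}

# Constructed checks using the option strings from the examples in the text above.
for spec in \
    "ro=group1,rw=group2|hosta group1 group2" \
    "rw=group2,ro=group1|hosta group1 group2" \
    "ro=hosta,root=hostb|hostb" \
    "ro=hostb,root=hostb|hostb" \
    "ro=hosta,rw=hostb,root=hostb|hostb"
do
    opts=${spec%%|*}; names=${spec#*|}
    if nfs_root_mapped "$opts" "$names"; then r=", root preserved"; else r=""; fi
    echo "$opts for '$names': $(nfs_access "$opts" "$names")$r"
done
```

The last three checks reproduce the root= examples: hostb is denied, read-only and read-write respectively, and in each case its presence in the root list only decides whether root on hostb keeps uid 0, never whether it can reach the share.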
If the file system being shared is a symbolic link to a valid pathname, the
canonical path (the path which the symbolic link follows) is shared. For
example, if
.Pa /export/foo
is a symbolic link to
.Pa /export/bar ,
the following share command results in
.Pa /export/bar
as the shared pathname (and not
.Pa /export/foo ) :
.Bd -literal -offset indent
share -F nfs /export/foo
.Ed
.Pp
An NFS mount of
.Lk server:/export/foo
results in
.Lk server:/export/bar
really being mounted.
.Pp
This line in the
.Pa /etc/dfs/dfstab
file shares the
.Pa /disk
file system read-only at boot time:
.Bd -literal -offset indent
share -F nfs -o ro /disk
.Ed
.Pp
The same command entered from the command line does not share the
.Pa /disk
file system unless there is at least one file system entry in the
.Pa /etc/dfs/dfstab
file. The
.Xr mountd 1M
and
.Xr nfsd 1M
daemons only run if there is a file system entry in
.Pa /etc/dfs/dfstab
when starting or rebooting the system.
.Pp
The
.Xr mountd 1M
process allows the processing of a path name that contains a symbolic link.
This allows the processing of paths that are not themselves explicitly shared
with
.Nm .
For example,
.Pa /export/foo
might be a symbolic link that refers to
.Pa /export/bar ,
which has been specifically shared. When the client mounts
.Pa /export/foo ,
the mountd processing follows the symbolic link and responds with
.Pa /export/bar .
The NFS Version 4 protocol does not use the mountd processing, so the client's
use of
.Pa /export/foo
does not work as it does with NFS Version 2 and Version 3: the client
receives an error when attempting to mount
.Pa /export/foo .

741