1 '\" te
   2 .\" Copyright (C) 2008, Sun Microsystems, Inc. All Rights Reserved
   3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
   4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
   5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   6 .TH SHARE_NFS 1M "Mar 17, 2014"
   7 .SH NAME
   8 share_nfs \- make local NFS file systems available for mounting by remote
   9 systems
  10 .SH SYNOPSIS
  11 .LP
  12 .nf
  13 \fBshare\fR [\fB-d\fR \fIdescription\fR] [\fB-F\fR nfs] [\fB-o\fR \fIspecific_options\fR] \fIpathname\fR
  14 .fi
  15 
  16 .SH DESCRIPTION
  17 .sp
  18 .LP
  19 The \fBshare\fR utility makes local file systems available for mounting by
  20 remote systems. It starts the \fBnfsd\fR(1M) and \fBmountd\fR(1M) daemons if
  21 they are not already running.
  22 .sp
  23 .LP
  24 If no argument is specified, then \fBshare\fR displays all file systems
  25 currently shared, including \fBNFS\fR file systems and file systems shared
  26 through other distributed file system packages.
  27 .SH OPTIONS
  28 .sp
  29 .LP
  30 The following options are supported:
  31 .sp
  32 .ne 2
  33 .na
  34 \fB\fB-d\fR \fIdescription\fR\fR
  35 .ad
  36 .sp .6
  37 .RS 4n
  38 Provide a comment that describes the file system to be shared.
  39 .RE
  40 
  41 .sp
  42 .ne 2
  43 .na
  44 \fB\fB\fR\fB-F\fR \fBnfs\fR\fR
  45 .ad
  46 .sp .6
  47 .RS 4n
  48 Share \fBNFS\fR file system type.
  49 .RE
  50 
  51 .sp
  52 .ne 2
  53 .na
  54 \fB\fB-o\fR \fIspecific_options\fR\fR
  55 .ad
  56 .sp .6
  57 .RS 4n
  58 Specify \fIspecific_options\fR in a comma-separated list of keywords and
  59 attribute-value-assertions for interpretation by the file-system-type-specific
  60 command. If \fIspecific_options\fR is not specified, then by default sharing is
  61 read-write to all clients. \fIspecific_options\fR can be any combination of the
  62 following:
  63 .sp
  64 .ne 2
  65 .na
  66 \fB\fBaclok\fR\fR
  67 .ad
  68 .sp .6
  69 .RS 4n
  70 Allows the \fBNFS\fR server to do access control for \fBNFS\fR Version 2
  71 clients (running SunOS 2.4 or earlier). When \fBaclok\fR is set on the server,
  72 maximal access is given to all clients. For example, with \fBaclok\fR set, if
  73 anyone has read permissions, then everyone does. If \fBaclok\fR is not set,
  74 minimal access is given to all clients.
  75 .RE
  76 
  77 .sp
  78 .ne 2
  79 .na
  80 \fB\fBanon=\fR\fIuid\fR\fR
  81 .ad
  82 .sp .6
  83 .RS 4n
  84 Set \fIuid\fR to be the effective user \fBID\fR of unknown users. By default,
  85 unknown users are given the effective user \fBID\fR \fBUID_NOBODY\fR. If
  86 \fIuid\fR is set to \fB\(mi1\fR, access is denied.
  87 .RE
  88 
  89 .sp
  90 .ne 2
  91 .na
  92 \fB\fIcharset\fR=\fIaccess_list\fR\fR
  93 .ad
  94 .sp .6
  95 .RS 4n
  96 Where \fIcharset\fR is one of: \fBeuc-cn\fR, \fBeuc-jp\fR, \fBeuc-jpms\fR,
  97 \fBeuc-kr\fR, \fBeuc-tw\fR, \fBiso8859-1\fR, \fBiso8859-2\fR, \fBiso8859-5\fR,
  98 \fBiso8859-6\fR, \fBiso8859-7\fR, \fBiso8859-8\fR, \fBiso8859-9\fR,
  99 \fBiso8859-13\fR, \fBiso8859-15\fR, \fBkoi8-r\fR.
 100 .sp
 101 Clients that match the \fIaccess_list\fR for one of these properties will be
 102 assumed to be using that character set and file and path names will be
 103 converted to UTF-8 for the server.
 104 .RE
 105 
 106 .sp
 107 .ne 2
 108 .na
 109 \fB\fBindex=\fR\fBfile\fR\fR
 110 .ad
 111 .sp .6
 112 .RS 4n
 113 Load \fBfile\fR rather than a listing of the directory containing this file
 114 when the directory is referenced by an \fBNFS URL\fR.
 115 .RE
 116 
 117 .sp
 118 .ne 2
 119 .na
 120 \fB\fBlog=tag\fR\fR
 121 .ad
 122 .sp .6
 123 .RS 4n
 124 Enables \fBNFS\fR server logging for the specified file system. The optional
 125 tag determines the location of the related log files. The \fBtag\fR is defined
 126 in \fBetc/nfs/nfslog.conf\fR. If no \fBtag\fR is specified, the default values
 127 associated with the \fBglobal\fR \fBtag\fR in \fBetc/nfs/nfslog.conf\fR is
 128 used. Support of NFS server logging is only available for NFS Version 2 and
 129 Version 3 requests.
 130 .RE
 131 
 132 .sp
 133 .ne 2
 134 .na
 135 \fB\fBnone=\fR\fIaccess_list\fR\fR
 136 .ad
 137 .sp .6
 138 .RS 4n
 139 Access is not allowed to any client that matches the access list. The exception
 140 is when the access list is an asterisk (\fB*\fR), in which case \fBro\fR or
 141 \fBrw\fR can override \fBnone\fR.
 142 .RE
 143 
 144 .sp
 145 .ne 2
 146 .na
 147 \fB\fBnosub\fR\fR
 148 .ad
 149 .sp .6
 150 .RS 4n
 151 Prevents clients from mounting subdirectories of shared directories. For
 152 example, if \fB/export\fR is shared with the \fBnosub\fR option on server
 153 \fIfooey\fR then a \fBNFS\fR client cannot do:
 154 .sp
 155 .in +2
 156 .nf
 157 mount -F nfs fooey:/export/home/mnt
 158 .fi
 159 .in -2
 160 .sp
 161 
 162 NFS Version 4 does not use the \fBMOUNT\fR protocol. The \fBnosub\fR option
 163 only applies to NFS Version 2 and Version 3 requests.
 164 .RE
 165 
 166 .sp
 167 .ne 2
 168 .na
 169 \fB\fBnosuid\fR\fR
 170 .ad
 171 .sp .6
 172 .RS 4n
 173 By default, clients are allowed to create files on the shared file system with
 174 the setuid or setgid mode enabled. Specifying \fBnosuid\fR causes the server
 175 file system to silently ignore any attempt to enable the setuid or setgid mode
 176 bits.
 177 .RE
 178 
 179 .sp
 180 .ne 2
 181 .na
 182 \fB\fBpublic\fR\fR
 183 .ad
 184 .sp .6
 185 .RS 4n
 186 Moves the location of the public file handle from \fBroot\fR (\fB/\fR) to the
 187 exported directory for Web\fBNFS\fR-enabled browsers and clients. This option
 188 does not enable Web\fBNFS\fR service; Web\fBNFS\fR is always on. Only one file
 189 system per server may use this option. Any other option, including the
 190 \fB-ro=list\fR and \fB-rw=list\fR options can be included with the \fBpublic\fR
 191 option.
 192 .RE
 193 
 194 .sp
 195 .ne 2
 196 .na
 197 \fB\fBro\fR\fR
 198 .ad
 199 .sp .6
 200 .RS 4n
 201 Sharing is read-only to all clients.
 202 .RE
 203 
 204 .sp
 205 .ne 2
 206 .na
 207 \fB\fBro=\fR\fIaccess_list\fR\fR
 208 .ad
 209 .sp .6
 210 .RS 4n
 211 Sharing is read-only to the clients listed in \fIaccess_list\fR; overrides the
 212 \fBrw\fR suboption for the clients specified. See \fIaccess_list\fR below.
 213 .RE
 214 
 215 .sp
 216 .ne 2
 217 .na
 218 \fB\fBroot=\fR\fIaccess_list\fR\fR
 219 .ad
 220 .sp .6
 221 .RS 4n
 222 Only root users from the hosts specified in \fIaccess_list\fR have root access.
 223 See \fIaccess_list\fR below. By default, no host has root access, so root users
 224 are mapped to an anonymous user \fBID\fR (see the \fBanon=\fR\fIuid\fR option
 225 described above). Netgroups can be used if the file system shared is using UNIX
 226 authentication (\fBAUTH_SYS\fR).
 227 .RE
 228 
 229 .sp
 230 .ne 2
 231 .na
 232 \fB\fBroot_mapping=\fIuid\fR\fR\fR
 233 .ad
 234 .sp .6
 235 .RS 4n
 236 For a client that is allowed root access, map the root UID to the specified
 237 user id.
 238 .RE
 239 
 240 .sp
 241 .ne 2
 242 .na
 243 \fB\fBrw\fR\fR
 244 .ad
 245 .sp .6
 246 .RS 4n
 247 Sharing is read-write to all clients.
 248 .RE
 249 
 250 .sp
 251 .ne 2
 252 .na
 253 \fB\fBrw=\fR\fIaccess_list\fR\fR
 254 .ad
 255 .sp .6
 256 .RS 4n
 257 Sharing is read-write to the clients listed in \fIaccess_list\fR; overrides the
 258 \fBro\fR suboption for the clients specified. See \fIaccess_list\fR below.
 259 .RE
 260 
 261 .sp
 262 .ne 2
 263 .na
 264 \fB\fBsec=\fR\fImode\fR[\fB:\fR\fImode\fR].\|.\|.\fR
 265 .ad
 266 .sp .6
 267 .RS 4n
 268 Sharing uses one or more of the specified security modes. The \fImode\fR in the
 269 \fBsec=\fR\fImode\fR option must be a node name supported on the client. If the
 270 \fBsec=\fR option is not specified, the default security mode used is
 271 \fBAUTH_SYS.\fR Multiple \fBsec=\fR options can be specified on the command
 272 line, although each mode can appear only once. The security modes are defined
 273 in \fBnfssec\fR(5).
 274 .sp
 275 Each \fBsec=\fR option specifies modes that apply to any subsequent \fBwindow=,
 276 rw, ro, rw=, ro=\fR and \fBroot=\fR options that are provided before another
 277 \fBsec=\fRoption. Each additional \fBsec=\fR resets the security mode context,
 278 so that more \fBwindow=,\fR \fBrw,\fR \fBro,\fR \fBrw=,\fR \fBro=\fR and
 279 \fBroot=\fR options can be supplied for additional modes.
 280 .RE
 281 
 282 .sp
 283 .ne 2
 284 .na
 285 \fB\fBsec=\fR\fInone\fR\fR
 286 .ad
 287 .sp .6
 288 .RS 4n
 289 If the option \fBsec=\fR\fInone\fR is specified when the client uses
 290 \fBAUTH_NONE,\fR or if the client uses a security mode that is not one that the
 291 file system is shared with, then the credential of each \fBNFS\fR request is
 292 treated as unauthenticated. See the \fBanon=\fR\fIuid\fR option for a
 293 description of how unauthenticated requests are handled.
 294 .RE
 295 
 296 .sp
 297 .ne 2
 298 .na
 299 \fB\fBsecure\fR\fR
 300 .ad
 301 .sp .6
 302 .RS 4n
 303 This option has been deprecated in favor of the \fBsec=\fR\fIdh\fR option.
 304 .RE
 305 
 306 .sp
 307 .ne 2
 308 .na
 309 \fB\fBwindow=\fR\fIvalue\fR\fR
 310 .ad
 311 .sp .6
 312 .RS 4n
 313 When sharing with \fBsec=\fR\fIdh\fR, set the maximum life time (in seconds) of
 314 the \fBRPC\fR request's credential (in the authentication header) that the
 315 \fBNFS\fR server allows. If a credential arrives with a life time larger than
 316 what is allowed, the \fBNFS\fR server rejects the request. The default value is
 317 30000 seconds (8.3 hours).
 318 .RE
 319 
 320 .RE
 321 
 322 .SS "\fIaccess_list\fR"
 323 .sp
 324 .LP
 325 The \fIaccess_list\fR argument is a colon-separated list whose components may
 326 be any number of the following:
 327 .sp
 328 .ne 2
 329 .na
 330 \fBhostname\fR
 331 .ad
 332 .sp .6
 333 .RS 4n
 334 The name of a host. With a server configured for \fBDNS\fR or \fBLDAP\fR naming
 335 in the \fBnsswitch\fR "hosts" entry, any hostname must be represented as a
 336 fully qualified \fBDNS\fR or \fBLDAP\fR name.
 337 .RE
 338 
 339 .sp
 340 .ne 2
 341 .na
 342 \fBnetgroup\fR
 343 .ad
 344 .sp .6
 345 .RS 4n
 346 A netgroup contains a number of hostnames. With a server configured for
 347 \fBDNS\fR or \fBLDAP\fR naming in the \fBnsswitch\fR "hosts" entry, any
 348 hostname in a netgroup must be represented as a fully qualified \fBDNS\fR or
 349 \fBLDAP\fR name.
 350 .RE
 351 
 352 .sp
 353 .ne 2
 354 .na
 355 \fBdomain name suffix\fR
 356 .ad
 357 .sp .6
 358 .RS 4n
 359 To use domain membership the server must use \fBDNS\fR or \fBLDAP\fR to resolve
 360 hostnames to \fBIP\fR addresses; that is, the "hosts" entry in the
 361 \fB/etc/nsswitch.conf\fR must specify "dns" or "ldap" ahead of "nis" or
 362 "nisplus", since only \fBDNS\fR and \fBLDAP\fR return the full domain name of
 363 the host. Other name services like \fBNIS\fR or \fBNIS+\fR cannot be used to
 364 resolve hostnames on the server because when mapping an \fBIP\fR address to a
 365 hostname they do not return domain information. For example,
 366 .sp
 367 .in +2
 368 .nf
 369 NIS or NIS+   172.16.45.9 --> "myhost"
 370 .fi
 371 .in -2
 372 .sp
 373 
 374 and
 375 .sp
 376 .in +2
 377 .nf
 378 DNS or LDAP   172.16.45.9 -->
 379      "myhost.mydomain.mycompany.com"
 380 .fi
 381 .in -2
 382 .sp
 383 
 384 The domain name suffix is distinguished from hostnames and netgroups by a
 385 prefixed dot. For example,
 386 .sp
 387 \fBrw=.mydomain.mycompany.com\fR
 388 .sp
 389 A single dot can be used to match a hostname with no suffix. For example,
 390 .sp
 391 \fBrw=.\fR
 392 .sp
 393 matches "mydomain" but not "mydomain.mycompany.com". This feature can be used
 394 to match hosts resolved through \fBNIS\fR and \fBNIS+\fR rather than \fBDNS\fR
 395 and \fBLDAP\fR.
 396 .RE
 397 
 398 .sp
 399 .ne 2
 400 .na
 401 \fBnetwork\fR
 402 .ad
 403 .sp .6
 404 .RS 4n
 405 The network or subnet component is preceded by an at-sign (\fB@\fR). It can be
 406 either a name or a dotted address. If a name, it is converted to a dotted
 407 address by \fBgetnetbyname\fR(3SOCKET). For example,
 408 .sp
 409 \fB=@mynet\fR
 410 .sp
 411 would be equivalent to:
 412 .sp
 413 \fB=@172.16\fR or \fB=@172.16.0.0\fR
 414 .sp
 415 The network prefix assumes an octet-aligned netmask determined from the zeroth
 416 octet in the low-order part of the address up to and including the high-order
 417 octet, if you want to specify a single IP address (see below). In the case
 418 where network prefixes are not byte-aligned, the syntax allows a mask length to
 419 be specified explicitly following a slash (\fB/\fR) delimiter. For example,
 420 .sp
 421 \fB=@theothernet/17\fR or \fB=@172.16.132/22\fR
 422 .sp
 423 \&...where the mask is the number of leftmost contiguous significant bits in
 424 the corresponding IP address.
 425 .sp
 426 When specifying individual IP addresses, use the same \fB@\fR notation
 427 described above, without a netmask specification. For example:
 428 .sp
 429 .in +2
 430 .nf
 431 =@172.16.132.14
 432 .fi
 433 .in -2
 434 .sp
 435 
 436 Multiple, individual IP addresses would be specified, for example, as:
 437 .sp
 438 .in +2
 439 .nf
 440 root=@172.16.132.20:@172.16.134.20
 441 .fi
 442 .in -2
 443 .sp
 444 
 445 .RE
 446 
 447 .sp
 448 .LP
 449 A prefixed minus sign (\fB\(mi\fR) denies access to that component of
 450 \fIaccess_list\fR. The list is searched sequentially until a match is found
 451 that either grants or denies access, or until the end of the list is reached.
 452 For example, if host "terra" is in the "engineering" netgroup, then
 453 .sp
 454 .in +2
 455 .nf
 456 rw=-terra:engineering
 457 .fi
 458 .in -2
 459 .sp
 460 
 461 .sp
 462 .LP
 463 denies access to \fBterra\fR but
 464 .sp
 465 .in +2
 466 .nf
 467 rw=engineering:-terra
 468 .fi
 469 .in -2
 470 .sp
 471 
 472 .sp
 473 .LP
 474 grants access to \fBterra\fR.
 475 .SH OPERANDS
 476 .sp
 477 .LP
 478 The following operands are supported:
 479 .sp
 480 .ne 2
 481 .na
 482 \fB\fIpathname\fR\fR
 483 .ad
 484 .sp .6
 485 .RS 4n
 486 The pathname of the file system to be shared.
 487 .RE
 488 
 489 .SH EXAMPLES
 490 .LP
 491 \fBExample 1 \fRSharing A File System With Logging Enabled
 492 .sp
 493 .LP
 494 The following example shows the \fB/export\fR file system shared with logging
 495 enabled:
 496 
 497 .sp
 498 .in +2
 499 .nf
 500 example% \fBshare -o log /export\fR
 501 .fi
 502 .in -2
 503 .sp
 504 
 505 .sp
 506 .LP
 507 The default global logging parameters are used since no tag identifier is
 508 specified. The location of the log file, as well as the necessary logging work
 509 files, is specified by the global entry in \fB/etc/nfs/nfslog.conf\fR. The
 510 \fBnfslogd\fR(1M) daemon runs only if at least one file system entry in
 511 \fB/etc/dfs/dfstab\fR is shared with logging enabled upon starting or rebooting
 512 the system. Simply sharing a file system with logging enabled from the command
 513 line does not start the \fBnfslogd\fR(1M).
 514 
 515 .SH EXIT STATUS
 516 .sp
 517 .LP
 518 The following exit values are returned:
 519 .sp
 520 .ne 2
 521 .na
 522 \fB\fB0\fR\fR
 523 .ad
 524 .sp .6
 525 .RS 4n
 526 Successful completion.
 527 .RE
 528 
 529 .sp
 530 .ne 2
 531 .na
 532 \fB\fB>0\fR\fR
 533 .ad
 534 .sp .6
 535 .RS 4n
 536 An error occurred.
 537 .RE
 538 
 539 .SH FILES
 540 .sp
 541 .ne 2
 542 .na
 543 \fB\fB/etc/dfs/fstypes\fR\fR
 544 .ad
 545 .sp .6
 546 .RS 4n
 547 list of system types, \fBNFS\fR by default
 548 .RE
 549 
 550 .sp
 551 .ne 2
 552 .na
 553 \fB\fB/etc/dfs/sharetab\fR\fR
 554 .ad
 555 .sp .6
 556 .RS 4n
 557 system record of shared file systems
 558 .RE
 559 
 560 .sp
 561 .ne 2
 562 .na
 563 \fB\fB/etc/nfs/nfslogtab\fR\fR
 564 .ad
 565 .sp .6
 566 .RS 4n
 567 system record of logged file systems
 568 .RE
 569 
 570 .sp
 571 .ne 2
 572 .na
 573 \fB\fB/etc/nfs/nfslog.conf\fR\fR
 574 .ad
 575 .sp .6
 576 .RS 4n
 577 logging configuration file
 578 .RE
 579 
 580 .SH SEE ALSO
 581 .sp
 582 .LP
 583 \fBmount\fR(1M), \fBmountd\fR(1M), \fBnfsd\fR(1M), \fBnfslogd\fR(1M),
 584 \fBshare\fR(1M), \fBunshare\fR(1M), \fBgetnetbyname\fR(3SOCKET),
 585 \fBnfslog.conf\fR(4), \fBnetgroup\fR(4), \fBattributes\fR(5), \fBnfssec\fR(5)
 586 .SH NOTES
 587 .sp
 588 .LP
 589 If the \fBsec=\fR option is presented at least once, all uses of the
 590 \fBwindow=,\fR \fBrw,\fR \fBro,\fR \fBrw=,\fR \fBro=\fR and \fBroot=\fR options
 591 must come \fBafter\fR the first \fBsec=\fR option. If the \fBsec=\fR option is
 592 not presented, then \fBsec=\fR\fIsys\fR is implied.
 593 .sp
 594 .LP
 595 If one or more explicit \fBsec=\fR options are presented, \fIsys\fR must appear
 596 in one of the options mode lists for accessing using the \fBAUTH_SYS\fR
 597 security mode to be allowed. For example:
 598 .sp
 599 .in +2
 600 .nf
 601 \fBshare\fR \fB-F\fR \fBnfs /var\fR
 602 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=sys /var\fR
 603 .fi
 604 .in -2
 605 .sp
 606 
 607 .sp
 608 .LP
 609 grants read-write access to any host using \fBAUTH_SYS,\fR but
 610 .sp
 611 .in +2
 612 .nf
 613 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=dh /var\fR
 614 .fi
 615 .in -2
 616 .sp
 617 
 618 .sp
 619 .LP
 620 grants no access to clients that use \fBAUTH_SYS.\fR
 621 .sp
 622 .LP
 623 Unlike previous implementations of \fBshare_nfs\fR, access checking for the
 624 \fBwindow=, rw, ro, rw=,\fR and \fBro=\fR options is done per \fBNFS\fR
 625 request, instead of per mount request.
 626 .sp
 627 .LP
 628 Combining multiple security modes can be a security hole in situations where
 629 the \fBro=\fR and \fBrw=\fR options are used to control access to weaker
 630 security modes. In this example,
 631 .sp
 632 .in +2
 633 .nf
 634 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=dh,rw,sec=sys,rw=hosta /var\fR
 635 .fi
 636 .in -2
 637 .sp
 638 
 639 .sp
 640 .LP
 641 an intruder can forge the IP address for \fBhosta\fR (albeit on each \fBNFS\fR
 642 request) to side-step the stronger controls of \fBAUTH_DES.\fR Something like:
 643 .sp
 644 .in +2
 645 .nf
 646 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=dh,rw,sec=sys,ro /var\fR
 647 .fi
 648 .in -2
 649 .sp
 650 
 651 .sp
 652 .LP
 653 is safer, because any client (intruder or legitimate) that avoids
 654 \fBAUTH_DES\fR only gets read-only access. In general, multiple security modes
 655 per \fBshare\fR command should only be used in situations where the clients
 656 using more secure modes get stronger access than clients using less secure
 657 modes.
 658 .sp
 659 .LP
 660 If \fBrw=,\fR and \fBro=\fR options are specified in the same \fBsec=\fR
 661 clause, and a client is in both lists, the order of the two options determines
 662 the access the client gets. If client \fBhosta\fR is in two netgroups -
 663 \fBgroup1\fR and \fBgroup2\fR - in this example, the client would get read-only
 664 access:
 665 .sp
 666 .in +2
 667 .nf
 668 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=group1,rw=group2 /var\fR
 669 .fi
 670 .in -2
 671 .sp
 672 
 673 .sp
 674 .LP
 675 In this example \fBhosta\fR would get read-write access:
 676 .sp
 677 .in +2
 678 .nf
 679 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBrw=group2,ro=group1 /var\fR
 680 .fi
 681 .in -2
 682 .sp
 683 
 684 .sp
 685 .LP
 686 If within a \fBsec=\fR clause, both the \fBro\fR and \fBrw=\fR options are
 687 specified, for compatibility, the order of the options rule is not enforced.
 688 All hosts would get read-only access, with the exception to those in the
 689 read-write list. Likewise, if the \fBro=\fR and \fBrw\fR options are specified,
 690 all hosts get read-write access with the exceptions of those in the read-only
 691 list.
 692 .sp
 693 .LP
 694 The \fBro=\fR and \fBrw=\fR options are guaranteed to work over \fBUDP\fR and
 695 \fBTCP\fR but may not work over other transport providers.
 696 .sp
 697 .LP
 698 The \fBroot=\fR option with \fBAUTH_SYS\fR is guaranteed to work over \fBUDP\fR
 699 and \fBTCP\fR but may not work over other transport providers.
 700 .sp
 701 .LP
 702 The \fBroot=\fR option with \fBAUTH_DES\fR is guaranteed to work over any
 703 transport provider.
 704 .sp
 705 .LP
 706 There are no interactions between the \fBroot=\fR option and the \fBrw, ro,
 707 rw=,\fR and \fBro=\fR options. Putting a host in the \fBroot\fR list does not
 708 override the semantics of the other options. The access the host gets is the
 709 same as when the \fBroot=\fR options is absent. For example, the following
 710 \fBshare\fR command denies access to \fBhostb:\fR
 711 .sp
 712 .in +2
 713 .nf
 714 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=hosta,root=hostb /var\fR
 715 .fi
 716 .in -2
 717 .sp
 718 
 719 .sp
 720 .LP
 721 The following gives read-only permissions to \fBhostb:\fR
 722 .sp
 723 .in +2
 724 .nf
 725 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=hostb,root=hostb /var\fR
 726 .fi
 727 .in -2
 728 .sp
 729 
 730 .sp
 731 .LP
 732 The following gives read-write permissions to \fBhostb:\fR
 733 .sp
 734 .in +2
 735 .nf
 736 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=hosta,rw=hostb,root=hostb /var\fR
 737 .fi
 738 .in -2
 739 .sp
 740 
 741 .sp
 742 .LP
 743 If the file system being shared is a symbolic link to a valid pathname, the
 744 canonical path (the path which the symbolic link follows) are shared. For
 745 example, if \fB/export/foo\fR is a symbolic link to \fB/export/bar\fR
 746 (\fB/export/foo -> /export/bar\fR), the following \fBshare\fR command results
 747 in \fB/export/bar\fR as the shared pathname (and not \fB/export/foo\fR).
 748 .sp
 749 .in +2
 750 .nf
 751 \fBexample# share\fR \fB-F\fR \fBnfs /export/foo\fR
 752 .fi
 753 .in -2
 754 .sp
 755 
 756 .sp
 757 .LP
 758 An \fBNFS\fR mount of \fBserver:/export/foo\fR results in
 759 \fBserver:/export/bar\fR really being mounted.
 760 .sp
 761 .LP
 762 This line in the \fB/etc/dfs/dfstab\fR file shares the \fB/disk\fR file system
 763 read-only at boot time:
 764 .sp
 765 .in +2
 766 .nf
 767 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro /disk\fR
 768 .fi
 769 .in -2
 770 .sp
 771 
 772 .sp
 773 .LP
 774 The same command entered from the command line does not share the \fB/disk\fR
 775 file system unless there is at least one file system entry in the
 776 \fB/etc/dfs/dfstab\fR file. The \fBmountd\fR(1M) and \fBnfsd\fR(1M) daemons
 777 only run if there is a file system entry in \fB/etc/dfs/dfstab\fR when starting
 778 or rebooting the system.
 779 .sp
 780 .LP
 781 The \fBmountd\fR(1M) process allows the processing of a path name the contains
 782 a symbolic link. This allows the processing of paths that are not themselves
 783 explicitly shared with \fBshare_nfs\fR. For example, \fB/export/foo\fR might be
 784 a symbolic link that refers to \fB/export/bar\fR which has been specifically
 785 shared. When the client mounts \fB/export/foo\fR the \fBmountd\fR processing
 786 follows the symbolic link and responds with the \fB/export/bar\fR. The NFS
 787 Version 4 protocol does not use the \fBmountd\fR processing and the client's
 788 use of \fB/export/foo\fR does not work as it does with NFS Version 2 and
 789 Version 3 and the client receives an error when attempting to mount
 790 \fB/export/foo\fR.