4398 Extra spaces in man pages
Reviewed by: Marcel Telka <marcel@telka.sk>
--- old/usr/src/man/man1m/share_nfs.1m
+++ new/usr/src/man/man1m/share_nfs.1m
1 1 '\" te
2 2 .\" Copyright (C) 2008, Sun Microsystems, Inc. All Rights Reserved
3 3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 -.TH SHARE_NFS 1M "May 6, 2009"
6 +.TH SHARE_NFS 1M "Mar 17, 2014"
7 7 .SH NAME
8 8 share_nfs \- make local NFS file systems available for mounting by remote
9 9 systems
10 10 .SH SYNOPSIS
11 11 .LP
12 12 .nf
13 13 \fBshare\fR [\fB-d\fR \fIdescription\fR] [\fB-F\fR nfs] [\fB-o\fR \fIspecific_options\fR] \fIpathname\fR
14 14 .fi
15 15
16 16 .SH DESCRIPTION
17 17 .sp
18 18 .LP
19 19 The \fBshare\fR utility makes local file systems available for mounting by
20 20 remote systems. It starts the \fBnfsd\fR(1M) and \fBmountd\fR(1M) daemons if
21 21 they are not already running.
22 22 .sp
23 23 .LP
24 24 If no argument is specified, then \fBshare\fR displays all file systems
25 25 currently shared, including \fBNFS\fR file systems and file systems shared
26 26 through other distributed file system packages.
27 27 .SH OPTIONS
28 28 .sp
29 29 .LP
30 30 The following options are supported:
31 31 .sp
32 32 .ne 2
33 33 .na
34 34 \fB\fB-d\fR \fIdescription\fR\fR
35 35 .ad
36 36 .sp .6
37 37 .RS 4n
38 38 Provide a comment that describes the file system to be shared.
39 39 .RE
40 40
41 41 .sp
42 42 .ne 2
43 43 .na
44 44 \fB\fB\fR\fB-F\fR \fBnfs\fR\fR
45 45 .ad
46 46 .sp .6
47 47 .RS 4n
48 48 Share \fBNFS\fR file system type.
49 49 .RE
50 50
51 51 .sp
52 52 .ne 2
53 53 .na
54 54 \fB\fB-o\fR \fIspecific_options\fR\fR
55 55 .ad
56 56 .sp .6
57 57 .RS 4n
58 58 Specify \fIspecific_options\fR in a comma-separated list of keywords and
59 59 attribute-value-assertions for interpretation by the file-system-type-specific
60 60 command. If \fIspecific_options\fR is not specified, then by default sharing is
61 61 read-write to all clients. \fIspecific_options\fR can be any combination of the
62 62 following:
63 63 .sp
64 64 .ne 2
65 65 .na
66 66 \fB\fBaclok\fR\fR
67 67 .ad
68 68 .sp .6
69 69 .RS 4n
70 70 Allows the \fBNFS\fR server to do access control for \fBNFS\fR Version 2
71 71 clients (running SunOS 2.4 or earlier). When \fBaclok\fR is set on the server,
72 72 maximal access is given to all clients. For example, with \fBaclok\fR set, if
73 73 anyone has read permissions, then everyone does. If \fBaclok\fR is not set,
74 74 minimal access is given to all clients.
75 75 .RE
76 76
77 77 .sp
78 78 .ne 2
79 79 .na
80 80 \fB\fBanon=\fR\fIuid\fR\fR
81 81 .ad
82 82 .sp .6
83 83 .RS 4n
84 84 Set \fIuid\fR to be the effective user \fBID\fR of unknown users. By default,
85 85 unknown users are given the effective user \fBID\fR \fBUID_NOBODY\fR. If
86 86 \fIuid\fR is set to \fB\(mi1\fR, access is denied.
87 87 .RE
88 88
89 89 .sp
90 90 .ne 2
91 91 .na
92 92 \fB\fIcharset\fR=\fIaccess_list\fR\fR
93 93 .ad
94 94 .sp .6
95 95 .RS 4n
96 96 Where \fIcharset\fR is one of: \fBeuc-cn\fR, \fBeuc-jp\fR, \fBeuc-jpms\fR,
97 97 \fBeuc-kr\fR, \fBeuc-tw\fR, \fBiso8859-1\fR, \fBiso8859-2\fR, \fBiso8859-5\fR,
98 98 \fBiso8859-6\fR, \fBiso8859-7\fR, \fBiso8859-8\fR, \fBiso8859-9\fR,
99 99 \fBiso8859-13\fR, \fBiso8859-15\fR, \fBkoi8-r\fR.
100 100 .sp
101 101 Clients that match the \fIaccess_list\fR for one of these properties will be
102 102 assumed to be using that character set and file and path names will be
103 103 converted to UTF-8 for the server.
104 104 .RE
105 105
106 106 .sp
107 107 .ne 2
108 108 .na
109 109 \fB\fBindex=\fR\fBfile\fR\fR
110 110 .ad
111 111 .sp .6
112 112 .RS 4n
113 113 Load \fBfile\fR rather than a listing of the directory containing this file
114 114 when the directory is referenced by an \fBNFS URL\fR.
115 115 .RE
116 116
117 117 .sp
118 118 .ne 2
119 119 .na
120 120 \fB\fBlog=tag\fR\fR
121 121 .ad
122 122 .sp .6
123 123 .RS 4n
124 124 Enables \fBNFS\fR server logging for the specified file system. The optional
125 125 tag determines the location of the related log files. The \fBtag\fR is defined
126 126 in \fBetc/nfs/nfslog.conf\fR. If no \fBtag\fR is specified, the default values
127 127 associated with the \fBglobal\fR \fBtag\fR in \fBetc/nfs/nfslog.conf\fR is
128 128 used. Support of NFS server logging is only available for NFS Version 2 and
129 129 Version 3 requests.
130 130 .RE
131 131
132 132 .sp
133 133 .ne 2
134 134 .na
135 135 \fB\fBnone=\fR\fIaccess_list\fR\fR
136 136 .ad
137 137 .sp .6
138 138 .RS 4n
139 139 Access is not allowed to any client that matches the access list. The exception
140 140 is when the access list is an asterisk (\fB*\fR), in which case \fBro\fR or
141 141 \fBrw\fR can override \fBnone\fR.
142 142 .RE
143 143
144 144 .sp
145 145 .ne 2
146 146 .na
147 147 \fB\fBnosub\fR\fR
148 148 .ad
149 149 .sp .6
150 150 .RS 4n
151 151 Prevents clients from mounting subdirectories of shared directories. For
152 152 example, if \fB/export\fR is shared with the \fBnosub\fR option on server
153 153 \fIfooey\fR then a \fBNFS\fR client cannot do:
154 154 .sp
155 155 .in +2
156 156 .nf
157 157 mount -F nfs fooey:/export/home/mnt
158 158 .fi
159 159 .in -2
160 160 .sp
161 161
162 162 NFS Version 4 does not use the \fBMOUNT\fR protocol. The \fBnosub\fR option
163 163 only applies to NFS Version 2 and Version 3 requests.
164 164 .RE
165 165
166 166 .sp
167 167 .ne 2
168 168 .na
169 169 \fB\fBnosuid\fR\fR
170 170 .ad
171 171 .sp .6
172 172 .RS 4n
173 173 By default, clients are allowed to create files on the shared file system with
174 174 the setuid or setgid mode enabled. Specifying \fBnosuid\fR causes the server
175 175 file system to silently ignore any attempt to enable the setuid or setgid mode
176 176 bits.
177 177 .RE
178 178
179 179 .sp
180 180 .ne 2
181 181 .na
182 182 \fB\fBpublic\fR\fR
183 183 .ad
184 184 .sp .6
185 185 .RS 4n
186 186 Moves the location of the public file handle from \fBroot\fR (\fB/\fR) to the
187 187 exported directory for Web\fBNFS\fR-enabled browsers and clients. This option
188 188 does not enable Web\fBNFS\fR service; Web\fBNFS\fR is always on. Only one file
189 189 system per server may use this option. Any other option, including the
190 190 \fB-ro=list\fR and \fB-rw=list\fR options can be included with the \fBpublic\fR
191 191 option.
192 192 .RE
193 193
194 194 .sp
195 195 .ne 2
196 196 .na
197 197 \fB\fBro\fR\fR
198 198 .ad
199 199 .sp .6
200 200 .RS 4n
201 201 Sharing is read-only to all clients.
202 202 .RE
203 203
204 204 .sp
205 205 .ne 2
206 206 .na
207 207 \fB\fBro=\fR\fIaccess_list\fR\fR
208 208 .ad
209 209 .sp .6
210 210 .RS 4n
211 211 Sharing is read-only to the clients listed in \fIaccess_list\fR; overrides the
212 212 \fBrw\fR suboption for the clients specified. See \fIaccess_list\fR below.
213 213 .RE
214 214
215 215 .sp
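Review bot: the only change in this hunk is the .TH date bump to "Mar 17, 2014", which is the right thing to do alongside a content edit to the page; the whitespace fix itself is further down in the file. While touching this page, the -F option header `\fB\fB\fR\fB-F\fR \fBnfs\fR\fR` carries an empty `\fB\fR` font-change pair, and the other option headers double up `\fB\fB ... \fR\fR`; collapsing these to a single `\fB-F\fR \fBnfs\fR` style would fit the same cleanup, since it is the same kind of harmless-but-sloppy troff as the space being removed.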
(199 lines elided)
216 216 .ne 2
217 217 .na
218 218 \fB\fBroot=\fR\fIaccess_list\fR\fR
219 219 .ad
220 220 .sp .6
221 221 .RS 4n
222 222 Only root users from the hosts specified in \fIaccess_list\fR have root access.
223 223 See \fIaccess_list\fR below. By default, no host has root access, so root users
224 224 are mapped to an anonymous user \fBID\fR (see the \fBanon=\fR\fIuid\fR option
225 225 described above). Netgroups can be used if the file system shared is using UNIX
226 -authentication ( \fBAUTH_SYS\fR).
226 +authentication (\fBAUTH_SYS\fR).
227 227 .RE
228 228
229 229 .sp
230 230 .ne 2
231 231 .na
232 232 \fB\fBroot_mapping=\fIuid\fR\fR\fR
233 233 .ad
234 234 .sp .6
235 235 .RS 4n
236 236 For a client that is allowed root access, map the root UID to the specified
237 237 user id.
238 238 .RE
239 239
240 240 .sp
241 241 .ne 2
242 242 .na
243 243 \fB\fBrw\fR\fR
244 244 .ad
245 245 .sp .6
246 246 .RS 4n
247 247 Sharing is read-write to all clients.
248 248 .RE
249 249
250 250 .sp
251 251 .ne 2
252 252 .na
253 253 \fB\fBrw=\fR\fIaccess_list\fR\fR
254 254 .ad
255 255 .sp .6
256 256 .RS 4n
257 257 Sharing is read-write to the clients listed in \fIaccess_list\fR; overrides the
258 258 \fBro\fR suboption for the clients specified. See \fIaccess_list\fR below.
259 259 .RE
260 260
261 261 .sp
262 262 .ne 2
263 263 .na
264 264 \fB\fBsec=\fR\fImode\fR[\fB:\fR\fImode\fR].\|.\|.\fR
265 265 .ad
266 266 .sp .6
267 267 .RS 4n
268 268 Sharing uses one or more of the specified security modes. The \fImode\fR in the
269 269 \fBsec=\fR\fImode\fR option must be a node name supported on the client. If the
270 270 \fBsec=\fR option is not specified, the default security mode used is
271 271 \fBAUTH_SYS.\fR Multiple \fBsec=\fR options can be specified on the command
272 272 line, although each mode can appear only once. The security modes are defined
273 273 in \fBnfssec\fR(5).
274 274 .sp
275 275 Each \fBsec=\fR option specifies modes that apply to any subsequent \fBwindow=,
276 276 rw, ro, rw=, ro=\fR and \fBroot=\fR options that are provided before another
277 277 \fBsec=\fRoption. Each additional \fBsec=\fR resets the security mode context,
278 278 so that more \fBwindow=,\fR \fBrw,\fR \fBro,\fR \fBrw=,\fR \fBro=\fR and
279 279 \fBroot=\fR options can be supplied for additional modes.
280 280 .RE
281 281
282 282 .sp
283 283 .ne 2
284 284 .na
285 285 \fB\fBsec=\fR\fInone\fR\fR
286 286 .ad
287 287 .sp .6
288 288 .RS 4n
289 289 If the option \fBsec=\fR\fInone\fR is specified when the client uses
290 290 \fBAUTH_NONE,\fR or if the client uses a security mode that is not one that the
291 291 file system is shared with, then the credential of each \fBNFS\fR request is
292 292 treated as unauthenticated. See the \fBanon=\fR\fIuid\fR option for a
293 293 description of how unauthenticated requests are handled.
294 294 .RE
295 295
296 296 .sp
297 297 .ne 2
298 298 .na
299 299 \fB\fBsecure\fR\fR
300 300 .ad
301 301 .sp .6
302 302 .RS 4n
303 303 This option has been deprecated in favor of the \fBsec=\fR\fIdh\fR option.
304 304 .RE
305 305
306 306 .sp
307 307 .ne 2
308 308 .na
309 309 \fB\fBwindow=\fR\fIvalue\fR\fR
310 310 .ad
311 311 .sp .6
312 312 .RS 4n
313 313 When sharing with \fBsec=\fR\fIdh\fR, set the maximum life time (in seconds) of
314 314 the \fBRPC\fR request's credential (in the authentication header) that the
315 315 \fBNFS\fR server allows. If a credential arrives with a life time larger than
316 316 what is allowed, the \fBNFS\fR server rejects the request. The default value is
317 317 30000 seconds (8.3 hours).
318 318 .RE
319 319
320 320 .RE
321 321
322 322 .SS "\fIaccess_list\fR"
323 323 .sp
324 324 .LP
325 325 The \fIaccess_list\fR argument is a colon-separated list whose components may
326 326 be any number of the following:
327 327 .sp
328 328 .ne 2
329 329 .na
330 330 \fBhostname\fR
331 331 .ad
332 332 .sp .6
333 333 .RS 4n
334 334 The name of a host. With a server configured for \fBDNS\fR or \fBLDAP\fR naming
335 335 in the \fBnsswitch\fR "hosts" entry, any hostname must be represented as a
336 336 fully qualified \fBDNS\fR or \fBLDAP\fR name.
337 337 .RE
338 338
339 339 .sp
340 340 .ne 2
341 341 .na
342 342 \fBnetgroup\fR
343 343 .ad
344 344 .sp .6
345 345 .RS 4n
346 346 A netgroup contains a number of hostnames. With a server configured for
347 347 \fBDNS\fR or \fBLDAP\fR naming in the \fBnsswitch\fR "hosts" entry, any
348 348 hostname in a netgroup must be represented as a fully qualified \fBDNS\fR or
349 349 \fBLDAP\fR name.
350 350 .RE
351 351
352 352 .sp
353 353 .ne 2
354 354 .na
355 355 \fBdomain name suffix\fR
356 356 .ad
357 357 .sp .6
358 358 .RS 4n
359 359 To use domain membership the server must use \fBDNS\fR or \fBLDAP\fR to resolve
360 360 hostnames to \fBIP\fR addresses; that is, the "hosts" entry in the
361 361 \fB/etc/nsswitch.conf\fR must specify "dns" or "ldap" ahead of "nis" or
362 362 "nisplus", since only \fBDNS\fR and \fBLDAP\fR return the full domain name of
363 363 the host. Other name services like \fBNIS\fR or \fBNIS+\fR cannot be used to
364 364 resolve hostnames on the server because when mapping an \fBIP\fR address to a
365 365 hostname they do not return domain information. For example,
366 366 .sp
367 367 .in +2
368 368 .nf
369 369 NIS or NIS+ 172.16.45.9 --> "myhost"
370 370 .fi
371 371 .in -2
372 372 .sp
373 373
374 374 and
375 375 .sp
376 376 .in +2
377 377 .nf
378 378 DNS or LDAP 172.16.45.9 -->
379 379 "myhost.mydomain.mycompany.com"
380 380 .fi
381 381 .in -2
382 382 .sp
383 383
384 384 The domain name suffix is distinguished from hostnames and netgroups by a
385 385 prefixed dot. For example,
386 386 .sp
387 387 \fBrw=.mydomain.mycompany.com\fR
388 388 .sp
389 389 A single dot can be used to match a hostname with no suffix. For example,
390 390 .sp
391 391 \fBrw=.\fR
392 392 .sp
393 393 matches "mydomain" but not "mydomain.mycompany.com". This feature can be used
394 394 to match hosts resolved through \fBNIS\fR and \fBNIS+\fR rather than \fBDNS\fR
395 395 and \fBLDAP\fR.
396 396 .RE
397 397
398 398 .sp
399 399 .ne 2
400 400 .na
401 401 \fBnetwork\fR
402 402 .ad
403 403 .sp .6
404 404 .RS 4n
405 405 The network or subnet component is preceded by an at-sign (\fB@\fR). It can be
406 406 either a name or a dotted address. If a name, it is converted to a dotted
407 407 address by \fBgetnetbyname\fR(3SOCKET). For example,
408 408 .sp
409 409 \fB=@mynet\fR
410 410 .sp
411 411 would be equivalent to:
412 412 .sp
413 413 \fB=@172.16\fR or \fB=@172.16.0.0\fR
414 414 .sp
415 415 The network prefix assumes an octet-aligned netmask determined from the zeroth
416 416 octet in the low-order part of the address up to and including the high-order
417 417 octet, if you want to specify a single IP address (see below). In the case
418 418 where network prefixes are not byte-aligned, the syntax allows a mask length to
419 419 be specified explicitly following a slash (\fB/\fR) delimiter. For example,
420 420 .sp
421 421 \fB=@theothernet/17\fR or \fB=@172.16.132/22\fR
422 422 .sp
423 423 \&...where the mask is the number of leftmost contiguous significant bits in
424 424 the corresponding IP address.
425 425 .sp
426 426 When specifying individual IP addresses, use the same \fB@\fR notation
427 427 described above, without a netmask specification. For example:
428 428 .sp
429 429 .in +2
430 430 .nf
431 431 =@172.16.132.14
432 432 .fi
433 433 .in -2
434 434 .sp
435 435
436 436 Multiple, individual IP addresses would be specified, for example, as:
437 437 .sp
438 438 .in +2
439 439 .nf
440 440 root=@172.16.132.20:@172.16.134.20
441 441 .fi
442 442 .in -2
443 443 .sp
444 444
445 445 .RE
446 446
447 447 .sp
448 448 .LP
449 449 A prefixed minus sign (\fB\(mi\fR) denies access to that component of
450 450 \fIaccess_list\fR. The list is searched sequentially until a match is found
451 451 that either grants or denies access, or until the end of the list is reached.
452 452 For example, if host "terra" is in the "engineering" netgroup, then
453 453 .sp
454 454 .in +2
455 455 .nf
456 456 rw=-terra:engineering
457 457 .fi
458 458 .in -2
459 459 .sp
460 460
461 461 .sp
462 462 .LP
463 463 denies access to \fBterra\fR but
464 464 .sp
465 465 .in +2
466 466 .nf
467 467 rw=engineering:-terra
468 468 .fi
469 469 .in -2
470 470 .sp
471 471
472 472 .sp
473 473 .LP
474 474 grants access to \fBterra\fR.
475 475 .SH OPERANDS
476 476 .sp
477 477 .LP
478 478 The following operands are supported:
479 479 .sp
480 480 .ne 2
481 481 .na
482 482 \fB\fIpathname\fR\fR
483 483 .ad
484 484 .sp .6
485 485 .RS 4n
486 486 The pathname of the file system to be shared.
487 487 .RE
488 488
489 489 .SH EXAMPLES
490 490 .LP
491 491 \fBExample 1 \fRSharing A File System With Logging Enabled
492 492 .sp
493 493 .LP
494 494 The following example shows the \fB/export\fR file system shared with logging
495 495 enabled:
496 496
497 497 .sp
498 498 .in +2
499 499 .nf
500 500 example% \fBshare -o log /export\fR
501 501 .fi
502 502 .in -2
503 503 .sp
504 504
505 505 .sp
506 506 .LP
507 507 The default global logging parameters are used since no tag identifier is
508 508 specified. The location of the log file, as well as the necessary logging work
509 509 files, is specified by the global entry in \fB/etc/nfs/nfslog.conf\fR. The
510 510 \fBnfslogd\fR(1M) daemon runs only if at least one file system entry in
511 511 \fB/etc/dfs/dfstab\fR is shared with logging enabled upon starting or rebooting
512 512 the system. Simply sharing a file system with logging enabled from the command
513 513 line does not start the \fBnfslogd\fR(1M).
514 514
515 515 .SH EXIT STATUS
516 516 .sp
517 517 .LP
518 518 The following exit values are returned:
519 519 .sp
520 520 .ne 2
521 521 .na
522 522 \fB\fB0\fR\fR
523 523 .ad
524 524 .sp .6
525 525 .RS 4n
526 526 Successful completion.
527 527 .RE
528 528
529 529 .sp
530 530 .ne 2
531 531 .na
532 532 \fB\fB>0\fR\fR
533 533 .ad
534 534 .sp .6
535 535 .RS 4n
536 536 An error occurred.
537 537 .RE
538 538
539 539 .SH FILES
540 540 .sp
541 541 .ne 2
542 542 .na
543 543 \fB\fB/etc/dfs/fstypes\fR\fR
544 544 .ad
545 545 .sp .6
546 546 .RS 4n
547 547 list of system types, \fBNFS\fR by default
548 548 .RE
549 549
550 550 .sp
551 551 .ne 2
552 552 .na
553 553 \fB\fB/etc/dfs/sharetab\fR\fR
554 554 .ad
555 555 .sp .6
556 556 .RS 4n
557 557 system record of shared file systems
558 558 .RE
559 559
560 560 .sp
561 561 .ne 2
562 562 .na
563 563 \fB\fB/etc/nfs/nfslogtab\fR\fR
564 564 .ad
565 565 .sp .6
566 566 .RS 4n
567 567 system record of logged file systems
568 568 .RE
569 569
570 570 .sp
571 571 .ne 2
572 572 .na
573 573 \fB\fB/etc/nfs/nfslog.conf\fR\fR
574 574 .ad
575 575 .sp .6
576 576 .RS 4n
577 577 logging configuration file
578 578 .RE
579 579
580 580 .SH SEE ALSO
581 581 .sp
582 582 .LP
583 583 \fBmount\fR(1M), \fBmountd\fR(1M), \fBnfsd\fR(1M), \fBnfslogd\fR(1M),
584 584 \fBshare\fR(1M), \fBunshare\fR(1M), \fBgetnetbyname\fR(3SOCKET),
585 585 \fBnfslog.conf\fR(4), \fBnetgroup\fR(4), \fBattributes\fR(5), \fBnfssec\fR(5)
586 586 .SH NOTES
587 587 .sp
588 588 .LP
589 589 If the \fBsec=\fR option is presented at least once, all uses of the
590 590 \fBwindow=,\fR \fBrw,\fR \fBro,\fR \fBrw=,\fR \fBro=\fR and \fBroot=\fR options
591 591 must come \fBafter\fR the first \fBsec=\fR option. If the \fBsec=\fR option is
592 592 not presented, then \fBsec=\fR\fIsys\fR is implied.
593 593 .sp
594 594 .LP
595 595 If one or more explicit \fBsec=\fR options are presented, \fIsys\fR must appear
596 596 in one of the options mode lists for accessing using the \fBAUTH_SYS\fR
597 597 security mode to be allowed. For example:
598 598 .sp
599 599 .in +2
600 600 .nf
601 601 \fBshare\fR \fB-F\fR \fBnfs /var\fR
602 602 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=sys /var\fR
603 603 .fi
604 604 .in -2
605 605 .sp
606 606
607 607 .sp
608 608 .LP
609 609 grants read-write access to any host using \fBAUTH_SYS,\fR but
610 610 .sp
611 611 .in +2
612 612 .nf
613 613 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=dh /var\fR
614 614 .fi
615 615 .in -2
616 616 .sp
617 617
618 618 .sp
619 619 .LP
620 620 grants no access to clients that use \fBAUTH_SYS.\fR
621 621 .sp
622 622 .LP
623 623 Unlike previous implementations of \fBshare_nfs\fR, access checking for the
624 624 \fBwindow=, rw, ro, rw=,\fR and \fBro=\fR options is done per \fBNFS\fR
625 625 request, instead of per mount request.
626 626 .sp
627 627 .LP
628 628 Combining multiple security modes can be a security hole in situations where
629 629 the \fBro=\fR and \fBrw=\fR options are used to control access to weaker
630 630 security modes. In this example,
631 631 .sp
632 632 .in +2
633 633 .nf
634 634 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=dh,rw,sec=sys,rw=hosta /var\fR
635 635 .fi
636 636 .in -2
637 637 .sp
638 638
639 639 .sp
640 640 .LP
641 641 an intruder can forge the IP address for \fBhosta\fR (albeit on each \fBNFS\fR
642 642 request) to side-step the stronger controls of \fBAUTH_DES.\fR Something like:
643 643 .sp
644 644 .in +2
645 645 .nf
646 646 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=dh,rw,sec=sys,ro /var\fR
647 647 .fi
648 648 .in -2
649 649 .sp
650 650
651 651 .sp
652 652 .LP
653 653 is safer, because any client (intruder or legitimate) that avoids
654 654 \fBAUTH_DES\fR only gets read-only access. In general, multiple security modes
655 655 per \fBshare\fR command should only be used in situations where the clients
656 656 using more secure modes get stronger access than clients using less secure
657 657 modes.
658 658 .sp
659 659 .LP
660 660 If \fBrw=,\fR and \fBro=\fR options are specified in the same \fBsec=\fR
661 661 clause, and a client is in both lists, the order of the two options determines
662 662 the access the client gets. If client \fBhosta\fR is in two netgroups -
663 663 \fBgroup1\fR and \fBgroup2\fR - in this example, the client would get read-only
664 664 access:
665 665 .sp
666 666 .in +2
667 667 .nf
668 668 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=group1,rw=group2 /var\fR
669 669 .fi
670 670 .in -2
671 671 .sp
672 672
673 673 .sp
674 674 .LP
675 675 In this example \fBhosta\fR would get read-write access:
676 676 .sp
677 677 .in +2
678 678 .nf
679 679 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBrw=group2,ro=group1 /var\fR
680 680 .fi
681 681 .in -2
682 682 .sp
683 683
684 684 .sp
685 685 .LP
686 686 If within a \fBsec=\fR clause, both the \fBro\fR and \fBrw=\fR options are
687 687 specified, for compatibility, the order of the options rule is not enforced.
688 688 All hosts would get read-only access, with the exception to those in the
689 689 read-write list. Likewise, if the \fBro=\fR and \fBrw\fR options are specified,
690 690 all hosts get read-write access with the exceptions of those in the read-only
691 691 list.
692 692 .sp
693 693 .LP
694 694 The \fBro=\fR and \fBrw=\fR options are guaranteed to work over \fBUDP\fR and
695 695 \fBTCP\fR but may not work over other transport providers.
696 696 .sp
697 697 .LP
698 698 The \fBroot=\fR option with \fBAUTH_SYS\fR is guaranteed to work over \fBUDP\fR
699 699 and \fBTCP\fR but may not work over other transport providers.
700 700 .sp
701 701 .LP
702 702 The \fBroot=\fR option with \fBAUTH_DES\fR is guaranteed to work over any
703 703 transport provider.
704 704 .sp
705 705 .LP
706 706 There are no interactions between the \fBroot=\fR option and the \fBrw, ro,
707 707 rw=,\fR and \fBro=\fR options. Putting a host in the \fBroot\fR list does not
708 708 override the semantics of the other options. The access the host gets is the
709 709 same as when the \fBroot=\fR options is absent. For example, the following
710 710 \fBshare\fR command denies access to \fBhostb:\fR
711 711 .sp
712 712 .in +2
713 713 .nf
714 714 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=hosta,root=hostb /var\fR
715 715 .fi
716 716 .in -2
717 717 .sp
718 718
719 719 .sp
720 720 .LP
721 721 The following gives read-only permissions to \fBhostb:\fR
722 722 .sp
723 723 .in +2
724 724 .nf
725 725 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=hostb,root=hostb /var\fR
726 726 .fi
727 727 .in -2
728 728 .sp
729 729
730 730 .sp
731 731 .LP
732 732 The following gives read-write permissions to \fBhostb:\fR
733 733 .sp
734 734 .in +2
735 735 .nf
736 736 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=hosta,rw=hostb,root=hostb /var\fR
737 737 .fi
738 738 .in -2
739 739 .sp
740 740
741 741 .sp
742 742 .LP
743 743 If the file system being shared is a symbolic link to a valid pathname, the
744 744 canonical path (the path which the symbolic link follows) are shared. For
745 745 example, if \fB/export/foo\fR is a symbolic link to \fB/export/bar\fR
746 746 (\fB/export/foo -> /export/bar\fR), the following \fBshare\fR command results
747 747 in \fB/export/bar\fR as the shared pathname (and not \fB/export/foo\fR).
748 748 .sp
749 749 .in +2
750 750 .nf
751 751 \fBexample# share\fR \fB-F\fR \fBnfs /export/foo\fR
752 752 .fi
753 753 .in -2
754 754 .sp
755 755
756 756 .sp
757 757 .LP
758 758 An \fBNFS\fR mount of \fBserver:/export/foo\fR results in
759 759 \fBserver:/export/bar\fR really being mounted.
760 760 .sp
761 761 .LP
762 762 This line in the \fB/etc/dfs/dfstab\fR file shares the \fB/disk\fR file system
763 763 read-only at boot time:
764 764 .sp
765 765 .in +2
766 766 .nf
767 767 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro /disk\fR
768 768 .fi
769 769 .in -2
770 770 .sp
771 771
772 772 .sp
773 773 .LP
774 774 The same command entered from the command line does not share the \fB/disk\fR
775 775 file system unless there is at least one file system entry in the
776 776 \fB/etc/dfs/dfstab\fR file. The \fBmountd\fR(1M) and \fBnfsd\fR(1M) daemons
777 777 only run if there is a file system entry in \fB/etc/dfs/dfstab\fR when starting
778 778 or rebooting the system.
779 779 .sp
780 780 .LP
781 781 The \fBmountd\fR(1M) process allows the processing of a path name the contains
782 782 a symbolic link. This allows the processing of paths that are not themselves
783 783 explicitly shared with \fBshare_nfs\fR. For example, \fB/export/foo\fR might be
784 784 a symbolic link that refers to \fB/export/bar\fR which has been specifically
785 785 shared. When the client mounts \fB/export/foo\fR the \fBmountd\fR processing
786 786 follows the symbolic link and responds with the \fB/export/bar\fR. The NFS
787 787 Version 4 protocol does not use the \fBmountd\fR processing and the client's
788 788 use of \fB/export/foo\fR does not work as it does with NFS Version 2 and
789 789 Version 3 and the client receives an error when attempting to mount
790 790 \fB/export/foo\fR.
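Review bot: the fix at `+authentication (\fBAUTH_SYS\fR).` is correct; the stray space after the opening parenthesis rendered as "( AUTH_SYS)". Two nearby spots in this region are the same class of spacing slip and could go into this change: `\fBsec=\fRoption` in the sec= description is missing the space before "option", and "the same as when the \fBroot=\fR options is absent" should read "option is absent". Also visible here, though outside the bug's scope: "the canonical path (the path which the symbolic link follows) are shared" should be "is shared", and "a path name the contains a symbolic link" should be "that contains".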
(554 lines elided)