.\"
.\" CDDL HEADER START
.\"
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\"
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\"
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.\"
.\" CDDL HEADER END
.\"
.\"
.\" Copyright (C) 2008, Sun Microsystems, Inc. All Rights Reserved
.\" Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
.\"
.Dd November 10, 2014
.Dt SHARE_NFS 1M
.Os
.Sh NAME
.Nm share_nfs
.Nd make local NFS file systems available for mounting by remote systems
.Sh SYNOPSIS
.Nm share
.Op Fl d Ar description
.Op Fl F Sy nfs
.Op Fl o Ar specific_options
.Ar pathname
.Sh DESCRIPTION
The
.Nm share
utility makes local file systems available for mounting by remote systems. It
starts the
.Xr nfsd 1M
and
.Xr mountd 1M
daemons if they are not already running.
.Pp
If no argument is specified, then
.Nm share
displays all file systems currently shared, including NFS file systems and file
systems shared through other distributed file system packages.
.Sh OPTIONS
The following options are supported:
.Bl -tag -width "indented"
.It Fl d Ar description
Provide a comment that describes the file system to be shared.
.It Fl F Sy nfs
Share NFS file system type.
.It Fl o Ar specific_options
Specify
.Ar specific_options
in a comma-separated list of keywords and attribute-value-assertions for
interpretation by the file-system-type-specific command. If
.Ar specific_options
is not specified, then by default sharing is read-write to all clients.
.Ar specific_options
can be any combination of the following:
.Bl -tag -width "indented"
.It Sy aclok
Allows the NFS server to do access control for NFS Version 2 clients (running
SunOS 2.4 or earlier). When
.Sy aclok
is set on the server, maximal access is given to all clients. For example, with
.Sy aclok
set, if anyone has read permissions, then everyone does. If
.Sy aclok
is not set, minimal access is given to all clients.
.It Sy anon Ns = Ns Ar uid
Set
.Ar uid
to be the effective user ID of unknown users. By default, unknown users are
given the effective user ID UID_NOBODY. If
.Ar uid
is set to -1, access is denied.
.It Ar charset Ns = Ns Ar access_list
Where
.Ar charset
is one of: euc-cn, euc-jp, euc-jpms, euc-kr, euc-tw, iso8859-1, iso8859-2,
iso8859-5, iso8859-6, iso8859-7, iso8859-8, iso8859-9, iso8859-13, iso8859-15,
koi8-r.
.Pp
Clients that match the
.Ar access_list
for one of these properties will be assumed to be using that character set and
file and path names will be converted to UTF-8 for the server.
.It Sy gidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
Where
.Ar mapping
is:
.Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
.Pp
Allows remapping the group ID (gid) in the incoming request to some other gid.
This effectively changes the identity of the user in the request to that of
some other local user.
.Pp
For clients where the gid in the incoming request is
.Ar clnt
and the client matches the
.Ar access_list Ns
, change the group ID to
.Ar srv Ns .  If
.Ar clnt
is asterisk (*), all groups are mapped by this rule.  If
.Ar clnt
is omitted, all unknown groups are mapped by this rule.  If
.Ar srv
is set to -1, access is denied.  If
.Ar srv
is omitted, the gid is mapped to UID_NOBODY.
.Pp
The particular
.Ar mapping Ns s
are separated in the
.Sy gidmap Ns =
option by tilde (~) and are evaluated in the specified order until a match is
found.  Both
.Sy root Ns =
and
.Sy root_mapping Ns =
options (if specified) are evaluated before the
.Sy gidmap Ns =
option.  The
.Sy gidmap Ns =
option is skipped in the case where the client matches the
.Sy root Ns =
option.
.Pp
The
.Sy gidmap Ns =
option is evaluated before the
.Sy anon Ns =
option.
.Pp
This option is supported only for AUTH_SYS.
.It Sy index Ns = Ns Ar file
Load
.Ar file
rather than a listing of the directory containing this file when the
directory is referenced by an NFS URL.
.It Sy log Ns Oo = Ns Ar tag Oc
Enables NFS server logging for the specified file system. The optional
.Ar tag
determines the location of the related log files. The
.Ar tag
is defined in
.Pa /etc/nfs/nfslog.conf .
If no
.Ar tag
is specified, the default values associated with the global tag in
.Pa /etc/nfs/nfslog.conf
are used. Support of NFS server logging is only available for NFS Version 2 and
Version 3 requests.
.It Sy none Ns = Ns Ar access_list
Access is not allowed to any client that matches the access list. The exception
is when the access list is an asterisk (*), in which case
.Sy ro
or
.Sy rw
can override
.Sy none .
.It Sy nosub
Prevents clients from mounting subdirectories of shared directories. For
example, if
.Pa /export
is shared with the
.Sy nosub
option on server
.Qq fooey
then an NFS client cannot do:
.Bd -literal -offset indent
mount -F nfs fooey:/export/home/mnt
.Ed
.Pp
NFS Version 4 does not use the MOUNT protocol. The
.Sy nosub
option only applies to NFS Version 2 and Version 3 requests.
.It Sy nosuid
By default, clients are allowed to create files on the shared file system with
the setuid or setgid mode enabled. Specifying
.Sy nosuid
causes the server file system to silently ignore any attempt to enable the
setuid or setgid mode bits.
.It Sy public
Moves the location of the public file handle from root
.Pa ( / )
to the exported directory for WebNFS-enabled browsers and clients. This option
does not enable WebNFS service; WebNFS is always on. Only one file system per
server may use this option. Any other option, including the
.Sy ro Ns = Ns Ar list
and
.Sy rw Ns = Ns Ar list
options can be included with the
.Sy public
option.
.It Sy ro
Sharing is read-only to all clients.
.It Sy ro Ns = Ns Ar access_list
Sharing is read-only to the clients listed in
.Ar access_list ;
overrides the
.Sy rw
suboption for the clients specified. See
.Sx access_list
below.
.It Sy root Ns = Ns Ar access_list
Only root users from the hosts specified in
.Ar access_list
have root access. See
.Sx access_list
below. By default, no host has root access, so root users are mapped to an
anonymous user ID (see the
.Sy anon Ns = Ns Ar uid
option described above). Netgroups can be used if the file system shared is
using UNIX authentication (AUTH_SYS).
.It Sy root_mapping Ns = Ns Ar uid
For a client that is allowed root access, map the root UID to the specified
user id.
.It Sy rw
Sharing is read-write to all clients.
.It Sy rw Ns = Ns Ar access_list
Sharing is read-write to the clients listed in
.Ar access_list ;
overrides the
.Sy ro
suboption for the clients specified. See
.Sx access_list
below.
.It Sy sec Ns = Ns Ar mode Ns Oo : Ns Ar mode Oc Ns ...
Sharing uses one or more of the specified security modes. The
.Ar mode
in the
.Sy sec Ns = Ns Ar mode
option must be a mode name supported on the client. If the
.Sy sec Ns =
option is not specified, the default security mode used is AUTH_SYS. Multiple
.Sy sec Ns =
options can be specified on the command line, although each mode can appear
only once. The security modes are defined in
.Xr nfssec 5 .
.Pp
Each
.Sy sec Ns =
option specifies modes that apply to any subsequent
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
.Sy ro Ns = ,
and
.Sy root Ns =
options that are provided before another
.Sy sec Ns =
option.
Each additional
.Sy sec Ns =
resets the security mode context, so that more
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
.Sy ro Ns = ,
and
.Sy root Ns =
options can be supplied for additional modes.
.It Sy sec Ns = Ns Sy none
If the option
.Sy sec Ns = Ns Sy none
is specified when the client uses AUTH_NONE, or if the client uses a security
mode that is not one that the file system is shared with, then the credential
of each NFS request is treated as unauthenticated. See the
.Sy anon Ns = Ns Ar uid
option for a description of how unauthenticated requests are handled.
.It Sy secure
This option has been deprecated in favor of the
.Sy sec Ns = Ns Sy dh
option.
.It Sy uidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
Where
.Ar mapping
is:
.Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
.Pp
Allows remapping the user ID (uid) in the incoming request to some other uid.
This effectively changes the identity of the user in the request to that of
some other local user.
.Pp
For clients where the uid in the incoming request is
.Ar clnt
and the client matches the
.Ar access_list Ns
, change the user ID to
.Ar srv Ns .  If
.Ar clnt
is asterisk (*), all users are mapped by this rule.  If
.Ar clnt
is omitted, all unknown users are mapped by this rule.  If
.Ar srv
is set to -1, access is denied.  If
.Ar srv
is omitted, the uid is mapped to UID_NOBODY.
.Pp
The particular
.Ar mapping Ns s
are separated in the
.Sy uidmap Ns =
option by tilde (~) and are evaluated in the specified order until a match is
found.  Both
.Sy root Ns =
and
.Sy root_mapping Ns =
options (if specified) are evaluated before the
.Sy uidmap Ns =
option.  The
.Sy uidmap Ns =
option is skipped in the case where the client matches the
.Sy root Ns =
option.
.Pp
The
.Sy uidmap Ns =
option is evaluated before the
.Sy anon Ns =
option.
.Pp
This option is supported only for AUTH_SYS.
.It Sy window Ns = Ns Ar value
When sharing with
.Sy sec Ns = Ns Sy dh ,
set the maximum life time (in seconds) of the RPC request's credential (in the
authentication header) that the NFS server allows. If a credential arrives with
a life time larger than what is allowed, the NFS server rejects the request. The
default value is 30000 seconds (8.3 hours).
.El
.El
.Ss access_list
The
.Ar access_list
argument is a colon-separated list whose components may be any number of the
following:
.Bl -tag -width "indented"
.It Sy hostname
The name of a host. With a server configured for DNS or LDAP naming in the
nsswitch
.Sy hosts
entry, any hostname must be represented as a fully qualified DNS or LDAP name.
.It Sy netgroup
A netgroup contains a number of hostnames. With a server configured for DNS or
LDAP naming in the nsswitch
.Sy hosts
entry, any hostname in a netgroup must be represented as a fully qualified DNS
or LDAP name.
.It Sy domain name suffix
To use domain membership the server must use DNS or LDAP to resolve hostnames to
IP addresses; that is, the
.Sy hosts
entry in the
.Pa /etc/nsswitch.conf
must specify
.Sy dns
or
.Sy ldap
ahead of
.Sy nis
or
.Sy nisplus ,
since only DNS and LDAP return the full domain name of the host. Other name
services like NIS or NIS+ cannot be used to resolve hostnames on the server
because when mapping an IP address to a hostname they do not return domain
information. For example,
.Bd -literal -offset indent
NIS or NIS+   172.16.45.9 --> "myhost"
.Ed
.Pp
and
.Bd -literal -offset indent
DNS or LDAP   172.16.45.9 --> "myhost.mydomain.mycompany.com"
.Ed
.Pp
The domain name suffix is distinguished from hostnames and netgroups by a
prefixed dot. For example,
.Bd -literal -offset indent
rw=.mydomain.mycompany.com
.Ed
.Pp
A single dot can be used to match a hostname with no suffix. For example,
.Bd -literal -offset indent
rw=.
.Ed
.Pp
matches
.Qq mydomain
but not
.Qq mydomain.mycompany.com .
This feature can be used to match hosts resolved through NIS and NIS+ rather
than DNS and LDAP.
.It Sy network
The network or subnet component is preceded by an at-sign (@). It can be either
a name or a dotted address. If a name, it is converted to a dotted address by
.Xr getnetbyname 3SOCKET .
For example,
.Bd -literal -offset indent
=@mynet
.Ed
.Pp
would be equivalent to:
.Bd -literal -offset indent
=@172.16 or =@172.16.0.0
.Ed
.Pp
The network prefix assumes an octet-aligned netmask determined from the zeroth
octet in the low-order part of the address up to and including the high-order
octet, if you want to specify a single IP address (see below). In the case
where network prefixes are not byte-aligned, the syntax allows a mask length to
be specified explicitly following a slash (/) delimiter. For example,
.Bd -literal -offset indent
=@theothernet/17 or =@172.16.132/22
.Ed
.Pp
where the mask is the number of leftmost contiguous significant bits in the
corresponding IP address.
.Pp
When specifying individual IP addresses, use the same @ notation described
above, without a netmask specification. For example:
.Bd -literal -offset indent
=@172.16.132.14
.Ed
.Pp
Multiple, individual IP addresses would be specified, for example, as:
.Bd -literal -offset indent
root=@172.16.132.20:@172.16.134.20
.Ed
.El
.Pp
A prefixed minus sign (-) denies access to that component of
.Ar access_list .
The list is searched sequentially until a match is found that either grants or
denies access, or until the end of the list is reached. For example, if host
.Qq terra
is in the
.Qq engineering
netgroup, then
.Bd -literal -offset indent
rw=-terra:engineering
.Ed
.Pp
denies access to
.Qq terra
but
.Bd -literal -offset indent
rw=engineering:-terra
.Ed
.Pp
grants access to
.Qq terra .
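.Pp
The matching rules of this section, written out as a Python sketch for checking how a given list treats a given client. This is an added example, not code from share_nfs or mountd: the function names are hypothetical, the NETGROUPS and NETWORKS tables are constructed stand-ins for netgroup(4) and getnetbyname(3SOCKET), and only IPv4 addresses are handled.
.Bd -literal
```python
import ipaddress

# Constructed stand-ins for netgroup(4) and getnetbyname(3SOCKET) lookups.
NETGROUPS = {"engineering": {"terra", "luna"}}
NETWORKS = {"mynet": "172.16"}


def parse_network(spec, networks=NETWORKS):
    """Turn the text that follows '@' into an IPv4 network."""
    addr, _, masklen = spec.partition("/")
    addr = networks.get(addr, addr)            # network name -> dotted address
    octets = [int(o) for o in addr.split(".")]
    octets += [0] * (4 - len(octets))          # "172.16" -> 172.16.0.0
    if masklen:
        bits = int(masklen)                    # explicit mask length after '/'
    else:
        bits = 32                              # octet-aligned: trailing zero
        for octet in reversed(octets):         # octets are the host part
            if octet:
                break
            bits -= 8
    dotted = ".".join(str(o) for o in octets)
    return ipaddress.ip_network(f"{dotted}/{bits}", strict=False)


def component_matches(comp, host, ip, netgroups=NETGROUPS, networks=NETWORKS):
    """Check one access_list component against a client's name and address."""
    if comp.startswith("@"):
        return ipaddress.ip_address(ip) in parse_network(comp[1:], networks)
    if comp == ".":
        return "." not in host                 # name with no domain suffix
    if comp.startswith("."):
        return host.endswith(comp)             # domain name suffix
    return host == comp or host in netgroups.get(comp, ())


def check_access(access_list, host, ip, netgroups=NETGROUPS, networks=NETWORKS):
    """Return True (granted), False (denied by '-') or None (no match)."""
    for comp in access_list.split(":"):
        deny = comp.startswith("-")
        name = comp[1:] if deny else comp
        if component_matches(name, host, ip, netgroups, networks):
            return not deny                    # first match ends the search
    return None


if __name__ == "__main__":
    for acl in ("-terra:engineering", "engineering:-terra", "@172.16.132/22"):
        print(acl, check_access(acl, "terra", "172.16.133.7"))
```
.Ed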
.Sh OPERANDS
The following operands are supported:
.Bl -tag -width "pathname"
.It Sy pathname
The pathname of the file system to be shared.
.El
.Sh FILES
.Bl -tag -width "/etc/nfs/nfslog.conf"
.It Pa /etc/dfs/fstypes
list of system types, NFS by default
.It Pa /etc/dfs/sharetab
system record of shared file systems
.It Pa /etc/nfs/nfslogtab
system record of logged file systems
.It Pa /etc/nfs/nfslog.conf
logging configuration file
.El
.Sh EXIT STATUS
.Ex -std
.Sh EXAMPLES
.Ss Example 1 Sharing A File System With Logging Enabled
The following example shows the
.Pa /export
file system shared with logging enabled:
.Bd -literal -offset indent
share -o log /export
.Ed
.Pp
The default global logging parameters are used since no tag identifier is
specified. The location of the log file, as well as the necessary logging work
files, is specified by the global entry in
.Pa /etc/nfs/nfslog.conf .
The
.Xr nfslogd 1M
daemon runs only if at least one file system entry in
.Pa /etc/dfs/dfstab
is shared with logging enabled upon starting or rebooting the system. Simply
sharing a file system with logging enabled from the command line does not start
the
.Xr nfslogd 1M .
.Ss Example 2 Remap A User Coming From A Particular NFS Client
The following example remaps the user with uid
.Sy 100
at client
.Sy 10.0.0.1
to user
.Sy joe Ns :
.Bd -literal -offset indent
share -o uidmap=100:joe:@10.0.0.1 /export
.Ed
.Sh SEE ALSO
.Xr mount 1M ,
.Xr mountd 1M ,
.Xr nfsd 1M ,
.Xr nfslogd 1M ,
.Xr share 1M ,
.Xr unshare 1M ,
.Xr getnetbyname 3SOCKET ,
.Xr netgroup 4 ,
.Xr nfslog.conf 4 ,
.Xr attributes 5 ,
.Xr nfssec 5
.Sh NOTES
If the
.Sy sec Ns =
option is presented at least once, all uses of the
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
.Sy ro Ns = ,
and
.Sy root Ns =
options must come after the first
.Sy sec Ns =
option. If the
.Sy sec Ns =
option is not presented, then
.Sy sec Ns = Ns Sy sys
is implied.
.Pp
If one or more explicit
.Sy sec Ns =
options are presented,
.Sy sys
must appear in one of the options' mode lists for access using the AUTH_SYS
security mode to be allowed. For example:
.Bd -literal -offset indent
share -F nfs /var
share -F nfs -o sec=sys /var
.Ed
.Pp
grants read-write access to any host using AUTH_SYS, but
.Bd -literal -offset indent
share -F nfs -o sec=dh /var
.Ed
.Pp
grants no access to clients that use AUTH_SYS.
.Pp
Unlike previous implementations of
.Nm ,
access checking for the
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
and
.Sy ro Ns =
options is done per NFS request, instead of per mount request.
.Pp
Combining multiple security modes can be a security hole in situations where
the
.Sy ro Ns =
and
.Sy rw Ns =
options are used to control access to weaker security modes. In this example,
.Bd -literal -offset indent
share -F nfs -o sec=dh,rw,sec=sys,rw=hosta /var
.Ed
.Pp
an intruder can forge the IP address for
.Qq hosta
(albeit on each NFS request) to side-step the stronger controls of AUTH_DES.
Something like:
.Bd -literal -offset indent
share -F nfs -o sec=dh,rw,sec=sys,ro /var
.Ed
.Pp
is safer, because any client (intruder or legitimate) that avoids AUTH_DES only
gets read-only access. In general, multiple security modes per share command
should only be used in situations where the clients using more secure modes get
stronger access than clients using less secure modes.
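.Pp
The rule above can be checked mechanically over the option strings in a dfstab. The following Python sketch is an added example, not part of share_nfs; the function names are hypothetical, and it assumes the strength ranking none, sys, dh for the modes named on this page and that a clause with no ro or rw option keeps the read-write default.
.Bd -literal
```python
# Assumed strength ranking of the modes this page names (weakest first).
STRENGTH = {"none": 0, "sys": 1, "dh": 2}
LEVEL = {"ro": 1, "rw": 2}
ORDERED = {"window", "rw", "ro", "root"}      # must follow the first sec=


def access_by_mode(options):
    """Map each security mode in an -o option string to 'ro' or 'rw'."""
    clauses = [(["sys"], [])]                 # sec=sys is implied until sec= appears
    explicit = False
    for opt in options.split(","):
        key, _, value = opt.partition("=")
        if key != "sec":
            clauses[-1][1].append(key)        # option belongs to the current clause
            continue
        if not explicit:
            if ORDERED & set(clauses[0][1]):
                raise ValueError("rw/ro/root/window must come after the first sec=")
            clauses, explicit = [], True
        clauses.append((value.split(":"), []))
    access = {}
    for modes, keys in clauses:
        # rw=list counts as write access: the list is enforced by client
        # address only. Assumption: no ro/rw option means the rw default.
        level = "ro" if "ro" in keys and "rw" not in keys else "rw"
        for mode in modes:
            if mode not in STRENGTH:
                raise ValueError(f"mode not ranked here: {mode}")
            if mode in access:
                raise ValueError(f"mode listed twice: {mode}")
            access[mode] = level
    return access


def weak_mode_findings(options):
    """List weaker modes whose access is at least that of a stronger mode."""
    access = access_by_mode(options)
    ranked = sorted(access, key=STRENGTH.get)
    findings = []
    for i, weak in enumerate(ranked):
        for strong in ranked[i + 1:]:
            if LEVEL[access[weak]] >= LEVEL[access[strong]]:
                findings.append((weak, access[weak], strong, access[strong]))
    return findings


if __name__ == "__main__":
    for opts in ("sec=dh,rw,sec=sys,rw=hosta", "sec=dh,rw,sec=sys,ro"):
        print(opts, weak_mode_findings(opts))
```
.Ed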
.Pp
If
.Sy rw Ns =
and
.Sy ro Ns =
options are specified in the same
.Sy sec Ns =
clause, and a client is in both lists, the order of the two options determines
the access the client gets. If client
.Qq hosta
is in two netgroups,
.Qq group1
and
.Qq group2 ,
in this example, the client would get read-only access:
.Bd -literal -offset indent
share -F nfs -o ro=group1,rw=group2 /var
.Ed
.Pp
In this example
.Qq hosta
would get read-write access:
.Bd -literal -offset indent
share -F nfs -o rw=group2,ro=group1 /var
.Ed
.Pp
If within a
.Sy sec Ns =
clause, both the
.Sy ro
and
.Sy rw Ns =
options are specified, for compatibility, the order of the options rule is not
enforced. All hosts would get read-only access, with the exception of those in
the read-write list. Likewise, if the
.Sy ro Ns =
and
.Sy rw
options are specified, all hosts get read-write access with the exception of
those in the read-only list.
.Pp
The
.Sy ro Ns =
and
.Sy rw Ns =
options are guaranteed to work over UDP and TCP but may not work over other
transport providers.
.Pp
The
.Sy root Ns =
option with AUTH_SYS is guaranteed to work over UDP and TCP but may not work
over other transport providers.
.Pp
The
.Sy root Ns =
option with AUTH_DES is guaranteed to work over any transport provider.
.Pp
There are no interactions between the
.Sy root Ns =
option and the
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
and
.Sy ro Ns =
options. Putting a host in the root list does not override the semantics of the
other options. The access the host gets is the same as when the
.Sy root Ns =
option is absent. For example, the following share command denies access to
.Qq hostb :
.Bd -literal -offset indent
share -F nfs -o ro=hosta,root=hostb /var
.Ed
.Pp
The following gives read-only permissions to
.Qq hostb :
.Bd -literal -offset indent
share -F nfs -o ro=hostb,root=hostb /var
.Ed
.Pp
The following gives read-write permissions to
.Qq hostb :
.Bd -literal -offset indent
share -F nfs -o ro=hosta,rw=hostb,root=hostb /var
.Ed
.Pp
If the file system being shared is a symbolic link to a valid pathname, the
canonical path (the path which the symbolic link follows) is shared. For
example, if
.Pa /export/foo
is a symbolic link to
.Pa /export/bar ,
the following share command results in
.Pa /export/bar
as the shared pathname (and not
.Pa /export/foo ) :
.Bd -literal -offset indent
share -F nfs /export/foo
.Ed
.Pp
An NFS mount of
.Lk server:/export/foo
results in
.Lk server:/export/bar
really being mounted.
.Pp
This line in the
.Pa /etc/dfs/dfstab
file shares the
.Pa /disk
file system read-only at boot time:
.Bd -literal -offset indent
share -F nfs -o ro /disk
.Ed
.Pp
The same command entered from the command line does not share the
.Pa /disk
file system unless there is at least one file system entry in the
.Pa /etc/dfs/dfstab
file. The
.Xr mountd 1M
and
.Xr nfsd 1M
daemons only run if there is a file system entry in
.Pa /etc/dfs/dfstab
when starting or rebooting the system.
.Pp
The
.Xr mountd 1M
process allows the processing of a path name that contains a symbolic link.
This allows the processing of paths that are not themselves explicitly shared
with
.Nm .
For example,
.Pa /export/foo
might be a symbolic link that refers to
.Pa /export/bar
which has been specifically shared. When the client mounts
.Pa /export/foo
the mountd processing follows the symbolic link and responds with
.Pa /export/bar .
The NFS Version 4 protocol does not use the mountd processing, so the client's
use of
.Pa /export/foo
does not work as it does with NFS Version 2 and Version 3; the client
receives an error when attempting to mount
.Pa /export/foo .