nits pt 2
Fix nits
Updated wording
5032 share_nfs(1m): Documentation for "noaclfab" is needed
--- old/usr/src/man/man1m/share_nfs.1m
+++ new/usr/src/man/man1m/share_nfs.1m
1 1 .\"
2 2 .\" CDDL HEADER START
3 3 .\"
4 4 .\" The contents of this file are subject to the terms of the
5 5 .\" Common Development and Distribution License (the "License").
6 6 .\" You may not use this file except in compliance with the License.
7 7 .\"
8 8 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 .\" or http://www.opensolaris.org/os/licensing.
10 10 .\" See the License for the specific language governing permissions
11 11 .\" and limitations under the License.
12 12 .\"
13 13 .\" When distributing Covered Code, include this CDDL HEADER in each
14 14 .\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 .\" If applicable, add the following below this CDDL HEADER, with the
16 16 .\" fields enclosed by brackets "[]" replaced with your own identifying
17 17 .\" information: Portions Copyright [yyyy] [name of copyright owner]
18 18 .\"
19 19 .\" CDDL HEADER END
20 20 .\"
21 21 .\"
22 22 .\" Copyright (C) 2008, Sun Microsystems, Inc. All Rights Reserved
23 23 .\" Copyright 2014 Nexenta Systems, Inc. All rights reserved.
24 +.\" Copyright 2016 Jason King.
24 25 .\"
25 -.Dd November 10, 2014
26 +.Dd December 16, 2016
26 27 .Dt SHARE_NFS 1M
27 28 .Os
28 29 .Sh NAME
29 30 .Nm share_nfs
30 31 .Nd make local NFS file systems available for mounting by remote systems
31 32 .Sh SYNOPSIS
32 33 .Nm share
33 34 .Op Fl d Ar description
34 35 .Op Fl F Sy nfs
35 36 .Op Fl o Ar specific_options
36 37 .Ar pathname
37 38 .Sh DESCRIPTION
38 39 The
39 40 .Nm share
40 41 utility makes local file systems available for mounting by remote systems. It
41 42 starts the
42 43 .Xr nfsd 1M
43 44 and
44 45 .Xr mountd 1M
45 46 daemons if they are not already running.
46 47 .Pp
47 48 If no argument is specified, then
48 49 .Nm share
49 50 displays all file systems currently shared, including NFS file systems and file
50 51 systems shared through other distributed file system packages.
51 52 .Sh OPTIONS
52 53 The following options are supported:
53 54 .Bl -tag -width "indented"
54 55 .It Fl d Ar description
55 56 Provide a comment that describes the file system to be shared.
56 57 .It Fl F Sy nfs
57 58 Share NFS file system type.
58 59 .It Fl o Ar specific_options
59 60 Specify
60 61 .Ar specific_options
61 62 in a comma-separated list of keywords and attribute-value-assertions for
62 63 interpretation by the file-system-type-specific command. If
63 64 .Ar specific_options
64 65 is not specified, then by default sharing is read-write to all clients.
65 66 .Ar specific_options
66 67 can be any combination of the following:
67 68 .Bl -tag -width "indented"
68 69 .It Sy aclok
69 70 Allows the NFS server to do access control for NFS Version 2 clients (running
70 71 SunOS 2.4 or earlier). When
71 72 .Sy aclok
72 73 is set on the server, maximal access is given to all clients. For example, with
73 74 .Sy aclok
74 75 set, if anyone has read permissions, then everyone does. If
75 76 .Sy aclok
76 77 is not set, minimal access is given to all clients.
77 78 .It Sy anon Ns = Ns Ar uid
78 79 Set
79 80 .Ar uid
80 81 to be the effective user ID of unknown users. By default, unknown users are
81 82 given the effective user ID UID_NOBODY. If uid is set to -1, access is denied.
82 83 .It Ar charset Ns = Ns Ar access_list
83 84 Where
84 85 .Ar charset
85 86 is one of: euc-cn, euc-jp, euc-jpms, euc-kr, euc-tw, iso8859-1, iso8859-2,
86 87 iso8859-5, iso8859-6, iso8859-7, iso8859-8, iso8859-9, iso8859-13, iso8859-15,
87 88 koi8-r.
88 89 .Pp
89 90 Clients that match the
90 91 .Ar access_list
91 92 for one of these properties will be assumed to be using that character set and
92 93 file and path names will be converted to UTF-8 for the server.
93 94 .It Sy gidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
94 95 Where
95 96 .Ar mapping
96 97 is:
97 98 .Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
98 99 .Pp
99 100 Allows remapping the group ID (gid) in the incoming request to some other gid.
100 101 This effectively changes the identity of the user in the request to that of
101 102 some other local user.
102 103 .Pp
103 104 For clients where the gid in the incoming request is
104 105 .Ar clnt
105 106 and the client matches the
106 107 .Ar access_list Ns
107 108 , change the group ID to
108 109 .Ar srv Ns . If
109 110 .Ar clnt
110 111 is asterisk (*), all groups are mapped by this rule. If
111 112 .Ar clnt
112 113 is omitted, all unknown groups are mapped by this rule. If
113 114 .Ar srv
114 115 is set to -1, access is denied. If
115 116 .Ar srv
116 117 is omitted, the gid is mapped to UID_NOBODY.
117 118 .Pp
118 119 The particular
119 120 .Ar mapping Ns s
120 121 are separated in the
121 122 .Sy gidmap Ns =
122 123 option by tilde (~) and are evaluated in the specified order until a match is
123 124 found. Both
124 125 .Sy root Ns =
125 126 and
126 127 .Sy root_mapping Ns =
127 128 options (if specified) are evaluated before the
128 129 .Sy gidmap Ns =
129 130 option. The
130 131 .Sy gidmap Ns =
131 132 option is skipped in the case where the client matches the
132 133 .Sy root Ns =
133 134 option.
134 135 .Pp
135 136 The
136 137 .Sy gidmap Ns =
137 138 option is evaluated before the
138 139 .Sy anon Ns =
139 140 option.
140 141 .Pp
141 142 This option is supported only for AUTH_SYS.
142 143 .It Sy index Ns = Ns Ar file
143 144 Load
144 145 .Ar file
145 146 rather than a listing of the directory containing this file when the
146 147 directory is referenced by an NFS URL.
147 148 .It Sy log Ns Oo = Ns Ar tag Oc
148 149 Enables NFS server logging for the specified file system. The optional
149 150 .Ar tag
150 151 determines the location of the related log files. The
151 152 .Ar tag
152 153 is defined in
153 154 .Pa /etc/nfs/nfslog.conf .
154 155 If no
155 156 .Ar tag
156 157 is specified, the default values associated with the global tag in
157 158 .Pa /etc/nfs/nfslog.conf
158 159 are used. Support of NFS server logging is only available for NFS Version 2 and
159 160 Version 3 requests.
161 +.It Sy noaclfab
162 +By default, the NFS server will fabricate POSIX-draft style ACLs in response
163 +to ACL requests from NFS Version 2 or Version 3 clients accessing shared
164 +file systems that do not support POSIX-draft ACLs (such as ZFS).
165 +Specifying
166 +.Sy noaclfab
167 +disables this behavior.
160 168 .It Sy none Ns = Ns Ar access_list
161 169 Access is not allowed to any client that matches the access list. The exception
162 170 is when the access list is an asterisk (*), in which case
163 171 .Sy ro
164 172 or
165 173 .Sy rw
166 174 can override
167 175 .Sy none .
168 176 .It Sy nosub
169 177 Prevents clients from mounting subdirectories of shared directories. For
170 178 example, if
171 179 .Pa /export
172 180 is shared with the
173 181 .Sy nosub
174 182 option on server
175 183 .Qq fooey
176 184 then a NFS client cannot do:
177 185 .Bd -literal -offset indent
178 186 mount -F nfs fooey:/export/home/mnt
179 187 .Ed
180 188 .Pp
181 189 NFS Version 4 does not use the MOUNT protocol. The
182 190 .Sy nosub
183 191 option only applies to NFS Version 2 and Version 3 requests.
184 192 .It Sy nosuid
185 193 By default, clients are allowed to create files on the shared file system with
186 194 the setuid or setgid mode enabled. Specifying
187 195 .Sy nosuid
188 196 causes the server file system to silently ignore any attempt to enable the
189 197 setuid or setgid mode bits.
190 198 .It Sy public
191 199 Moves the location of the public file handle from root
192 200 .Pa ( / )
193 201 to the exported directory for WebNFS-enabled browsers and clients. This option
194 202 does not enable WebNFS service; WebNFS is always on. Only one file system per
195 203 server may use this option. Any other option, including the
196 204 .Sy ro Ns = Ns Ar list
197 205 and
198 206 .Sy rw Ns = Ns Ar list
199 207 options can be included with the
200 208 .Sy public
201 209 option.
202 210 .It Sy ro
203 211 Sharing is read-only to all clients.
204 212 .It Sy ro Ns = Ns Ar access_list
205 213 Sharing is read-only to the clients listed in
206 214 .Ar access_list ;
207 215 overrides the
208 216 .Sy rw
209 217 suboption for the clients specified. See
210 218 .Sx access_list
211 219 below.
212 220 .It Sy root Ns = Ns Ar access_list
213 221 Only root users from the hosts specified in
214 222 .Ar access_list
215 223 have root access. See
216 224 .Sx access_list
217 225 below. By default, no host has root access, so root users are mapped to an
218 226 anonymous user ID (see the
219 227 .Sy anon Ns = Ns Ar uid
220 228 option described above). Netgroups can be used if the file system shared is
221 229 using UNIX authentication (AUTH_SYS).
222 230 .It Sy root_mapping Ns = Ns Ar uid
223 231 For a client that is allowed root access, map the root UID to the specified
224 232 user id.
225 233 .It Sy rw
226 234 Sharing is read-write to all clients.
227 235 .It Sy rw Ns = Ns Ar access_list
228 236 Sharing is read-write to the clients listed in
229 237 .Ar access_list ;
230 238 overrides the
231 239 .Sy ro
232 240 suboption for the clients specified. See
233 241 .Sx access_list
234 242 below.
235 243 .It Sy sec Ns = Ns Ar mode Ns Oo : Ns Ar mode Oc Ns ...
236 244 Sharing uses one or more of the specified security modes. The
237 245 .Ar mode
238 246 in the
239 247 .Sy sec Ns = Ns Ar mode
240 248 option must be a mode name supported on the client. If the
241 249 .Sy sec Ns =
242 250 option is not specified, the default security mode used is AUTH_SYS. Multiple
243 251 .Sy sec Ns =
244 252 options can be specified on the command line, although each mode can appear
245 253 only once. The security modes are defined in
246 254 .Xr nfssec 5 .
247 255 .Pp
248 256 Each
249 257 .Sy sec Ns =
250 258 option specifies modes that apply to any subsequent
251 259 .Sy window Ns = ,
252 260 .Sy rw ,
253 261 .Sy ro ,
254 262 .Sy rw Ns = ,
255 263 .Sy ro Ns = ,
256 264 and
257 265 .Sy root Ns =
258 266 options that are provided before another
259 267 .Sy sec Ns =
260 268 option.
261 269 Each additional
262 270 .Sy sec Ns =
263 271 resets the security mode context, so that more
264 272 .Sy window Ns = ,
265 273 .Sy rw ,
266 274 .Sy ro ,
267 275 .Sy rw Ns = ,
268 276 .Sy ro Ns = ,
269 277 and
270 278 .Sy root Ns =
271 279 options can be supplied for additional modes.
272 280 .It Sy sec Ns = Ns Sy none
273 281 If the option
274 282 .Sy sec Ns = Ns Sy none
275 283 is specified when the client uses AUTH_NONE, or if the client uses a security
276 284 mode that is not one that the file system is shared with, then the credential
277 285 of each NFS request is treated as unauthenticated. See the
278 286 .Sy anon Ns = Ns Ar uid
279 287 option for a description of how unauthenticated requests are handled.
280 288 .It Sy secure
281 289 This option has been deprecated in favor of the
282 290 .Sy sec Ns = Ns Sy dh
283 291 option.
284 292 .It Sy uidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
285 293 Where
286 294 .Ar mapping
287 295 is:
288 296 .Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
289 297 .Pp
290 298 Allows remapping the user ID (uid) in the incoming request to some other uid.
291 299 This effectively changes the identity of the user in the request to that of
292 300 some other local user.
293 301 .Pp
294 302 For clients where the uid in the incoming request is
295 303 .Ar clnt
296 304 and the client matches the
297 305 .Ar access_list Ns
298 306 , change the user ID to
299 307 .Ar srv Ns . If
300 308 .Ar clnt
301 309 is asterisk (*), all users are mapped by this rule. If
302 310 .Ar clnt
303 311 is omitted, all unknown users are mapped by this rule. If
304 312 .Ar srv
305 313 is set to -1, access is denied. If
306 314 .Ar srv
307 315 is omitted, the uid is mapped to UID_NOBODY.
308 316 .Pp
309 317 The particular
310 318 .Ar mapping Ns s
311 319 are separated in the
312 320 .Sy uidmap Ns =
313 321 option by tilde (~) and are evaluated in the specified order until a match is
314 322 found. Both
315 323 .Sy root Ns =
316 324 and
317 325 .Sy root_mapping Ns =
318 326 options (if specified) are evaluated before the
319 327 .Sy uidmap Ns =
320 328 option. The
321 329 .Sy uidmap Ns =
322 330 option is skipped in the case where the client matches the
323 331 .Sy root Ns =
324 332 option.
325 333 .Pp
326 334 The
327 335 .Sy uidmap Ns =
328 336 option is evaluated before the
329 337 .Sy anon Ns =
330 338 option.
331 339 .Pp
332 340 This option is supported only for AUTH_SYS.
333 341 .It Sy window Ns = Ns Ar value
334 342 When sharing with
335 343 .Sy sec Ns = Ns Sy dh ,
336 344 set the maximum life time (in seconds) of the RPC request's credential (in the
337 345 authentication header) that the NFS server allows. If a credential arrives with
338 346 a life time larger than what is allowed, the NFS server rejects the request. The
339 347 default value is 30000 seconds (8.3 hours).
340 348 .El
341 349 .El
342 350 .Ss access_list
343 351 The
344 352 .Ar access_list
345 353 argument is a colon-separated list whose components may be any number of the
346 354 following:
347 355 .Bl -tag -width "indented"
348 356 .It Sy hostname
349 357 The name of a host. With a server configured for DNS or LDAP naming in the
350 358 nsswitch
351 359 .Sy hosts
352 360 entry, any hostname must be represented as a fully qualified DNS or LDAP name.
353 361 .It Sy netgroup
354 362 A netgroup contains a number of hostnames. With a server configured for DNS or
355 363 LDAP naming in the nsswitch
356 364 .Sy hosts
357 365 entry, any hostname in a netgroup must be represented as a fully qualified DNS
358 366 or LDAP name.
359 367 .It Sy domain name suffix
360 368 To use domain membership the server must use DNS or LDAP to resolve hostnames to
361 369 IP addresses; that is, the
362 370 .Sy hosts
363 371 entry in the
364 372 .Pa /etc/nsswitch.conf
365 373 must specify
366 374 .Sy dns
367 375 or
368 376 .Sy ldap
369 377 ahead of
370 378 .Sy nis
371 379 or
372 380 .Sy nisplus ,
373 381 since only DNS and LDAP return the full domain name of the host. Other name
374 382 services like NIS or NIS+ cannot be used to resolve hostnames on the server
375 383 because when mapping an IP address to a hostname they do not return domain
376 384 information. For example,
377 385 .Bd -literal -offset indent
378 386 NIS or NIS+ 172.16.45.9 --> "myhost"
379 387 .Ed
380 388 .Pp
381 389 and
382 390 .Bd -literal -offset indent
383 391 DNS or LDAP 172.16.45.9 --> "myhost.mydomain.mycompany.com"
384 392 .Ed
385 393 .Pp
386 394 The domain name suffix is distinguished from hostnames and netgroups by a
387 395 prefixed dot. For example,
388 396 .Bd -literal -offset indent
389 397 rw=.mydomain.mycompany.com
390 398 .Ed
391 399 .Pp
392 400 A single dot can be used to match a hostname with no suffix. For example,
393 401 .Bd -literal -offset indent
394 402 rw=.
395 403 .Ed
396 404 .Pp
397 405 matches
398 406 .Qq mydomain
399 407 but not
400 408 .Qq mydomain.mycompany.com .
401 409 This feature can be used to match hosts resolved through NIS and NIS+ rather
402 410 than DNS and LDAP.
403 411 .It Sy network
404 412 The network or subnet component is preceded by an at-sign (@). It can be either
405 413 a name or a dotted address. If a name, it is converted to a dotted address by
406 414 .Xr getnetbyname 3SOCKET .
407 415 For example,
408 416 .Bd -literal -offset indent
409 417 =@mynet
410 418 .Ed
411 419 .Pp
412 420 would be equivalent to:
413 421 .Bd -literal -offset indent
414 422 =@172.16 or =@172.16.0.0
415 423 .Ed
416 424 .Pp
417 425 The network prefix assumes an octet-aligned netmask determined from the zeroth
418 426 octet in the low-order part of the address up to and including the high-order
419 427 octet, if you want to specify a single IP address (see below). In the case
420 428 where network prefixes are not byte-aligned, the syntax allows a mask length to
421 429 be specified explicitly following a slash (/) delimiter. For example,
422 430 .Bd -literal -offset indent
423 431 =@theothernet/17 or =@172.16.132/22
424 432 .Ed
425 433 .Pp
426 434 where the mask is the number of leftmost contiguous significant bits in the
427 435 corresponding IP address.
428 436 .Pp
429 437 When specifying individual IP addresses, use the same @ notation described
430 438 above, without a netmask specification. For example:
431 439 .Bd -literal -offset indent
432 440 =@172.16.132.14
433 441 .Ed
434 442 .Pp
435 443 Multiple, individual IP addresses would be specified, for example, as:
436 444 .Bd -literal -offset indent
437 445 root=@172.16.132.20:@172.16.134.20
438 446 .Ed
439 447 .El
440 448 .Pp
441 449 A prefixed minus sign (-) denies access to that component of
442 450 .Ar access_list .
443 451 The list is searched sequentially until a match is found that either grants or
444 452 denies access, or until the end of the list is reached. For example, if host
445 453 .Qq terra
446 454 is in the
447 455 .Qq engineering
448 456 netgroup, then
449 457 .Bd -literal -offset indent
450 458 rw=-terra:engineering
451 459 .Ed
452 460 .Pp
453 461 denies access to
454 462 .Qq terra
455 463 but
456 464 .Bd -literal -offset indent
457 465 rw=engineering:-terra
458 466 .Ed
459 467 .Pp
460 468 grants access to
461 469 .Qq terra .
462 470 .Sh OPERANDS
463 471 The following operands are supported:
464 472 .Bl -tag -width "pathname"
465 473 .It Sy pathname
466 474 The pathname of the file system to be shared.
467 475 .El
468 476 .Sh FILES
469 477 .Bl -tag -width "/etc/nfs/nfslog.conf"
470 478 .It Pa /etc/dfs/fstypes
471 479 list of system types, NFS by default
472 480 .It Pa /etc/dfs/sharetab
473 481 system record of shared file systems
474 482 .It Pa /etc/nfs/nfslogtab
475 483 system record of logged file systems
476 484 .It Pa /etc/nfs/nfslog.conf
477 485 logging configuration file
478 486 .El
479 487 .Sh EXIT STATUS
480 488 .Ex -std
481 489 .Sh EXAMPLES
482 490 .Ss Example 1 Sharing A File System With Logging Enabled
483 491 The following example shows the
484 492 .Pa /export
485 493 file system shared with logging enabled:
486 494 .Bd -literal -offset indent
487 495 share -o log /export
488 496 .Ed
489 497 .Pp
490 498 The default global logging parameters are used since no tag identifier is
491 499 specified. The location of the log file, as well as the necessary logging work
492 500 files, is specified by the global entry in
493 501 .Pa /etc/nfs/nfslog.conf .
494 502 The
495 503 .Xr nfslogd 1M
496 504 daemon runs only if at least one file system entry in
497 505 .Pa /etc/dfs/dfstab
498 506 is shared with logging enabled upon starting or rebooting the system. Simply
499 507 sharing a file system with logging enabled from the command line does not start
500 508 the
501 509 .Xr nfslogd 1M .
502 510 .Ss Example 2 Remap A User Coming From The Particular NFS Client
503 511 The following example remaps the user with uid
504 512 .Sy 100
505 513 at client
506 514 .Sy 10.0.0.1
507 515 to user
508 516 .Sy joe Ns :
509 517 .Bd -literal -offset indent
510 518 share -o uidmap=100:joe:@10.0.0.1 /export
511 519 .Ed
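Review bot: The new `noaclfab` entry (new-file lines 161-167) says what the default fabrication does but not what a Version 2 or Version 3 client observes once fabrication is disabled, which is exactly what an administrator consulting this page to explain a failing client needs. Consider adding a sentence stating how the server answers ACL requests when `noaclfab` is set, and a cross-reference from the entry to the acl(5) page this change adds to SEE ALSO (for example `.Xr acl 5`), so the POSIX-draft versus ZFS ACL distinction the text relies on is documented next to the option. The alphabetical placement between `log` and `none` and the `.Sy` markup match the surrounding list.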
512 520 .Sh SEE ALSO
513 521 .Xr mount 1M ,
514 522 .Xr mountd 1M ,
515 523 .Xr nfsd 1M ,
516 524 .Xr nfslogd 1M ,
517 525 .Xr share 1M ,
518 526 .Xr unshare 1M ,
519 527 .Xr getnetbyname 3SOCKET ,
520 528 .Xr netgroup 4 ,
521 529 .Xr nfslog.conf 4 ,
530 +.Xr acl 5 ,
522 531 .Xr attributes 5 ,
523 532 .Xr nfssec 5
524 533 .Sh NOTES
525 534 If the
526 535 .Sy sec Ns =
527 536 option is presented at least once, all uses of the
528 537 .Sy window Ns = ,
529 538 .Sy rw ,
530 539 .Sy ro ,
531 540 .Sy rw Ns = ,
532 541 .Sy ro Ns = ,
533 542 and
534 543 .Sy root Ns =
535 544 options must come after the first
536 545 .Sy sec Ns =
537 546 option. If the
538 547 .Sy sec Ns =
539 548 option is not presented, then
540 549 .Sy sec Ns = Ns Sy sys
541 550 is implied.
542 551 .Pp
543 552 If one or more explicit
544 553 .Sy sec Ns =
545 554 options are presented,
546 555 .Sy sys
547 556 must appear in one of the options mode lists for accessing using the AUTH_SYS
548 557 security mode to be allowed. For example:
549 558 .Bd -literal -offset indent
550 559 share -F nfs /var
551 560 share -F nfs -o sec=sys /var
552 561 .Ed
553 562 .Pp
554 563 grants read-write access to any host using AUTH_SYS, but
555 564 .Bd -literal -offset indent
556 565 share -F nfs -o sec=dh /var
557 566 .Ed
558 567 .Pp
559 568 grants no access to clients that use AUTH_SYS.
560 569 .Pp
561 570 Unlike previous implementations of
562 571 .Nm ,
563 572 access checking for the
564 573 .Sy window Ns = ,
565 574 .Sy rw ,
566 575 .Sy ro ,
567 576 .Sy rw Ns = ,
568 577 and
569 578 .Sy ro Ns =
570 579 options is done per NFS request, instead of per mount request.
571 580 .Pp
572 581 Combining multiple security modes can be a security hole in situations where
573 582 the
574 583 .Sy ro Ns =
575 584 and
576 585 .Sy rw Ns =
577 586 options are used to control access to weaker security modes. In this example,
578 587 .Bd -literal -offset indent
579 588 share -F nfs -o sec=dh,rw,sec=sys,rw=hosta /var
580 589 .Ed
581 590 .Pp
582 591 an intruder can forge the IP address for
583 592 .Qq hosta
584 593 (albeit on each NFS request) to side-step the stronger controls of AUTH_DES.
585 594 Something like:
586 595 .Bd -literal -offset indent
587 596 share -F nfs -o sec=dh,rw,sec=sys,ro /var
588 597 .Ed
589 598 .Pp
590 599 is safer, because any client (intruder or legitimate) that avoids AUTH_DES only
591 600 gets read-only access. In general, multiple security modes per share command
592 601 should only be used in situations where the clients using more secure modes get
593 602 stronger access than clients using less secure modes.
594 603 .Pp
595 604 If
596 605 .Sy rw Ns =
597 606 and
598 607 .Sy ro Ns =
599 608 options are specified in the same
600 609 .Sy sec Ns =
601 610 clause, and a client is in both lists, the order of the two options determines
602 611 the access the client gets. If client
603 612 .Qq hosta
604 613 is in two netgroups,
605 614 .Qq group1
606 615 and
607 616 .Qq group2 ,
608 617 in this example, the client would get read-only access:
609 618 .Bd -literal -offset indent
610 619 share -F nfs -o ro=group1,rw=group2 /var
611 620 .Ed
612 621 .Pp
613 622 In this example
614 623 .Qq hosta
615 624 would get read-write access:
616 625 .Bd -literal -offset indent
617 626 share -F nfs -o rw=group2,ro=group1 /var
618 627 .Ed
619 628 .Pp
620 629 If within a
621 630 .Sy sec Ns =
622 631 clause, both the
623 632 .Sy ro
624 633 and
625 634 .Sy rw Ns =
626 635 options are specified, for compatibility, the order of the options rule is not
627 636 enforced. All hosts would get read-only access, with the exception to those in
628 637 the read-write list. Likewise, if the
629 638 .Sy ro Ns =
630 639 and
631 640 .Sy rw
632 641 options are specified, all hosts get read-write access with the exceptions of
633 642 those in the read-only list.
634 643 .Pp
635 644 The
636 645 .Sy ro Ns =
637 646 and
638 647 .Sy rw Ns =
639 648 options are guaranteed to work over UDP and TCP but may not work over other
640 649 transport providers.
641 650 .Pp
642 651 The
643 652 .Sy root Ns =
644 653 option with AUTH_SYS is guaranteed to work over UDP and TCP but may not work
645 654 over other transport providers.
646 655 .Pp
647 656 The
648 657 .Sy root Ns =
649 658 option with AUTH_DES is guaranteed to work over any transport provider.
650 659 .Pp
651 660 There are no interactions between the
652 661 .Sy root Ns =
653 662 option and the
654 663 .Sy rw ,
655 664 .Sy ro ,
656 665 .Sy rw Ns = ,
657 666 and
658 667 .Sy ro Ns =
659 668 options. Putting a host in the root list does not override the semantics of the
660 669 other options. The access the host gets is the same as when the
661 670 .Sy root Ns =
662 671 option is absent. For example, the following share command denies access to
663 672 .Qq hostb :
664 673 .Bd -literal -offset indent
665 674 share -F nfs -o ro=hosta,root=hostb /var
666 675 .Ed
667 676 .Pp
668 677 The following gives read-only permissions to
669 678 .Qq hostb :
670 679 .Bd -literal -offset indent
671 680 share -F nfs -o ro=hostb,root=hostb /var
672 681 .Ed
673 682 .Pp
674 683 The following gives read-write permissions to
675 684 .Qq hostb :
676 685 .Bd -literal -offset indent
677 686 share -F nfs -o ro=hosta,rw=hostb,root=hostb /var
678 687 .Ed
679 688 .Pp
680 689 If the file system being shared is a symbolic link to a valid pathname, the
681 690 canonical path (the path which the symbolic link follows) is shared. For
682 691 example, if
683 692 .Pa /export/foo
684 693 is a symbolic link to
685 694 .Pa /export/bar ,
686 695 the following share command results in
687 696 .Pa /export/bar
688 697 as the shared pathname (and not
689 698 .Pa /export/foo ) :
690 699 .Bd -literal -offset indent
691 700 share -F nfs /export/foo
692 701 .Ed
693 702 .Pp
694 703 An NFS mount of
695 704 .Lk server:/export/foo
696 705 results in
697 706 .Lk server:/export/bar
698 707 really being mounted.
699 708 .Pp
700 709 This line in the
701 710 .Pa /etc/dfs/dfstab
702 711 file shares the
703 712 .Pa /disk
704 713 file system read-only at boot time:
705 714 .Bd -literal -offset indent
706 715 share -F nfs -o ro /disk
707 716 .Ed
708 717 .Pp
709 718 The same command entered from the command line does not share the
710 719 .Pa /disk
711 720 file system unless there is at least one file system entry in the
712 721 .Pa /etc/dfs/dfstab
713 722 file. The
714 723 .Xr mountd 1M
715 724 and
716 725 .Xr nfsd 1M
717 726 daemons only run if there is a file system entry in
718 727 .Pa /etc/dfs/dfstab
719 728 when starting or rebooting the system.
720 729 .Pp
721 730 The
722 731 .Xr mountd 1M
723 732 process allows the processing of a path name the contains a symbolic link.
724 733 This allows the processing of paths that are not themselves explicitly shared
725 734 with
726 735 .Nm .
727 736 For example,
728 737 .Pa /export/foo
729 738 might be a symbolic link that refers to
730 739 .Pa /export/bar
731 740 which has been specifically shared. When the client mounts
732 741 .Pa /export/foo
733 742 the mountd processing follows the symbolic link and responds with the
734 743 .Pa /export/bar .
735 744 The NFS Version 4 protocol does not use the mountd processing and the client's
736 745 use of
737 746 .Pa /export/foo
738 747 does not work as it does with NFS Version 2 and Version 3 and the client
739 748 receives an error when attempting to mount
740 749 .Pa /export/foo .