--- old/usr/src/man/man1m/share_nfs.1m
+++ new/usr/src/man/man1m/share_nfs.1m
1 1 '\" te
2 2 .\" Copyright (C) 2008, Sun Microsystems, Inc. All Rights Reserved
3 3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 6 .TH SHARE_NFS 1M "May 6, 2009"
7 7 .SH NAME
8 8 share_nfs \- make local NFS file systems available for mounting by remote
9 9 systems
10 10 .SH SYNOPSIS
11 11 .LP
12 12 .nf
13 13 \fBshare\fR [\fB-d\fR \fIdescription\fR] [\fB-F\fR nfs] [\fB-o\fR \fIspecific_options\fR] \fIpathname\fR
14 14 .fi
15 15
16 16 .SH DESCRIPTION
17 17 .sp
18 18 .LP
19 19 The \fBshare\fR utility makes local file systems available for mounting by
20 20 remote systems. It starts the \fBnfsd\fR(1M) and \fBmountd\fR(1M) daemons if
21 21 they are not already running.
22 22 .sp
23 23 .LP
24 24 If no argument is specified, then \fBshare\fR displays all file systems
25 25 currently shared, including \fBNFS\fR file systems and file systems shared
26 26 through other distributed file system packages.
27 27 .SH OPTIONS
28 28 .sp
29 29 .LP
30 30 The following options are supported:
31 31 .sp
32 32 .ne 2
33 33 .na
34 34 \fB\fB-d\fR \fIdescription\fR\fR
35 35 .ad
36 36 .sp .6
37 37 .RS 4n
38 38 Provide a comment that describes the file system to be shared.
39 39 .RE
40 40
41 41 .sp
42 42 .ne 2
43 43 .na
44 44 \fB\fB\fR\fB-F\fR \fBnfs\fR\fR
45 45 .ad
46 46 .sp .6
47 47 .RS 4n
48 48 Share \fBNFS\fR file system type.
49 49 .RE
50 50
51 51 .sp
52 52 .ne 2
53 53 .na
54 54 \fB\fB-o\fR \fIspecific_options\fR\fR
55 55 .ad
56 56 .sp .6
57 57 .RS 4n
58 58 Specify \fIspecific_options\fR in a comma-separated list of keywords and
59 59 attribute-value-assertions for interpretation by the file-system-type-specific
60 60 command. If \fIspecific_options\fR is not specified, then by default sharing is
61 61 read-write to all clients. \fIspecific_options\fR can be any combination of the
62 62 following:
63 63 .sp
64 64 .ne 2
65 65 .na
66 66 \fB\fBaclok\fR\fR
67 67 .ad
68 68 .sp .6
69 69 .RS 4n
70 70 Allows the \fBNFS\fR server to do access control for \fBNFS\fR Version 2
71 71 clients (running SunOS 2.4 or earlier). When \fBaclok\fR is set on the server,
72 72 maximal access is given to all clients. For example, with \fBaclok\fR set, if
73 73 anyone has read permissions, then everyone does. If \fBaclok\fR is not set,
74 74 minimal access is given to all clients.
75 75 .RE
76 76
77 77 .sp
78 78 .ne 2
79 79 .na
80 80 \fB\fBanon=\fR\fIuid\fR\fR
81 81 .ad
82 82 .sp .6
83 83 .RS 4n
84 84 Set \fIuid\fR to be the effective user \fBID\fR of unknown users. By default,
85 85 unknown users are given the effective user \fBID\fR \fBUID_NOBODY\fR. If
86 86 \fIuid\fR is set to \fB\(mi1\fR, access is denied.
87 87 .RE
88 88
89 89 .sp
90 90 .ne 2
91 91 .na
92 92 \fB\fIcharset\fR=\fIaccess_list\fR\fR
93 93 .ad
94 94 .sp .6
95 95 .RS 4n
96 96 Where \fIcharset\fR is one of: \fBeuc-cn\fR, \fBeuc-jp\fR, \fBeuc-jpms\fR,
97 97 \fBeuc-kr\fR, \fBeuc-tw\fR, \fBiso8859-1\fR, \fBiso8859-2\fR, \fBiso8859-5\fR,
98 98 \fBiso8859-6\fR, \fBiso8859-7\fR, \fBiso8859-8\fR, \fBiso8859-9\fR,
99 99 \fBiso8859-13\fR, \fBiso8859-15\fR, \fBkoi8-r\fR.
100 100 .sp
101 101 Clients that match the \fIaccess_list\fR for one of these properties will be
102 102 assumed to be using that character set and file and path names will be
103 103 converted to UTF-8 for the server.
104 104 .RE
105 105
106 106 .sp
107 107 .ne 2
108 108 .na
109 109 \fB\fBindex=\fR\fBfile\fR\fR
110 110 .ad
111 111 .sp .6
112 112 .RS 4n
113 113 Load \fBfile\fR rather than a listing of the directory containing this file
114 114 when the directory is referenced by an \fBNFS URL\fR.
115 115 .RE
116 116
117 117 .sp
118 118 .ne 2
119 119 .na
120 120 \fB\fBlog=tag\fR\fR
121 121 .ad
122 122 .sp .6
123 123 .RS 4n
124 124 Enables \fBNFS\fR server logging for the specified file system. The optional
125 125 tag determines the location of the related log files. The \fBtag\fR is defined
126 126 in \fBetc/nfs/nfslog.conf\fR. If no \fBtag\fR is specified, the default values
127 127 associated with the \fBglobal\fR \fBtag\fR in \fBetc/nfs/nfslog.conf\fR is
128 128 used. Support of NFS server logging is only available for NFS Version 2 and
129 129 Version 3 requests.
130 130 .RE
131 131
132 132 .sp
133 133 .ne 2
134 134 .na
135 +\fB\fBnohide\fR\fR
136 +.ad
137 +.sp .6
138 +.RS 4n
139 +
140 +By default, if a server exports two filesystems, one of which is mounted as a
141 +child of the other, NFS Version 2 and Version 3 clients must mount both
142 +filesystems explicitly in order to access them. If a client only mounts
143 +the parent, it will see an empty directory at the location where the other
144 +filesystem is mounted.
145 +
146 +Setting the \fBnohide\fR option on a filesystem causes it to no longer be
147 +hidden in this manner, and a client will be able to move from the parent
148 +filesystem to this one without noticing the change. However, some NFS clients
149 +or applications may not function correctly when this option is used. In
150 +particular, files on different underlying filesystems may appear to have the
151 +same inode numbers.
152 +
153 +This option is equivalent to the option of the same name provided in \fBLinux
154 +NFS\fR, and only applies to NFS Version 2 and Version 3 requests.
155 +.RE
156 +
157 +.sp
158 +.ne 2
159 +.na
135 160 \fB\fBnone=\fR\fIaccess_list\fR\fR
136 161 .ad
137 162 .sp .6
138 163 .RS 4n
139 164 Access is not allowed to any client that matches the access list. The exception
140 165 is when the access list is an asterisk (\fB*\fR), in which case \fBro\fR or
141 166 \fBrw\fR can override \fBnone\fR.
142 167 .RE
143 168
144 169 .sp
145 170 .ne 2
146 171 .na
147 172 \fB\fBnosub\fR\fR
148 173 .ad
149 174 .sp .6
150 175 .RS 4n
151 176 Prevents clients from mounting subdirectories of shared directories. For
152 177 example, if \fB/export\fR is shared with the \fBnosub\fR option on server
153 178 \fIfooey\fR then a \fBNFS\fR client cannot do:
154 179 .sp
155 180 .in +2
156 181 .nf
157 182 mount -F nfs fooey:/export/home/mnt
158 183 .fi
159 184 .in -2
160 185 .sp
161 186
162 187 NFS Version 4 does not use the \fBMOUNT\fR protocol. The \fBnosub\fR option
163 188 only applies to NFS Version 2 and Version 3 requests.
164 189 .RE
165 190
166 191 .sp
167 192 .ne 2
168 193 .na
169 194 \fB\fBnosuid\fR\fR
170 195 .ad
171 196 .sp .6
172 197 .RS 4n
173 198 By default, clients are allowed to create files on the shared file system with
174 199 the setuid or setgid mode enabled. Specifying \fBnosuid\fR causes the server
175 200 file system to silently ignore any attempt to enable the setuid or setgid mode
176 201 bits.
177 202 .RE
178 203
179 204 .sp
180 205 .ne 2
181 206 .na
182 207 \fB\fBpublic\fR\fR
183 208 .ad
184 209 .sp .6
185 210 .RS 4n
186 211 Moves the location of the public file handle from \fBroot\fR (\fB/\fR) to the
187 212 exported directory for Web\fBNFS\fR-enabled browsers and clients. This option
188 213 does not enable Web\fBNFS\fR service; Web\fBNFS\fR is always on. Only one file
189 214 system per server may use this option. Any other option, including the
190 215 \fB-ro=list\fR and \fB-rw=list\fR options can be included with the \fBpublic\fR
191 216 option.
192 217 .RE
193 218
194 219 .sp
195 220 .ne 2
196 221 .na
197 222 \fB\fBro\fR\fR
198 223 .ad
199 224 .sp .6
200 225 .RS 4n
201 226 Sharing is read-only to all clients.
202 227 .RE
203 228
204 229 .sp
205 230 .ne 2
206 231 .na
207 232 \fB\fBro=\fR\fIaccess_list\fR\fR
208 233 .ad
209 234 .sp .6
210 235 .RS 4n
211 236 Sharing is read-only to the clients listed in \fIaccess_list\fR; overrides the
212 237 \fBrw\fR suboption for the clients specified. See \fIaccess_list\fR below.
213 238 .RE
214 239
215 240 .sp
216 241 .ne 2
217 242 .na
218 243 \fB\fBroot=\fR\fIaccess_list\fR\fR
219 244 .ad
220 245 .sp .6
221 246 .RS 4n
222 247 Only root users from the hosts specified in \fIaccess_list\fR have root access.
223 248 See \fIaccess_list\fR below. By default, no host has root access, so root users
224 249 are mapped to an anonymous user \fBID\fR (see the \fBanon=\fR\fIuid\fR option
225 250 described above). Netgroups can be used if the file system shared is using UNIX
226 251 authentication ( \fBAUTH_SYS\fR).
227 252 .RE
228 253
229 254 .sp
230 255 .ne 2
231 256 .na
232 257 \fB\fBroot_mapping=\fIuid\fR\fR\fR
233 258 .ad
234 259 .sp .6
235 260 .RS 4n
236 261 For a client that is allowed root access, map the root UID to the specified
237 262 user id.
238 263 .RE
239 264
240 265 .sp
241 266 .ne 2
242 267 .na
243 268 \fB\fBrw\fR\fR
244 269 .ad
245 270 .sp .6
246 271 .RS 4n
247 272 Sharing is read-write to all clients.
248 273 .RE
249 274
250 275 .sp
251 276 .ne 2
252 277 .na
253 278 \fB\fBrw=\fR\fIaccess_list\fR\fR
254 279 .ad
255 280 .sp .6
256 281 .RS 4n
257 282 Sharing is read-write to the clients listed in \fIaccess_list\fR; overrides the
258 283 \fBro\fR suboption for the clients specified. See \fIaccess_list\fR below.
259 284 .RE
260 285
261 286 .sp
262 287 .ne 2
263 288 .na
264 289 \fB\fBsec=\fR\fImode\fR[\fB:\fR\fImode\fR].\|.\|.\fR
265 290 .ad
266 291 .sp .6
267 292 .RS 4n
268 293 Sharing uses one or more of the specified security modes. The \fImode\fR in the
269 294 \fBsec=\fR\fImode\fR option must be a node name supported on the client. If the
270 295 \fBsec=\fR option is not specified, the default security mode used is
271 296 \fBAUTH_SYS.\fR Multiple \fBsec=\fR options can be specified on the command
272 297 line, although each mode can appear only once. The security modes are defined
273 298 in \fBnfssec\fR(5).
274 299 .sp
275 300 Each \fBsec=\fR option specifies modes that apply to any subsequent \fBwindow=,
276 301 rw, ro, rw=, ro=\fR and \fBroot=\fR options that are provided before another
277 302 \fBsec=\fRoption. Each additional \fBsec=\fR resets the security mode context,
278 303 so that more \fBwindow=,\fR \fBrw,\fR \fBro,\fR \fBrw=,\fR \fBro=\fR and
279 304 \fBroot=\fR options can be supplied for additional modes.
280 305 .RE
281 306
282 307 .sp
283 308 .ne 2
284 309 .na
285 310 \fB\fBsec=\fR\fInone\fR\fR
286 311 .ad
287 312 .sp .6
288 313 .RS 4n
289 314 If the option \fBsec=\fR\fInone\fR is specified when the client uses
290 315 \fBAUTH_NONE,\fR or if the client uses a security mode that is not one that the
291 316 file system is shared with, then the credential of each \fBNFS\fR request is
292 317 treated as unauthenticated. See the \fBanon=\fR\fIuid\fR option for a
293 318 description of how unauthenticated requests are handled.
294 319 .RE
295 320
296 321 .sp
297 322 .ne 2
298 323 .na
299 324 \fB\fBsecure\fR\fR
300 325 .ad
301 326 .sp .6
302 327 .RS 4n
303 328 This option has been deprecated in favor of the \fBsec=\fR\fIdh\fR option.
304 329 .RE
305 330
306 331 .sp
307 332 .ne 2
308 333 .na
309 334 \fB\fBwindow=\fR\fIvalue\fR\fR
310 335 .ad
311 336 .sp .6
312 337 .RS 4n
313 338 When sharing with \fBsec=\fR\fIdh\fR, set the maximum life time (in seconds) of
314 339 the \fBRPC\fR request's credential (in the authentication header) that the
315 340 \fBNFS\fR server allows. If a credential arrives with a life time larger than
316 341 what is allowed, the \fBNFS\fR server rejects the request. The default value is
317 342 30000 seconds (8.3 hours).
318 343 .RE
319 344
320 345 .RE
321 346
322 347 .SS "\fIaccess_list\fR"
323 348 .sp
324 349 .LP
325 350 The \fIaccess_list\fR argument is a colon-separated list whose components may
326 351 be any number of the following:
327 352 .sp
328 353 .ne 2
329 354 .na
330 355 \fBhostname\fR
331 356 .ad
332 357 .sp .6
333 358 .RS 4n
334 359 The name of a host. With a server configured for \fBDNS\fR or \fBLDAP\fR naming
335 360 in the \fBnsswitch\fR "hosts" entry, any hostname must be represented as a
336 361 fully qualified \fBDNS\fR or \fBLDAP\fR name.
337 362 .RE
338 363
339 364 .sp
340 365 .ne 2
341 366 .na
342 367 \fBnetgroup\fR
343 368 .ad
344 369 .sp .6
345 370 .RS 4n
346 371 A netgroup contains a number of hostnames. With a server configured for
347 372 \fBDNS\fR or \fBLDAP\fR naming in the \fBnsswitch\fR "hosts" entry, any
348 373 hostname in a netgroup must be represented as a fully qualified \fBDNS\fR or
349 374 \fBLDAP\fR name.
350 375 .RE
351 376
352 377 .sp
353 378 .ne 2
354 379 .na
355 380 \fBdomain name suffix\fR
356 381 .ad
357 382 .sp .6
358 383 .RS 4n
359 384 To use domain membership the server must use \fBDNS\fR or \fBLDAP\fR to resolve
360 385 hostnames to \fBIP\fR addresses; that is, the "hosts" entry in the
361 386 \fB/etc/nsswitch.conf\fR must specify "dns" or "ldap" ahead of "nis" or
362 387 "nisplus", since only \fBDNS\fR and \fBLDAP\fR return the full domain name of
363 388 the host. Other name services like \fBNIS\fR or \fBNIS+\fR cannot be used to
364 389 resolve hostnames on the server because when mapping an \fBIP\fR address to a
365 390 hostname they do not return domain information. For example,
366 391 .sp
367 392 .in +2
368 393 .nf
369 394 NIS or NIS+ 172.16.45.9 --> "myhost"
370 395 .fi
371 396 .in -2
372 397 .sp
373 398
374 399 and
375 400 .sp
376 401 .in +2
377 402 .nf
378 403 DNS or LDAP 172.16.45.9 -->
379 404 "myhost.mydomain.mycompany.com"
380 405 .fi
381 406 .in -2
382 407 .sp
383 408
384 409 The domain name suffix is distinguished from hostnames and netgroups by a
385 410 prefixed dot. For example,
386 411 .sp
387 412 \fBrw=.mydomain.mycompany.com\fR
388 413 .sp
389 414 A single dot can be used to match a hostname with no suffix. For example,
390 415 .sp
391 416 \fBrw=.\fR
392 417 .sp
393 418 matches "mydomain" but not "mydomain.mycompany.com". This feature can be used
394 419 to match hosts resolved through \fBNIS\fR and \fBNIS+\fR rather than \fBDNS\fR
395 420 and \fBLDAP\fR.
396 421 .RE
397 422
398 423 .sp
399 424 .ne 2
400 425 .na
401 426 \fBnetwork\fR
402 427 .ad
403 428 .sp .6
404 429 .RS 4n
405 430 The network or subnet component is preceded by an at-sign (\fB@\fR). It can be
406 431 either a name or a dotted address. If a name, it is converted to a dotted
407 432 address by \fBgetnetbyname\fR(3SOCKET). For example,
408 433 .sp
409 434 \fB=@mynet\fR
410 435 .sp
411 436 would be equivalent to:
412 437 .sp
413 438 \fB=@172.16\fR or \fB=@172.16.0.0\fR
414 439 .sp
415 440 The network prefix assumes an octet-aligned netmask determined from the zeroth
416 441 octet in the low-order part of the address up to and including the high-order
417 442 octet, if you want to specify a single IP address (see below). In the case
418 443 where network prefixes are not byte-aligned, the syntax allows a mask length to
419 444 be specified explicitly following a slash (\fB/\fR) delimiter. For example,
420 445 .sp
421 446 \fB=@theothernet/17\fR or \fB=@172.16.132/22\fR
422 447 .sp
423 448 \&...where the mask is the number of leftmost contiguous significant bits in
424 449 the corresponding IP address.
425 450 .sp
426 451 When specifying individual IP addresses, use the same \fB@\fR notation
427 452 described above, without a netmask specification. For example:
428 453 .sp
429 454 .in +2
430 455 .nf
431 456 =@172.16.132.14
432 457 .fi
433 458 .in -2
434 459 .sp
435 460
436 461 Multiple, individual IP addresses would be specified, for example, as:
437 462 .sp
438 463 .in +2
439 464 .nf
440 465 root=@172.16.132.20:@172.16.134.20
441 466 .fi
442 467 .in -2
443 468 .sp
444 469
445 470 .RE
446 471
447 472 .sp
448 473 .LP
449 474 A prefixed minus sign (\fB\(mi\fR) denies access to that component of
450 475 \fIaccess_list\fR. The list is searched sequentially until a match is found
451 476 that either grants or denies access, or until the end of the list is reached.
452 477 For example, if host "terra" is in the "engineering" netgroup, then
453 478 .sp
454 479 .in +2
455 480 .nf
456 481 rw=-terra:engineering
457 482 .fi
458 483 .in -2
459 484 .sp
460 485
461 486 .sp
462 487 .LP
463 488 denies access to \fBterra\fR but
464 489 .sp
465 490 .in +2
466 491 .nf
467 492 rw=engineering:-terra
468 493 .fi
469 494 .in -2
470 495 .sp
471 496
472 497 .sp
473 498 .LP
474 499 grants access to \fBterra\fR.
475 500 .SH OPERANDS
476 501 .sp
477 502 .LP
478 503 The following operands are supported:
479 504 .sp
480 505 .ne 2
481 506 .na
482 507 \fB\fIpathname\fR\fR
483 508 .ad
484 509 .sp .6
485 510 .RS 4n
486 511 The pathname of the file system to be shared.
487 512 .RE
488 513
489 514 .SH EXAMPLES
490 515 .LP
491 516 \fBExample 1 \fRSharing A File System With Logging Enabled
492 517 .sp
493 518 .LP
494 519 The following example shows the \fB/export\fR file system shared with logging
495 520 enabled:
496 521
497 522 .sp
498 523 .in +2
499 524 .nf
500 525 example% \fBshare -o log /export\fR
501 526 .fi
502 527 .in -2
503 528 .sp
504 529
505 530 .sp
506 531 .LP
507 532 The default global logging parameters are used since no tag identifier is
508 533 specified. The location of the log file, as well as the necessary logging work
509 534 files, is specified by the global entry in \fB/etc/nfs/nfslog.conf\fR. The
510 535 \fBnfslogd\fR(1M) daemon runs only if at least one file system entry in
511 536 \fB/etc/dfs/dfstab\fR is shared with logging enabled upon starting or rebooting
512 537 the system. Simply sharing a file system with logging enabled from the command
513 538 line does not start the \fBnfslogd\fR(1M).
514 539
515 540 .SH EXIT STATUS
516 541 .sp
517 542 .LP
518 543 The following exit values are returned:
519 544 .sp
520 545 .ne 2
521 546 .na
522 547 \fB\fB0\fR\fR
523 548 .ad
524 549 .sp .6
525 550 .RS 4n
526 551 Successful completion.
527 552 .RE
528 553
529 554 .sp
530 555 .ne 2
531 556 .na
532 557 \fB\fB>0\fR\fR
533 558 .ad
534 559 .sp .6
535 560 .RS 4n
536 561 An error occurred.
537 562 .RE
538 563
539 564 .SH FILES
540 565 .sp
541 566 .ne 2
542 567 .na
543 568 \fB\fB/etc/dfs/fstypes\fR\fR
544 569 .ad
545 570 .sp .6
546 571 .RS 4n
547 572 list of system types, \fBNFS\fR by default
548 573 .RE
549 574
550 575 .sp
551 576 .ne 2
552 577 .na
553 578 \fB\fB/etc/dfs/sharetab\fR\fR
554 579 .ad
555 580 .sp .6
556 581 .RS 4n
557 582 system record of shared file systems
558 583 .RE
559 584
560 585 .sp
561 586 .ne 2
562 587 .na
563 588 \fB\fB/etc/nfs/nfslogtab\fR\fR
564 589 .ad
565 590 .sp .6
566 591 .RS 4n
567 592 system record of logged file systems
568 593 .RE
569 594
570 595 .sp
571 596 .ne 2
572 597 .na
573 598 \fB\fB/etc/nfs/nfslog.conf\fR\fR
574 599 .ad
575 600 .sp .6
576 601 .RS 4n
577 602 logging configuration file
578 603 .RE
579 604
580 605 .SH SEE ALSO
581 606 .sp
582 607 .LP
583 608 \fBmount\fR(1M), \fBmountd\fR(1M), \fBnfsd\fR(1M), \fBnfslogd\fR(1M),
584 609 \fBshare\fR(1M), \fBunshare\fR(1M), \fBgetnetbyname\fR(3SOCKET),
585 610 \fBnfslog.conf\fR(4), \fBnetgroup\fR(4), \fBattributes\fR(5), \fBnfssec\fR(5)
586 611 .SH NOTES
587 612 .sp
588 613 .LP
589 614 If the \fBsec=\fR option is presented at least once, all uses of the
590 615 \fBwindow=,\fR \fBrw,\fR \fBro,\fR \fBrw=,\fR \fBro=\fR and \fBroot=\fR options
591 616 must come \fBafter\fR the first \fBsec=\fR option. If the \fBsec=\fR option is
592 617 not presented, then \fBsec=\fR\fIsys\fR is implied.
593 618 .sp
594 619 .LP
595 620 If one or more explicit \fBsec=\fR options are presented, \fIsys\fR must appear
596 621 in one of the options mode lists for accessing using the \fBAUTH_SYS\fR
597 622 security mode to be allowed. For example:
598 623 .sp
599 624 .in +2
600 625 .nf
601 626 \fBshare\fR \fB-F\fR \fBnfs /var\fR
602 627 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=sys /var\fR
603 628 .fi
604 629 .in -2
605 630 .sp
606 631
607 632 .sp
608 633 .LP
609 634 grants read-write access to any host using \fBAUTH_SYS,\fR but
610 635 .sp
611 636 .in +2
612 637 .nf
613 638 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=dh /var\fR
614 639 .fi
615 640 .in -2
616 641 .sp
617 642
618 643 .sp
619 644 .LP
620 645 grants no access to clients that use \fBAUTH_SYS.\fR
621 646 .sp
622 647 .LP
623 648 Unlike previous implementations of \fBshare_nfs\fR, access checking for the
624 649 \fBwindow=, rw, ro, rw=,\fR and \fBro=\fR options is done per \fBNFS\fR
625 650 request, instead of per mount request.
626 651 .sp
627 652 .LP
628 653 Combining multiple security modes can be a security hole in situations where
629 654 the \fBro=\fR and \fBrw=\fR options are used to control access to weaker
630 655 security modes. In this example,
631 656 .sp
632 657 .in +2
633 658 .nf
634 659 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=dh,rw,sec=sys,rw=hosta /var\fR
635 660 .fi
636 661 .in -2
637 662 .sp
638 663
639 664 .sp
640 665 .LP
641 666 an intruder can forge the IP address for \fBhosta\fR (albeit on each \fBNFS\fR
642 667 request) to side-step the stronger controls of \fBAUTH_DES.\fR Something like:
643 668 .sp
644 669 .in +2
645 670 .nf
646 671 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=dh,rw,sec=sys,ro /var\fR
647 672 .fi
648 673 .in -2
649 674 .sp
650 675
651 676 .sp
652 677 .LP
653 678 is safer, because any client (intruder or legitimate) that avoids
654 679 \fBAUTH_DES\fR only gets read-only access. In general, multiple security modes
655 680 per \fBshare\fR command should only be used in situations where the clients
656 681 using more secure modes get stronger access than clients using less secure
657 682 modes.
658 683 .sp
659 684 .LP
660 685 If \fBrw=,\fR and \fBro=\fR options are specified in the same \fBsec=\fR
661 686 clause, and a client is in both lists, the order of the two options determines
662 687 the access the client gets. If client \fBhosta\fR is in two netgroups -
663 688 \fBgroup1\fR and \fBgroup2\fR - in this example, the client would get read-only
664 689 access:
665 690 .sp
666 691 .in +2
667 692 .nf
668 693 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=group1,rw=group2 /var\fR
669 694 .fi
670 695 .in -2
671 696 .sp
672 697
673 698 .sp
674 699 .LP
675 700 In this example \fBhosta\fR would get read-write access:
676 701 .sp
677 702 .in +2
678 703 .nf
679 704 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBrw=group2,ro=group1 /var\fR
680 705 .fi
681 706 .in -2
682 707 .sp
683 708
684 709 .sp
685 710 .LP
686 711 If within a \fBsec=\fR clause, both the \fBro\fR and \fBrw=\fR options are
687 712 specified, for compatibility, the order of the options rule is not enforced.
688 713 All hosts would get read-only access, with the exception to those in the
689 714 read-write list. Likewise, if the \fBro=\fR and \fBrw\fR options are specified,
690 715 all hosts get read-write access with the exceptions of those in the read-only
691 716 list.
692 717 .sp
693 718 .LP
694 719 The \fBro=\fR and \fBrw=\fR options are guaranteed to work over \fBUDP\fR and
695 720 \fBTCP\fR but may not work over other transport providers.
696 721 .sp
697 722 .LP
698 723 The \fBroot=\fR option with \fBAUTH_SYS\fR is guaranteed to work over \fBUDP\fR
699 724 and \fBTCP\fR but may not work over other transport providers.
700 725 .sp
701 726 .LP
702 727 The \fBroot=\fR option with \fBAUTH_DES\fR is guaranteed to work over any
703 728 transport provider.
704 729 .sp
705 730 .LP
706 731 There are no interactions between the \fBroot=\fR option and the \fBrw, ro,
707 732 rw=,\fR and \fBro=\fR options. Putting a host in the \fBroot\fR list does not
708 733 override the semantics of the other options. The access the host gets is the
709 734 same as when the \fBroot=\fR options is absent. For example, the following
710 735 \fBshare\fR command denies access to \fBhostb:\fR
711 736 .sp
712 737 .in +2
713 738 .nf
714 739 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=hosta,root=hostb /var\fR
715 740 .fi
716 741 .in -2
717 742 .sp
718 743
719 744 .sp
720 745 .LP
721 746 The following gives read-only permissions to \fBhostb:\fR
722 747 .sp
723 748 .in +2
724 749 .nf
725 750 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=hostb,root=hostb /var\fR
726 751 .fi
727 752 .in -2
728 753 .sp
729 754
730 755 .sp
731 756 .LP
732 757 The following gives read-write permissions to \fBhostb:\fR
733 758 .sp
734 759 .in +2
735 760 .nf
736 761 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=hosta,rw=hostb,root=hostb /var\fR
737 762 .fi
738 763 .in -2
739 764 .sp
740 765
741 766 .sp
742 767 .LP
743 768 If the file system being shared is a symbolic link to a valid pathname, the
744 769 canonical path (the path which the symbolic link follows) are shared. For
745 770 example, if \fB/export/foo\fR is a symbolic link to \fB/export/bar\fR
746 771 (\fB/export/foo -> /export/bar\fR), the following \fBshare\fR command results
747 772 in \fB/export/bar\fR as the shared pathname (and not \fB/export/foo\fR).
748 773 .sp
749 774 .in +2
750 775 .nf
751 776 \fBexample# share\fR \fB-F\fR \fBnfs /export/foo\fR
752 777 .fi
753 778 .in -2
754 779 .sp
755 780
756 781 .sp
757 782 .LP
758 783 An \fBNFS\fR mount of \fBserver:/export/foo\fR results in
759 784 \fBserver:/export/bar\fR really being mounted.
760 785 .sp
761 786 .LP
762 787 This line in the \fB/etc/dfs/dfstab\fR file shares the \fB/disk\fR file system
763 788 read-only at boot time:
764 789 .sp
765 790 .in +2
766 791 .nf
767 792 \fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro /disk\fR
768 793 .fi
769 794 .in -2
770 795 .sp
771 796
772 797 .sp
773 798 .LP
774 799 The same command entered from the command line does not share the \fB/disk\fR
775 800 file system unless there is at least one file system entry in the
776 801 \fB/etc/dfs/dfstab\fR file. The \fBmountd\fR(1M) and \fBnfsd\fR(1M) daemons
777 802 only run if there is a file system entry in \fB/etc/dfs/dfstab\fR when starting
778 803 or rebooting the system.
779 804 .sp
780 805 .LP
781 806 The \fBmountd\fR(1M) process allows the processing of a path name the contains
782 807 a symbolic link. This allows the processing of paths that are not themselves
783 808 explicitly shared with \fBshare_nfs\fR. For example, \fB/export/foo\fR might be
784 809 a symbolic link that refers to \fB/export/bar\fR which has been specifically
785 810 shared. When the client mounts \fB/export/foo\fR the \fBmountd\fR processing
786 811 follows the symbolic link and responds with the \fB/export/bar\fR. The NFS
787 812 Version 4 protocol does not use the \fBmountd\fR processing and the client's
788 813 use of \fB/export/foo\fR does not work as it does with NFS Version 2 and
789 814 Version 3 and the client receives an error when attempting to mount
790 815 \fB/export/foo\fR.
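Review bot: the new `nohide` entry explains that a client can now walk from the parent share into the nested file system, but it never says which share's options govern requests for objects under the child; since the entry's first sentence presupposes that both file systems are exported, please state whether the child's own `ro=`, `rw=`, `root=` and `sec=` settings apply to its contents (as "exports two filesystems" suggests) or the parent's, so that nobody reads `nohide` as extending the parent's access list over the nested file system. Two consistency nits in the same entry: the rest of this page spells it "file system" (two words) while the added text uses "filesystem" throughout, and the paragraph breaks inside the `.RS 4n`/`.RE` block are bare blank lines (including one directly after `.RS 4n`) where every other entry in this file uses `.sp`; mandoc's lint also reports a blank line in fill mode for those. Since the text points at the Linux option of the same name, a reference to exports(5) would let the reader compare the semantics; the closing sentence already mirrors the `nosub` entry's "only applies to NFS Version 2 and Version 3 requests" wording, which is good.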