.\"
.\" CDDL HEADER START
.\"
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\"
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\"
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.\"
.\" CDDL HEADER END
.\"
.\"
.\" Copyright (C) 2008, Sun Microsystems, Inc. All Rights Reserved
.\" Copyright 2014 Nexenta Systems, Inc. All rights reserved.
.\" Copyright 2016 Jason King.
.\"
.Dd March 23, 2017
.Dt SHARE_NFS 1M
.Os
.Sh NAME
.Nm share_nfs
.Nd make local NFS file systems available for mounting by remote systems
.Sh SYNOPSIS
.Nm share
.Op Fl d Ar description
.Op Fl F Sy nfs
.Op Fl o Ar specific_options
.Ar pathname
.Sh DESCRIPTION
The
.Nm share
utility makes local file systems available for mounting by remote systems.
It starts the
.Xr nfsd 1M
and
.Xr mountd 1M
daemons if they are not already running.
.Pp
If no argument is specified, then
.Nm share
displays all file systems currently shared, including NFS file systems and file
systems shared through other distributed file system packages.
.Sh OPTIONS
The following options are supported:
.Bl -tag -width "indented"
.It Fl d Ar description
Provide a comment that describes the file system to be shared.
.It Fl F Sy nfs
Share NFS file system type.
.It Fl o Ar specific_options
Specify
.Ar specific_options
in a comma-separated list of keywords and attribute-value-assertions for
interpretation by the file-system-type-specific command.
If
.Ar specific_options
is not specified, then by default sharing is read-write to all clients.
.Ar specific_options
can be any combination of the following:
.Bl -tag -width "indented"
.It Sy aclok
Allows the NFS server to do access control for NFS Version 2 clients (running
SunOS 2.4 or earlier).
When
.Sy aclok
is set on the server, maximal access is given to all clients.
For example, with
.Sy aclok
set, if anyone has read permissions, then everyone does.
If
.Sy aclok
is not set, minimal access is given to all clients.
.It Sy anon Ns = Ns Ar uid
Set
.Ar uid
to be the effective user ID of unknown users.
By default, unknown users are given the effective user ID UID_NOBODY.
If uid is set to -1, access is denied.
.It Ar charset Ns = Ns Ar access_list
Where
.Ar charset
is one of: euc-cn, euc-jp, euc-jpms, euc-kr, euc-tw, iso8859-1, iso8859-2,
iso8859-5, iso8859-6, iso8859-7, iso8859-8, iso8859-9, iso8859-13, iso8859-15,
koi8-r.
.Pp
Clients that match the
.Ar access_list
for one of these properties will be assumed to be using that character set and
file and path names will be converted to UTF-8 for the server.
.It Sy gidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
Where
.Ar mapping
is:
.Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
.Pp
Allows remapping the group ID (gid) in the incoming request to some other gid.
This effectively changes the identity of the user in the request to that of
some other local user.
.Pp
For clients where the gid in the incoming request is
.Ar clnt
and the client matches the
.Ar access_list ,
change the group ID to
.Ar srv .
If
.Ar clnt
is asterisk (*), all groups are mapped by this rule.
If
.Ar clnt
is omitted, all unknown groups are mapped by this rule.
If
.Ar srv
is set to -1, access is denied.
If
.Ar srv
is omitted, the gid is mapped to UID_NOBODY.
.Pp
The particular
.Ar mapping Ns s
are separated in the
.Sy gidmap Ns =
option by tilde (~) and are evaluated in the specified order until a match is
found.
Both
.Sy root Ns =
and
.Sy root_mapping Ns =
options (if specified) are evaluated before the
.Sy gidmap Ns =
option.
The
.Sy gidmap Ns =
option is skipped in the case where the client matches the
.Sy root Ns =
option.
.Pp
The
.Sy gidmap Ns =
option is evaluated before the
.Sy anon Ns =
option.
.Pp
This option is supported only for AUTH_SYS.
.It Sy index Ns = Ns Ar file
Load
.Ar file
rather than a listing of the directory containing this file when the
directory is referenced by an NFS URL.
.It Sy log Ns Oo = Ns Ar tag Oc
Enables NFS server logging for the specified file system.
The optional
.Ar tag
determines the location of the related log files.
The
.Ar tag
is defined in
.Pa /etc/nfs/nfslog.conf .
If no
.Ar tag
is specified, the default values associated with the global tag in
.Pa /etc/nfs/nfslog.conf
are used.
Support of NFS server logging is only available for NFS Version 2 and
Version 3 requests.
.It Sy nohide
By default, if server exports two filesystems, one of which is mounted as a
child of the other, NFS Version 2 and Version 3 clients must mount both
filesystems explicitly in order to access them.
If a client only mounts the parent, it will see an empty directory at the
location where the other filesystem is mounted.
.Pp
Setting the
.Sy nohide
option on a filesystem causes it to no longer be hidden in this manner, and the
client will be able to move from the parent filesystem to this one without
noticing the change.
However, some NFS clients or applications may not function correctly when
this option is used.
In particular, files on different underlying filesystems may appear to have
the same inode numbers.
The
.Sy nohide
option only applies to NFS Version 2 and Version 3 requests.
.It Sy noaclfab
By default, the NFS server will fabricate POSIX-draft style ACLs in response
to ACL requests from NFS Version 2 or Version 3 clients accessing shared
file systems that do not support POSIX-draft ACLs (such as ZFS).
Specifying
.Sy noaclfab
disables this behavior.
.It Sy none Ns = Ns Ar access_list
Access is not allowed to any client that matches the access list.
The exception is when the access list is an asterisk (*), in which case
.Sy ro
or
.Sy rw
can override
.Sy none .
.It Sy nosub
Prevents clients from mounting subdirectories of shared directories.
For example, if
.Pa /export
is shared with the
.Sy nosub
option on server
.Qq fooey
then a NFS client cannot do:
.Bd -literal -offset indent
mount -F nfs fooey:/export/home/mnt
.Ed
.Pp
NFS Version 4 does not use the MOUNT protocol.
The
.Sy nosub
option only applies to NFS Version 2 and Version 3 requests.
.It Sy nosuid
By default, clients are allowed to create files on the shared file system with
the setuid or setgid mode enabled.
Specifying
.Sy nosuid
causes the server file system to silently ignore any attempt to enable the
setuid or setgid mode bits.
.It Sy public
Moves the location of the public file handle from root
.Pa ( / )
to the exported directory for WebNFS-enabled browsers and clients.
This option does not enable WebNFS service; WebNFS is always on.
Only one file system per server may use this option.
Any other option, including the
.Sy ro Ns = Ns Ar list
and
.Sy rw Ns = Ns Ar list
options can be included with the
.Sy public
option.
.It Sy ro
Sharing is read-only to all clients.
.It Sy ro Ns = Ns Ar access_list
Sharing is read-only to the clients listed in
.Ar access_list ;
overrides the
.Sy rw
suboption for the clients specified.
See
.Sx access_list
below.
.It Sy root Ns = Ns Ar access_list
Only root users from the hosts specified in
.Ar access_list
have root access.
See
.Sx access_list
below.
By default, no host has root access, so root users are mapped to an anonymous
user ID (see the
.Sy anon Ns = Ns Ar uid
option described above).
Netgroups can be used if the file system shared is using UNIX authentication
(AUTH_SYS).
.It Sy root_mapping Ns = Ns Ar uid
For a client that is allowed root access, map the root UID to the specified
user id.
.It Sy rw
Sharing is read-write to all clients.
.It Sy rw Ns = Ns Ar access_list
Sharing is read-write to the clients listed in
.Ar access_list ;
overrides the
.Sy ro
suboption for the clients specified.
See
.Sx access_list
below.
.It Sy sec Ns = Ns Ar mode Ns Oo : Ns Ar mode Oc Ns ...
Sharing uses one or more of the specified security modes.
The
.Ar mode
in the
.Sy sec Ns = Ns Ar mode
option must be a mode name supported on the client.
If the
.Sy sec Ns =
option is not specified, the default security mode used is AUTH_SYS.
Multiple
.Sy sec Ns =
options can be specified on the command line, although each mode can appear
only once.
The security modes are defined in
.Xr nfssec 5 .
.Pp
Each
.Sy sec Ns =
option specifies modes that apply to any subsequent
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
.Sy ro Ns = ,
and
.Sy root Ns =
options that are provided before another
.Sy sec Ns =
option.
Each additional
.Sy sec Ns =
resets the security mode context, so that more
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
.Sy ro Ns = ,
and
.Sy root Ns =
options can be supplied for additional modes.
.It Sy sec Ns = Ns Sy none
If the option
.Sy sec Ns = Ns Sy none
is specified when the client uses AUTH_NONE, or if the client uses a security
mode that is not one that the file system is shared with, then the credential
of each NFS request is treated as unauthenticated.
See the
.Sy anon Ns = Ns Ar uid
option for a description of how unauthenticated requests are handled.
.It Sy secure
This option has been deprecated in favor of the
.Sy sec Ns = Ns Sy dh
option.
.It Sy uidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
Where
.Ar mapping
is:
.Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
.Pp
Allows remapping the user ID (uid) in the incoming request to some other uid.
This effectively changes the identity of the user in the request to that of
some other local user.
.Pp
For clients where the uid in the incoming request is
.Ar clnt
and the client matches the
.Ar access_list ,
change the user ID to
.Ar srv .
If
.Ar clnt
is asterisk (*), all users are mapped by this rule.
If
.Ar clnt
is omitted, all unknown users are mapped by this rule.
If
.Ar srv
is set to -1, access is denied.
If
.Ar srv
is omitted, the uid is mapped to UID_NOBODY.
.Pp
The particular
.Ar mapping Ns s
are separated in the
.Sy uidmap Ns =
option by tilde (~) and are evaluated in the specified order until a match is
found.
Both
.Sy root Ns =
and
.Sy root_mapping Ns =
options (if specified) are evaluated before the
.Sy uidmap Ns =
option.
The
.Sy uidmap Ns =
option is skipped in the case where the client matches the
.Sy root Ns =
option.
.Pp
The
.Sy uidmap Ns =
option is evaluated before the
.Sy anon Ns =
option.
.Pp
This option is supported only for AUTH_SYS.
.It Sy window Ns = Ns Ar value
When sharing with
.Sy sec Ns = Ns Sy dh ,
set the maximum life time (in seconds) of the RPC request's credential (in the
authentication header) that the NFS server allows.
If a credential arrives with a life time larger than what is allowed, the NFS
server rejects the request.
The default value is 30000 seconds (8.3 hours).
.El
.El
.Ss access_list
The
.Ar access_list
argument is a colon-separated list whose components may be any number of the
following:
.Bl -tag -width "indented"
.It Sy hostname
The name of a host.
With a server configured for DNS or LDAP naming in the nsswitch
.Sy hosts
entry, any hostname must be represented as a fully qualified DNS or LDAP name.
.It Sy netgroup
A netgroup contains a number of hostnames.
With a server configured for DNS or LDAP naming in the nsswitch
.Sy hosts
entry, any hostname in a netgroup must be represented as a fully qualified DNS
or LDAP name.
.It Sy domain name suffix
To use domain membership the server must use DNS or LDAP to resolve hostnames to
IP addresses; that is, the
.Sy hosts
entry in the
.Pa /etc/nsswitch.conf
must specify
.Sy dns
or
.Sy ldap
ahead of
.Sy nis
since only DNS and LDAP return the full domain name of the host.
Other name services like NIS cannot be used to resolve hostnames on the server
because when mapping an IP address to a hostname they do not return domain
information.
For example,
.Bd -literal -offset indent
NIS 172.16.45.9 --> "myhost"
.Ed
.Pp
and
.Bd -literal -offset indent
DNS or LDAP 172.16.45.9 --> "myhost.mydomain.mycompany.com"
.Ed
.Pp
The domain name suffix is distinguished from hostnames and netgroups by a
prefixed dot.
For example,
.Bd -literal -offset indent
rw=.mydomain.mycompany.com
.Ed
.Pp
A single dot can be used to match a hostname with no suffix.
For example,
.Bd -literal -offset indent
rw=.
.Ed
.Pp
matches
.Qq mydomain
but not
.Qq mydomain.mycompany.com .
This feature can be used to match hosts resolved through NIS rather
than DNS and LDAP.
.It Sy network
The network or subnet component is preceded by an at-sign (@).
It can be either a name or a dotted address.
If a name, it is converted to a dotted address by
.Xr getnetbyname 3SOCKET .
For example,
.Bd -literal -offset indent
=@mynet
.Ed
.Pp
would be equivalent to:
.Bd -literal -offset indent
=@172.16 or =@172.16.0.0
.Ed
.Pp
The network prefix assumes an octet-aligned netmask determined from the zeroth
octet in the low-order part of the address up to and including the high-order
octet, if you want to specify a single IP address (see below).
In the case where network prefixes are not byte-aligned, the syntax allows a
mask length to be specified explicitly following a slash (/) delimiter.
For example,
.Bd -literal -offset indent
=@theothernet/17 or =@172.16.132/22
.Ed
.Pp
where the mask is the number of leftmost contiguous significant bits in the
corresponding IP address.
.Pp
When specifying individual IP addresses, use the same @ notation described
above, without a netmask specification.
For example:
.Bd -literal -offset indent
=@172.16.132.14
.Ed
.Pp
Multiple, individual IP addresses would be specified, for example, as:
.Bd -literal -offset indent
root=@172.16.132.20:@172.16.134.20
.Ed
.El
.Pp
A prefixed minus sign (-) denies access to that component of
.Ar access_list .
The list is searched sequentially until a match is found that either grants or
denies access, or until the end of the list is reached.
For example, if host
.Qq terra
is in the
.Qq engineering
netgroup, then
.Bd -literal -offset indent
rw=-terra:engineering
.Ed
.Pp
denies access to
.Qq terra
but
.Bd -literal -offset indent
rw=engineering:-terra
.Ed
.Pp
grants access to
.Qq terra .
.Sh OPERANDS
The following operands are supported:
.Bl -tag -width "pathname"
.It Sy pathname
The pathname of the file system to be shared.
.El
.Sh FILES
.Bl -tag -width "/etc/nfs/nfslog.conf"
.It Pa /etc/dfs/fstypes
list of system types, NFS by default
.It Pa /etc/dfs/sharetab
system record of shared file systems
.It Pa /etc/nfs/nfslogtab
system record of logged file systems
.It Pa /etc/nfs/nfslog.conf
logging configuration file
.El
.Sh EXIT STATUS
.Ex -std
.Sh EXAMPLES
.Ss Example 1 Sharing A File System With Logging Enabled
The following example shows the
.Pa /export
file system shared with logging enabled:
.Bd -literal -offset indent
share -o log /export
.Ed
.Pp
The default global logging parameters are used since no tag identifier is
specified.
The location of the log file, as well as the necessary logging work
files, is specified by the global entry in
.Pa /etc/nfs/nfslog.conf .
The
.Xr nfslogd 1M
daemon runs only if at least one file system entry in
.Pa /etc/dfs/dfstab
is shared with logging enabled upon starting or rebooting the system.
Simply sharing a file system with logging enabled from the command line does not
start the
.Xr nfslogd 1M .
.Ss Example 2 Remap A User Coming From The Particular NFS Client
The following example remaps the user with uid
.Sy 100
at client
.Sy 10.0.0.1
to user
.Sy joe :
.Bd -literal -offset indent
share -o uidmap=100:joe:@10.0.0.1 /export
.Ed
.Sh SEE ALSO
.Xr mount 1M ,
.Xr mountd 1M ,
.Xr nfsd 1M ,
.Xr nfslogd 1M ,
.Xr share 1M ,
.Xr unshare 1M ,
.Xr getnetbyname 3SOCKET ,
.Xr netgroup 4 ,
.Xr nfslog.conf 4 ,
.Xr acl 5 ,
.Xr attributes 5 ,
.Xr nfssec 5
.Sh NOTES
If the
.Sy sec Ns =
option is presented at least once, all uses of the
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
.Sy ro Ns = ,
and
.Sy root Ns =
options must come after the first
.Sy sec Ns =
option.
If the
.Sy sec Ns =
option is not presented, then
.Sy sec Ns = Ns Sy sys
is implied.
.Pp
If one or more explicit
.Sy sec Ns =
options are presented,
.Sy sys
must appear in one of the options mode lists for accessing using the AUTH_SYS
security mode to be allowed.
For example:
.Bd -literal -offset indent
share -F nfs /var
share -F nfs -o sec=sys /var
.Ed
.Pp
grants read-write access to any host using AUTH_SYS, but
.Bd -literal -offset indent
share -F nfs -o sec=dh /var
.Ed
.Pp
grants no access to clients that use AUTH_SYS.
.Pp
Unlike previous implementations of
.Nm ,
access checking for the
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
and
.Sy ro Ns =
options is done per NFS request, instead of per mount request.
.Pp
Combining multiple security modes can be a security hole in situations where
the
.Sy ro Ns =
and
.Sy rw Ns =
options are used to control access to weaker security modes.
In this example,
.Bd -literal -offset indent
share -F nfs -o sec=dh,rw,sec=sys,rw=hosta /var
.Ed
.Pp
an intruder can forge the IP address for
.Qq hosta
(albeit on each NFS request) to side-step the stronger controls of AUTH_DES.
Something like:
.Bd -literal -offset indent
share -F nfs -o sec=dh,rw,sec=sys,ro /var
.Ed
.Pp
is safer, because any client (intruder or legitimate) that avoids AUTH_DES only
gets read-only access.
In general, multiple security modes per share command should only be used in
situations where the clients using more secure modes get stronger access than
clients using less secure modes.
.Pp
If
.Sy rw Ns =
and
.Sy ro Ns =
options are specified in the same
.Sy sec Ns =
clause, and a client is in both lists, the order of the two options determines
the access the client gets.
If client
.Qq hosta
is in two netgroups,
.Qq group1
and
.Qq group2 ,
in this example, the client would get read-only access:
.Bd -literal -offset indent
share -F nfs -o ro=group1,rw=group2 /var
.Ed
.Pp
In this example
.Qq hosta
would get read-write access:
.Bd -literal -offset indent
share -F nfs -o rw=group2,ro=group1 /var
.Ed
.Pp
If within a
.Sy sec Ns =
clause, both the
.Sy ro
and
.Sy rw Ns =
options are specified, for compatibility, the order of the options rule is not
enforced.
All hosts would get read-only access, with the exception to those in the
read-write list.
Likewise, if the
.Sy ro Ns =
and
.Sy rw
options are specified, all hosts get read-write access with the exceptions of
those in the read-only list.
.Pp
The
.Sy ro Ns =
and
.Sy rw Ns =
options are guaranteed to work over UDP and TCP but may not work over other
transport providers.
.Pp
The
.Sy root Ns =
option with AUTH_SYS is guaranteed to work over UDP and TCP but may not work
over other transport providers.
.Pp
The
.Sy root Ns =
option with AUTH_DES is guaranteed to work over any transport provider.
.Pp
There are no interactions between the
.Sy root Ns =
option and the
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
and
.Sy ro Ns =
options.
Putting a host in the root list does not override the semantics of the other
options.
The access the host gets is the same as when the
.Sy root Ns =
option is absent.
For example, the following share command denies access to
.Qq hostb :
.Bd -literal -offset indent
share -F nfs -o ro=hosta,root=hostb /var
.Ed
.Pp
The following gives read-only permissions to
.Qq hostb :
.Bd -literal -offset indent
share -F nfs -o ro=hostb,root=hostb /var
.Ed
.Pp
The following gives read-write permissions to
.Qq hostb :
.Bd -literal -offset indent
share -F nfs -o ro=hosta,rw=hostb,root=hostb /var
.Ed
.Pp
If the file system being shared is a symbolic link to a valid pathname, the
canonical path (the path which the symbolic link follows) is shared.
For example, if
.Pa /export/foo
is a symbolic link to
.Pa /export/bar ,
the following share command results in
.Pa /export/bar
as the shared pathname (and not
.Pa /export/foo ) :
.Bd -literal -offset indent
share -F nfs /export/foo
.Ed
.Pp
An NFS mount of
.Lk server:/export/foo
results in
.Lk server:/export/bar
really being mounted.
.Pp
This line in the
.Pa /etc/dfs/dfstab
file shares the
.Pa /disk
file system read-only at boot time:
.Bd -literal -offset indent
share -F nfs -o ro /disk
.Ed
.Pp
The
.Xr mountd 1M
process allows the processing of a path name that contains a symbolic link.
This allows the processing of paths that are not themselves explicitly shared
with
.Nm .
For example,
.Pa /export/foo
might be a symbolic link that refers to
.Pa /export/bar
which has been specifically shared.
When the client mounts
.Pa /export/foo
the mountd processing follows the symbolic link and responds with the
.Pa /export/bar .
The NFS Version 4 protocol does not use the mountd processing and the client's
use of
.Pa /export/foo
does not work as it does with NFS Version 2 and Version 3 and the client
receives an error when attempting to mount
.Pa /export/foo .
.Pp
The
.Sy nohide
option violates RFC 1094,
.%T "Network File System Protocol Specification"
and RFC 1813,
.%T "NFS: Network File System Version 3 Protocol Specification"
.Pp
The
.Sy nohide
option is provided for compatibility with Linux NFS.
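The access_list matching rules and the sec= clause ordering described in NOTES, modeled as an added Python example (not part of the illumos source or of this manual page) that resolves a client's access from a share option string and flags shares where a weaker security mode is granted read-write.
Assumptions: all function names are hypothetical, only dotted @network forms are handled (no getnetbyname lookup), none= and sec=none are not modeled, a negated match is treated as ending the search with no access, and only the dh-over-sys ordering stated above is ranked.

```python
import ipaddress

STRENGTH = ("sys", "dh")  # assumption: only the AUTH_DES-over-AUTH_SYS order the page states

def parse_network(spec):
    """'@172.16', '@172.16.0.0', '@172.16.132/22', '@172.16.132.14' -> IPv4Network."""
    addr, _, masklen = spec[1:].partition("/")
    octets = addr.split(".")
    if not masklen:
        # Octet-aligned mask: ignore trailing zero octets, 8 bits per remaining octet.
        while len(octets) > 1 and octets[-1] == "0":
            octets.pop()
        masklen = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + f"/{masklen}", strict=False)

def match_access_list(access_list, host, ip, netgroups=()):
    """True = granted, False = denied by a '-' component, None = nothing matched."""
    for comp in access_list.split(":"):
        deny = comp.startswith("-")
        comp = comp[1:] if deny else comp
        if comp.startswith("@"):
            hit = ipaddress.ip_address(ip) in parse_network(comp)
        elif comp == ".":
            hit = "." not in host          # hostname with no suffix
        elif comp.startswith("."):
            hit = host.endswith(comp)      # domain name suffix
        else:
            hit = comp == host or comp in netgroups
        if hit:
            return not deny                # sequential search: first match decides
    return None

def parse_clauses(options):
    """Group rw, ro, rw= and ro= under the sec= option they follow."""
    clauses = []
    for opt in options.split(","):
        key, _, val = opt.partition("=")
        if key == "sec":
            clauses.append({"modes": val.split(":"), "access": []})
        elif key in ("rw", "ro"):
            if not clauses:                # no sec= given: sec=sys is implied
                clauses.append({"modes": ["sys"], "access": []})
            clauses[-1]["access"].append((key, val or None))
    return clauses or [{"modes": ["sys"], "access": []}]

def effective_access(options, mode, host, ip, netgroups=()):
    """'rw', 'ro' or 'none' for one request made with security mode `mode`."""
    clause = next((c for c in parse_clauses(options) if mode in c["modes"]), None)
    if clause is None:
        return "none"                      # e.g. AUTH_SYS client against sec=dh
    if not clause["access"]:
        return "rw"                        # default: read-write to all clients
    fallback = "none"
    for kind, access_list in clause["access"]:
        if access_list is None:
            fallback = kind                # bare rw/ro covers hosts no list names
            continue
        verdict = match_access_list(access_list, host, ip, netgroups)
        if verdict is not None:
            return kind if verdict else "none"   # assumption: '-' match ends the search
    return fallback

def weaker_mode_findings(options):
    """List sec= clauses that grant rw although a stronger mode is shared too."""
    def rank(clause):  # weakest ranked mode in the clause; unranked modes give -1
        return min((STRENGTH.index(m) for m in clause["modes"] if m in STRENGTH), default=-1)
    clauses = parse_clauses(options)
    strongest = max(map(rank, clauses))
    return ["sec=" + ":".join(c["modes"]) for c in clauses
            if 0 <= rank(c) < strongest
            and (not c["access"] or any(k == "rw" for k, _ in c["access"]))]
```

Pass the string given to -o, for example weaker_mode_findings("sec=dh,rw,sec=sys,rw=hosta"), which reports the sec=sys clause, while the sec=dh,rw,sec=sys,ro form from NOTES reports nothing.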