2988 nfssrv: need ability to go to submounts for v3 and v2 protocols
Portions contributed by: Marcel Telka <marcel.telka@nexenta.com>
Portions contributed by: Jean McCormack <jean.mccormack@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
Reviewed by: Alek Pinchuk <alek.pinchuk@nexenta.com>
Reviewed by: Dan Fields <dan.fields@nexenta.com>
Reviewed by: Dan McDonald <danmcd@joyent.com>
Change-Id: I6fdf110cc17e789353c4442b83a46cb80643456e
--- old/usr/src/man/man1m/share_nfs.1m
+++ new/usr/src/man/man1m/share_nfs.1m
1 1 .\"
2 2 .\" CDDL HEADER START
3 3 .\"
4 4 .\" The contents of this file are subject to the terms of the
5 5 .\" Common Development and Distribution License (the "License").
6 6 .\" You may not use this file except in compliance with the License.
7 7 .\"
8 8 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 .\" or http://www.opensolaris.org/os/licensing.
10 10 .\" See the License for the specific language governing permissions
11 11 .\" and limitations under the License.
12 12 .\"
13 13 .\" When distributing Covered Code, include this CDDL HEADER in each
14 14 .\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 .\" If applicable, add the following below this CDDL HEADER, with the
16 16 .\" fields enclosed by brackets "[]" replaced with your own identifying
17 17 .\" information: Portions Copyright [yyyy] [name of copyright owner]
18 18 .\"
19 19 .\" CDDL HEADER END
20 20 .\"
21 21 .\"
22 22 .\" Copyright (C) 2008, Sun Microsystems, Inc. All Rights Reserved
23 23 .\" Copyright 2014 Nexenta Systems, Inc. All rights reserved.
24 24 .\" Copyright 2016 Jason King.
25 25 .\"
26 26 .Dd March 23, 2017
27 27 .Dt SHARE_NFS 1M
28 28 .Os
29 29 .Sh NAME
30 30 .Nm share_nfs
31 31 .Nd make local NFS file systems available for mounting by remote systems
32 32 .Sh SYNOPSIS
33 33 .Nm share
34 34 .Op Fl d Ar description
35 35 .Op Fl F Sy nfs
36 36 .Op Fl o Ar specific_options
37 37 .Ar pathname
38 38 .Sh DESCRIPTION
39 39 The
40 40 .Nm share
41 41 utility makes local file systems available for mounting by remote systems.
42 42 It starts the
43 43 .Xr nfsd 1M
44 44 and
45 45 .Xr mountd 1M
46 46 daemons if they are not already running.
47 47 .Pp
48 48 If no argument is specified, then
49 49 .Nm share
50 50 displays all file systems currently shared, including NFS file systems and file
51 51 systems shared through other distributed file system packages.
52 52 .Sh OPTIONS
53 53 The following options are supported:
54 54 .Bl -tag -width "indented"
55 55 .It Fl d Ar description
56 56 Provide a comment that describes the file system to be shared.
57 57 .It Fl F Sy nfs
58 58 Share NFS file system type.
59 59 .It Fl o Ar specific_options
60 60 Specify
61 61 .Ar specific_options
62 62 in a comma-separated list of keywords and attribute-value-assertions for
63 63 interpretation by the file-system-type-specific command.
64 64 If
65 65 .Ar specific_options
66 66 is not specified, then by default sharing is read-write to all clients.
67 67 .Ar specific_options
68 68 can be any combination of the following:
69 69 .Bl -tag -width "indented"
70 70 .It Sy aclok
71 71 Allows the NFS server to do access control for NFS Version 2 clients (running
72 72 SunOS 2.4 or earlier).
73 73 When
74 74 .Sy aclok
75 75 is set on the server, maximal access is given to all clients.
76 76 For example, with
77 77 .Sy aclok
78 78 set, if anyone has read permissions, then everyone does.
79 79 If
80 80 .Sy aclok
81 81 is not set, minimal access is given to all clients.
82 82 .It Sy anon Ns = Ns Ar uid
83 83 Set
84 84 .Ar uid
85 85 to be the effective user ID of unknown users.
86 86 By default, unknown users are given the effective user ID UID_NOBODY.
87 87 If uid is set to -1, access is denied.
88 88 .It Ar charset Ns = Ns Ar access_list
89 89 Where
90 90 .Ar charset
91 91 is one of: euc-cn, euc-jp, euc-jpms, euc-kr, euc-tw, iso8859-1, iso8859-2,
92 92 iso8859-5, iso8859-6, iso8859-7, iso8859-8, iso8859-9, iso8859-13, iso8859-15,
93 93 koi8-r.
94 94 .Pp
95 95 Clients that match the
96 96 .Ar access_list
97 97 for one of these properties will be assumed to be using that character set and
98 98 file and path names will be converted to UTF-8 for the server.
99 99 .It Sy gidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
100 100 Where
101 101 .Ar mapping
102 102 is:
103 103 .Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
104 104 .Pp
105 105 Allows remapping the group ID (gid) in the incoming request to some other gid.
106 106 This effectively changes the identity of the user in the request to that of
107 107 some other local user.
108 108 .Pp
109 109 For clients where the gid in the incoming request is
110 110 .Ar clnt
111 111 and the client matches the
112 112 .Ar access_list ,
113 113 change the group ID to
114 114 .Ar srv .
115 115 If
116 116 .Ar clnt
117 117 is asterisk (*), all groups are mapped by this rule.
118 118 If
119 119 .Ar clnt
120 120 is omitted, all unknown groups are mapped by this rule.
121 121 If
122 122 .Ar srv
123 123 is set to -1, access is denied.
124 124 If
125 125 .Ar srv
126 126 is omitted, the gid is mapped to UID_NOBODY.
127 127 .Pp
128 128 The particular
129 129 .Ar mapping Ns s
130 130 are separated in the
131 131 .Sy gidmap Ns =
132 132 option by tilde (~) and are evaluated in the specified order until a match is
133 133 found.
134 134 Both
135 135 .Sy root Ns =
136 136 and
137 137 .Sy root_mapping Ns =
138 138 options (if specified) are evaluated before the
139 139 .Sy gidmap Ns =
140 140 option.
141 141 The
142 142 .Sy gidmap Ns =
143 143 option is skipped in the case where the client matches the
144 144 .Sy root Ns =
145 145 option.
146 146 .Pp
147 147 The
148 148 .Sy gidmap Ns =
149 149 option is evaluated before the
150 150 .Sy anon Ns =
151 151 option.
152 152 .Pp
153 153 This option is supported only for AUTH_SYS.
154 154 .It Sy index Ns = Ns Ar file
155 155 Load
156 156 .Ar file
157 157 rather than a listing of the directory containing this file when the
158 158 directory is referenced by an NFS URL.
159 159 .It Sy log Ns Oo = Ns Ar tag Oc
160 160 Enables NFS server logging for the specified file system.
161 161 The optional
162 162 .Ar tag
163 163 determines the location of the related log files.
164 164 The
165 165 .Ar tag
166 166 is defined in
167 167 .Pa /etc/nfs/nfslog.conf .
168 168 If no
169 169 .Ar tag
170 170 is specified, the default values associated with the global tag in
171 171 .Pa /etc/nfs/nfslog.conf
172 172 are used.
173 173 Support of NFS server logging is only available for NFS Version 2 and
174 174 Version 3 requests.
175 +.It Sy nohide
176 +By default, if server exports two filesystems, one of which is mounted as a
177 +child of the other, NFS Version 2 and Version 3 clients must mount both
178 +filesystems explicitly in order to access them.
179 +If a client only mounts the parent, it will see an empty directory at the
180 +location where the other filesystem is mounted.
181 +.Pp
182 +Setting the
183 +.Sy nohide
184 +option on a filesystem causes it to no longer be hidden in this manner, and the
185 +client will be able to move from the parent filesystem to this one without
186 +noticing the change.
187 +However, some NFS clients or applications may not function correctly when
188 +this option is used.
189 +In particular, files on different underlying filesystems may appear to have
190 +the same inode numbers.
191 +The
192 +.Sy nohide
193 +option only applies to NFS Version 2 and Version 3 requests.
175 194 .It Sy noaclfab
176 195 By default, the NFS server will fabricate POSIX-draft style ACLs in response
177 196 to ACL requests from NFS Version 2 or Version 3 clients accessing shared
178 197 file systems that do not support POSIX-draft ACLs (such as ZFS).
179 198 Specifying
180 199 .Sy noaclfab
181 200 disables this behavior.
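Review bot: the new `.It Sy nohide` entry is placed ahead of `.It Sy noaclfab`, but the option list is otherwise alphabetical (aclok, anon, charset, gidmap, index, log, noaclfab, none, nosub, nosuid, public, ...), so it belongs between noaclfab and none. Two wording points in the same lines: "if server exports two filesystems" needs an article ("if a server exports"), and the rest of this page spells it "file system" (see the noaclfab, nosub and nosuid entries), so the new text should follow that. On substance, the entry should say explicitly on which share the option is set; "Setting the nohide option on a filesystem causes it to no longer be hidden" reads as the child, the one mounted beneath the parent, and stating that plainly avoids administrators putting it on the parent. Since the client can then "move from the parent filesystem to this one", the entry should also state which share's access controls (ro=, rw=, root=, sec=) govern requests that cross into the child, because as written the reader cannot tell whether the child's own ro=/root= lists still apply once it is reached through the parent. The nosub entry already notes that NFS Version 4 does not use the MOUNT protocol; a matching sentence here would explain why nohide only applies to Version 2 and Version 3 requests.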
182 201 .It Sy none Ns = Ns Ar access_list
183 202 Access is not allowed to any client that matches the access list.
184 203 The exception is when the access list is an asterisk (*), in which case
185 204 .Sy ro
186 205 or
187 206 .Sy rw
188 207 can override
189 208 .Sy none .
190 209 .It Sy nosub
191 210 Prevents clients from mounting subdirectories of shared directories.
192 211 For example, if
193 212 .Pa /export
194 213 is shared with the
195 214 .Sy nosub
196 215 option on server
197 216 .Qq fooey
198 217 then a NFS client cannot do:
199 218 .Bd -literal -offset indent
200 219 mount -F nfs fooey:/export/home/mnt
201 220 .Ed
202 221 .Pp
203 222 NFS Version 4 does not use the MOUNT protocol.
204 223 The
205 224 .Sy nosub
206 225 option only applies to NFS Version 2 and Version 3 requests.
207 226 .It Sy nosuid
208 227 By default, clients are allowed to create files on the shared file system with
209 228 the setuid or setgid mode enabled.
210 229 Specifying
211 230 .Sy nosuid
212 231 causes the server file system to silently ignore any attempt to enable the
213 232 setuid or setgid mode bits.
214 233 .It Sy public
215 234 Moves the location of the public file handle from root
216 235 .Pa ( / )
217 236 to the exported directory for WebNFS-enabled browsers and clients.
218 237 This option does not enable WebNFS service; WebNFS is always on.
219 238 Only one file system per server may use this option.
220 239 Any other option, including the
221 240 .Sy ro Ns = Ns Ar list
222 241 and
223 242 .Sy rw Ns = Ns Ar list
224 243 options can be included with the
225 244 .Sy public
226 245 option.
227 246 .It Sy ro
228 247 Sharing is read-only to all clients.
229 248 .It Sy ro Ns = Ns Ar access_list
230 249 Sharing is read-only to the clients listed in
231 250 .Ar access_list ;
232 251 overrides the
233 252 .Sy rw
234 253 suboption for the clients specified.
235 254 See
236 255 .Sx access_list
237 256 below.
238 257 .It Sy root Ns = Ns Ar access_list
239 258 Only root users from the hosts specified in
240 259 .Ar access_list
241 260 have root access.
242 261 See
243 262 .Sx access_list
244 263 below.
245 264 By default, no host has root access, so root users are mapped to an anonymous
246 265 user ID (see the
247 266 .Sy anon Ns = Ns Ar uid
248 267 option described above).
249 268 Netgroups can be used if the file system shared is using UNIX authentication
250 269 (AUTH_SYS).
251 270 .It Sy root_mapping Ns = Ns Ar uid
252 271 For a client that is allowed root access, map the root UID to the specified
253 272 user id.
254 273 .It Sy rw
255 274 Sharing is read-write to all clients.
256 275 .It Sy rw Ns = Ns Ar access_list
257 276 Sharing is read-write to the clients listed in
258 277 .Ar access_list ;
259 278 overrides the
260 279 .Sy ro
261 280 suboption for the clients specified.
262 281 See
263 282 .Sx access_list
264 283 below.
265 284 .It Sy sec Ns = Ns Ar mode Ns Oo : Ns Ar mode Oc Ns ...
266 285 Sharing uses one or more of the specified security modes.
267 286 The
268 287 .Ar mode
269 288 in the
270 289 .Sy sec Ns = Ns Ar mode
271 290 option must be a mode name supported on the client.
272 291 If the
273 292 .Sy sec Ns =
274 293 option is not specified, the default security mode used is AUTH_SYS.
275 294 Multiple
276 295 .Sy sec Ns =
277 296 options can be specified on the command line, although each mode can appear
278 297 only once.
279 298 The security modes are defined in
280 299 .Xr nfssec 5 .
281 300 .Pp
282 301 Each
283 302 .Sy sec Ns =
284 303 option specifies modes that apply to any subsequent
285 304 .Sy window Ns = ,
286 305 .Sy rw ,
287 306 .Sy ro ,
288 307 .Sy rw Ns = ,
289 308 .Sy ro Ns = ,
290 309 and
291 310 .Sy root Ns =
292 311 options that are provided before another
293 312 .Sy sec Ns =
294 313 option.
295 314 Each additional
296 315 .Sy sec Ns =
297 316 resets the security mode context, so that more
298 317 .Sy window Ns = ,
299 318 .Sy rw ,
300 319 .Sy ro ,
301 320 .Sy rw Ns = ,
302 321 .Sy ro Ns = ,
303 322 and
304 323 .Sy root Ns =
305 324 options can be supplied for additional modes.
306 325 .It Sy sec Ns = Ns Sy none
307 326 If the option
308 327 .Sy sec Ns = Ns Sy none
309 328 is specified when the client uses AUTH_NONE, or if the client uses a security
310 329 mode that is not one that the file system is shared with, then the credential
311 330 of each NFS request is treated as unauthenticated.
312 331 See the
313 332 .Sy anon Ns = Ns Ar uid
314 333 option for a description of how unauthenticated requests are handled.
315 334 .It Sy secure
316 335 This option has been deprecated in favor of the
317 336 .Sy sec Ns = Ns Sy dh
318 337 option.
319 338 .It Sy uidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
320 339 Where
321 340 .Ar mapping
322 341 is:
323 342 .Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
324 343 .Pp
325 344 Allows remapping the user ID (uid) in the incoming request to some other uid.
326 345 This effectively changes the identity of the user in the request to that of
327 346 some other local user.
328 347 .Pp
329 348 For clients where the uid in the incoming request is
330 349 .Ar clnt
331 350 and the client matches the
332 351 .Ar access_list ,
333 352 change the user ID to
334 353 .Ar srv .
335 354 If
336 355 .Ar clnt
337 356 is asterisk (*), all users are mapped by this rule.
338 357 If
339 358 .Ar clnt
340 359 is omitted, all unknown users are mapped by this rule.
341 360 If
342 361 .Ar srv
343 362 is set to -1, access is denied.
344 363 If
345 364 .Ar srv
346 365 is omitted, the uid is mapped to UID_NOBODY.
347 366 .Pp
348 367 The particular
349 368 .Ar mapping Ns s
350 369 are separated in the
351 370 .Sy uidmap Ns =
352 371 option by tilde (~) and are evaluated in the specified order until a match is
353 372 found.
354 373 Both
355 374 .Sy root Ns =
356 375 and
357 376 .Sy root_mapping Ns =
358 377 options (if specified) are evaluated before the
359 378 .Sy uidmap Ns =
360 379 option.
361 380 The
362 381 .Sy uidmap Ns =
363 382 option is skipped in the case where the client matches the
364 383 .Sy root Ns =
365 384 option.
366 385 .Pp
367 386 The
368 387 .Sy uidmap Ns =
369 388 option is evaluated before the
370 389 .Sy anon Ns =
371 390 option.
372 391 .Pp
373 392 This option is supported only for AUTH_SYS.
374 393 .It Sy window Ns = Ns Ar value
375 394 When sharing with
376 395 .Sy sec Ns = Ns Sy dh ,
377 396 set the maximum life time (in seconds) of the RPC request's credential (in the
378 397 authentication header) that the NFS server allows.
379 398 If a credential arrives with a life time larger than what is allowed, the NFS
380 399 server rejects the request.
381 400 The default value is 30000 seconds (8.3 hours).
382 401 .El
383 402 .El
384 403 .Ss access_list
385 404 The
386 405 .Ar access_list
387 406 argument is a colon-separated list whose components may be any number of the
388 407 following:
389 408 .Bl -tag -width "indented"
390 409 .It Sy hostname
391 410 The name of a host.
392 411 With a server configured for DNS or LDAP naming in the nsswitch
393 412 .Sy hosts
394 413 entry, any hostname must be represented as a fully qualified DNS or LDAP name.
395 414 .It Sy netgroup
396 415 A netgroup contains a number of hostnames.
397 416 With a server configured for DNS or LDAP naming in the nsswitch
398 417 .Sy hosts
399 418 entry, any hostname in a netgroup must be represented as a fully qualified DNS
400 419 or LDAP name.
401 420 .It Sy domain name suffix
402 421 To use domain membership the server must use DNS or LDAP to resolve hostnames to
403 422 IP addresses; that is, the
404 423 .Sy hosts
405 424 entry in the
406 425 .Pa /etc/nsswitch.conf
407 426 must specify
408 427 .Sy dns
409 428 or
410 429 .Sy ldap
411 430 ahead of
412 431 .Sy nis
413 432 since only DNS and LDAP return the full domain name of the host.
414 433 Other name services like NIS cannot be used to resolve hostnames on the server
415 434 because when mapping an IP address to a hostname they do not return domain
416 435 information.
417 436 For example,
418 437 .Bd -literal -offset indent
419 438 NIS 172.16.45.9 --> "myhost"
420 439 .Ed
421 440 .Pp
422 441 and
423 442 .Bd -literal -offset indent
424 443 DNS or LDAP 172.16.45.9 --> "myhost.mydomain.mycompany.com"
425 444 .Ed
426 445 .Pp
427 446 The domain name suffix is distinguished from hostnames and netgroups by a
428 447 prefixed dot.
429 448 For example,
430 449 .Bd -literal -offset indent
431 450 rw=.mydomain.mycompany.com
432 451 .Ed
433 452 .Pp
434 453 A single dot can be used to match a hostname with no suffix.
435 454 For example,
436 455 .Bd -literal -offset indent
437 456 rw=.
438 457 .Ed
439 458 .Pp
440 459 matches
441 460 .Qq mydomain
442 461 but not
443 462 .Qq mydomain.mycompany.com .
444 463 This feature can be used to match hosts resolved through NIS rather
445 464 than DNS and LDAP.
446 465 .It Sy network
447 466 The network or subnet component is preceded by an at-sign (@).
448 467 It can be either a name or a dotted address.
449 468 If a name, it is converted to a dotted address by
450 469 .Xr getnetbyname 3SOCKET .
451 470 For example,
452 471 .Bd -literal -offset indent
453 472 =@mynet
454 473 .Ed
455 474 .Pp
456 475 would be equivalent to:
457 476 .Bd -literal -offset indent
458 477 =@172.16 or =@172.16.0.0
459 478 .Ed
460 479 .Pp
461 480 The network prefix assumes an octet-aligned netmask determined from the zeroth
462 481 octet in the low-order part of the address up to and including the high-order
463 482 octet, if you want to specify a single IP address (see below).
464 483 In the case where network prefixes are not byte-aligned, the syntax allows a
465 484 mask length to be specified explicitly following a slash (/) delimiter.
466 485 For example,
467 486 .Bd -literal -offset indent
468 487 =@theothernet/17 or =@172.16.132/22
469 488 .Ed
470 489 .Pp
471 490 where the mask is the number of leftmost contiguous significant bits in the
472 491 corresponding IP address.
473 492 .Pp
474 493 When specifying individual IP addresses, use the same @ notation described
475 494 above, without a netmask specification.
476 495 For example:
477 496 .Bd -literal -offset indent
478 497 =@172.16.132.14
479 498 .Ed
480 499 .Pp
481 500 Multiple, individual IP addresses would be specified, for example, as:
482 501 .Bd -literal -offset indent
483 502 root=@172.16.132.20:@172.16.134.20
484 503 .Ed
485 504 .El
486 505 .Pp
487 506 A prefixed minus sign (-) denies access to that component of
488 507 .Ar access_list .
489 508 The list is searched sequentially until a match is found that either grants or
490 509 denies access, or until the end of the list is reached.
491 510 For example, if host
492 511 .Qq terra
493 512 is in the
494 513 .Qq engineering
495 514 netgroup, then
496 515 .Bd -literal -offset indent
497 516 rw=-terra:engineering
498 517 .Ed
499 518 .Pp
500 519 denies access to
501 520 .Qq terra
502 521 but
503 522 .Bd -literal -offset indent
504 523 rw=engineering:-terra
505 524 .Ed
506 525 .Pp
507 526 grants access to
508 527 .Qq terra .
509 528 .Sh OPERANDS
510 529 The following operands are supported:
511 530 .Bl -tag -width "pathname"
512 531 .It Sy pathname
513 532 The pathname of the file system to be shared.
514 533 .El
515 534 .Sh FILES
516 535 .Bl -tag -width "/etc/nfs/nfslog.conf"
517 536 .It Pa /etc/dfs/fstypes
518 537 list of system types, NFS by default
519 538 .It Pa /etc/dfs/sharetab
520 539 system record of shared file systems
521 540 .It Pa /etc/nfs/nfslogtab
522 541 system record of logged file systems
523 542 .It Pa /etc/nfs/nfslog.conf
524 543 logging configuration file
525 544 .El
526 545 .Sh EXIT STATUS
527 546 .Ex -std
528 547 .Sh EXAMPLES
529 548 .Ss Example 1 Sharing A File System With Logging Enabled
530 549 The following example shows the
531 550 .Pa /export
532 551 file system shared with logging enabled:
533 552 .Bd -literal -offset indent
534 553 share -o log /export
535 554 .Ed
536 555 .Pp
537 556 The default global logging parameters are used since no tag identifier is
538 557 specified.
539 558 The location of the log file, as well as the necessary logging work
540 559 files, is specified by the global entry in
541 560 .Pa /etc/nfs/nfslog.conf .
542 561 The
543 562 .Xr nfslogd 1M
544 563 daemon runs only if at least one file system entry in
545 564 .Pa /etc/dfs/dfstab
546 565 is shared with logging enabled upon starting or rebooting the system.
547 566 Simply sharing a file system with logging enabled from the command line does not
548 567 start the
549 568 .Xr nfslogd 1M .
550 569 .Ss Example 2 Remap A User Coming From The Particular NFS Client
551 570 The following example remaps the user with uid
552 571 .Sy 100
553 572 at client
554 573 .Sy 10.0.0.1
555 574 to user
556 575 .Sy joe :
557 576 .Bd -literal -offset indent
558 577 share -o uidmap=100:joe:@10.0.0.1 /export
559 578 .Ed
560 579 .Sh SEE ALSO
561 580 .Xr mount 1M ,
562 581 .Xr mountd 1M ,
563 582 .Xr nfsd 1M ,
564 583 .Xr nfslogd 1M ,
565 584 .Xr share 1M ,
566 585 .Xr unshare 1M ,
567 586 .Xr getnetbyname 3SOCKET ,
568 587 .Xr netgroup 4 ,
569 588 .Xr nfslog.conf 4 ,
570 589 .Xr acl 5 ,
571 590 .Xr attributes 5 ,
572 591 .Xr nfssec 5
573 592 .Sh NOTES
574 593 If the
575 594 .Sy sec Ns =
576 595 option is presented at least once, all uses of the
577 596 .Sy window Ns = ,
578 597 .Sy rw ,
579 598 .Sy ro ,
580 599 .Sy rw Ns = ,
581 600 .Sy ro Ns = ,
582 601 and
583 602 .Sy root Ns =
584 603 options must come after the first
585 604 .Sy sec Ns =
586 605 option.
587 606 If the
588 607 .Sy sec Ns =
589 608 option is not presented, then
590 609 .Sy sec Ns = Ns Sy sys
591 610 is implied.
592 611 .Pp
593 612 If one or more explicit
594 613 .Sy sec Ns =
595 614 options are presented,
596 615 .Sy sys
597 616 must appear in one of the options mode lists for accessing using the AUTH_SYS
598 617 security mode to be allowed.
599 618 For example:
600 619 .Bd -literal -offset indent
601 620 share -F nfs /var
602 621 share -F nfs -o sec=sys /var
603 622 .Ed
604 623 .Pp
605 624 grants read-write access to any host using AUTH_SYS, but
606 625 .Bd -literal -offset indent
607 626 share -F nfs -o sec=dh /var
608 627 .Ed
609 628 .Pp
610 629 grants no access to clients that use AUTH_SYS.
611 630 .Pp
612 631 Unlike previous implementations of
613 632 .Nm ,
614 633 access checking for the
615 634 .Sy window Ns = ,
616 635 .Sy rw ,
617 636 .Sy ro ,
618 637 .Sy rw Ns = ,
619 638 and
620 639 .Sy ro Ns =
621 640 options is done per NFS request, instead of per mount request.
622 641 .Pp
623 642 Combining multiple security modes can be a security hole in situations where
624 643 the
625 644 .Sy ro Ns =
626 645 and
627 646 .Sy rw Ns =
628 647 options are used to control access to weaker security modes.
629 648 In this example,
630 649 .Bd -literal -offset indent
631 650 share -F nfs -o sec=dh,rw,sec=sys,rw=hosta /var
632 651 .Ed
633 652 .Pp
634 653 an intruder can forge the IP address for
635 654 .Qq hosta
636 655 (albeit on each NFS request) to side-step the stronger controls of AUTH_DES.
637 656 Something like:
638 657 .Bd -literal -offset indent
639 658 share -F nfs -o sec=dh,rw,sec=sys,ro /var
640 659 .Ed
641 660 .Pp
642 661 is safer, because any client (intruder or legitimate) that avoids AUTH_DES only
643 662 gets read-only access.
644 663 In general, multiple security modes per share command should only be used in
645 664 situations where the clients using more secure modes get stronger access than
646 665 clients using less secure modes.
647 666 .Pp
648 667 If
649 668 .Sy rw Ns =
650 669 and
651 670 .Sy ro Ns =
652 671 options are specified in the same
653 672 .Sy sec Ns =
654 673 clause, and a client is in both lists, the order of the two options determines
655 674 the access the client gets.
656 675 If client
657 676 .Qq hosta
658 677 is in two netgroups,
659 678 .Qq group1
660 679 and
661 680 .Qq group2 ,
662 681 in this example, the client would get read-only access:
663 682 .Bd -literal -offset indent
664 683 share -F nfs -o ro=group1,rw=group2 /var
665 684 .Ed
666 685 .Pp
667 686 In this example
668 687 .Qq hosta
669 688 would get read-write access:
670 689 .Bd -literal -offset indent
671 690 share -F nfs -o rw=group2,ro=group1 /var
672 691 .Ed
673 692 .Pp
674 693 If within a
675 694 .Sy sec Ns =
676 695 clause, both the
677 696 .Sy ro
678 697 and
679 698 .Sy rw Ns =
680 699 options are specified, for compatibility, the order of the options rule is not
681 700 enforced.
682 701 All hosts would get read-only access, with the exception to those in the
683 702 read-write list.
684 703 Likewise, if the
685 704 .Sy ro Ns =
686 705 and
687 706 .Sy rw
688 707 options are specified, all hosts get read-write access with the exceptions of
689 708 those in the read-only list.
690 709 .Pp
691 710 The
692 711 .Sy ro Ns =
693 712 and
694 713 .Sy rw Ns =
695 714 options are guaranteed to work over UDP and TCP but may not work over other
696 715 transport providers.
697 716 .Pp
698 717 The
699 718 .Sy root Ns =
700 719 option with AUTH_SYS is guaranteed to work over UDP and TCP but may not work
701 720 over other transport providers.
702 721 .Pp
703 722 The
704 723 .Sy root Ns =
705 724 option with AUTH_DES is guaranteed to work over any transport provider.
706 725 .Pp
707 726 There are no interactions between the
708 727 .Sy root Ns =
709 728 option and the
710 729 .Sy rw ,
711 730 .Sy ro ,
712 731 .Sy rw Ns = ,
713 732 and
714 733 .Sy ro Ns =
715 734 options.
716 735 Putting a host in the root list does not override the semantics of the other
717 736 options.
718 737 The access the host gets is the same as when the
719 738 .Sy root Ns =
720 739 option is absent.
721 740 For example, the following share command denies access to
722 741 .Qq hostb :
723 742 .Bd -literal -offset indent
724 743 share -F nfs -o ro=hosta,root=hostb /var
725 744 .Ed
726 745 .Pp
727 746 The following gives read-only permissions to
728 747 .Qq hostb :
729 748 .Bd -literal -offset indent
730 749 share -F nfs -o ro=hostb,root=hostb /var
731 750 .Ed
732 751 .Pp
733 752 The following gives read-write permissions to
734 753 .Qq hostb :
735 754 .Bd -literal -offset indent
736 755 share -F nfs -o ro=hosta,rw=hostb,root=hostb /var
737 756 .Ed
738 757 .Pp
739 758 If the file system being shared is a symbolic link to a valid pathname, the
740 759 canonical path (the path which the symbolic link follows) is shared.
741 760 For example, if
742 761 .Pa /export/foo
743 762 is a symbolic link to
744 763 .Pa /export/bar ,
745 764 the following share command results in
746 765 .Pa /export/bar
747 766 as the shared pathname (and not
748 767 .Pa /export/foo ) :
749 768 .Bd -literal -offset indent
750 769 share -F nfs /export/foo
751 770 .Ed
752 771 .Pp
753 772 An NFS mount of
754 773 .Lk server:/export/foo
755 774 results in
756 775 .Lk server:/export/bar
757 776 really being mounted.
758 777 .Pp
759 778 This line in the
760 779 .Pa /etc/dfs/dfstab
761 780 file shares the
762 781 .Pa /disk
763 782 file system read-only at boot time:
764 783 .Bd -literal -offset indent
765 784 share -F nfs -o ro /disk
766 785 .Ed
767 786 .Pp
768 787 The
769 788 .Xr mountd 1M
770 789 process allows the processing of a path name that contains a symbolic link.
771 790 This allows the processing of paths that are not themselves explicitly shared
772 791 with
773 792 .Nm .
774 793 For example,
775 794 .Pa /export/foo
776 795 might be a symbolic link that refers to
777 796 .Pa /export/bar
778 797 which has been specifically shared.
779 798 When the client mounts
780 799 .Pa /export/foo
781 800 the mountd processing follows the symbolic link and responds with the
782 801 .Pa /export/bar .
783 802 The NFS Version 4 protocol does not use the mountd processing and the client's
784 803 use of
785 804 .Pa /export/foo
786 805 does not work as it does with NFS Version 2 and Version 3 and the client
787 806 receives an error when attempting to mount
788 807 .Pa /export/foo .
808 +.Pp
809 +The
810 +.Sy nohide
811 +option violates RFC 1094,
812 +.%T "Network File System Protocol Specification"
813 +and RFC 1813,
814 +.%T "NFS: Network File System Version 3 Protocol Specification"
815 +.Pp
816 +The
817 +.Sy nohide
818 +option is provided for compatibility with Linux NFS.
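Review bot: the RFC sentence in the new NOTES paragraph ends without a full stop after the second `.%T` line, and `.%T` is an mdoc bibliographic macro meant to appear inside an `.Rs`/`.Re` block, so mandoc will flag it as used here. Suggest one reference block per RFC, for example
.Rs
.%R RFC 1094
.%T Network File System Protocol Specification
closed with `.Re`, likewise for RFC 1813, and a sentence that ends with a period. The note would also serve administrators better if it said in one clause what is violated (that a client which mounted only the parent can reach the child file system's contents without a separate mount), since that, together with the duplicate inode-number caveat in the option description, is what they need to weigh before enabling the option for Linux compatibility.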