SHAREACL(5) Standards, Environments, and Macros SHAREACL(5)

NAME
shareacl - access list used by NFS and SMB services

DESCRIPTION
The access_list is a colon-separated list whose components may be any number of the following:
 
 
hostname
The name of a host. With a server configured for DNS or LDAP naming in the nsswitch hosts entry, any hostname must be represented as a fully qualified DNS or LDAP name.
 
 
netgroup
A netgroup contains a number of hostnames. With a server configured for DNS or LDAP naming in the nsswitch hosts entry, any hostname in a netgroup must be represented as a fully qualified DNS or LDAP name.
 
 
domain name suffix
To use domain membership the server must use DNS or LDAP to resolve hostnames to IP addresses; that is, the hosts entry in /etc/nsswitch.conf must specify dns or ldap ahead of nis, since only DNS and LDAP return the full domain name of the host. Other name services such as NIS cannot be used to resolve hostnames on the server because, when mapping an IP address to a hostname, they do not return domain information. For example, NIS returns ‘172.16.45.9 --> myhost’ whereas DNS or LDAP returns ‘172.16.45.9 --> myhost.mydomain.mycompany.com’.
The domain name suffix is distinguished from hostnames and netgroups by a prefixed dot. For example, ‘rw=.mydomain.mycompany.com’.
A single dot can be used to match a hostname with no suffix. For example, ‘rw=.’ matches mydomain but not mydomain.mycompany.com. This feature can be used to match hosts resolved through NIS rather than DNS and LDAP.
 
 
network
The network or subnet component is preceded by an at-sign (“@”). It can be either a name or a dotted address. If a name, it is converted to a dotted address by getnetbyname(3SOCKET). For example, ‘=@mynet’ would be equivalent to ‘=@172.16’ or ‘=@172.16.0.0’.
When no mask is given, the network prefix assumes an octet-aligned netmask: the mask covers every octet from the high-order octet down to and including the last non-zero low-order octet, so a full four-octet address denotes a single host (see below). Where network prefixes are not byte-aligned, the syntax allows a mask length to be specified explicitly following a slash (“/”) delimiter. For example, ‘=@theothernet/17’ or ‘=@172.16.132/22’, where the mask length is the number of leftmost contiguous significant bits in the corresponding IP address.
When specifying individual IP addresses, use the same @ notation described above, without a netmask specification. For example, ‘=@172.16.132.14’. Multiple, individual IP addresses would be specified, for example, as ‘root=@172.16.132.20:@172.16.134.20’.
A prefixed minus sign (“-”) denies access to that component of access_list. The list is searched sequentially until a match is found that either grants or denies access, or until the end of the list is reached. For example, if host terra is in the engineering netgroup, then ‘rw=-terra:engineering’ denies access to terra but ‘rw=engineering:-terra’ grants access to terra.
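The following is an added example, not part of the illumos man page or its NFS/SMB code, showing the first-match evaluation described above for the part of an option after ‘=’. It assumes constructed lookup tables (NETGROUPS, NETNAMES) in place of the real netgroup and getnetbyname(3SOCKET) lookups, and assumes the client hostname has already been resolved to its fully qualified form.

```python
import ipaddress

# Constructed stand-ins for the name services the access list depends on:
# netgroup membership and the network-name lookup done by getnetbyname(3SOCKET).
NETGROUPS = {"engineering": {"terra.mydomain.mycompany.com",
                             "venus.mydomain.mycompany.com"}}
NETNAMES = {"mynet": "172.16", "theothernet": "10.1.128"}


def network_component(spec):
    """Turn an '@net[/len]' component into an ipaddress network.

    Without '/len' the mask is octet-aligned: it extends down to the last
    non-zero octet, so '@172.16' and '@172.16.0.0' are both /16, while a
    full four-octet address such as '@172.16.132.14' is a single host (/32).
    """
    name, _, plen = spec[1:].partition("/")
    octets = NETNAMES.get(name, name).split(".")
    if not plen:
        while octets and octets[-1] == "0":
            octets.pop()
        plen = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))          # pad to a dotted quad
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def component_matches(spec, hostname, ip):
    """Does one (already un-negated) component match the client?"""
    if spec.startswith("@"):                      # network or single address
        return ipaddress.ip_address(ip) in network_component(spec)
    if spec == ".":                               # bare dot: no domain suffix
        return "." not in hostname
    if spec.startswith("."):                      # domain name suffix
        return hostname.endswith(spec) and hostname != spec
    if spec in NETGROUPS:                         # netgroup membership
        return hostname in NETGROUPS[spec]
    return hostname == spec                       # plain hostname


def check_access(access_list, hostname, ip):
    """Search the list sequentially; the first matching component decides.

    Returns True (granted), False (denied by a '-' component) or None when
    nothing in the list matches the client at all.
    """
    for component in access_list.split(":"):
        deny = component.startswith("-")
        spec = component[1:] if deny else component
        if component_matches(spec, hostname, ip):
            return not deny
    return None
```

Because evaluation stops at the first match, ‘-terra...:engineering’ denies terra while ‘engineering:-terra...’ grants it, which is the ordering subtlety the text above warns about.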

SEE ALSO
getnetbyname(3SOCKET), sharenfs(5), sharesmb(5)
November 22, 2017 illumos