SHAREACL(5)            Standards, Environments, and Macros            SHAREACL(5)

NAME
     shareacl - access list used by NFS and SMB services

DESCRIPTION
     The access_list is a colon-separated list whose components may be any
     number of the following:

     hostname
          The name of a host. With a server configured for DNS or LDAP
          naming in the nsswitch hosts entry, any hostname must be
          represented as a fully qualified DNS or LDAP name.

     netgroup
          A netgroup contains a number of hostnames. With a server
          configured for DNS or LDAP naming in the nsswitch hosts entry,
          any hostname in a netgroup must be represented as a fully
          qualified DNS or LDAP name.

     domain name suffix
          To use domain membership the server must use DNS or LDAP to
          resolve hostnames to IP addresses; that is, the hosts entry in
          /etc/nsswitch.conf must specify dns or ldap ahead of nis,
          since only DNS and LDAP return the full domain name of the host.
          Other name services like NIS cannot be used to resolve hostnames
          on the server because, when mapping an IP address to a hostname,
          they do not return domain information. For example,
          (NIS) `172.16.45.9 --> myhost' and
          (DNS or LDAP) `172.16.45.9 --> myhost.mydomain.mycompany.com'.

          The domain name suffix is distinguished from hostnames and
          netgroups by a prefixed dot. For example,
          `rw=.mydomain.mycompany.com'

          A single dot can be used to match a hostname with no suffix. For
          example, `rw=.' matches mydomain but not mydomain.mycompany.com.
          This feature can be used to match hosts resolved through NIS
          rather than DNS and LDAP.

     network
          The network or subnet component is preceded by an at-sign ("@").
          It can be either a name or a dotted address. If a name, it is
          converted to a dotted address by getnetbyname(3SOCKET). For
          example, `=@mynet' would be equivalent to `=@172.16' or
          `=@172.16.0.0'.

          When no mask length is given, the network prefix is assumed to
          use an octet-aligned netmask: the mask covers every octet from
          the high-order octet down to and including the last non-zero
          octet, so trailing zero octets are not significant. To match a
          single IP address, give all four octets (see below). Where a
          network prefix is not byte-aligned, the syntax allows a mask
          length to be specified explicitly following a slash ("/")
          delimiter. For example, `=@theothernet/17' or
          `=@172.16.132/22', where the mask length is the number of
          leftmost contiguous significant bits in the corresponding IP
          address.

          When specifying individual IP addresses, use the same @ notation
          described above, without a netmask specification. For example,
          `=@172.16.132.14'. Multiple, individual IP addresses would be
          specified, for example, as `root=@172.16.132.20:@172.16.134.20'.
62
     A prefixed minus sign ("-") denies access to that component of
     access_list. The list is searched sequentially until a match is found
     that either grants or denies access, or until the end of the list is
     reached. For example, if host terra is in the engineering netgroup, then
     `rw=-terra:engineering' denies access to terra but
     `rw=engineering:-terra' grants access to terra.
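     The following is an added illustration, not code from illumos or from
     this manual page: a small Python evaluator for the access_list syntax
     described above. It shows how the "@" network component infers an
     octet-aligned mask when no "/len" is given (so `@172.16' and
     `@172.16.0.0' denote the same /16 while `@172.16.132.14' denotes one
     host), how a dotted suffix and the single dot match resolved names, and
     why `rw=-terra:engineering' and `rw=engineering:-terra' give opposite
     answers for terra. The host names, netgroups and network names are
     constructed sample data standing in for DNS/LDAP, NIS, the netgroup
     database and getnetbyname(3SOCKET); nothing is read from the system.

```python
import ipaddress

# Constructed stand-ins for the name services (not read from the system).
# DNS/LDAP returns fully qualified names; the NIS-resolved host has no suffix.
HOSTS = {
    "172.16.132.14": "terra.eng.example.com",
    "172.16.134.20": "luna.eng.example.com",
    "10.1.2.3": "nishost",
}
NETGROUPS = {"engineering": {"terra.eng.example.com", "luna.eng.example.com"}}
NETWORKS = {"mynet": "172.16", "theothernet": "10.1"}  # getnetbyname() stand-in


def network_from_component(spec):
    """Convert the text after '@' into an IPv4 network.

    'name' or 'name/len' is first mapped through the (assumed) network
    database. Without '/len', the mask is octet-aligned: it covers the
    octets up to and including the last non-zero one, so '172.16' and
    '172.16.0.0' both yield 172.16.0.0/16 and '172.16.132.14' yields /32.
    """
    base, _, length = spec.partition("/")
    base = NETWORKS.get(base, base)
    octets = base.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError("bad network component: %r" % spec)
    if length:
        bits = int(length)
    else:
        significant = 0
        for i, o in enumerate(octets, 1):
            if int(o) != 0:
                significant = i
        bits = 8 * significant
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(".".join(octets) + "/%d" % bits, strict=False)


def component_matches(component, client_ip):
    """Does one (already un-negated) access_list component match the client?"""
    name = HOSTS.get(client_ip)  # reverse lookup stand-in; None if unknown
    if component.startswith("@"):
        return ipaddress.IPv4Address(client_ip) in network_from_component(component[1:])
    if component == ".":
        # Single dot: a hostname with no domain suffix (e.g. resolved via NIS).
        return name is not None and "." not in name
    if component.startswith("."):
        # Domain name suffix: the resolved FQDN must end in the suffix.
        return name is not None and name.endswith(component)
    if component in NETGROUPS:
        return name in NETGROUPS[component]
    return name == component  # plain hostname


def access_allowed(access_list, client_ip):
    """Walk the colon-separated list in order; the first matching component
    decides: deny if it carries a leading '-', grant otherwise. Reaching the
    end of the list without a match denies access."""
    for comp in access_list.split(":"):
        if not comp:
            continue
        deny = comp.startswith("-")
        if component_matches(comp[1:] if deny else comp, client_ip):
            return not deny
    return False


if __name__ == "__main__":
    terra = "172.16.132.14"
    print("-terra:engineering ->", access_allowed("-terra.eng.example.com:engineering", terra))
    print("engineering:-terra ->", access_allowed("engineering:-terra.eng.example.com", terra))
    print("@mynet covers", network_from_component("mynet"))
    print("@172.16.132/22 covers", network_from_component("172.16.132/22"))
```

     Order matters because evaluation stops at the first match: placing the
     negated component after the netgroup that also contains the host makes
     the denial unreachable for that host.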
69
SEE ALSO
     getnetbyname(3SOCKET), sharenfs(5), sharesmb(5)

illumos                        November 22, 2017                        illumos