SHARENFS(5) Standards, Environments, and Macros SHARENFS(5)

sharenfs
NFS share options

The following options are supported:
 
 
aclok
Allows the NFS server to do access control for NFS Version 2 clients (running SunOS 2.4 or earlier). When aclok is set on the server, maximal access is given to all clients. For example, with aclok set, if anyone has read permissions, then everyone does. If aclok is not set, minimal access is given to all clients.
 
 
anon=uid
Set uid to be the effective user ID of unknown users. By default, unknown users are given the effective user ID UID_NOBODY. If uid is set to -1, access is denied.
 
 
charset=access-list
Where charset is one of: euc-cn, euc-jp, euc-jpms, euc-kr, euc-tw, iso8859-1, iso8859-2, iso8859-5, iso8859-6, iso8859-7, iso8859-8, iso8859-9, iso8859-13, iso8859-15, koi8-r.
Clients that match the access-list for one of these properties will be assumed to be using that character set and file and path names will be converted to UTF-8 for the server.
 
 
gidmap=mapping[~mapping]...
Where mapping is: [clnt]:[srv]:access-list
Allows remapping the group ID (gid) in the incoming request to some other gid. This effectively changes the identity of the user in the request to that of some other local user.
For clients where the gid in the incoming request is clnt and the client matches the access-list, change the group ID to srv. If clnt is asterisk (“*”), all groups are mapped by this rule. If clnt is omitted, all unknown groups are mapped by this rule. If srv is set to -1, access is denied. If srv is omitted, the gid is mapped to UID_NOBODY.
Multiple mappings in the gidmap= option are separated by tilde (“~”) and are evaluated in the specified order until a match is found. Both root= and root_mapping= options (if specified) are evaluated before the gidmap= option. The gidmap= option is skipped in the case where the client matches the root= option.
The gidmap= option is evaluated before the anon= option.
This option is supported only for AUTH_SYS.
 
 
=file
Load file rather than a listing of the directory containing this file when the directory is referenced by an NFS URL.
 
 
[=tag]
Enables NFS server logging for the specified file system. The optional tag determines the location of the related log files. The tag is defined in /etc/nfs/nfslog.conf. If no tag is specified, the default values associated with the global tag in /etc/nfs/nfslog.conf are used. Support of NFS server logging is only available for NFS Version 2 and Version 3 requests.
 
 
nohide
By default, if a server exports two filesystems, one of which is mounted as a child of the other, NFSv2 and NFSv3 clients must mount both filesystems explicitly in order to access them. If a client only mounts the parent, it will see an empty directory at the location where the other filesystem is mounted.
Setting the nohide option on a filesystem causes it to no longer be hidden in this manner, and the client will be able to move from the parent filesystem to this one without noticing the change. However, some NFS clients or applications may not function correctly when this option is used. In particular, files on different underlying filesystems may appear to have the same inode numbers. The nohide option only applies to NFSv2 and NFSv3 requests.
 
 
noaclfab
By default, the NFS server will fabricate POSIX-draft style ACLs in response to ACL requests from NFSv2 or NFSv3 clients accessing shared file systems that do not support POSIX-draft ACLs (such as ZFS). Specifying noaclfab disables this behavior.
 
 
none=access-list
Access is not allowed to any client that matches the access list. The exception is when the access list is an asterisk (“*”), in which case ro or rw can override none.
 
 
nosub
Prevents clients from mounting subdirectories of shared directories. For example, if /export is shared with the nosub option on server fooey, then an NFS client cannot do ‘mount -F nfs fooey:/export/home/mnt’.
NFSv4 does not use the MOUNT protocol. The nosub option only applies to NFSv2 and NFSv3 requests.
 
 
nosuid
By default, clients are allowed to create files on the shared file system with the setuid or setgid mode enabled. Specifying nosuid causes the server file system to silently ignore any attempt to enable the setuid or setgid mode bits.
 
 
public
Moves the location of the public file handle from root (“/”) to the exported directory for WebNFS-enabled browsers and clients. This option does not enable WebNFS service; WebNFS is always on. Only one file system per server may use this option. Any other option, including the ro=list and rw=list options, can be included with the public option.
 
 
ro
Sharing is read-only to all clients.
 
 
ro=access-list
Sharing is read-only to the clients listed in access-list; overrides the rw suboption for the clients specified. See shareacl(5) for the description of access-list.
 
 
root=access-list
Only root users from the hosts specified in access-list have root access. See shareacl(5) for the description of access-list. By default, no host has root access, so root users are mapped to an anonymous user ID (see the anon=uid option described above). Netgroups can be used if the file system shared is using AUTH_SYS.
 
 
root_mapping=uid
For a client that is allowed root access, map the root UID to the specified user ID.
 
 
rw
Sharing is read-write to all clients.
 
 
rw=access-list
Sharing is read-write to the clients listed in access-list; overrides the ro suboption for the clients specified. See shareacl(5) for the description of access-list.
 
 
sec=mode[:mode]...
Sharing uses one or more of the specified security modes. The mode in the sec=mode option must be a mode name supported on the client. If the sec= option is not specified, the default security mode used is AUTH_SYS. Multiple sec= options can be specified on the command line, although each mode can appear only once. The security modes are defined in nfssec(5).
Each sec= option specifies modes that apply to any subsequent window=, rw, ro, rw=, ro=, and root= options that are provided before another sec= option. Each additional sec= resets the security mode context, so that more window=, rw, ro, rw=, ro=, and root= options can be supplied for additional modes.
 
 
sec=none
If the option sec=none is specified when the client uses AUTH_NONE, or if the client uses a security mode that is not one that the file system is shared with, then the credential of each NFS request is treated as unauthenticated. See the anon=uid option for a description of how unauthenticated requests are handled.
 
 
This option has been deprecated in favor of the sec=dh option.
 
 
uidmap=mapping[~mapping]...
Where mapping is: [clnt]:[srv]:access-list
Allows remapping the user ID (uid) in the incoming request to some other uid. This effectively changes the identity of the user in the request to that of some other local user.
For clients where the uid in the incoming request is clnt and the client matches the access-list, change the user ID to srv. If clnt is asterisk (“*”), all users are mapped by this rule. If clnt is omitted, all unknown users are mapped by this rule. If srv is set to -1, access is denied. If srv is omitted, the uid is mapped to UID_NOBODY.
Multiple mappings in the uidmap= option are separated by tilde (“~”) and are evaluated in the specified order until a match is found. Both root= and root_mapping= options (if specified) are evaluated before the uidmap= option. The uidmap= option is skipped in the case where the client matches the root= option.
The uidmap= option is evaluated before the anon= option.
This option is supported only for AUTH_SYS.
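The first-match evaluation described for uidmap= (gidmap= follows the same rules for group IDs) can be traced with the added example below, which is not part of the illumos sources. It assumes numeric IDs only, an access-list reduced to exact host names or “*”, a UID_NOBODY value of 60001, and a hypothetical known_uids set standing in for the users the server can resolve.

```python
# Added example: first-match evaluation of a uidmap= value.
UID_NOBODY = 60001  # assumption: numeric value of UID_NOBODY on the server

# Constructed sample: three mappings separated by "~".
UIDMAP = "1000:2000:hostA~:-1:hostA:hostB~*::*"

def host_matches(access_list, client):
    # Simplification: exact host names or "*"; the real syntax is in shareacl(5).
    entries = access_list.split(":")
    return "*" in entries or client in entries

def map_uid(uidmap, uid, client, known_uids, root_list=""):
    """Return the server-side uid, or None when access is denied.

    known_uids is a hypothetical stand-in for "users known to the server".
    """
    if root_list and host_matches(root_list, client):
        return uid                        # uidmap= is skipped for root= clients
    for mapping in uidmap.split("~"):     # evaluated in order until one matches
        clnt, srv, access_list = mapping.split(":", 2)
        if not host_matches(access_list, client):
            continue
        if clnt == "*":
            pass                          # rule applies to every user
        elif clnt == "":
            if uid in known_uids:         # rule applies to unknown users only
                continue
        elif int(clnt) != uid:
            continue
        if srv == "":
            return UID_NOBODY             # srv omitted
        return None if int(srv) == -1 else int(srv)
    return uid                            # no rule matched; anon= is evaluated next
```

Because evaluation stops at the first match, placing a broad rule such as `*::*` first shadows every more specific mapping that follows it.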
 
 
window=value
When sharing with sec=dh, set the maximum life time (in seconds) of the RPC request's credential (in the authentication header) that the NFS server allows. If a credential arrives with a life time larger than what is allowed, the NFS server rejects the request. The default value is 30000 seconds (8.3 hours).

 
 
/etc/dfs/fstypes
list of system types, NFS by default
 
 
/etc/dfs/sharetab
system record of shared file systems
 
 
/etc/nfs/nfslogtab
system record of logged file systems
 
 
/etc/nfs/nfslog.conf
logging configuration file

mount(1M), mountd(1M), nfsd(1M), nfslogd(1M), share(1M), unshare(1M), netgroup(4), nfslog.conf(4), acl(5), attributes(5), nfssec(5), shareacl(5)

If the sec= option is presented at least once, all uses of the window=, rw, ro, rw=, ro=, and root= options must come after the first sec= option. If the sec= option is not presented, then sec=sys is implied.
If one or more explicit sec= options are presented, sys must appear in one of the options' mode lists for access using the AUTH_SYS security mode to be allowed.
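The sec= context rules above can be checked mechanically before a share is published. The following added example (not part of the illumos sources) groups an option string by sec= context and reports violations of the ordering rules; it assumes the options are comma-separated, as in an option string passed to share(1M).

```python
# Added example: group share options by sec= context and check the ordering rules.
# Assumption: options are comma-separated, as in an option string for share(1M).
SCOPED = ("window", "rw", "ro", "root")  # options bound to the current sec= context

# Constructed sample option string.
SAMPLE = "sec=dh,rw=engineering,window=3600,sec=sys:none,ro,nosuid"

def parse_sec_contexts(optstr):
    """Return (contexts, findings); contexts is a list of (modes, options)."""
    contexts, findings, seen_modes, early = [], [], set(), []
    for opt in filter(None, (o.strip() for o in optstr.split(","))):
        name, _, value = opt.partition("=")
        if name == "sec":
            modes = value.split(":")
            for m in modes:
                if m in seen_modes:
                    findings.append(f"mode {m} appears more than once")
                seen_modes.add(m)
            contexts.append((modes, []))   # each sec= resets the context
        elif name in SCOPED:
            if contexts:
                contexts[-1][1].append(opt)
            else:
                early.append(opt)          # seen before any sec= option
        # other options (nosuid, anon=, ...) are not tied to a sec= context
    if not contexts:
        # No sec= anywhere: sec=sys is implied.
        contexts.append((["sys"], early))
    else:
        findings += [f"{o} precedes the first sec= option" for o in early]
        if "sys" not in seen_modes:
            findings.append("AUTH_SYS access is not allowed: sys is in no sec= list")
    return contexts, findings
```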
Access checking for the window=, rw, ro, rw=, and ro= options is done per NFS request, instead of per mount request.
The ro= and rw= options are guaranteed to work over UDP and TCP but may not work over other transport providers.
The root= option with AUTH_SYS is guaranteed to work over UDP and TCP but may not work over other transport providers.
The root= option with AUTH_DES is guaranteed to work over any transport provider.
There are no interactions between the root= option and the ro, rw, ro=, and rw= options. Putting a host in the root list does not override the semantics of the other options. The access the host gets is the same as when the root= option is absent.
The nohide option violates RFC 1094, Network File System Protocol Specification and RFC 1813, NFS: Network File System Version 3 Protocol Specification and is provided for compatibility with Linux NFS.
November 22, 2017 illumos