SHARENFS(5)          Standards, Environments, and Macros          SHARENFS(5)

NAME
     sharenfs - NFS share options

DESCRIPTION
     The following options are supported:

     aclok   Allows the NFS server to do access control for NFS Version 2
             clients (running SunOS 2.4 or earlier). When aclok is set on the
             server, maximal access is given to all clients. For example,
             with aclok set, if anyone has read permissions, then everyone
             does. If aclok is not set, minimal access is given to all
             clients.

     anon=uid
             Set uid to be the effective user ID of unknown users. By
             default, unknown users are given the effective user ID
             UID_NOBODY. If uid is set to -1, access is denied.

     charset=access-list
             Where charset is one of: euc-cn, euc-jp, euc-jpms, euc-kr,
             euc-tw, iso8859-1, iso8859-2, iso8859-5, iso8859-6, iso8859-7,
             iso8859-8, iso8859-9, iso8859-13, iso8859-15, koi8-r.

             Clients that match the access-list for one of these properties
             will be assumed to be using that character set, and file and
             path names will be converted to UTF-8 for the server.

     gidmap=mapping[~mapping]...
             Where mapping is: [clnt]:[srv]:access-list

             Allows remapping the group ID (gid) in the incoming request to
             some other gid. This effectively changes the identity of the
             user in the request to that of some other local user.

             For clients where the gid in the incoming request is clnt and the
             client matches the access-list, change the group ID to srv. If
             clnt is asterisk ("*"), all groups are mapped by this rule. If
             clnt is omitted, all unknown groups are mapped by this rule. If
             srv is set to -1, access is denied. If srv is omitted, the gid
             is mapped to UID_NOBODY.

             Multiple mappings in the gidmap= option are separated by tilde
             ("~") and are evaluated in the specified order until a match is
             found. Both root= and root_mapping= options (if specified) are
             evaluated before the gidmap= option. The gidmap= option is
             skipped in the case where the client matches the root= option.

             The gidmap= option is evaluated before the anon= option.

             This option is supported only for AUTH_SYS.

     index=file
             Load file rather than a listing of the directory containing this
             file when the directory is referenced by an NFS URL.

     log[=tag]
             Enables NFS server logging for the specified file system. The
             optional tag determines the location of the related log files.
             The tag is defined in /etc/nfs/nfslog.conf. If no tag is
             specified, the default values associated with the global tag in
             /etc/nfs/nfslog.conf are used. Support of NFS server logging is
             only available for NFS Version 2 and Version 3 requests.

     nohide  By default, if a server exports two filesystems, one of which
             is mounted as a child of the other, NFSv2 and NFSv3 clients
             must mount both filesystems explicitly in order to access
             them. If a client only mounts the parent, it will see an empty
             directory at the location where the other filesystem is
             mounted.

             Setting the nohide option on a filesystem causes it to no longer
             be hidden in this manner, and the client will be able to move
             from the parent filesystem to this one without noticing the
             change. However, some NFS clients or applications may not
             function correctly when this option is used. In particular,
             files on different underlying filesystems may appear to have the
             same inode numbers. The nohide option only applies to NFSv2 and
             NFSv3 requests.

     noaclfab
             By default, the NFS server will fabricate POSIX-draft style ACLs
             in response to ACL requests from NFSv2 or NFSv3 clients accessing
             shared file systems that do not support POSIX-draft ACLs (such as
             ZFS). Specifying noaclfab disables this behavior.

     none=access-list
             Access is not allowed to any client that matches the access list.
             The exception is when the access list is an asterisk ("*"), in
             which case ro or rw can override none.

     nosub   Prevents clients from mounting subdirectories of shared
             directories. For example, if /export is shared with the nosub
             option on server fooey, then an NFS client cannot do
             `mount -F nfs fooey:/export/home/mnt'.

             NFSv4 does not use the MOUNT protocol. The nosub option only
             applies to NFSv2 and NFSv3 requests.

     nosuid  By default, clients are allowed to create files on the shared
             file system with the setuid or setgid mode enabled. Specifying
             nosuid causes the server file system to silently ignore any
             attempt to enable the setuid or setgid mode bits.

     public  Moves the location of the public file handle from root ("/") to
             the exported directory for WebNFS-enabled browsers and clients.
             This option does not enable WebNFS service; WebNFS is always on.
             Only one file system per server may use this option. Any other
             option, including the ro=list and rw=list options, can be
             included with the public option.

     ro      Sharing is read-only to all clients.

     ro=access-list
             Sharing is read-only to the clients listed in access-list;
             overrides the rw suboption for the clients specified. See
             shareacl(5) for the description of access-list.

     root=access-list
             Only root users from the hosts specified in access-list have root
             access. See shareacl(5) for the description of access-list. By
             default, no host has root access, so root users are mapped to an
             anonymous user ID (see the anon=uid option described above).
             Netgroups can be used if the file system shared is using
             AUTH_SYS.

     root_mapping=uid
             For a client that is allowed root access, map the root UID to the
             specified user ID.

     rw      Sharing is read-write to all clients.

     rw=access-list
             Sharing is read-write to the clients listed in access-list;
             overrides the ro suboption for the clients specified. See
             shareacl(5) for the description of access-list.

     sec=mode[:mode]...
             Sharing uses one or more of the specified security modes. The
             mode in the sec=mode option must be a mode name supported on the
             client. If the sec= option is not specified, the default
             security mode used is AUTH_SYS. Multiple sec= options can be
             specified on the command line, although each mode can appear only
             once. The security modes are defined in nfssec(5).

             Each sec= option specifies modes that apply to any subsequent
             window=, rw, ro, rw=, ro=, and root= options that are provided
             before another sec= option. Each additional sec= resets the
             security mode context, so that more window=, rw, ro, rw=, ro=,
             and root= options can be supplied for additional modes.

     sec=none
             If the option sec=none is specified when the client uses
             AUTH_NONE, or if the client uses a security mode that is not one
             that the file system is shared with, then the credential of each
             NFS request is treated as unauthenticated. See the anon=uid
             option for a description of how unauthenticated requests are
             handled.

     secure  This option has been deprecated in favor of the sec=dh option.

     uidmap=mapping[~mapping]...
             Where mapping is: [clnt]:[srv]:access-list

             Allows remapping the user ID (uid) in the incoming request to
             some other uid. This effectively changes the identity of the
             user in the request to that of some other local user.

             For clients where the uid in the incoming request is clnt and the
             client matches the access-list, change the user ID to srv. If
             clnt is asterisk ("*"), all users are mapped by this rule. If
             clnt is omitted, all unknown users are mapped by this rule. If
             srv is set to -1, access is denied. If srv is omitted, the uid
             is mapped to UID_NOBODY.

             Multiple mappings in the uidmap= option are separated by tilde
             ("~") and are evaluated in the specified order until a match is
             found. Both root= and root_mapping= options (if specified) are
             evaluated before the uidmap= option. The uidmap= option is
             skipped in the case where the client matches the root= option.

             The uidmap= option is evaluated before the anon= option.

             This option is supported only for AUTH_SYS.

     window=value
             When sharing with sec=dh, set the maximum life time (in seconds)
             of the RPC request's credential (in the authentication header)
             that the NFS server allows. If a credential arrives with a life
             time larger than what is allowed, the NFS server rejects the
             request. The default value is 30000 seconds (8.3 hours).

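The ordered, first-match evaluation described for uidmap= and gidmap= above, as an added example (not illumos code). It covers only the mapping list itself: root=, root_mapping= and anon= handling are left out, access-list matching is simplified to exact host names, and the value 60001 for UID_NOBODY, the host names and the IDs are assumptions made for the sample.

```python
# Added example: ordered first-match evaluation of a uidmap=/gidmap= value.
UID_NOBODY = 60001   # assumption: numeric value is not given on this page
DENY = "deny"        # result when srv is -1

def parse_idmap(value):
    """Split 'mapping~mapping...' into (clnt, srv, access_list) tuples."""
    rules = []
    for mapping in value.split("~"):
        fields = mapping.split(":", 2)   # later colons belong to access-list
        if len(fields) != 3 or not fields[2]:
            raise ValueError(f"malformed mapping: {mapping!r}")
        rules.append(tuple(fields))
    return rules

def host_in_list(client, access_list):
    # Assumption: colon-separated exact host names; the full access-list
    # syntax is defined in shareacl(5), which this page only references.
    return client in access_list.split(":")

def map_id(rules, req_id, client, known_ids, matches=host_in_list):
    """Mapped id, DENY, or None when no rule matches (anon= comes next)."""
    for clnt, srv, access_list in rules:
        if clnt == "*":
            hit = True                       # every id
        elif clnt == "":
            hit = req_id not in known_ids    # unknown ids only
        else:
            hit = int(clnt) == req_id
        if hit and matches(client, access_list):
            if srv == "-1":
                return DENY
            return UID_NOBODY if srv == "" else int(srv)
    return None

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule with the
    same access-list already takes every id ('*') or the same clnt."""
    return [i for i, (clnt, _, acl) in enumerate(rules)
            if any(a == acl and c in ("*", clnt) for c, _, a in rules[:i])]

# Constructed sample: hosts build1, build2, lab1 and all ids are made up.
KNOWN = {1001, 1002}
RULES = parse_idmap("1001:2001:build1:build2~*:-1:build1~:1500:lab1~1002:2002:build1")
```

In the sample, the last mapping never applies: the earlier "*" rule for build1 denies uid 1002 before the 1002 rule is reached, which is the kind of ordering mistake shadowed() reports.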
FILES
     /etc/dfs/fstypes        list of system types, NFS by default

     /etc/dfs/sharetab       system record of shared file systems

     /etc/nfs/nfslogtab      system record of logged file systems

     /etc/nfs/nfslog.conf    logging configuration file

SEE ALSO
     mount(1M), mountd(1M), nfsd(1M), nfslogd(1M), share(1M), unshare(1M),
     netgroup(4), nfslog.conf(4), acl(5), attributes(5), nfssec(5),
     shareacl(5)

NOTES
     If the sec= option is presented at least once, all uses of the window=,
     rw, ro, rw=, ro=, and root= options must come after the first sec=
     option. If the sec= option is not presented, then sec=sys is implied.

     If one or more explicit sec= options are presented, sys must appear in
     one of the options' mode lists for access using the AUTH_SYS security
     mode to be allowed.

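The sec= context rules from the sec=mode description and the two notes above, as an added example (not illumos code) that groups options by security mode and reports where an option string departs from those rules. It assumes the comma-separated option string form passed to share(1M); the sample strings and the host name hosta are constructed.

```python
# Added example: group share options by sec= context and report findings.
SCOPED = ("window", "rw", "ro", "root")   # options bound to a sec= context

def sec_contexts(optstr):
    """Return (contexts, findings) for a comma-separated option string.
    contexts maps each security mode to the scoped options applying to it."""
    contexts, findings = {}, []
    current = None      # modes named by the most recent sec= option
    early = []          # scoped options seen before any sec= option
    for opt in optstr.split(","):
        name, _, value = opt.partition("=")
        if name == "sec":
            current = value.split(":")
            for mode in current:
                if mode in contexts:
                    findings.append(f"mode {mode} appears more than once")
                contexts.setdefault(mode, [])
        elif name in SCOPED:
            if current is None:
                early.append(opt)
            else:
                for mode in current:
                    contexts[mode].append(opt)
    if not contexts:
        contexts["sys"] = early             # no sec= at all: sec=sys implied
    else:
        findings += [f"{o} precedes the first sec= option" for o in early]
        if "sys" not in contexts:
            findings.append("sys not listed: AUTH_SYS access is not allowed")
    for mode, opts in contexts.items():
        if mode != "dh" and any(o.startswith("window=") for o in opts):
            findings.append(f"window= given under sec={mode}, documented for sec=dh")
    return contexts, findings

# Constructed sample strings; hosta is a made-up host name.
GOOD = "sec=sys,rw=hosta,root=hosta,sec=dh,window=600,ro,nosuid"
BAD = "rw=hosta,sec=dh:none,ro,sec=dh,window=600"
```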
     Access checking for the window=, rw, ro, rw=, and ro= options is done per
     NFS request, instead of per mount request.

     The ro= and rw= options are guaranteed to work over UDP and TCP but may
     not work over other transport providers.

     The root= option with AUTH_SYS is guaranteed to work over UDP and TCP but
     may not work over other transport providers.

     The root= option with AUTH_DES is guaranteed to work over any transport
     provider.

     There are no interactions between the root= option and the ro, rw, ro=,
     and rw= options. Putting a host in the root list does not override the
     semantics of the other options. The access the host gets is the same as
     when the root= option is absent.

     The nohide option violates RFC 1094, Network File System Protocol
     Specification and RFC 1813, NFS: Network File System Version 3 Protocol
     Specification and is provided for compatibility with Linux NFS.

illumos                        November 22, 2017                       illumos