.\"
.\" This file and its contents are supplied under the terms of the
.\" Common Development and Distribution License ("CDDL"), version 1.0.
.\" You may only use this file in accordance with the terms of version
.\" 1.0 of the CDDL.
.\"
.\" A full copy of the text of the CDDL should have accompanied this
.\" source. A copy of the CDDL is also available via the Internet at
.\" http://www.illumos.org/license/CDDL.
.\"
.\"
.\" Copyright 2017 Nexenta Systems, Inc.
.\"
.Dd November 22, 2017
.Dt SHAREACL 5
.Os
.Sh NAME
.Nm shareacl
.Nd access list used by NFS and SMB services
.Sh DESCRIPTION
The
.Ar access_list
is a colon-separated list whose components may be any number of the following:
.Bl -tag -width Ds
.It Em hostname
The name of a host.
With a server configured for DNS or LDAP naming in the nsswitch
.Cm hosts
entry, any hostname must be represented as a fully qualified DNS or LDAP name.
.It Em netgroup
A netgroup contains a number of hostnames.
With a server configured for DNS or LDAP naming in the nsswitch
.Cm hosts
entry, any hostname in a netgroup must be represented as a fully qualified DNS
or LDAP name.
.It Em domain name suffix
To use domain membership the server must use DNS or LDAP to resolve hostnames to
IP addresses; that is, the
.Cm hosts
entry in the
.Pa /etc/nsswitch.conf
must specify
.Cm dns
or
.Cm ldap
ahead of
.Cm nis
since only DNS and LDAP return the full domain name of the host.
Other name services like NIS cannot be used to resolve hostnames on the server
because when mapping an IP address to a hostname they do not return domain
information.
For example,
.Pq NIS
.Ql 172.16.45.9 --> "myhost"
and
.Pq DNS or LDAP
.Ql 172.16.45.9 --> "myhost.mydomain.mycompany.com"
.Pp
The domain name suffix is distinguished from hostnames and netgroups by a
prefixed dot.
For example,
.Ql rw=.mydomain.mycompany.com
.Pp
A single dot can be used to match a hostname with no suffix.
For example,
.Ql rw=.
matches
.Em mydomain
but not
.Em mydomain.mycompany.com .
This feature can be used to match hosts resolved through NIS rather
than DNS and LDAP.
.It Em network
The network or subnet component is preceded by an at-sign
.Pq Qq @ .
It can be either a name or a dotted address.
If a name, it is converted to a dotted address by
.Xr getnetbyname 3SOCKET .
For example,
.Ql =@mynet
would be equivalent to
.Ql =@172.16
or
.Ql =@172.16.0.0
.Pp
When no mask is given, the network prefix is assumed to have an octet-aligned
netmask: the mask covers the address from the high-order octet down to, but not
including, the first zero octet in the low-order part, so
.Ql =@172.16
and
.Ql =@172.16.0.0
both denote the same network.
To specify a single IP address, see below.
Where a network prefix is not octet-aligned, the syntax allows a mask length to
be specified explicitly following a slash
.Pq Qq /
delimiter.
For example,
.Ql =@theothernet/17
or
.Ql =@172.16.132/22 ,
where the mask is the number of leftmost contiguous significant bits in the
corresponding IP address.
.Pp
When specifying individual IP addresses, use the same @ notation described
above, without a netmask specification.
For example,
.Ql =@172.16.132.14 .
Multiple individual IP addresses are specified, for example, as
.Ql root=@172.16.132.20:@172.16.134.20 .
.El
.Pp
A prefixed minus sign
.Pq Qq -
denies access to that component of
.Ar access_list .
The list is searched sequentially until a match is found that either grants or
denies access, or until the end of the list is reached.
For example, if host
.Em terra
is in the
.Em engineering
netgroup, then
.Ql rw=-terra:engineering
denies access to
.Em terra
but
.Ql rw=engineering:-terra
grants access to
.Em terra .
.Sh SEE ALSO
.Xr getnetbyname 3SOCKET ,
.Xr sharenfs 5 ,
.Xr sharesmb 5