.\"
.\" CDDL HEADER START
.\"
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\"
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\"
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.\"
.\" CDDL HEADER END
.\"
.\"
.\" Copyright (C) 2008, Sun Microsystems, Inc. All Rights Reserved
.\" Copyright 2017 Nexenta Systems, Inc.
.\" Copyright 2016 Jason King.
.\"
.Dd November 22, 2017
.Dt SHARENFS 5
.Os
.Sh NAME
.Nm sharenfs
.Nd NFS share options
.Sh DESCRIPTION
The following options are supported:
.Bl -tag -width Ds
.It Cm aclok
Allows the NFS server to do access control for NFS Version 2 clients (running
SunOS 2.4 or earlier).
When
.Cm aclok
is set on the server, maximal access is given to all clients.
For example, with
.Cm aclok
set, if anyone has read permissions, then everyone does.
If
.Cm aclok
is not set, minimal access is given to all clients.
.It Cm anon Ns = Ns Ar uid
Set
.Ar uid
to be the effective user ID of unknown users.
By default, unknown users are given the effective user ID
.Dv UID_NOBODY .
If uid is set to -1, access is denied.
.It Ar charset Ns = Ns Ar access-list
Where
.Ar charset
is one of:
.Cm euc-cn , euc-jp , euc-jpms , euc-kr , euc-tw , iso8859-1 , iso8859-2 ,
.Cm iso8859-5 , iso8859-6 , iso8859-7 , iso8859-8 , iso8859-9 , iso8859-13 ,
.Cm iso8859-15 , koi8-r .
.Pp
Clients that match the
.Ar access-list
for one of these properties will be assumed to be using that character set and
file and path names will be converted to UTF-8 for the server.
.It Cm gidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
Where
.Ar mapping
is:
.Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access-list
.Pp
Allows remapping the group ID
.Pq gid
in the incoming request to some other gid.
This effectively changes the identity of the user in the request to that of
some other local user.
.Pp
For clients where the gid in the incoming request is
.Ar clnt
and the client matches the
.Ar access-list ,
change the group ID to
.Ar srv .
If
.Ar clnt
is asterisk
.Pq Qq * ,
all groups are mapped by this rule.
If
.Ar clnt
is omitted, all unknown groups are mapped by this rule.
If
.Ar srv
is set to -1, access is denied.
If
.Ar srv
is omitted, the gid is mapped to
.Dv UID_NOBODY .
.Pp
Multiple
.Ar mapping Ns s
in the
.Cm gidmap Ns =
option are separated by tilde
.Pq Qq ~
and are evaluated in the specified order until a match is found.
Both
.Cm root Ns =
and
.Cm root_mapping Ns =
options
.Pq if specified
are evaluated before the
.Cm gidmap Ns =
option.
The
.Cm gidmap Ns =
option is skipped in the case where the client matches the
.Cm root Ns =
option.
.Pp
The
.Cm gidmap Ns =
option is evaluated before the
.Cm anon Ns =
option.
.Pp
This option is supported only for AUTH_SYS.
.It Cm index Ns = Ns Ar file
Load
.Ar file
rather than a listing of the directory containing this file when the
directory is referenced by an NFS URL.
.It Cm log Ns Oo = Ns Ar tag Oc
Enables NFS server logging for the specified file system.
The optional
.Ar tag
determines the location of the related log files.
The
.Ar tag
is defined in
.Pa /etc/nfs/nfslog.conf .
If no
.Ar tag
is specified, the default values associated with the global tag in
.Pa /etc/nfs/nfslog.conf
are used.
Support of NFS server logging is only available for NFS Version 2 and
Version 3 requests.
.It Cm nohide
By default, if a server exports two filesystems, one of which is mounted as a
child of the other, NFSv2 and NFSv3 clients must mount both filesystems
explicitly in order to access them.
If a client only mounts the parent, it will see an empty directory at the
location where the other filesystem is mounted.
.Pp
Setting the
.Cm nohide
option on a filesystem causes it to no longer be hidden in this manner, and the
client will be able to move from the parent filesystem to this one without
noticing the change.
However, some NFS clients or applications may not function correctly when this
option is used.
In particular, files on different underlying filesystems may appear to have the
same inode numbers.
The
.Cm nohide
option only applies to NFSv2 and NFSv3 requests.
.It Cm noaclfab
By default, the NFS server will fabricate POSIX-draft style ACLs in response
to ACL requests from NFSv2 or NFSv3 clients accessing shared file systems that
do not support POSIX-draft ACLs
.Pq such as ZFS .
Specifying
.Cm noaclfab
disables this behavior.
.It Cm none Ns = Ns Ar access-list
Access is not allowed to any client that matches the access list.
The exception is when the access list is an asterisk
.Pq Qq * ,
in which case
.Cm ro
or
.Cm rw
can override
.Cm none .
.It Cm nosub
Prevents clients from mounting subdirectories of shared directories.
For example, if
.Pa /export
is shared with the
.Cm nosub
option on server
.Em fooey ,
then an NFS client cannot do
.Ql mount -F nfs fooey:/export/home/mnt .
.Pp
NFSv4 does not use the MOUNT protocol.
The
.Cm nosub
option only applies to NFSv2 and NFSv3 requests.
.It Cm nosuid
By default, clients are allowed to create files on the shared file system with
the setuid or setgid mode enabled.
Specifying
.Cm nosuid
causes the server file system to silently ignore any attempt to enable the
setuid or setgid mode bits.
.It Cm public
Moves the location of the public file handle from root
.Pq Qq Pa /
to the exported directory for WebNFS-enabled browsers and clients.
This option does not enable WebNFS service; WebNFS is always on.
Only one file system per server may use this option.
Any other option, including the
.Cm ro Ns = Ns Ar list
and
.Cm rw Ns = Ns Ar list
options can be included with the
.Cm public
option.
.It Cm ro
Sharing is read-only to all clients.
.It Cm ro Ns = Ns Ar access-list
Sharing is read-only to the clients listed in
.Ar access-list ;
overrides the
.Cm rw
suboption for the clients specified.
See
.Xr shareacl 5
for the description of
.Ar access-list .
.It Cm root Ns = Ns Ar access-list
Only root users from the hosts specified in
.Ar access-list
have root access.
See
.Xr shareacl 5
for the description of
.Ar access-list .
By default, no host has root access, so root users are mapped to an anonymous
user ID
.Po see the
.Cm anon Ns = Ns Ar uid
option described above
.Pc .
Netgroups can be used if the file system shared is using AUTH_SYS.
.It Cm root_mapping Ns = Ns Ar uid
For a client that is allowed root access, map the root UID to the specified
user ID.
.It Cm rw
Sharing is read-write to all clients.
.It Cm rw Ns = Ns Ar access-list
Sharing is read-write to the clients listed in
.Ar access-list ;
overrides the
.Cm ro
suboption for the clients specified.
See
.Xr shareacl 5
for the description of
.Ar access-list .
.It Cm sec Ns = Ns Ar mode Ns Oo : Ns Ar mode Oc Ns ...
Sharing uses one or more of the specified security modes.
The
.Ar mode
in the
.Cm sec Ns = Ns Ar mode
option must be a mode name supported on the client.
If the
.Cm sec Ns =
option is not specified, the default security mode used is AUTH_SYS.
Multiple
.Cm sec Ns =
options can be specified on the command line, although each mode can appear
only once.
The security modes are defined in
.Xr nfssec 5 .
.Pp
Each
.Cm sec Ns =
option specifies modes that apply to any subsequent
.Cm window Ns = ,
.Cm rw ,
.Cm ro ,
.Cm rw Ns = ,
.Cm ro Ns = ,
and
.Cm root Ns =
options that are provided before another
.Cm sec Ns =
option.
Each additional
.Cm sec Ns =
resets the security mode context, so that more
.Cm window Ns = ,
.Cm rw ,
.Cm ro ,
.Cm rw Ns = ,
.Cm ro Ns = ,
and
.Cm root Ns =
options can be supplied for additional modes.
.It Cm sec Ns = Ns Cm none
If the option
.Cm sec Ns = Ns Cm none
is specified when the client uses AUTH_NONE, or if the client uses a security
mode that is not one that the file system is shared with, then the credential
of each NFS request is treated as unauthenticated.
See the
.Cm anon Ns = Ns Ar uid
option for a description of how unauthenticated requests are handled.
.It Cm secure
This option has been deprecated in favor of the
.Cm sec Ns = Ns Cm dh
option.
.It Cm uidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
Where
.Ar mapping
is:
.Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access-list
.Pp
Allows remapping the user ID
.Pq uid
in the incoming request to some other uid.
This effectively changes the identity of the user in the request to that of
some other local user.
.Pp
For clients where the uid in the incoming request is
.Ar clnt
and the client matches the
.Ar access-list ,
change the user ID to
.Ar srv .
If
.Ar clnt
is asterisk
.Pq Qq * ,
all users are mapped by this rule.
If
.Ar clnt
is omitted, all unknown users are mapped by this rule.
If
.Ar srv
is set to -1, access is denied.
If
.Ar srv
is omitted, the uid is mapped to
.Dv UID_NOBODY .
.Pp
Multiple
.Ar mapping Ns s
in the
.Cm uidmap Ns =
option are separated by tilde
.Pq Qq ~
and are evaluated in the specified order until a match is found.
Both
.Cm root Ns =
and
.Cm root_mapping Ns =
options
.Pq if specified
are evaluated before the
.Cm uidmap Ns =
option.
The
.Cm uidmap Ns =
option is skipped in the case where the client matches the
.Cm root Ns =
option.
.Pp
The
.Cm uidmap Ns =
option is evaluated before the
.Cm anon Ns =
option.
.Pp
This option is supported only for AUTH_SYS.
.It Cm window Ns = Ns Ar value
When sharing with
.Cm sec Ns = Ns Cm dh ,
set the maximum life time
.Pq in seconds
of the RPC request's credential
.Pq in the authentication header
that the NFS server allows.
If a credential arrives with a life time larger than what is allowed, the NFS
server rejects the request.
The default value is 30000 seconds
.Pq 8.3 hours .
.El
.Sh FILES
.Bl -tag -width "/etc/nfs/nfslog.conf"
.It Pa /etc/dfs/fstypes
list of system types, NFS by default
.It Pa /etc/dfs/sharetab
system record of shared file systems
.It Pa /etc/nfs/nfslogtab
system record of logged file systems
.It Pa /etc/nfs/nfslog.conf
logging configuration file
.El
.Sh SEE ALSO
.Xr mount 1M ,
.Xr mountd 1M ,
.Xr nfsd 1M ,
.Xr nfslogd 1M ,
.Xr share 1M ,
.Xr unshare 1M ,
.Xr netgroup 4 ,
.Xr nfslog.conf 4 ,
.Xr acl 5 ,
.Xr attributes 5 ,
.Xr nfssec 5 ,
.Xr shareacl 5
.Sh NOTES
If the
.Cm sec Ns =
option is presented at least once, all uses of the
.Cm window Ns = ,
.Cm rw ,
.Cm ro ,
.Cm rw Ns = ,
.Cm ro Ns = ,
and
.Cm root Ns =
options must come after the first
.Cm sec Ns =
option.
If the
.Cm sec Ns =
option is not presented, then
.Cm sec Ns = Ns Cm sys
is implied.
.Pp
If one or more explicit
.Cm sec Ns =
options are presented,
.Cm sys
must appear in one of the options' mode lists for access using the AUTH_SYS
security mode to be allowed.
.Pp
Access checking for the
.Cm window Ns = ,
.Cm rw ,
.Cm ro ,
.Cm rw Ns = ,
and
.Cm ro Ns =
options is done per NFS request, instead of per mount request.
.Pp
The
.Cm ro Ns =
and
.Cm rw Ns =
options are guaranteed to work over UDP and TCP but may not work over other
transport providers.
.Pp
The
.Cm root Ns =
option with AUTH_SYS is guaranteed to work over UDP and TCP but may not work
over other transport providers.
.Pp
The
.Cm root Ns =
option with AUTH_DES is guaranteed to work over any transport provider.
.Pp
There are no interactions between the
.Cm root Ns =
option and the
.Cm ro ,
.Cm rw ,
.Cm ro Ns = ,
and
.Cm rw Ns =
options.
Putting a host in the root list does not override the semantics of the other
options.
The access the host gets is the same as when the
.Cm root Ns =
option is absent.
.Pp
The
.Cm nohide
option violates RFC 1094,
.%T "Network File System Protocol Specification"
and RFC 1813,
.%T "NFS: Network File System Version 3 Protocol Specification"
and is provided for compatibility with Linux NFS.
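.Pp
The following Python sketch is an added example, not part of the original
manual page or of the NFS server code; it checks a share option string against
the sec= ordering rules given in these notes and shows which options each sec=
context binds.
It assumes the comma-separated option string passed to share -o; the function
names and sample strings are constructed for illustration.
.Bd -literal
```python
# Added example: lint the sec= contexts of an NFS share option string.
# Function names and sample strings are constructed for illustration.
SCOPED = {"window", "rw", "ro", "root"}  # options bound to the preceding sec=

def parse_sec_contexts(optstr):
    """Return (contexts, problems); a context is (modes, {option: value})."""
    opts = [o.partition("=") for o in optstr.split(",") if o]
    has_sec = any(name == "sec" for name, _, _ in opts)
    # With no sec= option at all, sec=sys is implied.
    contexts = [] if has_sec else [(("sys",), {})]
    problems, seen = [], set()
    for name, _, value in opts:
        if name == "sec":
            modes = tuple(value.split(":"))
            for mode in modes:
                if mode in seen:
                    problems.append("mode %s appears more than once" % mode)
                seen.add(mode)
            contexts.append((modes, {}))  # each sec= resets the context
        elif name in SCOPED:
            if contexts:
                contexts[-1][1][name] = value
            else:
                problems.append("%s appears before the first sec=" % name)
        # other options (nosuid, anon=, ...) are not tied to a sec= context
    return contexts, problems

def auth_sys_allowed(contexts):
    """AUTH_SYS access needs sys in at least one mode list."""
    return any("sys" in modes for modes, _ in contexts)

if __name__ == "__main__":
    for sample in ("sec=dh,window=600,rw=hosta:hostb,sec=sys,ro,nosuid",
                   "rw,sec=dh:sys,ro=hosta,sec=sys,root=hosta",
                   "rw=hosta,nosuid"):
        ctxs, probs = parse_sec_contexts(sample)
        print(sample, ctxs, probs, auth_sys_allowed(ctxs))
```
.Ed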