System Administration Commands sharenfs(1M)
NAME
sharenfs - make local NFS file systems available for mounting by remote systems
SYNOPSIS
share [-d description] [-F nfs] [-o specificoptions] pathname
DESCRIPTION
The share utility makes local file systems available for
mounting by remote systems. It starts the nfsd(1M) and
mountd(1M) daemons if they are not already running.
If no argument is specified, then share displays all file
systems currently shared, including NFS file systems and
file systems shared through other distributed file system
packages.
OPTIONS
The following options are supported:
-d description
Provide a comment that describes the file system to be
shared.
-F nfs
Share NFS file system type.
-o specificoptions
Specify specificoptions in a comma-separated list of keywords and attribute-value-assertions for interpretation by the file-system-type-specific command. If specificoptions is not specified, then by default sharing is read-write to all clients. specificoptions can be any combination of the following:
aclok
Allows the NFS server to do access control for NFS
Version 2 clients (running SunOS 2.4 or earlier).
When aclok is set on the server, maximal access is
given to all clients. For example, with aclok set,
if anyone has read permissions, then everyone does.
If aclok is not set, minimal access is given to all
clients.
SunOS 5.11 Last change: 11 Nov 2008 1
anon=uid
Set uid to be the effective user ID of unknown users. By default, unknown users are given the effective user ID UID_NOBODY. If uid is set to -1, access is denied.
charset=accesslist
Where charset is one of: euc-cn, euc-jp, euc-jpms,
euc-kr, euc-tw, iso8859-1, iso8859-2, iso8859-5,
iso8859-6, iso8859-7, iso8859-8, iso8859-9,
iso8859-13, iso8859-15, koi8-r.
Clients that match the accesslist for one of these properties will be assumed to be using that character set and file and path names will be converted to UTF-8 for the server.
index=file
Load file rather than a listing of the directory containing this file when the directory is referenced by an NFS URL.
log=tag
Enables NFS server logging for the specified file system. The optional tag determines the location of the related log files. The tag is defined in /etc/nfs/nfslog.conf. If no tag is specified, the default values associated with the global tag in /etc/nfs/nfslog.conf are used. Support of NFS server logging is only available for NFS Version 2 and Version 3 requests.
none=accesslist
Access is not allowed to any client that matches the access list. The exception is when the access list is an asterisk (*), in which case ro or rw can override none.
nosub
Prevents clients from mounting subdirectories of shared directories. For example, if /export is shared with the nosub option on server fooey then an NFS client cannot do:
mount -F nfs fooey:/export/home/mnt
NFS Version 4 does not use the MOUNT protocol. The nosub option only applies to NFS Version 2 and Version 3 requests.
nosuid
By default, clients are allowed to create files on
the shared file system with the setuid or setgid
mode enabled. Specifying nosuid causes the server
file system to silently ignore any attempt to enable
the setuid or setgid mode bits.
public
Moves the location of the public file handle from root (/) to the exported directory for WebNFS-enabled browsers and clients. This option does not enable WebNFS service; WebNFS is always on. Only one file system per server may use this option. Any other option, including the ro=accesslist and rw=accesslist options, can be included with the public option.
ro
Sharing is read-only to all clients.
ro=accesslist
Sharing is read-only to the clients listed in
accesslist; overrides the rw suboption for the
clients specified. See accesslist below.
root=accesslist
Only root users from the hosts specified in
accesslist have root access. See accesslist below.
By default, no host has root access, so root users
are mapped to an anonymous user ID (see the anon=uid
option described above). Netgroups can be used if
the file system shared is using UNIX authentication (AUTH_SYS).
root_mapping=uid
For a client that is allowed root access, map the
root UID to the specified user id.
rw
Sharing is read-write to all clients.
rw=accesslist
Sharing is read-write to the clients listed in
accesslist; overrides the ro suboption for the
clients specified. See accesslist below.
sec=mode[:mode]...
Sharing uses one or more of the specified security modes. The mode in the sec=mode option must be a mode name supported on the client. If the sec= option is not specified, the default security mode used is AUTH_SYS. Multiple sec= options can be specified on the command line, although each mode can appear only once. The security modes are defined in nfssec(5).
Each sec= option specifies modes that apply to any subsequent window=, rw, ro, rw=, ro= and root= options that are provided before another sec= option. Each additional sec= resets the security mode context, so that more window=, rw, ro, rw=, ro= and root= options can be supplied for additional modes.
sec=none
If the option sec=none is specified when the client
uses AUTH_NONE, or if the client uses a security
mode that is not one that the file system is shared
with, then the credential of each NFS request is
treated as unauthenticated. See the anon=uid option
for a description of how unauthenticated requests
are handled.
secure
This option has been deprecated in favor of the
sec=dh option.
window=value
When sharing with sec=dh, set the maximum life time
(in seconds) of the RPC request's credential (in the
authentication header) that the NFS server allows.
If a credential arrives with a life time larger than
what is allowed, the NFS server rejects the request.
The default value is 30000 seconds (8.3 hours).
accesslist
The accesslist argument is a colon-separated list whose
components may be any number of the following:
hostname
The name of a host. With a server configured for DNS or
LDAP naming in the nsswitch "hosts" entry, any hostname
must be represented as a fully qualified DNS or LDAP
name.
netgroup
A netgroup contains a number of hostnames. With a server
configured for DNS or LDAP naming in the nsswitch
"hosts" entry, any hostname in a netgroup must be
represented as a fully qualified DNS or LDAP name.
domain name suffix
To use domain membership the server must use DNS or LDAP
to resolve hostnames to IP addresses; that is, the
"hosts" entry in the /etc/nsswitch.conf must specify
"dns" or "ldap" ahead of "nis" or "nisplus", since only
DNS and LDAP return the full domain name of the host.
Other name services like NIS or NIS+ cannot be used to resolve hostnames on the server because when mapping an IP address to a hostname they do not return domain information. For example,
NIS or NIS+ 172.16.45.9 --> "myhost"
and
DNS or LDAP 172.16.45.9 -->
"myhost.mydomain.mycompany.com"
The domain name suffix is distinguished from hostnames
and netgroups by a prefixed dot. For example,
rw=.mydomain.mycompany.com
A single dot can be used to match a hostname with no
suffix. For example,
rw=.
matches "mydomain" but not "mydomain.mycompany.com".
This feature can be used to match hosts resolved through NIS and NIS+ rather than DNS and LDAP.
network
The network or subnet component is preceded by an at-sign (@). It can be either a name or a dotted address.
If a name, it is converted to a dotted address by
getnetbyname(3SOCKET). For example,
=@mynet
would be equivalent to:
=@172.16 or =@172.16.0.0
If no mask length is given, the network prefix is assumed to be octet-aligned: the mask covers the octets you specified, from the high-order octet down to the last non-zero low-order octet, so all four octets must be given to match a single IP address. Where a network prefix is not byte-aligned, the syntax allows a mask length to be specified explicitly following a slash (/) delimiter. For example,
=@theothernet/17 or =@172.16.132/22
where the mask is the number of leftmost contiguous significant bits in the corresponding IP address.
A prefixed minus sign (-) denies access to that component of
accesslist. The list is searched sequentially until a match
is found that either grants or denies access, or until the
end of the list is reached. For example, if host "terra" is
in the "engineering" netgroup, then
rw=-terra:engineering
denies access to terra but
rw=engineering:-terra
grants access to terra.
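The following Python is an added illustration, not part of the man page: it models the accesslist matching described above (hostnames, netgroups, domain suffixes, the bare dot, @network components with octet-aligned or explicit mask lengths, and the sequential first-match rule with a leading minus sign denying). The host, netgroup and network tables are constructed stand-ins for the name service and for getnetbyname(3SOCKET).

```python
import ipaddress

# Constructed name-service data (an assumption, not from the man page). The server
# resolves names through DNS, so a lookup returns the fully qualified hostname;
# "nisbox" stands for a host resolved through NIS, which returns no domain suffix.
HOSTS = {"terra": ("terra.mydomain.mycompany.com", "172.16.132.7"),  # short -> (name, ip)
         "nisbox": ("nisbox", "172.16.45.9")}
NETGROUPS = {"engineering": {"terra"}}
NETWORKS = {"mynet": "172.16"}                        # stand-in for getnetbyname(3SOCKET)

def network_of(spec):
    """Body of an '@' component: a name, '172.16', '172.16.0.0' or '172.16.132/22'."""
    addr, _, plen = NETWORKS.get(spec, spec).partition("/")
    octets = addr.split(".")
    if not plen:                                      # no /len: trailing zero octets are host bits
        while len(octets) > 1 and octets[-1] == "0":
            octets.pop()
        plen = str(8 * len(octets))                   # '172.16' and '172.16.0.0' -> /16
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(padded + "/" + plen, strict=False)

def component_matches(comp, host):
    """One accesslist component (leading '-' already stripped) against one client host."""
    name, ip = HOSTS[host]
    if comp.startswith("@"):                          # network or subnet
        return ipaddress.ip_address(ip) in network_of(comp[1:])
    if comp == ".":                                   # bare dot: hostname without a suffix
        return "." not in name
    if comp.startswith("."):                          # domain name suffix
        return name.endswith(comp)
    if comp in NETGROUPS:
        return host in NETGROUPS[comp]
    return comp in (host, name)                       # hostname (short form accepted for the examples)

def accesslist_allows(accesslist, host):
    """Search the colon-separated list in order; the first match decides, and '-' denies."""
    for comp in accesslist.split(":"):
        if component_matches(comp.lstrip("-"), host):
            return not comp.startswith("-")
    return False                                      # nothing matched: no access
```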
OPERANDS
The following operands are supported:
pathname
The pathname of the file system to be shared.
EXAMPLES
Example 1 Sharing A File System With Logging Enabled
The following example shows the /export file system shared
with logging enabled:
example% share -o log /export
The default global logging parameters are used since no tag
identifier is specified. The location of the log file, as
well as the necessary logging work files, is specified by
the global entry in /etc/nfs/nfslog.conf. The nfslogd(1M)
daemon runs only if at least one file system entry in
/etc/dfs/dfstab is shared with logging enabled upon starting
or rebooting the system. Simply sharing a file system with
logging enabled from the command line does not start the
nfslogd(1M).
EXIT STATUS
The following exit values are returned:
0
Successful completion.
>0
An error occurred.
FILES
/etc/dfs/fstypes
list of system types, NFS by default
/etc/dfs/sharetab
system record of shared file systems
/etc/nfs/nfslogtab
system record of logged file systems
/etc/nfs/nfslog.conf
logging configuration file
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            SUNWnfssu
SEE ALSO
mount(1M), mountd(1M), nfsd(1M), nfslogd(1M), share(1M), unshare(1M), getnetbyname(3SOCKET), nfslog.conf(4), netgroup(4), attributes(5), nfssec(5)
NOTES
If the sec= option is presented at least once, all uses of
the window=, rw, ro, rw=, ro= and root= options must come
after the first sec= option. If the sec= option is not
presented, then sec=sys is implied.
If one or more explicit sec= options are presented, sys must appear in one of the options' mode lists for access using the AUTH_SYS security mode to be allowed. For example:
share -F nfs /var
share -F nfs -o sec=sys /var
grants read-write access to any host using AUTH_SYS, but
share -F nfs -o sec=dh /var
grants no access to clients that use AUTH_SYS.
Unlike previous implementations of sharenfs, access checking for the window=, rw, ro, rw=, and ro= options is done per NFS request, instead of per mount request.
Combining multiple security modes can be a security hole in
situations where the ro= and rw= options are used to control
access to weaker security modes. In this example,
share -F nfs -o sec=dh,rw,sec=sys,rw=hosta /var
an intruder can forge the IP address for hosta (albeit on each NFS request) to side-step the stronger controls of AUTH_DES. Something like:
share -F nfs -o sec=dh,rw,sec=sys,ro /var
is safer, because any client (intruder or legitimate) that avoids AUTH_DES only gets read-only access. In general, multiple security modes per share command should only be used in situations where the clients using more secure modes get stronger access than clients using less secure modes.
If rw=, and ro= options are specified in the same sec=
clause, and a client is in both lists, the order of the two
options determines the access the client gets. If client
hosta is in two netgroups - group1 and group2 - in this
example, the client would get read-only access:
share -F nfs -o ro=group1,rw=group2 /var
In this example hosta would get read-write access:
share -F nfs -o rw=group2,ro=group1 /var
If within a sec= clause, both the ro and rw= options are specified, for compatibility, the order of the options rule is not enforced. All hosts would get read-only access, with the exception of those in the read-write list. Likewise, if the ro= and rw options are specified, all hosts get read-write access with the exception of those in the read-only list.
The ro= and rw= options are guaranteed to work over UDP and
TCP but may not work over other transport providers.
The root= option with AUTH_SYS is guaranteed to work over UDP and TCP but may not work over other transport providers. The root= option with AUTH_DES is guaranteed to work over any transport provider.
There are no interactions between the root= option and the
rw, ro, rw=, and ro= options. Putting a host in the root
list does not override the semantics of the other options.
The access the host gets is the same as when the root= option is absent. For example, the following share command
denies access to hostb:
share -F nfs -o ro=hosta,root=hostb /var
The following gives read-only permissions to hostb:
share -F nfs -o ro=hostb,root=hostb /var
The following gives read-write permissions to hostb:
share -F nfs -o ro=hosta,rw=hostb,root=hostb /var
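The following Python, added here and not part of the man page, models how the sec= clause rules and the rw, ro, rw=, ro= and root= ordering notes above combine to decide one client's access for one security mode. Accesslists are reduced to literal hostnames and constructed netgroups (an assumption) so the focus stays on clause and option ordering.

```python
# Constructed netgroup data (an assumption, not from the man page); hostnames are
# matched literally so the example stays focused on clause and option ordering.
NETGROUPS = {"group1": {"hosta"}, "group2": {"hosta"}}

def in_list(accesslist, host):
    """Minimal accesslist check: hostnames and netgroups, first match decides, '-' denies."""
    for comp in accesslist.split(":"):
        name = comp.lstrip("-")
        if name == host or host in NETGROUPS.get(name, ()):
            return not comp.startswith("-")
    return False

def parse_clauses(opts):
    """Group the -o option string into sec= clauses: [(modes, [(key, value), ...])]."""
    clauses = []
    for item in filter(None, opts.split(",")):
        key, _, val = item.partition("=")
        if key == "sec":                              # new clause; modes are colon-separated
            clauses.append((val.split(":"), []))
        else:
            if not clauses:
                clauses.append((["sys"], []))         # no sec= given: sec=sys is implied
            clauses[-1][1].append((key, val))
    return clauses or [(["sys"], [])]

def access(opts, host, mode):
    """Return 'rw', 'ro' or 'none' for a client using security mode `mode`."""
    for modes, entries in parse_clauses(opts):
        if mode not in modes:
            continue
        for key, val in entries:                      # first rw=/ro= list naming the host wins;
            if key in ("rw", "ro") and val and in_list(val, host):   # root= never changes this
                return key
        bare = [k for k, v in entries if k in ("rw", "ro") and not v]
        if bare:                                      # bare ro or rw: everyone not listed above
            return bare[0]
        if any(k in ("rw", "ro") for k, _ in entries):
            return "none"                             # lists only, and this host is in none
        return "rw"                                   # no ro/rw option at all: read-write to all
    return "none"   # client's mode is not shared: request is unauthenticated (see anon=uid)
```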
If the file system being shared is a symbolic link to a valid pathname, the canonical path (the path which the symbolic link follows) is shared. For example, if /export/foo is a symbolic link to /export/bar (/export/foo -> /export/bar), the following share command results in /export/bar as the shared pathname (and not /export/foo).
example# share -F nfs /export/foo
An NFS mount of server:/export/foo results in
server:/export/bar really being mounted.
This line in the /etc/dfs/dfstab file shares the /disk file
system read-only at boot time:
share -F nfs -o ro /disk
The same command entered from the command line does not
share the /disk file system unless there is at least one
file system entry in the /etc/dfs/dfstab file. The
mountd(1M) and nfsd(1M) daemons only run if there is a file
system entry in /etc/dfs/dfstab when starting or rebooting
the system.
The mountd(1M) process allows the processing of a path name that contains a symbolic link. This allows the processing of paths that are not themselves explicitly shared with sharenfs. For example, /export/foo might be a symbolic link that refers to /export/bar which has been specifically shared. When the client mounts /export/foo the mountd processing follows the symbolic link and responds with /export/bar. The NFS Version 4 protocol does not use the mountd processing and the client's use of /export/foo does not work as it does with NFS Version 2 and Version 3; the client receives an error when attempting to mount /export/foo.