4 .\" The contents of this file are subject to the terms of the
5 .\" Common Development and Distribution License (the "License").
6 .\" You may not use this file except in compliance with the License.
8 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 .\" or http://www.opensolaris.org/os/licensing.
10 .\" See the License for the specific language governing permissions
11 .\" and limitations under the License.
13 .\" When distributing Covered Code, include this CDDL HEADER in each
14 .\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 .\" If applicable, add the following below this CDDL HEADER, with the
16 .\" fields enclosed by brackets "[]" replaced with your own identifying
17 .\" information: Portions Copyright [yyyy] [name of copyright owner]
22 .\" Copyright (C) 2008, Sun Microsystems, Inc. All Rights Reserved
23 .\" Copyright 2014 Nexenta Systems, Inc. All rights reserved.
30 .Nd make local NFS file systems available for mounting by remote systems
33 .Op Fl d Ar description
35 .Op Fl o Ar specific_options
40 utility makes local file systems available for mounting by remote systems. It
45 daemons if they are not already running.
47 If no argument is specified, then
49 displays all file systems currently shared, including NFS file systems and file
50 systems shared through other distributed file system packages.
52 The following options are supported:
53 .Bl -tag -width "indented"
54 .It Fl d Ar description
55 Provide a comment that describes the file system to be shared.
57 Share NFS file system type.
58 .It Fl o Ar specific_options
61 in a comma-separated list of keywords and attribute-value-assertions for
62 interpretation by the file-system-type-specific command. If
64 is not specified, then by default sharing is read-write to all clients.
66 can be any combination of the following:
67 .Bl -tag -width "indented"
69 Allows the NFS server to do access control for NFS Version 2 clients (running
70 SunOS 2.4 or earlier). When
72 is set on the server, maximal access is given to all clients. For example, with
74 set, if anyone has read permissions, then everyone does. If
76 is not set, minimal access is given to all clients.
77 .It Sy anon Ns = Ns Ar uid
80 to be the effective user ID of unknown users. By default, unknown users are
81 given the effective user ID UID_NOBODY. If uid is set to -1, access is denied.
82 .It Ar charset Ns = Ns Ar access_list
85 is one of: euc-cn, euc-jp, euc-jpms, euc-kr, euc-tw, iso8859-1, iso8859-2,
86 iso8859-5, iso8859-6, iso8859-7, iso8859-8, iso8859-9, iso8859-13, iso8859-15,
89 Clients that match the
91 for one of these properties will be assumed to be using that character set and
92 file and path names will be converted to UTF-8 for the server.
93 .It Sy gidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
97 .Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
99 Allows remapping the group ID (gid) in the incoming request to some other gid.
100 This effectively changes the identity of the user in the request to that of
101 some other local user.
103 For clients where the gid in the incoming request is
105 and the client matches the
107 , change the group ID to
110 is asterisk (*), all groups are mapped by this rule. If
112 is omitted, all unknown groups are mapped by this rule. If
114 is set to -1, access is denied. If
116 is omitted, the gid is mapped to UID_NOBODY.
122 option by tilde (~) and are evaluated in the specified order until a match is
126 .Sy root_mapping Ns =
127 options (if specified) are evaluated before the
131 option is skipped in the case where the client matches the
137 option is evaluated before the
141 This option is supported only for AUTH_SYS.
142 .It Sy index Ns = Ns Ar file
145 rather than a listing of the directory containing this file when the
146 directory is referenced by an NFS URL.
147 .It Sy log Ns Oo = Ns Ar tag Oc
148 Enables NFS server logging for the specified file system. The optional
150 determines the location of the related log files. The
153 .Pa /etc/nfs/nfslog.conf .
156 is specified, the default values associated with the global tag in
157 .Pa /etc/nfs/nfslog.conf
158 are used. Support of NFS server logging is only available for NFS Version 2 and
160 .It Sy none Ns = Ns Ar access_list
161 Access is not allowed to any client that matches the access list. The exception
162 is when the access list is an asterisk (*), in which case
169 Prevents clients from mounting subdirectories of shared directories. For
176 then a NFS client cannot do:
177 .Bd -literal -offset indent
178 mount -F nfs fooey:/export/home/mnt
181 NFS Version 4 does not use the MOUNT protocol. The
183 option only applies to NFS Version 2 and Version 3 requests.
185 By default, clients are allowed to create files on the shared file system with
186 the setuid or setgid mode enabled. Specifying
188 causes the server file system to silently ignore any attempt to enable the
189 setuid or setgid mode bits.
191 Moves the location of the public file handle from root
193 to the exported directory for WebNFS-enabled browsers and clients. This option
194 does not enable WebNFS service; WebNFS is always on. Only one file system per
195 server may use this option. Any other option, including the
196 .Sy ro Ns = Ns Ar list
198 .Sy rw Ns = Ns Ar list
199 options can be included with the
203 Sharing is read-only to all clients.
204 .It Sy ro Ns = Ns Ar access_list
205 Sharing is read-only to the clients listed in
209 suboption for the clients specified. See
212 .It Sy root Ns = Ns Ar access_list
213 Only root users from the hosts specified in
215 have root access. See
217 below. By default, no host has root access, so root users are mapped to an
218 anonymous user ID (see the
219 .Sy anon Ns = Ns Ar uid
220 option described above). Netgroups can be used if the file system shared is
221 using UNIX authentication (AUTH_SYS).
222 .It Sy root_mapping Ns = Ns Ar uid
223 For a client that is allowed root access, map the root UID to the specified
226 Sharing is read-write to all clients.
227 .It Sy rw Ns = Ns Ar access_list
228 Sharing is read-write to the clients listed in
232 suboption for the clients specified. See
235 .It Sy sec Ns = Ns Ar mode Ns Oo : Ns Ar mode Oc Ns ...
236 Sharing uses one or more of the specified security modes. The
239 .Sy sec Ns = Ns Ar mode
240 option must be a mode name supported on the client. If the
242 option is not specified, the default security mode used is AUTH_SYS. Multiple
244 options can be specified on the command line, although each mode can appear
245 only once. The security modes are defined in
250 option specifies modes that apply to any subsequent
258 options that are provided before another
263 resets the security mode context, so that more
271 options can be supplied for additional modes.
272 .It Sy sec Ns = Ns Sy none
274 .Sy sec Ns = Ns Sy none
275 is specified when the client uses AUTH_NONE, or if the client uses a security
276 mode that is not one that the file system is shared with, then the credential
277 of each NFS request is treated as unauthenticated. See the
278 .Sy anon Ns = Ns Ar uid
279 option for a description of how unauthenticated requests are handled.
281 This option has been deprecated in favor of the
282 .Sy sec Ns = Ns Sy dh
284 .It Sy uidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
288 .Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
290 Allows remapping the user ID (uid) in the incoming request to some other uid.
291 This effectively changes the identity of the user in the request to that of
292 some other local user.
294 For clients where the uid in the incoming request is
296 and the client matches the
298 , change the user ID to
301 is asterisk (*), all users are mapped by this rule. If
303 is omitted, all unknown users are mapped by this rule. If
305 is set to -1, access is denied. If
307 is omitted, the uid is mapped to UID_NOBODY.
313 option by tilde (~) and are evaluated in the specified order until a match is
317 .Sy root_mapping Ns =
318 options (if specified) are evaluated before the
322 option is skipped in the case where the client matches the
328 option is evaluated before the
332 This option is supported only for AUTH_SYS.
333 .It Sy window Ns = Ns Ar value
335 .Sy sec Ns = Ns Sy dh ,
336 set the maximum life time (in seconds) of the RPC request's credential (in the
337 authentication header) that the NFS server allows. If a credential arrives with
338 a life time larger than what is allowed, the NFS server rejects the request. The
339 default value is 30000 seconds (8.3 hours).
345 argument is a colon-separated list whose components may be any number of the
347 .Bl -tag -width "indented"
349 The name of a host. With a server configured for DNS or LDAP naming in the
352 entry, any hostname must be represented as a fully qualified DNS or LDAP name.
354 A netgroup contains a number of hostnames. With a server configured for DNS or
355 LDAP naming in the nsswitch
357 entry, any hostname in a netgroup must be represented as a fully qualified DNS
359 .It Sy domain name suffix
360 To use domain membership the server must use DNS or LDAP to resolve hostnames to
361 IP addresses; that is, the
364 .Pa /etc/nsswitch.conf
373 since only DNS and LDAP return the full domain name of the host. Other name
374 services like NIS or NIS+ cannot be used to resolve hostnames on the server
375 because when mapping an IP address to a hostname they do not return domain
376 information. For example,
377 .Bd -literal -offset indent
378 NIS or NIS+ 172.16.45.9 --> "myhost"
382 .Bd -literal -offset indent
383 DNS or LDAP 172.16.45.9 --> "myhost.mydomain.mycompany.com"
386 The domain name suffix is distinguished from hostnames and netgroups by a
387 prefixed dot. For example,
388 .Bd -literal -offset indent
389 rw=.mydomain.mycompany.com
392 A single dot can be used to match a hostname with no suffix. For example,
393 .Bd -literal -offset indent
400 .Qq mydomain.mycompany.com .
401 This feature can be used to match hosts resolved through NIS and NIS+ rather
404 The network or subnet component is preceded by an at-sign (@). It can be either
405 a name or a dotted address. If a name, it is converted to a dotted address by
406 .Xr getnetbyname 3SOCKET .
408 .Bd -literal -offset indent
412 would be equivalent to:
413 .Bd -literal -offset indent
414 =@172.16 or =@172.16.0.0
417 The network prefix assumes an octet-aligned netmask determined from the zeroth
418 octet in the low-order part of the address up to and including the high-order
419 octet, if you want to specify a single IP address (see below). In the case
420 where network prefixes are not byte-aligned, the syntax allows a mask length to
421 be specified explicitly following a slash (/) delimiter. For example,
422 .Bd -literal -offset indent
423 =@theothernet/17 or =@172.16.132/22
426 where the mask is the number of leftmost contiguous significant bits in the
427 corresponding IP address.
429 When specifying individual IP addresses, use the same @ notation described
430 above, without a netmask specification. For example:
431 .Bd -literal -offset indent
435 Multiple, individual IP addresses would be specified, for example, as:
436 .Bd -literal -offset indent
437 root=@172.16.132.20:@172.16.134.20
441 A prefixed minus sign (-) denies access to that component of
443 The list is searched sequentially until a match is found that either grants or
444 denies access, or until the end of the list is reached. For example, if host
449 .Bd -literal -offset indent
450 rw=-terra:engineering
456 .Bd -literal -offset indent
457 rw=engineering:-terra
463 The following operands are supported:
464 .Bl -tag -width "pathname"
466 The pathname of the file system to be shared.
469 .Bl -tag -width "/etc/nfs/nfslog.conf"
470 .It Pa /etc/dfs/fstypes
471 list of system types, NFS by default
472 .It Pa /etc/dfs/sharetab
473 system record of shared file systems
474 .It Pa /etc/nfs/nfslogtab
475 system record of logged file systems
476 .It Pa /etc/nfs/nfslog.conf
477 logging configuration file
482 .Ss Example 1 Sharing A File System With Logging Enabled
483 The following example shows the
485 file system shared with logging enabled:
486 .Bd -literal -offset indent
490 The default global logging parameters are used since no tag identifier is
491 specified. The location of the log file, as well as the necessary logging work
492 files, is specified by the global entry in
493 .Pa /etc/nfs/nfslog.conf .
496 daemon runs only if at least one file system entry in
498 is shared with logging enabled upon starting or rebooting the system. Simply
499 sharing a file system with logging enabled from the command line does not start
502 .Ss Example 2 Remap A User Coming From The Particular NFS Client
503 The following example remaps the user with uid
509 .Bd -literal -offset indent
510 share -o uidmap=100:joe:@10.0.0.1 /export
519 .Xr getnetbyname 3SOCKET ,
527 option is presented at least once, all uses of the
535 options must come after the first
539 option is not presented, then
540 .Sy sec Ns = Ns Sy sys
543 If one or more explicit
545 options are presented,
547 must appear in one of the options mode lists for accessing using the AUTH_SYS
548 security mode to be allowed. For example:
549 .Bd -literal -offset indent
551 share -F nfs -o sec=sys /var
554 grants read-write access to any host using AUTH_SYS, but
555 .Bd -literal -offset indent
556 share -F nfs -o sec=dh /var
559 grants no access to clients that use AUTH_SYS.
561 Unlike previous implementations of
563 access checking for the
570 options is done per NFS request, instead of per mount request.
572 Combining multiple security modes can be a security hole in situations where
577 options are used to control access to weaker security modes. In this example,
578 .Bd -literal -offset indent
579 share -F nfs -o sec=dh,rw,sec=sys,rw=hosta /var
582 an intruder can forge the IP address for
584 (albeit on each NFS request) to side-step the stronger controls of AUTH_DES.
586 .Bd -literal -offset indent
587 share -F nfs -o sec=dh,rw,sec=sys,ro /var
590 is safer, because any client (intruder or legitimate) that avoids AUTH_DES only
591 gets read-only access. In general, multiple security modes per share command
592 should only be used in situations where the clients using more secure modes get
593 stronger access than clients using less secure modes.
599 options are specified in the same
601 clause, and a client is in both lists, the order of the two options determines
602 the access the client gets. If client
608 in this example, the client would get read-only access:
609 .Bd -literal -offset indent
610 share -F nfs -o ro=group1,rw=group2 /var
615 would get read-write access:
616 .Bd -literal -offset indent
617 share -F nfs -o rw=group2,ro=group1 /var
626 options are specified, for compatibility, the order of the options rule is not
627 enforced. All hosts would get read-only access, with the exception to those in
628 the read-write list. Likewise, if the
632 options are specified, all hosts get read-write access with the exceptions of
633 those in the read-only list.
639 options are guaranteed to work over UDP and TCP but may not work over other
644 option with AUTH_SYS is guaranteed to work over UDP and TCP but may not work
645 over other transport providers.
649 option with AUTH_DES is guaranteed to work over any transport provider.
651 There are no interactions between the
659 options. Putting a host in the root list does not override the semantics of the
660 other options. The access the host gets is the same as when the
662 option is absent. For example, the following share command denies access to
664 .Bd -literal -offset indent
665 share -F nfs -o ro=hosta,root=hostb /var
668 The following gives read-only permissions to
670 .Bd -literal -offset indent
671 share -F nfs -o ro=hostb,root=hostb /var
674 The following gives read-write permissions to
676 .Bd -literal -offset indent
677 share -F nfs -o ro=hosta,rw=hostb,root=hostb /var
680 If the file system being shared is a symbolic link to a valid pathname, the
681 canonical path (the path which the symbolic link follows) is shared. For
684 is a symbolic link to
686 the following share command results in
688 as the shared pathname (and not
690 .Bd -literal -offset indent
691 share -F nfs /export/foo
695 .Lk server:/export/foo
697 .Lk server:/export/bar
698 really being mounted.
704 file system read-only at boot time:
705 .Bd -literal -offset indent
706 share -F nfs -o ro /disk
709 The same command entered from the command line does not share the
711 file system unless there is at least one file system entry in the
717 daemons only run if there is a file system entry in
719 when starting or rebooting the system.
723 process allows the processing of a path name the contains a symbolic link.
724 This allows the processing of paths that are not themselves explicitly shared
729 might be a symbolic link that refers to
731 which has been specifically shared. When the client mounts
733 the mountd processing follows the symbolic link and responds with the
735 The NFS Version 4 protocol does not use the mountd processing and the client's
738 does not work as it does with NFS Version 2 and Version 3 and the client
739 receives an error when attempting to mount