share_nfs(1M)

HP-UX 11i Version 3: February 2007

NAME

share_nfs: share — make local NFS file systems available for mounting by remote systems

SYNOPSIS

/sbin/fs/nfs/share [-d description] [-F nfs] [-o specific_options] pathname

DESCRIPTION

The share utility makes local file systems available for mounting by remote systems.

If no argument is specified, then share displays all file systems currently shared, including NFS file systems and file systems shared through other distributed file system packages.

Options

The following options are supported:

-d description

Provide a comment that describes the file system to be shared.

-F nfs

Share NFS file system type.

-o specific_options

Specify specific_options in a comma-separated list of keywords and attribute-value-assertions for interpretation by the file-system-type-specific command. If specific_options is not specified, then by default sharing will be read-write to all clients. specific_options can be any combination of the following:

async

All NFS Protocol Version 2 mounts will be asynchronous. This option is ignored for NFS PV3. Specifying async increases write performance on the NFS server by causing asynchronous writes on the NFS server. The async option can be specified anywhere on the command line after the pathname operand. Before using this option, refer to the APPLICATION USAGE section below.

anon=uid

Set uid to be the effective user ID of unknown users. By default, unknown users are given the effective user ID UID_NOBODY. If uid is set to -1, access is denied.

index=file

Load file rather than a listing of the directory containing this file when the directory is referenced by an NFS URL.

log[=tag]

Enables NFS server logging for the specified file system. The optional tag determines the location of the related log files. The tag is defined in /etc/nfs/nfslog.conf. If no tag is specified, the default values associated with the "global" tag in /etc/nfs/nfslog.conf will be used.

nosub

Prevents clients from mounting subdirectories of shared directories. For example, if /export is shared with the nosub option on server fooey, then an NFS client will not be able to do:

mount -F nfs fooey:/export/home/mnt

nosuid

By default, clients are allowed to create files on the shared file system with the setuid or setgid mode enabled. Specifying nosuid causes the server file system to silently ignore any attempt to enable the setuid or setgid mode bits.

public

Moves the location of the public file handle from root (/) to the exported directory for Web NFS-enabled browsers and clients. This option does not enable Web NFS service; Web NFS is always on. Only one file system per server may use this option. Any other option, including the ro=list and rw=list options, can be included with the public option.

ro

Sharing will be read-only to all clients.

ro=access_list

Sharing will be read-only to the clients listed in access_list; overrides the rw suboption for the clients specified. See access_list below.

root=access_list

Only root users from the hosts specified in access_list will have root access. See access_list below. By default, no host has root access, so root users are mapped to an anonymous user ID (see the anon=uid option described above). Netgroups can be used if the file system shared is using UNIX authentication (AUTH_SYS).

rw

Sharing will be read-write to all clients. This is the default behavior.

rw=access_list

Sharing will be read-mostly to clients in access_list. Read-mostly means read-write to those clients specified and read-only for all other systems. If the sec= option is provided, sharing will be read-write to the clients listed in access_list; this overrides the ro suboption for the clients specified. See access_list below.

sec=mode[:mode] ...

Sharing will use one or more of the specified security modes. The mode in the sec=mode option must be a mode name supported on the client. If the sec= option is not specified, the default security mode used is AUTH_SYS. Multiple sec= options can be specified on the command line, although each mode can appear only once. The security modes are defined in nfssec(5).

Each sec= option specifies modes that apply to any subsequent window=, rw, ro, rw=, ro=, and root= options that are provided before another sec=mode. Each additional sec= resets the security mode context, so that more window=, rw, ro, rw=, ro=, and root= options can be supplied for additional modes.

sec=none

If the option sec=none is specified when the client uses AUTH_NONE, or if the client uses a security mode that is not one that the file system is shared with, then the credential of each NFS request is treated as unauthenticated. See the anon=uid option for a description of how unauthenticated requests are handled.

window=value

When sharing with sec=dh, set the maximum life time (in seconds) of the RPC request's credential (in the authentication header) that the NFS server will allow. If a credential arrives with a life time larger than what is allowed, the NFS server will reject the request. The default value is 30000 seconds (8.3 hours).

Operands

The following operands are supported:

pathname

The pathname of the file system to be shared.

The access_list Argument

The access_list argument is used in many of the options described above. The access_list is a colon-separated list whose components may be any number of the following.

hostname

The name of a host. With a server configured for DNS or LDAP naming in the nsswitch "hosts" entry, any hostname must be represented as a fully qualified DNS or LDAP name.

netgroup

A netgroup contains a number of hostnames. With a server configured for DNS or LDAP naming in the nsswitch "hosts" entry, any hostname in a netgroup must be represented as a fully qualified DNS or LDAP name.

domain name suffix

To use domain membership, the server must use DNS or LDAP to resolve hostnames to IP addresses; that is, the "hosts" entry in the /etc/nsswitch.conf must specify dns or ldap ahead of nis, since only DNS and LDAP return the full domain name of the host. Other name services like NIS cannot be used to resolve hostnames on the server, because when mapping an IP address to a hostname they do not return domain information. For example,

NIS

129.144.45.9 --> "myhost"

DNS or LDAP

129.144.45.9 --> "myhost.mydomain.mycompany.com"

The domain name suffix is distinguished from hostnames and netgroups by a prefixed dot. For example,

rw=.mydomain.mycompany.com

A single dot can be used to match a hostname with no suffix. For example,

rw=.

will match "mydomain" but not "mydomain.mycompany.com". This feature can be used to match hosts resolved through NIS rather than DNS or LDAP.

network

The network or subnet component is preceded by an at-sign (@). It can be either a name or a dotted address. If a name, it will be converted to a dotted address by getnetbyname(). For example, =@mynet would be equivalent to:

=@129.144 or =@129.144.0.0

The network prefix assumes an octet-aligned netmask determined from the zero octets in the low-order part of the address. Where a network prefix is not byte-aligned, the syntax allows a mask length to be specified explicitly following a slash (/) delimiter. For example,

=@mynet/17 or rw=@129.144.132/17

where the mask is the number of leftmost contiguous significant bits in the corresponding IP address.

A prefixed minus sign (-) denies access to that component of access_list. The list is searched sequentially until a match is found that either grants or denies access, or until the end of the list is reached.

EXAMPLES

The following example shows the /export file system shared with logging enabled:

example% share -o log /export

The default global logging parameters are used since no tag identifier is specified. The location of the log file, as well as the necessary logging work files, is specified by the global entry in /etc/nfs/nfslog.conf.

APPLICATION USAGE

If the async option is used, an unreported data loss may occur ONLY on a write and ONLY if the NFS server experiences a failure after the write reply has been sent to the client. Specifically, blocks which have been queued for the server's disk, but have not yet been written to the disk may be lost.

You cannot export either a parent directory or a subdirectory of an exported directory that resides within the same file system. It is not allowed, for instance, to export both /usr and /usr/local if both directories reside on the same disk partition.

If the sec= option is presented at least once, all uses of the window=, rw, ro, rw=, ro=, and root= options must come after the first sec= option. If the sec= option is not presented, then sec=sys is implied.

If one or more explicit sec= options are presented, sys must appear in at least one of the options' mode lists for access using the AUTH_SYS security mode to be allowed. For example, either of:

share -F nfs /var

share -F nfs -o sec=sys /var

will grant read-write access to any host using AUTH_SYS, but

share -F nfs -o sec=dh /var

will grant no access to clients that use AUTH_SYS.

Access checking for the window=, rw, ro, rw=, and ro= options is done per NFS request, instead of per mount request.

Combining multiple security modes can be a security hole in situations where the ro= and rw= options are used to control access to weaker security modes. In this example,

share -F nfs -o sec=dh,rw,sec=sys,rw=hosta /var

an intruder can forge the IP address for hosta (albeit on each NFS request) to side-step the stronger controls of AUTH_DES. Something like:

share -F nfs -o sec=dh,rw,sec=sys,ro /var

is safer, because any client (intruder or legitimate) that avoids AUTH_DES will only get read-only access. In general, multiple security modes per share command should only be used in situations where the clients using more secure modes get stronger access than clients using less secure modes.

If the rw= and ro= options are specified in the same sec= clause, and a client is in both lists, the order of the two options determines the access the client gets. If client hosta is in two netgroups (group1 and group2), the client would get read-only access in this example:

share -F nfs -o ro=group1,rw=group2 /var

In this example hosta would get read-write access:

share -F nfs -o rw=group2,ro=group1 /var

If, within a sec= clause, both the ro and rw= options are specified, the order-of-options rule is not enforced, for compatibility: all hosts get read-only access except those in the read-write list. Likewise, if the ro= and rw options are specified, all hosts get read-write access except those in the read-only list.
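The following is an added example, not part of this manual page or of the share utility itself: a Python model of the access checks described under "The access_list Argument" and in this section, so that an -o option string can be reviewed before it is placed in /etc/dfs/dfstab. It assumes that networks are given as dotted addresses (no getnetbyname() lookup), that netgroups come from a constructed table passed in by the caller, and that a client matching none of the rw=/ro= lists is denied when no bare rw or ro is present, as in the root= examples below.

```python
import ipaddress

def _net_matches(comp, ip):
    """@network[/mask]; without /mask the mask is octet-aligned, from trailing zero octets."""
    addr, _, bits = comp[1:].partition("/")
    octets = (addr.split(".") + ["0"] * 4)[:4]
    if not bits:                            # @129.144 and @129.144.0.0 both become /16
        n = next((i for i in range(4, 0, -1) if octets[i - 1] != "0"), 0)
        bits = str(8 * n)
    net = ipaddress.ip_network(".".join(octets) + "/" + bits, strict=False)
    return ipaddress.ip_address(ip) in net

def access_list_allows(spec, host, ip, netgroups=None):
    """Search the colon-separated access_list in order; the first grant or deny wins."""
    for item in spec.split(":"):
        deny = item.startswith("-")
        comp = item[1:] if deny else item
        if comp.startswith("@"):
            hit = _net_matches(comp, ip)
        elif comp == ".":
            hit = "." not in host           # unqualified name, e.g. one resolved through NIS
        elif comp.startswith("."):
            hit = host.endswith(comp)       # domain name suffix
        else:                               # hostname, or a netgroup from the constructed table
            hit = comp == host or host in (netgroups or {}).get(comp, ())
        if hit:
            return not deny
    return False                            # end of list reached without a match: no access

def client_access(options, host, ip, mode="sys", netgroups=None):
    """Return 'rw', 'ro' or 'none' for one client under a share -o option string."""
    clauses, cur = [], None
    for opt in options.split(","):
        if opt.startswith("sec=") or cur is None:   # new sec= clause, or the implied sec=sys one
            cur = (opt[4:].split(":") if opt.startswith("sec=") else ["sys"], [])
            clauses.append(cur)
        if not opt.startswith("sec="):
            cur[1].append(opt)
    opts = next((o for modes, o in clauses if mode in modes), None)
    if opts is None:
        return "none"                       # the client's security mode is not shared at all
    lists = [o for o in opts if o.startswith(("rw=", "ro="))]
    for o in lists:                         # option order decides when a host is in both lists
        if access_list_allows(o[3:], host, ip, netgroups):
            return o[:2]
    if "ro" in opts:
        return "ro"
    if "rw" in opts or not lists:
        return "rw"
    return "none"                           # only lists were given and this client is in none
```

Running client_access("sec=dh,rw,sec=sys,rw=hosta", "hosta", ip) with mode="sys" returns "rw" for any request that merely claims to be hosta, which is the weakness this section warns about; the sec=dh,rw,sec=sys,ro form returns "ro" for every AUTH_SYS client.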

The ro= and rw= options are guaranteed to work over UDP and TCP but may not work over other transport providers.

The root= option with AUTH_SYS is guaranteed to work over UDP and TCP but may not work over other transport providers.

The root= option with AUTH_DES is guaranteed to work over any transport provider.

There are no interactions between the root= option and the rw, ro, rw=, and ro= options. Putting a host in the root list does not override the semantics of the other options. The access the host gets is the same as when the root= option is absent. For example, the following share command will deny access to hostb:

share -F nfs -o ro=hosta,root=hostb /var

The following will give read-only permissions to hostb:

share -F nfs -o ro=hostb,root=hostb /var

The following will give read-write permissions to hostb:

share -F nfs -o ro=hosta,rw=hostb,root=hostb /var

If the file system being shared is a symbolic link to a valid pathname, the canonical path (the path which the symbolic link follows) will be shared. For example, if /export/foo is a symbolic link to /export/bar (/export/foo -> /export/bar), the following share command will result in /export/bar as the shared pathname (and not /export/foo).

example# share -F nfs /export/foo

Note that an NFS mount of server:/export/foo will result in server:/export/bar really being mounted.

This line in the /etc/dfs/dfstab file will share the /disk file system read-only at boot time:

share -F nfs -o ro /disk

Note that the same command entered from the command line will not share the /disk file system unless there is at least one file system entry in the /etc/dfs/dfstab file.

EXIT STATUS

The following exit values are returned:

0

Successful completion.

>0

An error occurred.

FILES

/etc/dfs/fstypes

list of distributed file system types, NFS by default

/etc/dfs/sharetab

system record of shared file systems

/etc/nfs/nfslogtab

system record of logged file systems

/etc/nfs/nfslog.conf

logging configuration file

AUTHOR

share_nfs was developed by Sun Microsystems, Inc.

© 1983-2007 Hewlett-Packard Development Company, L.P.