88d9f0f6a9
it the normal way, read/write to specific clients.
320 lines
11 KiB
Groff
320 lines
11 KiB
Groff
.\" $NetBSD: exports.5,v 1.13 1997/10/19 15:29:20 fvdl Exp $
|
|
.\"
|
|
.\" Copyright (c) 1989, 1991, 1993
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. All advertising materials mentioning features or use of this software
|
|
.\" must display the following acknowledgement:
|
|
.\" This product includes software developed by the University of
|
|
.\" California, Berkeley and its contributors.
|
|
.\" 4. Neither the name of the University nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" @(#)exports.5 8.3 (Berkeley) 3/29/95
|
|
.\"
|
|
.Dd March 29, 1995
|
|
.Dt EXPORTS 5
|
|
.Os
|
|
.Sh NAME
|
|
.Nm exports
|
|
.Nd define remote mount points for
|
|
.Tn NFS
|
|
mount requests
|
|
.Sh SYNOPSIS
|
|
.Nm exports
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm exports
|
|
file specifies remote mount points for the
|
|
.Tn NFS
|
|
mount protocol per the
|
|
.Tn NFS
|
|
server specification; see
|
|
.%T "Network File System Protocol Specification \\*(tNRFC\\*(sP 1094, Appendix A"
|
|
and
|
|
.%T "NFS: Network File System Version 3 Specification, Appendix I" .
|
|
.Pp
|
|
Each line in the file
|
|
(other than comment lines that begin with a #)
|
|
specifies the mount point(s) and export flags within one local server
|
|
filesystem for one or more hosts.
|
|
A host may be specified only once for each local filesystem on the
|
|
server and there may be only one default entry for each server
|
|
filesystem that applies to all other hosts.
|
|
The latter exports the filesystem to the ``world'' and should
|
|
be used only when the filesystem contains public information.
|
|
.Pp
|
|
In a mount entry,
|
|
the first field(s) specify the directory path(s) within a server filesystem
|
|
that can be mounted on by the corresponding client(s).
|
|
There are two forms of this specification.
|
|
The first is to list all mount points as absolute
|
|
directory paths separated by whitespace.
|
|
The second is to specify the pathname of the root of the filesystem
|
|
followed by the
|
|
.Fl alldirs
|
|
flag;
|
|
this form allows the host(s) to mount at any point within the filesystem,
|
|
including regular files if the
|
|
.Fl r
|
|
option is used on mountd. Note that the
|
|
.Fl alldirs
|
|
option should not be used as a security measure to make clients mount
|
|
only those subdirectories that they should have access to. A client
|
|
can still access the whole filesystem via individual RPCs if it
|
|
wanted to, even if just one subdirectory has been mounted.
|
|
The pathnames must not have any symbolic links in them and should not have
|
|
any "." or ".." components.
|
|
Mount points for a filesystem may appear on multiple lines each with
|
|
different sets of hosts and export options.
|
|
.Pp
|
|
The second component of a line specifies how the filesystem is to be
|
|
exported to the host set.
|
|
The option flags specify whether the filesystem
|
|
is exported read-only or read-write and how the client uid is mapped to
|
|
user credentials on the server.
|
|
.Pp
|
|
Export options are specified as follows:
|
|
.Pp
|
|
.Sm off
|
|
.Fl maproot No = Sy user
|
|
.Sm on
|
|
The credential of the specified user is used for remote access by root.
|
|
The credential includes all the groups to which the user is a member
|
|
on the local machine (see
|
|
.Xr id 1 ).
|
|
The user may be specified by name or number.
|
|
.Pp
|
|
.Sm off
|
|
.Fl maproot No = Sy user:group1:group2:...
|
|
.Sm on
|
|
The colon separated list is used to specify the precise credential
|
|
to be used for remote access by root.
|
|
The elements of the list may be either names or numbers.
|
|
Note that user: should be used to distinguish a credential containing
|
|
no groups from a complete credential for that user.
|
|
.Pp
|
|
.Sm off
|
|
.Fl mapall No = Sy user
|
|
.Sm on
|
|
or
|
|
.Sm off
|
|
.Fl mapall No = Sy user:group1:group2:...
|
|
.Sm on
|
|
specifies a mapping for all client uids (including root)
|
|
using the same semantics as
|
|
.Fl maproot .
|
|
.Pp
|
|
The option
|
|
.Fl r
|
|
is a synonym for
|
|
.Fl maproot
|
|
in an effort to be backward compatible with older export file formats.
|
|
.Pp
|
|
In the absence of
|
|
.Fl maproot
|
|
and
|
|
.Fl mapall
|
|
options, remote accesses by root will result in using a credential of -2:-2.
|
|
All other users will be mapped to their remote credential.
|
|
If a
|
|
.Fl maproot
|
|
option is given,
|
|
remote access by root will be mapped to that credential instead of -2:-2.
|
|
If a
|
|
.Fl mapall
|
|
option is given,
|
|
all users (including root) will be mapped to that credential in
|
|
place of their own.
|
|
.Pp
|
|
The
|
|
.Fl kerb
|
|
option specifies that the Kerberos authentication server should be
|
|
used to authenticate and map client credentials.
|
|
This option requires that the kernel be built with the NFSKERB option.
|
|
.Pp
|
|
The
|
|
.Fl ro
|
|
option specifies that the filesystem should be exported read-only
|
|
(default read/write).
|
|
The option
|
|
.Fl o
|
|
is a synonym for
|
|
.Fl ro
|
|
in an effort to be backward compatible with older export file formats.
|
|
.Pp
|
|
The
|
|
.Fl noresvport
|
|
option specifies that NFS RPC calls for the filesystem do not have to come
|
|
from reserved ports. Normally, clients are required to use reserved
|
|
ports for operations. Using this option decreases the security of your
|
|
system.
|
|
.Pp
|
|
The
|
|
.Fl noresvmnt
|
|
option specifies that mount RPC requests for the filesystem do not have
|
|
to come from reserved ports. Normally, clients are required to use reserved
|
|
ports for mount requests. Using this option decreases the security of
|
|
your system.
|
|
.Pp
|
|
WebNFS exports strictly according to the spec (RFC 2054 and RFC 2055) can
|
|
be done with the
|
|
.Fl public
|
|
flag. However, this flag in itself allows r/w access to all files in
|
|
the filesystem, not requiring reserved ports and not remapping uids. It
|
|
is only provided to conform to the spec, and should normally not be used.
|
|
For a WebNFS export,
|
|
use the
|
|
.Fl webnfs
|
|
flag, which implies
|
|
.Fl public ,
|
|
.Sm off
|
|
.Fl mapall No = Sy nobody
|
|
.Sm on
|
|
and
|
|
.Fl ro .
|
|
.Pp
|
|
A
|
|
.Sm off
|
|
.Fl index No = Sy file
|
|
.Sm off
|
|
option can be used to specify a file whose handle will be returned if
|
|
a directory is looked up using the public filehandle (WebNFS). This
|
|
is to mimic the behavior of URLs. If no
|
|
.Fl index
|
|
option is specified, a directory filehandle will be returned as usual.
|
|
The
|
|
.Fl index
|
|
option only makes sense in combination with the
|
|
.Fl public
|
|
or
|
|
.Fl webnfs
|
|
flags.
|
|
.Pp
|
|
.Bf -symbolic
|
|
Warning: exporting a filesystem both using WebNFS and read/write in
|
|
the normal way to other hosts should be avoided in an environment
|
|
that is vulnerable to IP spoofing.
|
|
.Ef
|
|
WebNFS enables any client to get filehandles to the exported filesystem.
|
|
Using IP spoofing, a client could then pretend to be a host to which
|
|
the same filesystem was exported read/write, and use the handle to
|
|
gain access to that filesystem.
|
|
.Pp
|
|
The third component of a line specifies the host set to which the line applies.
|
|
The set may be specified in three ways.
|
|
The first way is to list the host name(s) separated by white space.
|
|
(Standard internet ``dot'' addresses may be used in place of names.)
|
|
The second way is to specify a ``netgroup'' as defined in the netgroup file (see
|
|
.Xr netgroup 5 ).
|
|
The third way is to specify an internet subnetwork using a network and
|
|
network mask that is defined as the set of all hosts with addresses within
|
|
the subnetwork.
|
|
This latter approach requires less overhead within the
|
|
kernel and is recommended for cases where the export line refers to a
|
|
large number of clients within an administrative subnet.
|
|
.Pp
|
|
The first two cases are specified by simply listing the name(s) separated
|
|
by whitespace.
|
|
All names are checked to see if they are ``netgroup'' names
|
|
first and are assumed to be hostnames otherwise.
|
|
Using the full domain specification for a hostname can normally
|
|
circumvent the problem of a host that has the same name as a netgroup.
|
|
The third case is specified by the flag
|
|
.Sm off
|
|
.Fl network No = Sy netname
|
|
.Sm on
|
|
and optionally
|
|
.Sm off
|
|
.Fl mask No = Sy netmask .
|
|
.Sm on
|
|
If the mask is not specified, it will default to the mask for that network
|
|
class (A, B or C; see
|
|
.Xr inet 5 ).
|
|
.Pp
|
|
For example:
|
|
.Bd -literal -offset indent
|
|
/usr /usr/local -maproot=0:10 friends
|
|
/usr -maproot=daemon grumpy.cis.uoguelph.ca 131.104.48.16
|
|
/usr -ro -mapall=nobody
|
|
/u -maproot=bin: -network 131.104.48 -mask 255.255.255.0
|
|
/u2 -maproot=root friends
|
|
/u2 -alldirs -kerb -network cis-net -mask cis-mask
|
|
.Ed
|
|
.Pp
|
|
Given that
|
|
.Sy /usr ,
|
|
.Sy /u
|
|
and
|
|
.Sy /u2
|
|
are
|
|
local filesystem mount points, the above example specifies the following:
|
|
.Sy /usr
|
|
is exported to hosts
|
|
.Em friends
|
|
where friends is specified in the netgroup file
|
|
with users mapped to their remote credentials and
|
|
root mapped to uid 0 and group 10.
|
|
It is exported read-write and the hosts in ``friends'' can mount either /usr
|
|
or /usr/local.
|
|
It is exported to
|
|
.Em 131.104.48.16
|
|
and
|
|
.Em grumpy.cis.uoguelph.ca
|
|
with users mapped to their remote credentials and
|
|
root mapped to the user and groups associated with ``daemon'';
|
|
it is exported to the rest of the world as read-only with
|
|
all users mapped to the user and groups associated with ``nobody''.
|
|
.Pp
|
|
.Sy /u
|
|
is exported to all hosts on the subnetwork
|
|
.Em 131.104.48
|
|
with root mapped to the uid for ``bin'' and with no group access.
|
|
.Pp
|
|
.Sy /u2
|
|
is exported to the hosts in ``friends'' with root mapped to uid and groups
|
|
associated with ``root'';
|
|
it is exported to all hosts on network ``cis-net'' allowing mounts at any
|
|
directory within /u2 and mapping all uids to credentials for the principal
|
|
that is authenticated by a Kerberos ticket.
|
|
.Sh FILES
|
|
.Bl -tag -width /etc/exports -compact
|
|
.It Pa /etc/exports
|
|
The default remote mount-point file.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr netgroup 5 ,
|
|
.Xr mountd 8 ,
|
|
.Xr nfsd 8 ,
|
|
.Xr showmount 8
|
|
.Sh BUGS
|
|
The export options are tied to the local mount points in the kernel and
|
|
must be non-contradictory for any exported subdirectory of the local
|
|
server mount point.
|
|
It is recommended that all exported directories within the same server
|
|
filesystem be specified on adjacent lines going down the tree.
|
|
You cannot specify a hostname that is also the name of a netgroup.
|
|
Specifying the full domain specification for a hostname can normally
|
|
circumvent the problem.
|