Managing Network File Systems in Oracle® Solaris 11.2

Exit Print View

Updated: July 2014

share Command

Use the share command to make a local file system on an NFS server available for mounting. You can also use the share command to display a list of the file systems on your system that are currently shared. The NFS server must be running for the share command to work.

The objects that can be shared include any directory tree. However, each file system hierarchy is limited by the disk slice or partition that the file system is located on.

A file system cannot be shared if that file system is part of a larger file system that is already being shared. For example, if /usr and /usr/local are on one disk slice, /usr can be shared or /usr/local can be shared. However, if both directories need to be shared with different share options, /usr/local must be moved to a separate disk slice.

You can gain access to a file system that is read-only shared through the file handle of a file system that is read-write shared. However, the two file systems have to be on the same disk slice. To create a more secure situation, place those file systems that need to be read-write on a separate partition or separate disk slice from the file systems that you need to share as read-only.

Note -  For information about how NFS Version 4 functions when a file system is unshared and then reshared, refer to Unsharing and Resharing a File System in NFS Version 4.

share Options

Some of the options that you can include with the –o flag are as follows:


The pathname file system is shared read-write or read-only for all clients.


The file system is shared read-write for the clients that are listed only. All other requests are denied. See Setting Access Lists With the share Command for more information. You can use this option to override an –ro option.

NFS-Specific share Options

The options that you can use with NFS file systems include the following:


This option enables an NFS server that supports the NFS Version 2 protocol to be configured to do access control for NFS Version 2 clients. Without this option, all clients are given minimal access. With this option, the clients have maximal access. For instance, on file systems that are shared with the –aclok option, if anyone has read permissions, everyone does. However, without this option, you can deny access to a client who should have access permissions. A decision to permit too much access or too little access depends on the security systems already in place. See Using Access Control Lists to Protect UFS Files in Securing Files and Verifying File Integrity in Oracle Solaris 11.2 for more information about access control lists (ACLs).

Note -  To use ACLs, ensure that clients and servers run software that supports the NFS Version 3 and NFS_ACL protocols. If the software only supports the NFS Version 3 protocol, clients obtain correct access but cannot manipulate the ACLs. If the software supports the NFS_ACL protocol, the clients obtain correct access and can manipulate the ACLs.

You use anon to select the user ID of unauthenticated users. If you set anon to -1, the server denies access to unauthenticated users. Because granting root access by setting anon=0 allows unauthenticated users to have root access, use the root option instead.


When a user accesses an NFS URL, the –index=filename option forces the HTML file to load instead of displaying a list of the directory. This option mimics the action of current browsers if an index.html file is found in the directory that the HTTP URL is accessing. This option is the equivalent of setting the DirectoryIndex option for httpd. For instance, suppose that share command reports the following:

export_web /export/web   nfs sec=sys,public,index=index.html,ro

These URLs then display the same information:


This option specifies the tag in /etc/nfs/nfslog.conf that contains the NFS server logging configuration information for a file system. This option must be selected to enable NFS server logging.


This option signals that all attempts to enable the setuid or setgid mode should be ignored. NFS clients cannot create files with the setuid or setgid bits on.


The –public option has been added to the share command to enable WebNFS browsing. Only one file system on a server can be shared with this option.


The server gives root access to the hosts in the list. By default, the server does not give root access to any remote hosts. If the selected security mode is anything other than –sec=sys, you can only include client host names in the list. See Setting Access Lists With the share Command for more information.


Caution  -  Granting root access to other hosts has wide security implications. Use the –root= option with extreme caution.


The client-name value is used with AUTH_SYS authentication to check the client's IP address against a list of addresses provided by exportfs (1B) . If a match is found, root access is given to the file systems being shared.


For secure NFS modes such as AUTH_SYS or RPCSEC_GSS, the server checks the clients' principal names against a list of host-based principal names that are derived from an access list. The generic syntax for the client's principal name is root@hostname. For Kerberos V, the syntax is root/hostname.fully.qualified@REALM. When you use the hostname value, the clients on the access list must have the credentials for a principal name. For Kerberos V, the client must have a valid keytab entry for its root/hostname.fully.qualified@REALM principal name. For more information, see Configuring Kerberos Clients in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2 .


This option sets the security modes that are needed to obtain access to the file system. By default, the security mode is UNIX authentication. You can specify multiple modes, but use each security mode only once per command line. Each –sec= option applies to any subsequent –rw, –ro, –rw=, –ro=, –root=, and –window= options until another –sec= is encountered. The use of –sec=none maps all users to user nobody.


value selects the maximum lifetime in seconds of a credential on the NFS server. The default value is 30000 seconds or 8.3 hours.

Setting Access Lists With the share Command

The access list that you provide with the share command can include a domain name, a subnet number, or an entry to deny access, as well as the standard –ro=, –rw=, or –root= options. These extensions should simplify file access control on a single server without having to change the namespace or maintain long lists of clients.

The following example provides read-only access for most systems but allows read-write access for rose and lilac:

# share -F nfs -o ro,rw=rose:lilac /usr/src

The following example assigns read-only access to any host in the eng netgroup. The client rose is specifically given read-write access.

# share -F nfs -o ro=eng,rw=rose /usr/src

Note -  You cannot specify both rw and ro without arguments. If no read-write option is specified, the default is read-write for all clients.

To share one file system with multiple clients, you must type all options on the same line. If you issue multiple invocations of the share command on the same object, only the last command that is run is applied. The following example enables read-write access to three client systems, but only rose and tulip are given access to the file system as root.

# share -F nfs -o rw=rose:lilac:tulip,root=rose:tulip /usr/src

When sharing a file system that uses multiple authentication mechanisms, ensure that you include the –ro, –ro=, –rw, –rw=, –root, and –window options after the correct security modes. In this example, UNIX authentication is selected for all hosts in the netgroup that is named eng. These hosts can mount the file system only in read-only mode. The hosts tulip and lilac can mount the file system read-write if these hosts use Diffie-Hellman authentication. With these options, tulip and lilac can mount the file system read-only even if these hosts are not using DH authentication. However, the host names must be listed in the eng netgroup.

# share -F nfs -o sec=dh,rw=tulip:lilac,sec=sys,ro=eng /usr/src

Even though UNIX authentication is the default security mode, UNIX authentication is not included if the –sec option is used. Therefore, you must include a –sec=sys option if UNIX authentication is to be used with any other authentication mechanism.

You can use a DNS domain name in the access list by preceding the actual domain name with a dot. The string that follows the dot is a domain name, not a fully qualified host name. The following example allows mount access to all hosts in the domain:

# share -F nfs -o /export/share/man

In this example, the single dot matches all hosts that are matched through the NIS namespace. The results that are returned from these name services do not include the domain name. The entry matches all hosts that use DNS for namespace resolution. Because DNS always returns a fully qualified host name, the longer entry is required if you use a combination of DNS and the other namespaces.

You can use a subnet number in an access list by preceding the actual network number or the network name with an at (@) sign. This character differentiates the network name from a netgroup or a fully qualified host name. You must identify the subnet in either /etc/networks or in an NIS namespace. The following entries have the same effect if the 192.168 subnet has been identified as the eng network:

# share -F nfs -o ro=@eng /export/share/man
# share -F nfs -o ro=@192.168 /export/share/man
# share -F nfs -o ro=@ /export/share/man

The last two entries show that you do not need to include the full network address.

If the network prefix is not byte aligned, as with Classless Inter-Domain Routing (CIDR), the mask length can be explicitly specified on the command line. The mask length is defined by following either the network name or the network number with a slash and the number of significant bits in the prefix of the address. For example:

# share -f nfs -o ro=@eng/17 /export/share/man
# share -F nfs -o ro=@192.168.0/17 /export/share/man

In these examples, the “/17” indicates that the first 17 bits in the address are to be used as the mask. For additional information about CIDR, see RFC 1519.

You can also select negative access by placing a “-” before the entry. Note that the entries are read from left to right. Therefore, you must place the negative access entries before the entry that the negative access entries apply to:

# share -F nfs -o /export/share/man

This example would allow access to any hosts in the domain except the host that is named rose.