NFS-Specific share
Options
The options that you can use with NFS file systems include the following:
-
aclok
-
This option enables an NFS server that supports the NFS Version 2 protocol to be configured to do access control for NFS Version 2 clients. Without this option, all clients are given minimal access. With this option, the clients have maximal access. For instance, on file systems that are shared with the
aclok
option, if anyone has read permissions, everyone does. However, without this option, you can deny access to a client who should have access permissions. A decision to permit too much access or too little access depends on the security systems already in place. See Using Access Control Lists to Protect UFS Files in Securing Files and Verifying File Integrity in Oracle Solaris 11.4 for more information about access control lists (ACLs).Note:
To use ACLs, ensure that clients and servers run software that supports the NFS Version 3 and NFS_ACL protocols. If the software only supports the NFS Version 3 protocol, clients obtain correct access but cannot manipulate the ACLs. If the software supports the NFS_ACL protocol, the clients obtain correct access and can manipulate the ACLs. -
anon=
uid -
You use
anon
to select the user ID of unauthenticated users. If you setanon
to-1
, the server denies access to unauthenticated users. Because granting root access by settinganon=0
allows unauthenticated users to have root access, use theroot
option instead. -
index=
filename -
When a user accesses an NFS URL, the
index=
filename option forces the HTML file to load instead of displaying a list of the directory. This option mimics the action of current browsers if anindex.html
file is found in the directory that the HTTP URL is accessing. This option is the equivalent of setting theDirectoryIndex
option forhttpd
. For instance, suppose thatshare
command reports the following:export_web /export/web nfs sec=sys,public,index=index.html,ro
These URLs then display the same information:
nfs://server/dir nfs://server/dir/index.html nfs://server//export/web/dir nfs://server//export/web/dir/index.html http://server/dir http://server/dir/index.html
-
labeled
-
This option enables clients to access labeled files.
The following example shows how to use the
labeled
option when sharing an NFS file system.# share -F nfs -o labeled /export/home
-
log=
tag -
This option specifies the tag in
/etc/nfs/nfslog.conf
that contains the NFS server logging configuration information for a file system. This option must be selected to enable NFS server logging. noresvport
-
The
noresvport
NFS mount option enables an Oracle Solaris NFS client to choose a random TCP source port numbered higher than port 1024. By default, an NFS client uses the first free reserved port, a port numbered lower than 1024, as the TCP source port for new connections. Using thenoresvport
mount option might speed up reconnects. Note that using thenoresvport
NFS option might require that an NFS server permit the use of non-privileged ports. For Oracle Solaris systems, you must use thesharectl
command to set the server-sideresvport
option tofalse
. -
nosuid
-
This option signals that all attempts to enable the
setuid
orsetgid
mode should be ignored. NFS clients cannot create files with thesetuid
orsetgid
bits on. -
public
-
The
public
option has been added to theshare
command to enable WebNFS browsing. Only one file system on a server can be shared with this option. -
resvport
-
This option enforces the use of reserved port for individual file systems.
The following example shows how to require the client to use reserved port for an NFS share that is shared with AUTH_SYS:
# share -F NFS -o resvport=on /usr/src
-
root=
access-list -
The server gives root access to the hosts in the list. By default, the server does not give root access to any remote hosts. If the selected security mode is anything other than
sec=sys
, you can only include client host names in the list. See Setting Access Lists With the share Command for more information.Caution:
Granting root access to other hosts has wide security implications. Use the-root=
option with extreme caution. -
root=
client-name -
The client-name value is used with
AUTH_SYS
authentication to check the client's IP address against a list of addresses provided by the exportfs command. If a match is found,root
access is given to the file systems being shared. -
root=
hostname -
For secure NFS modes such as
AUTH_SYS
orRPCSEC_GSS
, the server checks the clients' principal names against a list of host-based principal names that are derived from an access list. The generic syntax for the client's principal name isroot@
hostname. For Kerberos V, the syntax isroot/
hostname.fully.qualified@REALM
. When you use the hostname value, the clients on the access list must have the credentials for a principal name. For Kerberos V, the client must have a valid keytab entry for itsroot/
hostname.fully.qualified@REALM
principal name. For more information, see Configuring Kerberos Clients in Managing Kerberos in Oracle Solaris 11.4 . -
sec=
mode[:mode] -
This option sets the security modes that are needed to obtain access to the file system. By default, the security mode is UNIX authentication. You can specify multiple modes, but use each security mode only once per command line. Each
sec=
option applies to any subsequentrw
,ro
,rw=
,ro=
,root=
, andwindow=
options until anothersec=
is encountered. The use of-sec=none
maps all users to usernobody
. -
window=
value -
value selects the maximum lifetime in seconds of a credential on the NFS server. The default value is 30000 seconds or 8.3 hours.