NFS-Specific share Options

The options that you can use with NFS file systems include the following:

aclok

This option enables an NFS server that supports the NFS Version 2 protocol to be configured to do access control for NFS Version 2 clients. Without this option, all clients are given minimal access. With this option, the clients have maximal access. For instance, on file systems that are shared with the aclok option, if anyone has read permissions, everyone does. However, without this option, you can deny access to a client who should have access permissions. A decision to permit too much access or too little access depends on the security systems already in place. See Using Access Control Lists to Protect UFS Files in Securing Files and Verifying File Integrity in Oracle Solaris 11.4 for more information about access control lists (ACLs).

Note:

To use ACLs, ensure that clients and servers run software that supports the NFS Version 3 and NFS_ACL protocols. If the software only supports the NFS Version 3 protocol, clients obtain correct access but cannot manipulate the ACLs. If the software supports the NFS_ACL protocol, the clients obtain correct access and can manipulate the ACLs.

anon=uid

You use anon to select the user ID of unauthenticated users. If you set anon to -1, the server denies access to unauthenticated users. Because granting root access by setting anon=0 allows unauthenticated users to have root access, use the root option instead.

index=filename

When a user accesses an NFS URL, the index=filename option forces the HTML file to load instead of displaying a list of the directory. This option mimics the action of current browsers if an index.html file is found in the directory that the HTTP URL is accessing. This option is the equivalent of setting the DirectoryIndex option for httpd. For instance, suppose that the share command reports the following:

export_web /export/web   nfs sec=sys,public,index=index.html,ro

These URLs then display the same information:

nfs://server/dir
nfs://server/dir/index.html
nfs://server//export/web/dir
nfs://server//export/web/dir/index.html
http://server/dir
http://server/dir/index.html

labeled

This option enables clients to access labeled files.

The following example shows how to use the labeled option when sharing an NFS file system.

# share -F nfs -o labeled /export/home

log=tag

This option specifies the tag in /etc/nfs/nfslog.conf that contains the NFS server logging configuration information for a file system. This option must be selected to enable NFS server logging.

nosuid

This option signals that all attempts to enable the setuid or setgid mode should be ignored. NFS clients cannot create files with the setuid or setgid bits on.

public

The public option has been added to the share command to enable WebNFS browsing. Only one file system on a server can be shared with this option.

resvport

This option enforces the use of a reserved port for individual file systems.

The following example shows how to require the client to use a reserved port for an NFS share that is shared with AUTH_SYS:

# share -F nfs -o resvport=on /usr/src

root=access-list

The server gives root access to the hosts in the list. By default, the server does not give root access to any remote hosts. If the selected security mode is anything other than sec=sys, you can only include client host names in the list. See Setting Access Lists With the share Command for more information.

Caution:

Granting root access to other hosts has wide security implications. Use the -root= option with extreme caution.

root=client-name

The client-name value is used with AUTH_SYS authentication to check the client's IP address against a list of addresses provided by the exportfs command. If a match is found, root access is given to the file systems being shared.

root=hostname

For secure NFS modes such as AUTH_SYS or RPCSEC_GSS, the server checks the clients' principal names against a list of host-based principal names that are derived from an access list. The generic syntax for the client's principal name is root@hostname. For Kerberos V, the syntax is root/hostname.fully.qualified@REALM. When you use the hostname value, the clients on the access list must have the credentials for a principal name. For Kerberos V, the client must have a valid keytab entry for its root/hostname.fully.qualified@REALM principal name. For more information, see Configuring Kerberos Clients in Managing Kerberos in Oracle Solaris 11.4.

sec=mode[:mode]

This option sets the security modes that are needed to obtain access to the file system. By default, the security mode is UNIX authentication. You can specify multiple modes, but use each security mode only once per command line. Each sec= option applies to any subsequent rw, ro, rw=, ro=, root=, and window= options until another sec= is encountered. The use of -sec=none maps all users to user nobody.

window=value

value selects the maximum lifetime in seconds of a credential on the NFS server. The default value is 30000 seconds or 8.3 hours.
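
The following script is an added example, not part of the Oracle documentation. It reviews share listings for the settings this page cautions about (anon=0, root=, sec=none, aclok, a missing nosuid) and tracks which sec= mode each root= option falls under. The input layout (name, path, protocol, options) is assumed from the sample share line above, and the share names and the hosts build1 and hostA are constructed.

```sh
#!/bin/sh
# Added example: flag share options this page cautions about.
# Assumed line layout (from the page's sample): name path protocol options

# Print one finding per line for a comma-separated option string.
audit_share_opts() {
    sec=sys        # default security mode is UNIX authentication
    nosuid=no
    old_ifs=$IFS; IFS=,; set -f
    for o in $1; do
        case $o in
            sec=*)  sec=${o#sec=}   # applies to the options that follow it
                    case ":$sec:" in
                        *:none:*) echo "sec=none: all users map to user nobody" ;;
                    esac ;;
            anon=0) echo "anon=0: unauthenticated users get root access" ;;
            root=*) echo "${o} under sec=${sec}: remote root access granted" ;;
            aclok)  echo "aclok: NFS Version 2 clients get maximal access" ;;
            nosuid) nosuid=yes ;;
        esac
    done
    set +f; IFS=$old_ifs
    [ "$nosuid" = yes ] || echo "nosuid absent: setuid/setgid requests are not ignored"
}

# Read share listing lines on stdin and prefix each finding with the share.
audit_share_output() {
    while read -r name path proto opts _rest; do
        [ "$proto" = nfs ] || continue
        audit_share_opts "$opts" | while IFS= read -r finding; do
            printf '%s (%s): %s\n' "$name" "$path" "$finding"
        done
    done
}

# Constructed sample listing (not real output from any server).
SAMPLE_SHARES='export_web /export/web nfs sec=sys,public,index=index.html,ro,nosuid
src /usr/src nfs sec=sys,rw,root=build1,resvport=on
scratch /export/scratch nfs sec=none,rw,anon=0,nosuid'

printf '%s\n' "$SAMPLE_SHARES" | audit_share_output
```

On a live server, pipe the output of the share command into audit_share_output after confirming that the column layout matches the assumed one.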