Setting Access Lists With the share Command
The access list that you provide with the share command can include a domain name, a subnet number, or an entry to deny access, as well as the standard -ro=, -rw=, or -root= options. These extensions should simplify file access control on a single server without having to change the name space or maintain long lists of clients.
The following example provides read-only access for most systems but allows read-write access for rose and lilac:
# share -F nfs -o ro,rw=rose:lilac /usr/src
The following example assigns read-only access to any host in the eng netgroup. The client rose is specifically given read-write access.
# share -F nfs -o ro=eng,rw=rose /usr/src
Note: You cannot specify both rw and ro without arguments. If no read-write option is specified, the default is read-write for all clients.
To share one file system with multiple clients, you must type all options on the same line. If you issue multiple invocations of the share command on the same object, only the last command that is run is applied. The following example enables read-write access to three client systems, but only rose and tulip are given access to the file system as root.
# share -F nfs -o rw=rose:lilac:tulip,root=rose:tulip /usr/src
When sharing a file system that uses multiple authentication mechanisms, ensure that you include the -ro, -ro=, -rw, -rw=, -root, and -window options after the correct security modes. In this example, UNIX authentication is selected for all hosts in the netgroup that is named eng. These hosts can mount the file system only in read-only mode. The hosts tulip and lilac can mount the file system read-write. With these options, tulip and lilac can mount the file system read-only even if these hosts are not using DH authentication. However, the host names must be listed in the eng netgroup.
# share -F nfs -o rw=tulip:lilac,sec=sys,ro=eng /usr/src
Even though UNIX authentication is the default security mode, UNIX authentication is not included if the -sec option is used. Therefore, you must include a -sec=sys option if UNIX authentication is to be used with any other authentication mechanism.
You can use a DNS domain name in the access list by preceding the actual domain name with a dot. The string that follows the dot is a domain name, not a fully qualified host name. The following example allows mount access to all hosts in the eng.example.com domain:
# share -F nfs -o ro=.:.eng.example.com /export/share/man
In this example, the single dot matches all hosts that are matched through the NIS name space. The results that are returned from these name services do not include the domain name. The .eng.example.com entry matches all hosts that use DNS for name space resolution. Because DNS always returns a fully qualified host name, the longer entry is required if you use a combination of DNS and the other name spaces.
You can use a subnet number in an access list by preceding the actual network number or the network name with an at (@) sign. This character differentiates the network name from a netgroup or a fully qualified host name. You can identify the subnet from either the /etc/networks file or an NIS name space. The following entries have the same effect if the 192.0.2 subnet has been identified as the eng network:
# share -F nfs -o ro=@eng /export/share/man
# share -F nfs -o ro=@192.0.2 /export/share/man
# share -F nfs -o ro=@192.0.2.0 /export/share/man
The last two entries show that you do not need to include the full network address.
If the network prefix is not byte aligned, as with Classless Inter-Domain Routing (CIDR), the mask length can be explicitly specified on the command line. The mask length is defined by following either the network name or the network number with a slash and the number of significant bits in the prefix of the address. For example:
# share -F nfs -o ro=@eng/23 /export/share/man
# share -F nfs -o ro=@192.0.2/23 /export/share/man
In these examples, the /23 indicates that the first 23 bits in the address are to be used as the mask. For additional information about CIDR, see RFC 1519.
You can also select negative access by placing a - before the entry. Note that the entries are read from left to right. Therefore, you must place the negative access entries before the entry that the negative access entries apply to:
# share -F nfs -o ro=-rose:.eng.example.com /export/share/man
This example would allow access to any hosts in the eng.example.com domain except the host that is named rose.
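The following is an added, illustrative evaluator for the access-list forms described above (domain entries prefixed with a dot, subnet entries prefixed with @ with an optional /bits mask, netgroups, plain host names, and - for negative access), written to show why left-to-right ordering matters. It is not the Solaris share_nfs code; the netgroup table, the /etc/networks stand-in, the rule that an abbreviated network number implies 8 mask bits per significant octet, and the rule that a plain host entry also matches the client's unqualified first label are all assumptions made for the example.

```python
"""Evaluate an NFS share access list (the value given to ro=, rw= or root=)
the way the documentation describes it: entries are read left to right, the
first entry that matches the client decides, and a leading '-' denies.

Illustrative re-implementation for the example; not the Solaris code."""
import ipaddress

# Constructed stand-in for the netgroup name service.
NETGROUPS = {
    "eng": {"rose.eng.example.com", "lilac.eng.example.com",
            "tulip.eng.example.com"},
}
# Constructed stand-in for /etc/networks (network name -> network number).
NETWORKS = {"eng": "192.0.2"}


def network_from_spec(spec):
    """Turn '@eng', '@192.0.2', '@192.0.2.0' or '@192.0.2/23' into a network.

    Assumption: without an explicit /bits, the mask is 8 bits per significant
    octet (trailing .0 octets are not significant). Classful inference is not
    modelled."""
    body = spec[1:]
    bits = None
    if "/" in body:
        body, bits_str = body.split("/", 1)
        bits = int(bits_str)
    number = NETWORKS.get(body, body)          # network name -> number
    octets = number.split(".")
    if bits is None:
        while len(octets) > 1 and octets[-1] == "0":
            octets.pop()
        bits = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))        # pad to a full address
    return ipaddress.ip_network(f"{'.'.join(octets)}/{bits}", strict=False)


def entry_matches(entry, client_name, client_ip):
    """Does one (un-negated) access-list entry match this client?"""
    if entry.startswith("@"):
        return ipaddress.ip_address(client_ip) in network_from_spec(entry)
    if entry == ".":
        # A lone dot matches names returned unqualified (NIS, no domain part).
        return "." not in client_name
    if entry.startswith("."):
        # '.domain' matches fully qualified names inside that DNS domain.
        return client_name.endswith(entry)
    if entry in NETGROUPS:
        return client_name in NETGROUPS[entry]
    # Plain host entry. Assumption: it matches the client's resolved name or
    # its unqualified first label, so '-rose' excludes rose.eng.example.com.
    return entry in (client_name, client_name.split(".")[0])


def access_allowed(access_list, client_name, client_ip="0.0.0.0"):
    """Walk the list left to right; the first match wins; no match is deny."""
    for raw in access_list.split(":"):
        if not raw:
            continue
        negated = raw.startswith("-")
        entry = raw[1:] if negated else raw
        if entry_matches(entry, client_name, client_ip):
            return not negated
    return False


if __name__ == "__main__":
    # Negative entry placed first, as the text requires: rose is excluded.
    print(access_allowed("-rose:.eng.example.com", "rose.eng.example.com"))
    # Same entries in the wrong order: the domain entry matches rose first,
    # so the negation is never reached and rose is allowed.
    print(access_allowed(".eng.example.com:-rose", "rose.eng.example.com"))
    # Subnet entry with a CIDR mask: 192.0.3.7 lies inside 192.0.2.0/23.
    print(access_allowed("@eng/23", "host", "192.0.3.7"))
```

The second call in the usage section is the check worth keeping in mind when auditing an existing share: a - entry that appears after the entry it was meant to restrict has no effect, so reading the list left to right reproduces what the server will actually grant.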