EXPORTS(5) | File Formats Manual | EXPORTS(5) |
exports
—
exports
file on an NFS server lists filesystems to
be exported to NFS clients. It is read and applied by
mountd(8) on start and on
SIGHUP
.
Each entry in exports
is a line with a
list of directories followed by a list of hosts, netgroups, and options,
separated by spaces or tabs:
/
dir
...
[host |
netgroup |
-
option]
...
All directories in a single line must live in the same filesystem,
which is exported to the hosts and netgroups listed, according to the
options specified. Exported directories must not have pathname components
that are symbolic links, ‘.
’, or
‘..
’.
Blank lines are ignored. Text beginning with
‘#
’ until the end of line is ignored
as a comment. Each line ending with
‘\
’ has the next line appended,
without the ‘\
’, as a continuation
line. Characters can be escaped with
‘\
’.
All directories, which begin with
‘/
’, must come before any hosts,
netgroups, or options on a line. Options begin with
‘-
’. All other items on an export line
are interpreted either as netgroups (see
netgroup(5)) or as hosts,
which can be either names, as in example.com, or numbers, as in 192.0.2.123
or 2001:db8:1234:abcd::42. Sets of hosts in a contiguous network range can
be specified with the -network
option.
The same filesystem may be exported on multiple lines with different options to different sets of hosts, as long as it is exported at most once to each host, netgroup, or network.
Export lines with no hosts, netgroups, or
-network
options are exported to
any hosts on the network, with no access control.
Supported export options:
-alldirs
Note that omitting the -alldirs
option
should not be used as a security measure to make clients mount only
those subdirectories that they should have access to. A client can still
access the whole filesystem via individual RPCs if it wanted to, even if
just one subdirectory has been mounted.
-maproot
=
user-maproot
=
user:
group1:group2
:
...:
’ (with
the trailing colon) should be used to distinguish a credential containing
no groups from a complete credential for that user.-mapall
=
user-mapall
=
user:
group1:
group2:
...-maproot
.-r
user-r
user:
group1:
group2:
...-maproot
, for compatibility with older
export file formats.
Note: Not a synonym for the read-only option
-ro
.
In the absence of -maproot
and
-mapall
options, remote accesses by root will result
in using a credential of -2:-2. All other users will be mapped to their
remote credential. If a -maproot
option is given,
remote access by root will be mapped to that credential instead of -2:-2. If
a -mapall
option is given, all users (including
root) will be mapped to that credential in place of their own.
-kerb
-ro
-o
-ro
for compatibility with older
export file formats.-noresvport
-noresvmnt
-webnfs
-public
, -mapall=nobody
,
and -ro
.-public
-noresvport
,
-noresvmnt
)-public
is only provided
to conform to the spec, and should normally not be used.-webnfs
flag.-index
=
file-index
option is specified, a directory filehandle
will be returned as usual.
The -index
option only makes sense in
combination with the -public
or
-webnfs
flags.
-network
=
netname[/
prefixlength]This approach to identifying hosts requires less overhead within the kernel and is recommended for cases where the export line refers to a large number of clients within an administrative subnet.
The netmask may be specified either by
prefixlength, or (for IPv4 networks only) by using
a separate -mask
option. If the mask is not
specified, it will default to the mask for that network class (A, B or
C; see inet(4)).
Scoped IPv6 address must carry a scope identifier as
documented in inet6(4). For
example, ‘fe80::%ne2/10
’ is used
to specify ‘fe80::/10
’ on
‘ne2
’ interface.
-mask
=netmask-network
options with no
prefixlength.If you have modified the /etc/exports
file, send the mountd process a SIGHUP
to make it
re-read it:
kill -HUP $(cat
/var/run/mountd.pid)
/usr /usr/local -maproot=0:10 friends /usr -maproot=daemon grumpy.cis.uoguelph.ca 131.104.48.16 /usr -ro -mapall=nobody /u -maproot=bin: -network 131.104.48 -mask 255.255.255.0 /a -network 192.168.0/24 /a -network 3ffe:1ce1:1:fe80::/64 /u2 -maproot=root friends /u2 -alldirs -kerb -network cis-net -mask cis-mask
Given that /usr, /u, and /u2 are local filesystem mount points, the above example specifies the following:
friends
’ where
‘friends
’ is specified in the
netgroup(5) file with
users mapped to their remote credentials and root mapped to uid 0 and
group 10. It is exported read-write and the hosts in
‘friends
’ can mount either
/usr or /usr/local.
It is also exported to
‘131.104.48.16
’ and
‘grumpy.cis.uoguelph.ca
’ with
users mapped to their remote credentials and root mapped to the user and
groups associated with
‘daemon
’.
It is also exported to the rest of the world as read-only with
all users mapped to the user and groups associated with
‘nobody
’.
131.104.48
’ with root mapped to the
uid for ‘bin
’ and with no group
access.friends
’ with root mapped to uid
and groups associated with ‘root
’;
it is exported to all hosts on network
‘cis-net
’ allowing mounts at any
directory within /u2 and mapping all uids to
credentials for the principal that is authenticated by a Kerberos ticket.
(Kerberos not implemented.)192.168.0.0
’, with a netmask of
‘255.255.255.0
’. However, the
netmask in the entry for /a is not specified
through a -mask
option, but through the
/
prefixlen notation.3ffe:1ce1:1:fe80::
’ address, using
the upper 64 bits as the prefix. Note that, unlike with IPv4 network
addresses, the specified network address must be complete, and not just
contain the upper bits. With IPv6 addresses, the
-mask
option must not be used.NFS: Network File System Protocol Specification, IETF Network Working Group, RFC 1094, https://datatracker.ietf.org/doc/html/rfc1094#appendix-A.1, Appendix A.
B. Callaghan, B. Pawlowski, and P. Staubach, NFS Version 3 Protocol Specification, IETF Network Working Group, RFC 1813, https://datatracker.ietf.org/doc/html/rfc1813#section-5.0, Appendix I.
Filesystems that provide a namespace for a subtree of another filesystem such as nullfs (mount_null(8)) and umapfs (mount_umap(8)) do not restrict NFS clients to that namespace, so they cannot be used to securely limit NFS clients to a subtree of a filesystem. If you want to export one subtree and prevent access to other subtrees, the exported subtree must be on its own filesystem on the server.
March 27, 2024 | NetBSD 9.4 |