EXPORTS(5) NetBSD File Formats Manual EXPORTS(5)
NAME
exports -- exported filesystem mount points for NFS mount requests
DESCRIPTION
The exports file on an NFS server lists filesystems to be exported to NFS clients. It is read and applied by mountd(8) on start and on SIGHUP. Each entry in exports is a line with a list of directories followed by a list of hosts, netgroups, and options, separated by spaces or tabs: /dir ... [host | netgroup | -option] ... All directories in a single line must live in the same filesystem, which is exported to the hosts and netgroups listed, according to the options specified. Exported directories must not have pathname components that are symbolic links, `.', or `..'. Warning: Exporting a directory exposes the entire contents of the filesystem that the directory lives in to NFS clients. This happens even if an exported directory is not the root directory of a filesystem on the server. NFS clients are only prevented from access to files and directo- ries on filesystems that are not exported at all. Warning: Access control is only by network address. NFS servers with any non-public data should be exposed only to restricted or firewalled net- works with ingress filtering. There is no authentication or encryption to make it safe for restricting access on the open internet. Blank lines are ignored. Text beginning with `#' until the end of line is ignored as a comment. Each line ending with `\' has the next line appended, without the `\', as a continuation line. Characters can be escaped with `\'. All directories, which begin with `/', must come before any hosts, net- groups, or options on a line. Options begin with `-'. All other items on an export line are interpreted either as netgroups (see netgroup(5)) or as hosts, which can be either names, as in example.com, or numbers, as in 192.0.2.123 or 2001:db8:1234:abcd::42. Sets of hosts in a contiguous network range can be specified with the -network option. The same filesystem may be exported on multiple lines with different options to different sets of hosts, as long as it is exported at most once to each host, netgroup, or network. Export lines with no hosts, netgroups, or -network options are exported to any hosts on the network, with no access control. Supported export options: -alldirs Allow mount requests from clients at any point within the filesystem, including regular files. Only the root directory of the filesystem should be specified on the line. Note that omitting the -alldirs option should not be used as a security measure to make clients mount only those subdirec- tories that they should have access to. A client can still access the whole filesystem via individual RPCs if it wanted to, even if just one subdirectory has been mounted. -maproot=user The credential of the specified user is used for remote access by root. The credential includes all the groups to which the user is a member on the local machine (see id(1)). The user may be specified by name or number. -maproot=user:group1:group2:... The colon separated list is used to specify the precise cre- dential to be used for remote access by root. The elements of the list may be either names or numbers. Note that `user:' (with the trailing colon) should be used to distin- guish a credential containing no groups from a complete cre- dential for that user. -mapall=user -mapall=user:group1:group2:... Mapping for all client uids (including root) using the same semantics as -maproot. -r user -r user:group1:group2:... Synonym for -maproot, for compatibility with older export file formats. Note: Not a synonym for the read-only option -ro. In the absence of -maproot and -mapall options, remote accesses by root will result in using a credential of -2:-2. All other users will be mapped to their remote credential. If a -maproot option is given, remote access by root will be mapped to that credential instead of -2:-2. If a -mapall option is given, all users (including root) will be mapped to that credential in place of their own. -kerb Specifies that the Kerberos authentication server should be used to authenticate and map client credentials. This option is currently not implemented. -ro Export filesystem read-only. Clients will be forbidden to change or write to anything in the filesystem (except for named pipes, sockets, and device nodes, where write semantics is client-side anyway). -o Synonym for -ro for compatibility with older export file for- mats. -noresvport Allow NFS RPC calls for the filesystem to come from non- reserved ports. Normally, clients are required to use reserved ports for operations. Using this option decreases the security of your system. -noresvmnt Allow mount RPC requests for the filesystem to come from non- reserved ports. Normally, clients are required to use reserved ports for mount requests. Using this option decreases the security of your system. -webnfs (WebNFS) Enables WebNFS export, equivalent to combining -public, -mapall=nobody, and -ro. -public (WebNFS) Enables WebNFS export strictly according to the spec, RFC 2054 and RFC 2055. This implies: · read/write access to all files in the filesystem · not requiring reserved ports (-noresvport, -noresvmnt) · not remapping uids Warning: -public is only provided to conform to the spec, and should normally not be used. For a WebNFS export, use the -webnfs flag. -index=file (WebNFS) File whose handle will be returned if a directory is looked up using the public filehandle. This is to mimic the behavior of URLs. If no -index option is specified, a direc- tory filehandle will be returned as usual. The -index option only makes sense in combination with the -public or -webnfs flags. Warning: exporting a filesystem both using WebNFS and read/write in the normal way to other hosts should be avoided in an environment that is vulnerable to IP spoofing. WebNFS enables any client to get filehandles to the exported filesystem. Using IP spoofing, a client could then pre- tend to be a host to which the same filesystem was exported read/write, and use the handle to gain access to that filesystem. -network=netname[/prefixlength] Export the filesystem to all hosts in the specified network. This approach to identifying hosts requires less overhead within the kernel and is recommended for cases where the export line refers to a large number of clients within an administrative subnet. The netmask may be specified either by prefixlength, or (for IPv4 networks only) by using a separate -mask option. If the mask is not specified, it will default to the mask for that network class (A, B or C; see inet(4)). Scoped IPv6 address must carry a scope identifier as docu- mented in inet6(4). For example, `fe80::%ne2/10' is used to specify `fe80::/10' on `ne2' interface. -mask=netmask (IPv4-only) Netmask for -network options with no prefixlength.
FILES
/etc/exports The default remote mount-point file. If you have modified the /etc/exports file, send the mountd process a SIGHUP to make it re-read it: kill -HUP $(cat /var/run/mountd.pid)
EXAMPLES
/usr /usr/local -maproot=0:10 friends /usr -maproot=daemon grumpy.cis.uoguelph.ca 131.104.48.16 /usr -ro -mapall=nobody /u -maproot=bin: -network 131.104.48 -mask 255.255.255.0 /a -network 192.168.0/24 /a -network 3ffe:1ce1:1:fe80::/64 /u2 -maproot=root friends /u2 -alldirs -kerb -network cis-net -mask cis-mask Given that /usr, /u, and /u2 are local filesystem mount points, the above example specifies the following: /usr is exported to hosts `friends' where `friends' is specified in the netgroup(5) file with users mapped to their remote credentials and root mapped to uid 0 and group 10. It is exported read-write and the hosts in `friends' can mount either /usr or /usr/local. It is also exported to `131.104.48.16' and `grumpy.cis.uoguelph.ca' with users mapped to their remote credentials and root mapped to the user and groups associated with `daemon'. It is also exported to the rest of the world as read-only with all users mapped to the user and groups associated with `nobody'. /u is exported to all hosts on the subnetwork `131.104.48' with root mapped to the uid for `bin' and with no group access. /u2 is exported to the hosts in `friends' with root mapped to uid and groups associated with `root'; it is exported to all hosts on net- work `cis-net' allowing mounts at any directory within /u2 and map- ping all uids to credentials for the principal that is authenti- cated by a Kerberos ticket. (Kerberos not implemented.) /a is exported to the network `192.168.0.0', with a netmask of `255.255.255.0'. However, the netmask in the entry for /a is not specified through a -mask option, but through the /prefixlen nota- tion. /a is also exported to the IPv6 network `3ffe:1ce1:1:fe80::' address, using the upper 64 bits as the prefix. Note that, unlike with IPv4 network addresses, the specified network address must be complete, and not just contain the upper bits. With IPv6 addresses, the -mask option must not be used.
SEE ALSO
netgroup(5), mountd(8), nfsd(8), showmount(8) NFS: Network File System Protocol Specification, IETF Network Working Group, RFC 1094, https://datatracker.ietf.org/doc/html/rfc1094#appendix- A.1, Appendix A. B. Callaghan, B. Pawlowski, and P. Staubach, NFS Version 3 Protocol Specification, IETF Network Working Group, RFC 1813, https://datatracker.ietf.org/doc/html/rfc1813#section-5.0, Appendix I.
CAVEATS
Don't re-export NFS-mounted filesystems unless you are sure of the impli- cations. NFS has some assumptions about the characteristics of the file systems being exported, e.g. when timestamps are updated. Re-exporting should work to some extent and can even be useful in some cases, but don't expect it works as well as with local file systems. Filesystems that provide a namespace for a subtree of another filesystem such as nullfs (mount_null(8)) and umapfs (mount_umap(8)) do not restrict NFS clients to that namespace, so they cannot be used to securely limit NFS clients to a subtree of a filesystem. If you want to export one sub- tree and prevent access to other subtrees, the exported subtree must be on its own filesystem on the server.
BUGS
The export options are tied to the local mount points in the kernel and must be non-contradictory for any exported subdirectory of the local server mount point. It is recommended that all exported directories within the same server filesystem be specified on adjacent lines going down the tree. You cannot specify a hostname that is also the name of a netgroup. Specifying the full domain specification for a hostname can normally circumvent the problem. NetBSD 10.0_STABLE March 27, 2024 NetBSD 10.0_STABLE
Powered by man-cgi (2024-08-26). Maintained for NetBSD by Kimmo Suominen. Based on man-cgi by Panagiotis Christias.