share_nfs - make local NFS file systems available for mount-
     ing by remote systems


     share [-d description] [ -F nfs] [-o specific_options] path-


     The  share utility makes local file  systems  available  for
     mounting by remote systems.

     If no argument is specified, then  share displays  all  file
     systems  currently  shared,  including  NFS file systems and
     file systems shared through  other distributed  file  system


     The following options are supported:

          -d description
                Provide a comment that describes the file  system
                to be shared.

          -F nfs
                Share  NFS file system type.

          -o specific_options
                Specify  specific_options  in  a  comma-separated
                list  of  keywords and attribute-value-assertions
                for  interpretation  by   the   file-system-type-
                specific  command.  If   specific_options  is not
                specified,  then  by  default  sharing  will   be
                read-write  to  all clients. specific_options can
                be any combination of the following:

                aclok Allows the  NFS server to do access control
                      for   NFS  Version 2 clients (running SunOS
                      2.4 or earlier). When aclok is set  on  the
                      server,  maximal  access  is  given  to all
                      clients. For example, with  aclok  set,  if
                      anyone  has read permissions, then everyone
                      does. If aclok is not set,  minimal  access
                      is given to all clients.

                      Set  uid to be the  effective  user  ID  of
                      unknown  users.  By  default, unknown users
                      are given the effective user ID UID_NOBODY.
                      If  uid is set to -1, access is denied.

                      Load file rather  than  a  listing  of  the
                      directory  containing  this  file  when the
                      directory is referenced by an  NFS URL.

                      Enables NFS server logging for  the  speci-
                      fied  file  system. The optional tag deter-
                      mines  the  location  of  the  related  log
                      files.    The    tag    is    defined    in
                      etc/nfs/nfslog.conf. If no  tag  is  speci-
                      fied,  the  default  values associated with
                      the  "global"  tag  in  etc/nfs/nfslog.conf
                      will be used.

                nosub Prevents clients  from  mounting  subdirec-
                      tories  of shared directories. For example,
                      if   /export  is  shared  with  the   nosub
                      option  on server  fooey then a  NFS client
                      will not be able to do:

                      mount -F nfs fooey:/export/home/mnt

                      By default, clients are allowed  to  create
                      files   on  the shared file system with the
                      setuid or setgid mode  enabled.  Specifying
                      nosuid  causes  the  server  file system to
                      silently ignore any attempt to  enable  the
                      setuid or setgid mode bits.

                      Moves the location of the public file  han-
                      dle from root (/) to the exported directory
                      for WebNFS-enabled  browsers  and  clients.
                      This option does not enable WebNFS service;
                      WebNFS is always on. Only one  file  system
                      per  server  may use this option. Any other
                      option, including the -ro=list and -rw=list
                      options  can  be  included  with the public

                ro    Sharing will be read-only to all clients.

                      Sharing will be read-only  to  the  clients
                      listed  in  access_list;  overrides the  rw
                      suboption for the  clients  specified.  See
                      access_list below.

                      Only root users from the hosts specified in
                      access_list  will  have  root  access.  See
                      access_list below. By default, no host  has
                      root access, so root users are mapped to an
                      anonymous user ID (see the anon=uid  option
                      described  above). Netgroups can be used if
                      the  file  system  shared  is  using   UNIX
                      authentication ( AUTH_SYS).

                rw    Sharing will be read-write to all clients.

                      Sharing will be read-write to  the  clients
                      listed  in  access_list;  overrides  the ro
                      suboption for the  clients  specified.  See
                      access_list below.

                      Sharing will use one or more of the  speci-
                      fied   security  modes.  The  mode  in  the
                      sec=mode option must be a  node  name  sup-
                      ported  on  the client.  If the sec= option
                      is not specified, the default security mode
                      used is AUTH_SYS. Multiple sec= options can
                      be specified on the command line,  although
                      each  mode can appear only once.  The secu-
                      rity modes are defined in nfssec(5).

                      Each sec= option specifies modes that apply
                      to any subsequent window=, rw, ro, rw=, ro=
                      and root= options that are provided  before
                      another  sec=option.  Each  additional sec=
                      resets the security mode context,  so  that
                      more  window=,  rw,  ro, rw=, ro= and root=
                      options  can  be  supplied  for  additional

                      If the option sec=none  is  specified  when
                      the  client  uses   AUTH_NONE,  or  if  the
                      client uses a security mode that is not one
                      that  the  file system is shared with, then
                      the  credential  of  each  NFS  request  is
                      treated   as   unauthenticated.   See   the
                      anon=uid option for a  description  of  how
                      unauthenticated requests are handled.

                      This option has been deprecated in favor of
                      the sec=dh option.

                      When sharing with sec=dh, set  the  maximum
                      life time (in seconds) of the RPC request's
                      credential (in the  authentication  header)
                      that  the  NFS  server  will  allow.  If  a
                      credential arrives with a life time  larger
                      than  what  is allowed, the NFS server will
                      reject the request. The  default  value  is
                      30000 seconds (8.3 hours).

     The  access_list argument is a  colon-separated  list  whose
     components may be any number of the following:

                The name of a host. With a server configured  for
                DNS or LDAP naming in the nsswitch "hosts" entry,
                any hostname must be represented as a fully qual-
                ified DNS or LDAP name.

                A netgroup contains a number of hostnames. With a
                server  configured  for DNS or LDAP naming in the
                nsswitch "hosts" entry, any hostname  in  a  net-
                group  must  be  represented as a fully qualified
                DNS or LDAP name.

          domain name suffix
                To use domain membership the server must use  DNS
                or  LDAP  to  resolve  hostnames to IP addresses;
                that   is,   the    "hosts"    entry    in    the
                /etc/nsswitch.conf  must  specify "dns" or "ldap"
                ahead of "nis" or "nisplus", since only  DNS  and
                LDAP  return  the  full  domain name of the host.
                Other name services like NIS or  NIS+  cannot  be
                used  to  resolve hostnames on the server because
                when mapping an IP address to a hostname they  do
                not return domain information. For example,

                NIS or NIS+ --> "myhost

                DNS or LDAP -->

                The domain  name  suffix  is  distinguished  from
                hostnames  and  netgroups by a prefixed dot.  For


          A single dot can be used to match a  hostname  with  no
          suffix. For example,


                will      match      "mydomain"      but      not
                "".  This  feature  can  be
                used to match hosts resolved through NIS and NIS+
                rather than DNS and LDAP.

                The network or subnet component is preceded by an
                at-sign  (@). It can be either a name or a dotted
                address. If a name, it will  be  converted  to  a
                dotted   address  by  getnetbyname(3SOCKET).  For


          would be equivalent to:

                =@129.144 or =@

          The network prefix assumes  an  octet  aligned  netmask
          determined  from  the zero octets in the low-order part
          of the address. In the case where network prefixes  are
          not  byte-aligned,  the syntax will allow a mask length
          to be specified explicitly following a slash (/) delim-
           For example,

                =@theothernet/17 or =@129.144.132/22

          where the mask is the  number  of  leftmost  contiguous
          significant bits in the corresponding IP address.

     A prefixed minus sign  (-) denies access to  that  component
     of  access_list.  The  list is searched sequentially until a
     match is found that either grants or denies access, or until
     the  end  of  the  list  is  reached.   For example, if host
     "terra" is in the "engineering" netgroup, then


     will deny access to terra but


     will grant access to terra.


     The following operands are supported:

           The pathname of the file system to be shared.


     Example 1: Sharing A File System With Logging Enabled

     The following example shows the /export file  system  shared
     with logging enabled:

     example% share -o log /export
     The default global logging parameters are used since no  tag
     identifier  is  specified.  The location of the log file, as
     well as the necessary logging work files,  is  specified  by
     the  global  entry  in  /etc/nfs/nfslog.conf.  Note that the
     nfslogd(1M) daemon will run only if at least one file system
     entry in /etc/dfs/dfstab is shared with logging enabled upon
     starting or rebooting the system.   Simply  sharing  a  file
     system  with  logging enabled from the command line will not
     start the nfslogd(1M).


     The following exit values are returned:

     0     Successful completion.

     >0    An error occurred.


           list of system types,  NFS by default

           system record of shared file systems

           system record of logged file systems

           logging configuration file


     See attributes(5) for descriptions of the  following  attri-

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Availability                | SUNWnfssu                   |


     mount(1M),  mountd(1M),  nfsd(1M),  nfslogd(1M),  share(1M),
     unshare(1M),   getnetbyname(3SOCKET),  nfslog.conf(4),  net-
     group(4), attributes(5), nfssec(5)


     If the sec= option is presented at least once, all  uses  of
     the  window=,  rw, ro, rw=, ro= and  root= options must come
     after the first sec= option.  If  the  sec=  option  is  not
     presented, then sec=sys is implied.

     If one or more explicit sec= options are presented, sys must
     appear  in one of the options mode lists for accessing using
     the AUTH_SYS security mode to be allowed. For example:

     share -F nfs /var
     share -F nfs -o sec=sys /var

     will grant read-write access to any host using AUTH_SYS, but

     share -F nfs -o sec=dh /var

     will grant no access to clients that use AUTH_SYS.

     Unlike previous  implementations  of  share_nfs(1M),  access
     checking  for  the  window=, rw, ro, rw=, and ro= options is
     done per NFS request, instead of per mount request.

     Combining multiple security modes can be a security hole  in
     situations where the ro= and rw= options are used to control
     access to weaker security modes. In this example,

     share -F nfs -o sec=dh,rw,sec=sys,rw=hosta /var

     an intruder can forge the IP address for  hosta  (albeit  on
     each  NFS  request)  to  side-step  the stronger controls of
     AUTH_DES. Something like:

     share -F nfs -o sec=dh,rw,sec=sys,ro /var

     is safer, because any client (intruder or  legitimate)  that
     avoids  AUTH_DES will only get read-only access. In general,
     multiple security modes per share  command  should  only  be
     used in situations where the clients using more secure modes
     get stronger access than clients using less secure modes.

     If rw=, and ro= options  are  specified  in  the  same  sec=
     clause,  and a client is in both lists, the order of the two
     options determines the access the  client  gets.  If  client
     hosta  is  in  two  netgroups  - group1 and group2 - in this
     example, the client would get read-only access:

     share -F nfs -o ro=group1,rw=group2 /var

     In this example hosta would get read-write access:

     share -F nfs -o rw=group2,ro=group1 /var

     If within a sec= clause, both the ro  and  rw=  options  are
     specified,  for compatibility, the order of the options rule
     is not enforced. All hosts would get read-only access,  with
     the  exception to those in the read-write list. Likewise, if
     the ro= and rw options are specified, all  hosts  get  read-
     write  access  with the exceptions of those in the read-only

     The ro= and rw= options are guaranteed to work over UDP  and
     TCP but may not work over other transport providers.

     The root= option with AUTH_SYS is guaranteed  to  work  over
     UDP and TCP but may not work over other transport providers.

     The root= option with AUTH_DES is guaranteed  to  work  over
     any transport provider.

     There are no interactions between the root= option  and  the
     rw,  ro,  rw=,  and  ro= options. Putting a host in the root
     list does not override the semantics of the  other  options.
     The  access  the  host  gets  is  the same as when the root=
     options is absent. For example, the following share  command
     will deny access to hostb:

     share -F nfs -o ro=hosta,root=hostb /var

     The following will give read-only permissions to hostb:

     share -F nfs -o ro=hostb,root=hostb /var

     The following will give read-write permissions to hostb:

     share -F nfs -o ro=hosta,rw=hostb,root=hostb /var

     If the file system being shared is  a  symbolic  link  to  a
     valid  pathname, the canonical path (the path which the sym-
     bolic  link  follows)  will  be  shared.  For  example,   if
     /export/foo  is  a symbolic link to /export/bar (/export/foo
     -> /export/bar), the following share command will result  in
     /export/bar as the shared pathname (and not /export/foo).

     example# share -F nfs /export/foo

     Note that an NFS mount of server:/export/foo will result  in
     server:/export/bar really being mounted.

     This line in the /etc/dfs/dfstab file will share  the  /disk
     file system read-only at boot time:

     share -F nfs -o ro /disk

     Note that the same command entered  from  the  command  line
     will  not  share  the  /disk  file system unless there is at
     least one file system entry in the /etc/dfs/dfstab file. The
     mountd(1M)  and nfsd(1M) daemons only run if there is a file
     system entry in /etc/dfs/dfstab when starting  or  rebooting
     the system.

Man(1) output converted with man2html