Next: The Automounter
Up: The Network File System
Previous: The NFS Daemons
While the above options applied to the client's NFS configuration,
there is a different set of options on the server side that configure
its per-client behavior. These options must be set in the
/etc/exports file.
By default, mountd will not allow anyone to mount directories
from the local host, which is a rather sensible attitude. To permit
one or more hosts to NFS-mount a directory, it must exported, that
is, must be specified in the exports file. A sample file may
look like this:
# exports file for vlager
/home vale(rw) vstout(rw) vlight(rw)
/usr/X386 vale(ro) vstout(ro) vlight(ro)
/usr/TeX vale(ro) vstout(ro) vlight(ro)
/ vale(rw,no root squash)
/home/ftp (ro)
Each line defines a directory, and the hosts allowed to mount it. A
host name is usually a fully qualified domain name, but may additionally
contain the * and ? wildcard, which act the way they
do with the Bourne shell. For instance, lab*.foo.com matches
lab01.foo.com as well as laber.foo.com. If no host name
is given, as with the /home/ftp directory in the example above,
any host is allowed to mount this directory.
When checking a client host against the exports file,
mountd will look up the client's hostname using the
gethostbyaddr(2) call. With DNS, this call returns the client's
canonical hostname, so you must make sure not to use aliases in
exports. Without using DNS, the returned name is the first
hostname found in the hosts file that matches the client's
address.
The host name is followed by an optional, comma-separated list of flags,
enclosed in brackets. These flags may take the following values:
- insecure
- Permit non-authenticated access from this machine.
- unix-rpc
- Require UNIX-domain RPC authentication from this machine.
This simply requires that requests originate from a reserved
internet port (i.e. the port number has to be less than 1024).
This option is on by default.
- secure-rpc
- Require secure RPC authentication from this machine. This has
not been implemented yet. See Sun's documentation on Secure
RPC.
- kerberos
- Require Kerberos authentication on accesses from this machine.
This has not been implemented yet. See the MIT documentation
on the Kerberos authentication system.
- root squash
- This is a security feature that denies the super user on
the specified hosts any special access rights by mapping
requests from uid 0 on the client to uid 65534 (-2) on the
server. This uid should be associated with the user nobody.
- no root squash
- Don't map requests from uid 0. This option is on by
default.
- ro
- Mount file hierarchy read-only. This option is on by
default.
- rw
- Mount file hierarchy read-write.
- link relative
- Convert absolute symbolic links (where the link contents
start with a slash) into relative links by prepending the nec-
essary number of ../'s to get from the directory containing
the link to the root on the server. This option only makes
sense when a host's entire file system is mounted, else some
of the links might point to nowhere, or even worse, files they
were never meant to point to.
This option is on by default.
- link absolute
- Leave all symbolic link as they are (the normal behavior
for Sun-supplied NFS servers).
- map daemon
- This option tells the NFS server to assume that client and
server do not share the same uid/gid space. nfsd will then
build a list mapping id's between client and server by query-
ing the client's ugidd daemon.
An error parsing the exports file is reported to syslogd's
daemon facility at level notice whenever nfsd or
mountd is started up.
Note that host names are obtained from the client's IP-address by
reverse mapping, so you have to have the resolver configured properly.
If you use BIND and are very security-conscious, you should enable spoof
checking in your host.conf file.
Next: The Automounter
Up: The Network File System
Previous: The NFS Daemons
Andrew Anderson
Thu Mar 7 23:22:06 EST 1996