Next: The Automounter Up: The Network File System Previous: The NFS Daemons
While the above options applied to the client's NFS configuration, there is a different set of options on the server side that configure its per-client behavior. These options must be set in the /etc/exports file.
By default, mountd will not allow anyone to mount directories from the local host, which is a rather sensible attitude. To permit one or more hosts to NFS-mount a directory, it must be exported, that is, it must be specified in the exports file. A sample file may look like this:
# exports file for vlager
/home       vale(rw) vstout(rw) vlight(rw)
/usr/X386   vale(ro) vstout(ro) vlight(ro)
/usr/TeX    vale(ro) vstout(ro) vlight(ro)
/           vale(rw,no_root_squash)
/home/ftp   (ro)
Each line defines a directory, and the hosts allowed to mount it. A host name is usually a fully qualified domain name, but may additionally contain the * and ? wildcard, which act the way they do with the Bourne shell. For instance, lab*.foo.com matches lab01.foo.com as well as laber.foo.com. If no host name is given, as with the /home/ftp directory in the example above, any host is allowed to mount this directory.
When checking a client host against the exports file, mountd will look up the client's hostname using the gethostbyaddr(2) call. With DNS, this call returns the client's canonical hostname, so you must make sure not to use aliases in exports. Without using DNS, the returned name is the first hostname found in the hosts file that matches the client's address.
The host name is followed by an optional, comma-separated list of flags, enclosed in brackets. These flags may take the following values:
- insecure: Permit non-authenticated access from this machine.
- unix-rpc: Require UNIX-domain RPC authentication from this machine. This simply requires that requests originate from a reserved Internet port (i.e. the port number has to be less than 1024). This option is on by default.
- secure-rpc: Require secure RPC authentication from this machine. This has not been implemented yet. See Sun's documentation on Secure RPC.
- kerberos: Require Kerberos authentication on accesses from this machine. This has not been implemented yet. See the MIT documentation on the Kerberos authentication system.
- root_squash: This is a security feature that denies the super user on the specified hosts any special access rights by mapping requests from uid 0 on the client to uid 65534 (-2) on the server. This uid should be associated with the user nobody.
- no_root_squash: Don't map requests from uid 0. This option is on by default.
- ro: Mount file hierarchy read-only. This option is on by default.
- rw: Mount file hierarchy read-write.
- link_relative: Convert absolute symbolic links (where the link contents start with a slash) into relative links by prepending the necessary number of ../'s to get from the directory containing the link to the root on the server. This option only makes sense when a host's entire file system is mounted, else some of the links might point to nowhere, or even worse, to files they were never meant to point to. This option is on by default.
- link_absolute: Leave all symbolic links as they are (the normal behavior for Sun-supplied NFS servers).
- map_daemon: This option tells the NFS server to assume that client and server do not share the same uid/gid space. nfsd will then build a list mapping ids between client and server by querying the client's ugidd daemon.
An error parsing the exports file is reported to syslogd's daemon facility at level notice whenever nfsd or mountd is started up.
Note that host names are obtained from the client's IP address by reverse mapping, so you have to have the resolver configured properly. If you use BIND and are very security-conscious, you should enable spoof checking in your host.conf file.
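The example below is added here and is not part of the original guide; it models the two points made above about how mountd identifies a client: only the canonical name returned by the reverse lookup is compared with the exports file (so an alias listed there never matches), and a spoof check re-resolves that name forward and rejects the request if the original address is not among the results. DNS is replaced by two constructed tables (addresses from the 192.0.2.0/24 documentation range, the vbrew.example domain and the function names are assumptions), so the code runs offline; the host names vale and vstout are taken from the sample above.

```python
# Constructed lookup tables standing in for DNS / the hosts file.
REVERSE = {  # address -> canonical name, as gethostbyaddr would return
    "192.0.2.10": "vale.vbrew.example",
    "192.0.2.11": "vstout.vbrew.example",
    "192.0.2.99": "vale.vbrew.example",  # a PTR record pointing at someone else's name
}
FORWARD = {  # name -> addresses, as gethostbyname would return
    "vale.vbrew.example": ["192.0.2.10"],
    "vstout.vbrew.example": ["192.0.2.11"],
    "news.vbrew.example": ["192.0.2.11"],  # an alias for vstout
}


def identify_client(address, reverse=REVERSE, forward=FORWARD):
    """Turn a client address into the name mountd compares with exports.
    Step 1 is the reverse lookup (canonical name only). Step 2 is the spoof
    check: the forward lookup of that name must contain the address we
    started from. Returns (name, reason); name is None on failure."""
    name = reverse.get(address)
    if name is None:
        return None, "no reverse mapping for address"
    if address not in forward.get(name, []):
        return None, f"spoof check failed: {name} does not resolve to {address}"
    return name, "ok"


def exports_entry_admits(exports_host, address):
    """Does the host name written in exports admit a request from address?
    Only the canonical name is compared, which is why putting an alias such
    as news.vbrew.example in exports never admits vstout."""
    name, _reason = identify_client(address)
    return name is not None and name.lower() == exports_host.lower()


if __name__ == "__main__":
    for address in ("192.0.2.10", "192.0.2.99", "192.0.2.50"):
        print(address, "->", identify_client(address))
    print("alias in exports admits vstout?", exports_entry_admits("news.vbrew.example", "192.0.2.11"))
```

The forward-after-reverse check is what the host.conf spoof-checking option asks the resolver to do for you; implementing it this way makes the failure explicit, which is also the shape of the evidence you would want logged when a mount request is refused.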
Andrew Anderson
Thu Mar 7 23:22:06 EST 1996