HP-UX Reference (11i v3 07/02) - 1M System Administration Commands N-Z (vol 4)

share_nfs(1M)
A single dot can be used to match a hostname with no suffix. For example,
rw=.
will match "mydomain" but not "mydomain.mycompany.com". This feature can be used to match hosts
resolved through NIS rather than DNS and LDAP.
network
The network or subnet component is preceded by an at-sign (@). It can be either a name or a dotted
address. If a name, it will be converted to a dotted address by getnetbyname(). For example,
    =@mynet
would be equivalent to:
    =@129.144 or =@129.144.0.0
The network prefix assumes an octet-aligned netmask determined from the zero octets in the low-order
part of the address. In the case where network prefixes are not byte-aligned, the syntax will allow a
mask length to be specified explicitly following a slash (/) delimiter. For example,
    =@mynet/17 or rw=@129.144.132/17
where the mask is the number of leftmost contiguous significant bits in the corresponding IP address.
A prefixed minus sign (-) denies access to that component of access_list. The list is searched
sequentially until a match is found that either grants or denies access, or until the end of the list is
reached.
EXAMPLES
The following example shows the /export file system shared with logging enabled:
    example% share -o log /export
The default global logging parameters are used since no tag identifier is specified. The location of the log
file, as well as the necessary logging work files, is specified by the global entry in /etc/nfs/nfslog.conf.
APPLICATION USAGE
If the
async option is used, an unreported data loss may occur ONLY on a write and ONLY if the NFS
server experiences a failure after the write reply has been sent to the client. Specifically, blocks which have
been queued for the server’s disk, but have not yet been written to the disk may be lost.
You cannot export either a parent directory or a subdirectory of an exported directory that resides within
the same file system. It is not allowed, for instance, to export both /usr and /usr/local if both
directories reside on the same disk partition.
If the sec= option is presented at least once, all uses of the window=, rw, ro, rw=, ro=, and root=
options must come after the first sec= option. If the sec= option is not presented, then sec=sys is
implied.
If one or more explicit sec= options are presented, sys must appear in one of the options mode lists for
accessing using the AUTH_SYS security mode to be allowed. For example:
    share -F nfs /var
    share -F nfs -o sec=sys /var
will grant read-write access to any host using AUTH_SYS, but
    share -F nfs -o sec=dh /var
will grant no access to clients that use AUTH_SYS.
Access checking for the window=, rw, ro, rw=, and ro= options is done per NFS request, instead of per
mount request.
Combining multiple security modes can be a security hole in situations where the ro= and rw= options are
used to control access to weaker security modes. In this example,
    share -F nfs -o sec=dh,rw,sec=sys,rw=hosta /var
an intruder can forge the IP address for hosta (albeit on each NFS request) to side-step the stronger
controls of AUTH_DES. Something like:
    share -F nfs -o sec=dh,rw,sec=sys,ro /var
is safer, because any client (intruder or legitimate) that avoids AUTH_DES will only get read-only access.
In general, multiple security modes per share command should only be used in situations where the
HP-UX 11i Version 3: February 2007 3 Hewlett-Packard Company 379
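The access_list rules described above (hostname, domain suffix, a lone dot, @network with an octet-aligned or explicit prefix, minus-sign deny, sequential first-match search) and the sec= handling described under APPLICATION USAGE, as an added Python model. This is not HP-UX code and not part of this manual page. HOSTS and NETS are constructed lookup tables standing in for gethostbyname() and getnetbyname(); forged_request() is a hypothetical helper; the colon separators in access_list and sec= mode lists follow share_nfs(1M); the precedence of rw=/ro= lists over bare rw/ro, and the no-access result for a client that matches none of a block's lists, are modelling assumptions rather than statements from the page.

```python
"""Toy model of share_nfs(1M) access checking. Added example; not HP-UX code.

Covers the documented access_list rules (hostname, .suffix, a lone ".",
@network with optional /len, a leading "-" deny, sequential first-match
search) and the documented sec= handling (options after a sec= belong to that
mode, sec=sys is implied when none is given, and the decision is made per
request from the RPC flavor the client actually used).
"""
import ipaddress

# Constructed name tables standing in for gethostbyname() / getnetbyname().
HOSTS = {
    "hosta": "129.144.132.10",
    "hostb": "10.1.2.3",
    "mydomain": "192.0.2.7",
    "mydomain.mycompany.com": "192.0.2.8",
}
NETS = {"mynet": "129.144.0.0"}

# Options that share_nfs(1M) says must follow the first explicit sec=.
ACCESS_OPTS = ("rw", "ro", "root=", "window=")


def network_of(spec):
    """'@mynet', '@129.144' or '@129.144.132/17' -> ipaddress.IPv4Network.

    Without an explicit /len the mask is octet-aligned: after padding short
    forms to four octets, each trailing zero octet drops 8 bits of prefix."""
    addr, _, plen = spec[1:].partition("/")
    octets = NETS.get(addr, addr).split(".")
    octets += ["0"] * (4 - len(octets))
    if not plen:
        significant = 4
        while significant and octets[significant - 1] == "0":
            significant -= 1
        plen = str(significant * 8)
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def component_matches(comp, hostname, ip):
    """One access_list component (its leading '-' already stripped)."""
    if comp.startswith("@"):
        return ipaddress.ip_address(ip) in network_of(comp)
    if comp == ".":                 # hostname with no domain suffix
        return "." not in hostname
    if comp.startswith("."):        # domain suffix
        return hostname.endswith(comp)
    return hostname == comp


def access_list_allows(access_list, hostname, ip):
    """Search the colon-separated list sequentially; the first match decides.
    Returns True (granted), False (denied by a '-' component) or None."""
    for comp in access_list.split(":"):
        deny = comp.startswith("-")
        if component_matches(comp[1:] if deny else comp, hostname, ip):
            return not deny
    return None


def parse_share_options(optstring):
    """Split a -o option string into per-mode blocks: each sec=a:b starts a
    block owning the options that follow it. With no sec= at all, every
    option belongs to an implied sec=sys block."""
    implied = {"modes": ["sys"], "opts": []}
    explicit, current = [], implied
    for opt in (optstring.split(",") if optstring else []):
        if opt.startswith("sec="):
            current = {"modes": opt[4:].split(":"), "opts": []}
            explicit.append(current)
        else:
            current["opts"].append(opt)
    if explicit:
        if any(o.startswith(ACCESS_OPTS) for o in implied["opts"]):
            raise ValueError("access options must follow the first sec=")
        return explicit
    return [implied]


def request_access(optstring, flavor, hostname, ip):
    """Per-request decision: 'rw', 'ro' or None (no access).

    flavor is the RPC flavor used on this request ('sys' = AUTH_SYS,
    'dh' = AUTH_DES). Only the block naming that flavor is consulted.
    Assumption: rw=/ro= lists are checked in order before bare rw/ro, and a
    client matching none of a block's lists gets nothing."""
    for block in parse_share_options(optstring):
        if flavor not in block["modes"]:
            continue
        bare, has_lists = None, False
        for opt in block["opts"]:
            if opt in ("rw", "ro"):
                bare = bare or opt
            elif opt.startswith(("rw=", "ro=")):
                has_lists = True
                if access_list_allows(opt[3:], hostname, ip):
                    return opt[:2]
        return bare or (None if has_lists else "rw")
    return None


def forged_request(optstring, victim):
    """Hypothetical intruder: an AUTH_SYS request carrying victim's IP, which
    the server reverse-resolves to victim's name."""
    return request_access(optstring, "sys", victim, HOSTS[victim])


if __name__ == "__main__":
    print(network_of("@mynet"), network_of("@129.144.132/17"))
    print(forged_request("sec=dh,rw,sec=sys,rw=hosta", "hosta"))
    print(forged_request("sec=dh,rw,sec=sys,ro", "hosta"))
```

Run stand-alone, the last two lines print rw and ro: under sec=dh,rw,sec=sys,rw=hosta a forged AUTH_SYS request from hosta's address is granted read-write, while under sec=dh,rw,sec=sys,ro the same forgery is limited to read-only, which is why the page calls the second form safer. Because the check is made per NFS request rather than per mount, the intruder has to sustain the forged address on every request, not just at mount time.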