| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | .\" $NetBSD: exports.5,v 1.33 2024/03/26 23:32:43 riastradh Exp $ | | 1 | .\" $NetBSD: exports.5,v 1.34 2024/03/27 00:46:17 riastradh Exp $ |
2 | .\" | | 2 | .\" |
3 | .\" Copyright (c) 1989, 1991, 1993 | | 3 | .\" Copyright (c) 1989, 1991, 1993 |
4 | .\" The Regents of the University of California. All rights reserved. | | 4 | .\" The Regents of the University of California. All rights reserved. |
5 | .\" | | 5 | .\" |
6 | .\" Redistribution and use in source and binary forms, with or without | | 6 | .\" Redistribution and use in source and binary forms, with or without |
7 | .\" modification, are permitted provided that the following conditions | | 7 | .\" modification, are permitted provided that the following conditions |
8 | .\" are met: | | 8 | .\" are met: |
9 | .\" 1. Redistributions of source code must retain the above copyright | | 9 | .\" 1. Redistributions of source code must retain the above copyright |
10 | .\" notice, this list of conditions and the following disclaimer. | | 10 | .\" notice, this list of conditions and the following disclaimer. |
11 | .\" 2. Redistributions in binary form must reproduce the above copyright | | 11 | .\" 2. Redistributions in binary form must reproduce the above copyright |
12 | .\" notice, this list of conditions and the following disclaimer in the | | 12 | .\" notice, this list of conditions and the following disclaimer in the |
13 | .\" documentation and/or other materials provided with the distribution. | | 13 | .\" documentation and/or other materials provided with the distribution. |
14 | .\" 3. Neither the name of the University nor the names of its contributors | | 14 | .\" 3. Neither the name of the University nor the names of its contributors |
| @@ -164,53 +164,34 @@ If a | | | @@ -164,53 +164,34 @@ If a |
164 | .Fl mapall | | 164 | .Fl mapall |
165 | option is given, | | 165 | option is given, |
166 | all users (including root) will be mapped to that credential in | | 166 | all users (including root) will be mapped to that credential in |
167 | place of their own. | | 167 | place of their own. |
168 | .Pp | | 168 | .Pp |
169 | The | | 169 | The |
170 | .Fl kerb | | 170 | .Fl kerb |
171 | option specifies that the Kerberos authentication server should be | | 171 | option specifies that the Kerberos authentication server should be |
172 | used to authenticate and map client credentials. | | 172 | used to authenticate and map client credentials. |
173 | This option is currently not implemented. | | 173 | This option is currently not implemented. |
174 | .Pp | | 174 | .Pp |
175 | The | | 175 | The |
176 | .Fl ro | | 176 | .Fl ro |
177 | option should be specified for filesystems that are read-only (default | | 177 | option specifies that the filesystem should be exported read-only |
178 | is to assume read/write). | | 178 | (default read/write). |
179 | The option | | 179 | The option |
180 | .Fl o | | 180 | .Fl o |
181 | is a synonym for | | 181 | is a synonym for |
182 | .Fl ro | | 182 | .Fl ro |
183 | in an effort to be backward compatible with older export file formats. | | 183 | in an effort to be backward compatible with older export file formats. |
184 | .Pp | | 184 | .Pp |
185 | .Bf -symbolic | | | |
186 | Warning: | | | |
187 | Exporting a read/write filesystem with | | | |
188 | .Fl ro | | | |
189 | .Em does not | | | |
190 | prevent clients from writing to it. | | | |
191 | .Ef | | | |
192 | To prevent clients from writing to a filesystem, it must be mounted | | | |
193 | read-only | | | |
194 | .Em on the server | | | |
195 | in the first place. | | | |
196 | To export a read/write filesystem so clients can only read from it, not | | | |
197 | write to it, you can mount a read-only nullfs from the filesystem with | | | |
198 | .Xr mount_null 8 | | | |
199 | using the | | | |
200 | .Fl o Cm ro | | | |
201 | option, and then export the read-only nullfs instead. | | | |
202 | See also caveats about nullfs namespace below. | | | |
203 | .Pp | | | |
204 | The | | 185 | The |
205 | .Fl noresvport | | 186 | .Fl noresvport |
206 | option specifies that NFS RPC calls for the filesystem do not have to come | | 187 | option specifies that NFS RPC calls for the filesystem do not have to come |
207 | from reserved ports. | | 188 | from reserved ports. |
208 | Normally, clients are required to use reserved ports for operations. | | 189 | Normally, clients are required to use reserved ports for operations. |
209 | Using this option decreases the security of your system. | | 190 | Using this option decreases the security of your system. |
210 | .Pp | | 191 | .Pp |
211 | The | | 192 | The |
212 | .Fl noresvmnt | | 193 | .Fl noresvmnt |
213 | option specifies that mount RPC requests for the filesystem do not have | | 194 | option specifies that mount RPC requests for the filesystem do not have |
214 | to come from reserved ports. | | 195 | to come from reserved ports. |
215 | Normally, clients are required to use reserved ports for mount requests. | | 196 | Normally, clients are required to use reserved ports for mount requests. |
216 | Using this option decreases the security of your system. | | 197 | Using this option decreases the security of your system. |
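Review bot: The rewritten -ro paragraph (new lines 177-178) says the filesystem "should be exported read-only", but with the Warning block at old lines 185-202 removed, the page no longer states either way whether the server refuses client writes to a filesystem that is mounted read/write locally. If the warning is being withdrawn because it was wrong, replace it with a positive statement of what -ro enforces rather than just deleting it, so readers who saw the 1.33 text are not left guessing. The deleted text also carried the only pointer from the options section to the nullfs namespace caveat ("See also caveats about nullfs namespace below"); that caveat is still in CAVEATS, so a short cross-reference near the export options would keep it discoverable.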
| @@ -414,27 +395,27 @@ The default remote mount-point file. | | | @@ -414,27 +395,27 @@ The default remote mount-point file. |
414 | .%U https://datatracker.ietf.org/doc/html/rfc1813#section-5.0 | | 395 | .%U https://datatracker.ietf.org/doc/html/rfc1813#section-5.0 |
415 | .Re | | 396 | .Re |
416 | .Sh CAVEATS | | 397 | .Sh CAVEATS |
417 | Don't re-export NFS-mounted filesystems unless you are sure of the | | 398 | Don't re-export NFS-mounted filesystems unless you are sure of the |
418 | implications. | | 399 | implications. |
419 | NFS has some assumptions about the characteristics of the file | | 400 | NFS has some assumptions about the characteristics of the file |
420 | systems being exported, e.g. when timestamps are updated. | | 401 | systems being exported, e.g. when timestamps are updated. |
421 | Re-exporting should work to some extent and can even be useful in | | 402 | Re-exporting should work to some extent and can even be useful in |
422 | some cases, but don't expect it works as well as with local file | | 403 | some cases, but don't expect it works as well as with local file |
423 | systems. | | 404 | systems. |
424 | .Pp | | 405 | .Pp |
425 | .Pp | | 406 | .Pp |
426 | Filesystems that provide a namespace for a subtree of another | | 407 | Filesystems that provide a namespace for a subtree of another |
427 | filesystem such as nullfs | | 408 | filesystem such as nullfs |
428 | .No ( Xr mount_null 8 ) | | 409 | .No ( Xr mount_null 8 ) |
429 | and umapfs | | 410 | and umapfs |
430 | .No ( Xr mount_umap 8 ) | | 411 | .No ( Xr mount_umap 8 ) |
431 | .Em do not | | 412 | .Em do not |
432 | restrict | | 413 | restrict |
433 | .Tn NFS | | 414 | .Tn NFS |
434 | clients to that namespace, so they cannot be used to securely limit | | 415 | clients to that namespace, so they cannot be used to securely limit |
435 | .Tn NFS | | 416 | .Tn NFS |
436 | clients to a subtree of a filesystem. | | 417 | clients to a subtree of a filesystem. |
437 | If you want to export one subtree and prevent access to other subtrees, | | 418 | If you want to export one subtree and prevent access to other subtrees, |
438 | the exported subtree must be on its own filesystem on the server. | | 419 | the exported subtree must be on its own filesystem on the server. |
439 | .Sh BUGS | | 420 | .Sh BUGS |
440 | The export options are tied to the local mount points in the kernel and | | 421 | The export options are tied to the local mount points in the kernel and |
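Review bot: Style point in CAVEATS while this area is in the diff: there are two consecutive .Pp macros at new lines 405-406, and the second one is redundant (mandoc lint flags a paragraph macro that directly follows another). Dropping one of them would be a clean follow-up. The sentence at new lines 402-404, "don't expect it works as well as", would also read better as "don't expect it to work as well as".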