
UNIX System Administration Handbook - Evi Nemeth [296]

of exported directories to be exported with different options. The noaccess option is provided to “unexport” subdirectories that you would rather not share. For example, the configuration

/users *.xor.com(rw)

/users/evi (noaccess)

allows hosts in the xor.com domain to access all of /users except for /users/evi. The lack of a client name on the second line means that the option applies to all hosts; it’s perhaps somewhat more secure this way.

Red Hat provides a rich set of facilities for mapping between remote and local UIDs. While we don’t advise using them at a heterogeneous site, an all-Linux shop might find them useful. See the exports(5) man page for more information.

Red Hat’s mountd can be run out of inetd rather than run continuously. This configuration allows supplemental access control to be performed by Wietse Venema’s TCP wrapper program, tcpd. See page 666 for more information.

Red Hat’s NFS implementation does not currently support NFS 3, although it is expected to do so in the near future. Clients that default to version 3 must be told explicitly to mount using version 2 or cryptic errors will ensue.

Exports under FreeBSD


In yet a third similar but different take on the exports file, FreeBSD entries consist of a whitespace-separated list of directories, a whitespace-separated group of options (all of which start with a dash), and then a series of client specifications separated by whitespace. Here’s a short example:

/chimchim/users -maproot=root band

/chimchim/users moon

/usr/share/man -ro -mapall=daemon xorasaurus rastadon moon

The FreeBSD philosophy is unusual in that directories can appear on more than one line. Each line defines one set of options and the clients to which those options apply. If different option sets apply to different clients, there must be more than one entry for the directory.

Table 17.8 describes the most common export options. Unlike most implementations, FreeBSD does not permit clients to mount subdirectories of exported filesystems unless this is explicitly allowed with the -alldirs option. Why this is considered a feature must remain forever a mystery; it does not appear to enhance security.

Table 17.8 Common export options for FreeBSD

Clients in FreeBSD can be specified as hostnames or netgroup names, or they can be network numbers specified with the following syntax:

-network netaddr -mask mask

The documentation sometimes shows an = between -network or -mask and its argument, but either notation seems to work equally well. Both the network and the mask are specified in the traditional dotted notation. For example:

/chimchim/users -ro -network 128.138.243.0 -mask 255.255.255.0

A network and mask specification can’t appear on the same line with hosts and netgroups. If you would like to use both, include multiple lines for the same directory.

Remember to send mountd a HUP signal to tell it to reread /etc/exports after you have finished making changes. Unfortunately, this convention does not give mountd any opportunity to provide you with error messages if you have botched the configuration. You will have to check the system logs; mountd submits error messages via syslog under the “daemon” facility.
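Because a HUP gives mountd no chance to report mistakes, some errors can be caught by checking the file before the reload. The following is an added example, not from the book: a small Python linter for the FreeBSD syntax described above, enforcing the rule that a network and mask specification cannot share a line with hosts or netgroups. The function names, the last two sample lines, and the strict four-octet check on -network and -mask values are assumptions of this example.

```python
import ipaddress

# First four lines are the book's own examples; the last two are constructed errors.
SAMPLE = """\
/chimchim/users -maproot=root band
/chimchim/users moon
/usr/share/man -ro -mapall=daemon xorasaurus rastadon moon
/chimchim/users -ro -network 128.138.243.0 -mask 255.255.255.0
/chimchim/src -ro -network=128.138.243.0 -mask=255.255.255.0 moon
/chimchim/tmp -network 128.138.243 -mask 255.255.255.0
"""

def parse_export(line):
    """Split one exports line into directories, options, clients, network and mask."""
    entry = {"dirs": [], "options": [], "clients": [], "network": None, "mask": None}
    tokens = line.split("#", 1)[0].split()      # drop comments, split on whitespace
    i = 0
    while i < len(tokens):
        name, eq, value = tokens[i].partition("=")
        if name in ("-network", "-mask"):
            if not eq:                          # "-network addr" form: value is the next token
                i += 1
                value = tokens[i] if i < len(tokens) else ""
            entry[name[1:]] = value
        elif tokens[i].startswith("/"):
            entry["dirs"].append(tokens[i])
        elif tokens[i].startswith("-"):
            entry["options"].append(tokens[i])
        else:                                   # hostname or netgroup name
            entry["clients"].append(tokens[i])
        i += 1
    return entry

def lint_export(line):
    """Return a list of problems found on one exports line (empty list if none)."""
    e = parse_export(line)
    problems = []
    if (e["network"] is not None or e["mask"] is not None) and e["clients"]:
        problems.append("network/mask on same line as hosts or netgroups")
    for key in ("network", "mask"):
        if e[key] is not None:
            try:
                ipaddress.IPv4Address(e[key])   # assumption: require a full dotted quad
            except ValueError:
                problems.append(f"-{key} value {e[key]!r} is not a dotted quad")
    return problems

def lint_exports(text):
    """Lint a whole exports file; returns (line number, problem) pairs."""
    return [(n, p) for n, l in enumerate(text.splitlines(), 1) for p in lint_export(l)]
```

Running `lint_exports` over the sample flags line 5 for mixing a network specification with the host moon and line 6 for the incomplete network address; the book's own four lines pass.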

nfsd: serve files


Once a client’s mount request has been validated by mountd, it can request various filesystem operations. These requests are handled on the server side by nfsd, the NFS operations daemon.

nfsd need not be run on an NFS client machine unless the client exports filesystems of its own.

nfsd takes a numeric argument that specifies the number of copies of itself that it should fork. Selecting the appropriate number of nfsds is important and is unfortunately something of a black art. If the number is too low or too high, NFS performance can suffer.

The performance of older systems could degrade quite a bit as a result of having too many nfsds because the kernel would wake up all the idle nfsds in response to each incoming request. Current systems are better about this, and it’s OK to err a bit on the side of generosity.
