/etc/exports lists the directories that are made available over the network (exported). For each NFS share, access is granted only to the given list of machines. Finer-grained access control can be obtained with a few options. The syntax of this file is quite simple:
/directory/da/condividere macchina1(opzione1,opzione2,...) macchina2(...) ...
fsid=0 or fsid=root.
*.falcot.com or an IP address range such as 192.168.0.0/255.255.255.0 or 192.168.0.0/24.
ro). The rw option allows read-write access. NFS clients typically connect from a port restricted to root (in other words, below 1024); this restriction can be lifted with the insecure option (the secure option is implicit, but it can be made explicit if needed for clarity).
sync option); this can be disabled with the async option. Asynchronous writes increase performance a bit, but they decrease reliability since there is a data loss risk in case of the server crashing between the acknowledgment of the write and the actual write on disk. Since the default value changed recently (as compared to the historical value of NFS), an explicit setting is recommended.
nobody user. This behavior corresponds to the root_squash option, and is enabled by default. The no_root_squash option, which disables this behavior, is risky and should only be used in controlled environments. The anonuid=uid and anongid=gid options allow specifying another fake user to be used instead of UID/GID 65534 (which corresponds to user nobody and group nogroup).
sec option to indicate the security level that you want: sec=sys is the default with no special security features, sec=krb5 enables authentication only, sec=krb5i adds integrity protection, and sec=krb5p is the most complete level which includes privacy protection (with data encryption). For this to work you need a working Kerberos setup (that service is not covered by this book).
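An added example, not taken from the book: a small Python check that reads /etc/exports content and reports the options discussed above (no_root_squash, insecure, async, a missing explicit sync/async, and read-write exports left at sec=sys). It also flags options separated from their host by a space, which exports(5) reads as a separate entry for any client. The sample file, the /export/scratch path and the build1.falcot.com host are constructed; quoted paths containing spaces are not handled.

```python
# Constructed sample for illustration; hosts and /export/scratch are made up.
SAMPLE = """\
# constructed /etc/exports
/export          *.falcot.com(ro,fsid=0,sync,sec=krb5p)
/export/shared   192.168.0.0/24(rw,sync,no_root_squash)
/export/scratch  build1.falcot.com (rw,async,insecure)
"""

# Messages paraphrase the option descriptions in the text above.
RISKY = {
    "no_root_squash": "root on the client stays root on the share",
    "insecure": "requests accepted from ports >= 1024",
    "async": "writes acknowledged before they reach the disk",
}

def audit_exports(text):
    """Return (path, host, issue) tuples for /etc/exports content."""
    findings = []
    text = text.replace("\\\n", " ")            # join continued lines
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 2:
            continue                            # blank, comment or bare path
        path, entries = fields[0], fields[1:]
        for entry in entries:
            host, _, optstr = entry.partition("(")
            opts = [o for o in optstr.rstrip(")").split(",") if o]
            if not host:
                # "host (opts)": the space makes the options a host-less entry
                host = "<any host>"
                findings.append((path, host, "options not attached to a host"))
            for opt in opts:
                if opt in RISKY:
                    findings.append((path, host, f"{opt}: {RISKY[opt]}"))
            if "sync" not in opts and "async" not in opts:
                findings.append((path, host, "sync/async not set explicitly"))
            flavors = [f for o in opts if o.startswith("sec=")
                       for f in o[4:].split(":")]
            if "rw" in opts and (not flavors or "sys" in flavors):
                findings.append((path, host, "rw with sec=sys (no Kerberos)"))
    return findings

if __name__ == "__main__":
    for path, host, issue in audit_exports(SAMPLE):
        print(f"{path} {host}: {issue}")
```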
mount and the /etc/fstab file.
Example 11.22. Manually mounting with the mount command
# mount -t nfs4 -o rw,nosuid arrakis.internal.falcot.com:/shared /srv/shared
Example 11.23. NFS share in the /etc/fstab file
arrakis.internal.falcot.com:/shared /srv/shared nfs4 rw,nosuid 0 0
/shared/ NFS directory from the arrakis server into the local /srv/shared/ directory. Read-write access is requested (hence the rw parameter). The nosuid option is a protection measure that wipes any setuid or setgid bit from programs stored on the share. If the NFS share is only meant to store documents, another recommended option is noexec, which prevents executing programs stored on the share. Note that on the server, the shared directory is below the NFSv4 root export (for example /export/shared); it is not a top-level directory.