Updated: 2025/Nov/16
Please read Privacy Policy. It's for your privacy.
EXPORTS(5) File Formats Manual EXPORTS(5)
NAME
exports - exported filesystem mount points for NFS mount requests
DESCRIPTION
The exports file on an NFS server lists filesystems to be exported to NFS
clients. It is read and applied by mountd(8) on start and on SIGHUP.
Each entry in exports is a line with a list of directories followed by a
list of hosts, netgroups, and options, separated by spaces or tabs:
/dir ... [host | netgroup | -option] ...
All directories in a single line must live in the same filesystem, which
is exported to the hosts and netgroups listed, according to the options
specified. Exported directories must not have pathname components that
are symbolic links, `.', or `..'.
Warning: Exporting a directory exposes the entire contents of the
filesystem that the directory lives in to NFS clients. This happens even
if an exported directory is not the root directory of a filesystem on the
server. NFS clients are only prevented from access to files and
directories on filesystems that are not exported at all.
Warning: Access control is only by network address. NFS servers with any
non-public data should be exposed only to restricted or firewalled
networks with ingress filtering. There is no authentication or
encryption to make it safe for restricting access on the open internet.
Blank lines are ignored. Text beginning with `#' until the end of line
is ignored as a comment. Each line ending with `\' has the next line
appended, without the `\', as a continuation line. Characters can be
escaped with `\'.
All directories, which begin with `/', must come before any hosts,
netgroups, or options on a line. Options begin with `-'. All other
items on an export line are interpreted either as netgroups (see
netgroup(5)) or as hosts, which can be either names, as in example.com,
or numbers, as in 192.0.2.123 or 2001:db8:1234:abcd::42. Sets of hosts
in a contiguous network range can be specified with the -network option.
The same filesystem may be exported on multiple lines with different
options to different sets of hosts, as long as it is exported at most
once to each host, netgroup, or network.
Export lines with no hosts, netgroups, or -network options are exported
to any hosts on the network, with no access control.
Supported export options:
-alldirs Allow mount requests from clients at any point within the
filesystem, including regular files. Only the root directory
of the filesystem should be specified on the line.
Note that omitting the -alldirs option should not be used as
a security measure to make clients mount only those
subdirectories that they should have access to. A client can
still access the whole filesystem via individual RPCs if it
wanted to, even if just one subdirectory has been mounted.
-maproot=user
The credential of the specified user is used for remote
access by root. The credential includes all the groups to
which the user is a member on the local machine (see id(1)).
The user may be specified by name or number.
-maproot=user:[group1:group2:...]
The colon separated list is used to specify the precise
credential to be used for remote access by root. The
elements of the list may be either names or numbers. Note
that `user:' (with the trailing colon) should be used to
distinguish a credential containing no groups from a complete
credential for that user.
-mapall=user
-mapall=user:[group1:group2:...]
Mapping for all client uids (including root) using the same
semantics as -maproot.
-r user
-r user:[group1:group2:...]
Synonym for -maproot, for compatibility with older export
file formats.
Note: Not a synonym for the read-only option -ro.
In the absence of -maproot and -mapall options, remote accesses by root
will result in using a credential of -2:-2. All other users will be
mapped to their remote credential. If a -maproot option is given, remote
access by root will be mapped to that credential instead of -2:-2. If a
-mapall option is given, all users (including root) will be mapped to
that credential in place of their own.
-kerb Specifies that the Kerberos authentication server should be
used to authenticate and map client credentials. This option
is currently not implemented.
-ro Export filesystem read-only. Clients will be forbidden to
change or write to anything in the filesystem (except for
named pipes, sockets, and device nodes, where write semantics
is client-side anyway).
-o Synonym for -ro for compatibility with older export file
formats.
-noresvport
Allow NFS RPC calls for the filesystem to come from non-
reserved ports. Normally, clients are required to use
reserved ports for operations. Using this option decreases
the security of your system.
-noresvmnt Allow mount RPC requests for the filesystem to come from non-
reserved ports. Normally, clients are required to use
reserved ports for mount requests. Using this option
decreases the security of your system.
-webnfs (WebNFS) Enables WebNFS export, equivalent to combining
-public, -mapall=nobody, and -ro.
-public (WebNFS) Enables WebNFS export strictly according to the
spec, RFC 2054 and RFC 2055. This implies:
⊕ read/write access to all files in the filesystem
⊕ not requiring reserved ports (-noresvport, -noresvmnt)
⊕ not remapping uids
Warning: -public is only provided to conform to the spec, and
should normally not be used. For a WebNFS export, use the
-webnfs flag.
-index=file
(WebNFS) File whose handle will be returned if a directory is
looked up using the public filehandle. This is to mimic the
behavior of URLs. If no -index option is specified, a
directory filehandle will be returned as usual.
The -index option only makes sense in combination with the
-public or -webnfs flags.
Warning: exporting a filesystem both using WebNFS and read/write in the
normal way to other hosts should be avoided in an environment that is
vulnerable to IP spoofing. WebNFS enables any client to get filehandles
to the exported filesystem. Using IP spoofing, a client could then
pretend to be a host to which the same filesystem was exported
read/write, and use the handle to gain access to that filesystem.
-network=netname[/prefixlength]
Export the filesystem to all hosts in the specified network.
This approach to identifying hosts requires less overhead
within the kernel and is recommended for cases where the
export line refers to a large number of clients within an
administrative subnet.
The netmask may be specified either by prefixlength, or (for
IPv4 networks only) by using a separate -mask option. If the
mask is not specified, it will default to the mask for that
network class (A, B or C; see inet(4)).
Scoped IPv6 address must carry a scope identifier as
documented in inet6(4). For example, `fe80::%ne2/10' is used
to specify `fe80::/10' on `ne2' interface.
-mask=netmask
(IPv4-only) Netmask for -network options with no
prefixlength.
FILES
/etc/exports The default remote mount-point file.
If you have modified the /etc/exports file, send the mountd process a
SIGHUP to make it re-read it:
kill -HUP $(cat /var/run/mountd.pid)
EXAMPLES
/usr /usr/local -maproot=0:10 friends
/usr -maproot=daemon grumpy.cis.uoguelph.ca 131.104.48.16
/usr -ro -mapall=nobody
/u -maproot=bin: -network 131.104.48 -mask 255.255.255.0
/a -network 192.168.0/24
/a -network 3ffe:1ce1:1:fe80::/64
/u2 -maproot=root friends
/u2 -alldirs -kerb -network cis-net -mask cis-mask
Given that /usr, /u, and /u2 are local filesystem mount points, the above
example specifies the following:
/usr is exported to hosts `friends' where `friends' is specified in
the netgroup(5) file with users mapped to their remote
credentials and root mapped to uid 0 and group 10. It is
exported read-write and the hosts in `friends' can mount either
/usr or /usr/local.
It is also exported to `131.104.48.16' and
`grumpy.cis.uoguelph.ca' with users mapped to their remote
credentials and root mapped to the user and groups associated
with `daemon'.
It is also exported to the rest of the world as read-only with
all users mapped to the user and groups associated with
`nobody'.
/u is exported to all hosts on the subnetwork `131.104.48' with
root mapped to the uid for `bin' and with no group access.
/u2 is exported to the hosts in `friends' with root mapped to uid
and groups associated with `root'; it is exported to all hosts
on network `cis-net' allowing mounts at any directory within
/u2 and mapping all uids to credentials for the principal that
is authenticated by a Kerberos ticket. (Kerberos not
implemented.)
/a is exported to the network `192.168.0.0', with a netmask of
`255.255.255.0'. However, the netmask in the entry for /a is
not specified through a -mask option, but through the
/prefixlen notation.
/a is also exported to the IPv6 network `3ffe:1ce1:1:fe80::'
address, using the upper 64 bits as the prefix. Note that,
unlike with IPv4 network addresses, the specified network
address must be complete, and not just contain the upper bits.
With IPv6 addresses, the -mask option must not be used.
SEE ALSO
netgroup(5), mountd(8), nfsd(8), showmount(8)
NFS: Network File System Protocol Specification, IETF Network Working
Group, RFC 1094,
https://datatracker.ietf.org/doc/html/rfc1094#appendix-A.1, Appendix A.
B. Callaghan, B. Pawlowski, and P. Staubach, NFS Version 3 Protocol
Specification, IETF Network Working Group, RFC 1813,
https://datatracker.ietf.org/doc/html/rfc1813#section-5.0, Appendix I.
CAVEATS
Don't re-export NFS-mounted filesystems unless you are sure of the
implications. NFS has some assumptions about the characteristics of the
file systems being exported, e.g. when timestamps are updated. Re-
exporting should work to some extent and can even be useful in some
cases, but don't expect it works as well as with local file systems.
Filesystems that provide a namespace for a subtree of another filesystem
such as nullfs (mount_null(8)) and umapfs (mount_umap(8)) do not restrict
NFS clients to that namespace, so they cannot be used to securely limit
NFS clients to a subtree of a filesystem. If you want to export one
subtree and prevent access to other subtrees, the exported subtree must
be on its own filesystem on the server.
BUGS
The export options are tied to the local mount points in the kernel and
must be non-contradictory for any exported subdirectory of the local
server mount point. It is recommended that all exported directories
within the same server filesystem be specified on adjacent lines going
down the tree. You cannot specify a hostname that is also the name of a
netgroup. Specifying the full domain specification for a hostname can
normally circumvent the problem.
NetBSD 11.99 March 27, 2024 NetBSD 11.99