manpagez: man pages & more
man exports(5)
Home | html | info | man
exports(5)                  BSD File Formats Manual                 exports(5)


     exports -- define remote mount points for NFS mount requests




     The exports file specifies remote mount points for the NFS mount protocol
     per the NFS server specification; see Network File System Protocol
     Specification RFC 1094, Appendix A and NFS: Network File System Version 3
     Specification, Appendix I.

     Fields are separated by space or tab characters.  Lines that begin with a
     # are considered comments and are ignored.

     Each line in the file specifies one or more exported directories, any
     additional mountable sub-directories within those directories, export
     flags, and one or more hosts (if access to the export is to be
     restricted).  All directories on the line must exist within the same
     local file system.

     Within a file system there may be several exported sub-directories with
     different export options.  However, none of those exported directories
     may lie within another.

     A host may be specified only once for each exported directory and there
     may be only one default entry for each exported directory that applies to
     all other hosts.  The latter exports the file system to the ``world'' and
     should be used only when the file system contains public information.
     Any attempt to export the same directory to a host with different export
     options will cause the conflicting export entry to be rejected.

     The first field(s) of an export entry is a list of directories on a local
     file system to export.  At least one pathname must be to an exported
     directory.  Other pathnames may refer to sub-directories of the exported
     directory to indicate that hosts are also allowed to explicitly mount
     those sub-directories of the exported directory.  (Note that the -alldirs
     flag can be used to allow mounting any sub-directories of the pathnames

     Mount points for a file system may appear on multiple lines, each with
     different sets of hosts and export options.

     The pathnames must not have any symbolic links in them and should not
     have any "." or ".." components.  Single and double quote characters
     occuring in a pathname must be escaped with \' and \", respectively.
     Space characters occuring in a pathname must be escaped, or alterna-
     tively, the pathname can be enclosed in single or double quotes.

     Note that because an export entry only lists a set of pathnames, it is up
     to the NFS server to correctly determine what file system is meant to be
     exported by that entry.  To that end, the server will attempt to intelli-
     gently decide which file system best matches the entry by comparing all
     the pathnames with both the current list of mounted file systems and the
     list of previously-exported file systems.  If the server determines that
     the intended file system is not available, it will automatically mark
     that export as offline until the file system becomes available (see the
     -offline export option below for more info).  To avoid any ambiguity, use
     of the -fs export option is recommended (see below).

     The second component of a line specifies how the file system is to be
     exported to the host set.  The option flags specify whether the file sys-
     tem is exported read-only or read-write and how the client uid is mapped
     to user credentials on the server.

     Export options are specified as follows:

     -maproot=user The credential of the specified user is used for remote
     access by root.  The credential includes all the groups to which the user
     is a member on the local machine ( see id(1) ). The user may be specified
     by name or number.

     -maproot=user:group1:group2:... The colon separated list is used to spec-
     ify the precise credential to be used for remote access by root.  The
     elements of the list may be either names or numbers.  Note that ``user:''
     should be used to distinguish a credential containing no groups from a
     complete credential for that user.

     -mapall=user or -mapall=user:group1:group2:... specifies a mapping for
     all client uids (including root) using the same semantics as -maproot.

     The option -r is a synonym for -maproot in an effort to be backward com-
     patible with older export file formats.

     In the absence of -maproot and -mapall options, remote accesses by root
     will result in using a credential of -2:-2.  All other users will be
     mapped to their remote credential.  If a -maproot option is given, remote
     access by root will be mapped to that credential instead of -2:-2.  If a
     -mapall option is given, all users (including root) will be mapped to
     that credential in place of their own.

     The -alldirs flag allows the host(s) to mount at any point within the
     file system, including regular files if the -R option is used on nfsd.

     The -ro option specifies that the file system should be exported read-
     only (default read/write).  The option -o is a synonym for -ro in an
     effort to be backward compatible with older export file formats.

     The -32bitclients option causes the NFS server to guarantee that direc-
     tory cookies will fit within 32 bits even though directory cookies are 64
     bits in NFSv3.  This option may be required with NFS clients that do not
     properly support 64 bit directory cookies.  Use of this option may result
     in sub-optimal performance of the exported file system.

     The -manglednames option causes the NFS server to guarantee that file-
     names will fit into 255 bytes. For NFSv2 this is always the case. For
     NFSv3 specifying this option on an export will cause filenames greater
     than 255 characters from that export be mangled in such a way that when
     the client presents a received mangled name it will refer to the same
     name as the original name on the server.

     -sec=mechanism1:mechanism2... This option specifies one or more security
     mechanisms required for access to the exported directory.  The security
     mechanisms currently supported are krb5p, krb5i, krb5, and sys.  Multiple
     security mechanisms can be specified as a colon separated list, and
     should be in the order of most preferred to least preferred.  In the
     absence of this option, the security mechanism defaults to sys.

     -offline This option specifies that the given export should be treated as
     if the exported file system is not available.  For NFSv3, this will cause
     clients to receive "jukebox" errors directing them to try the request
     later.  For NFSv2 (which does not support this error value), the export
     will be treated as non-existent and clients will receive stale file han-
     dle errors.

     -fspath=/path and/or -fsuuid=UUID These options can be used to specify
     the pathname to and/or the UUID of the file system that is intended to be
     exported.  This can be useful to disambiguate the export entry.  Since
     the export syntax only specifies the path to the directory to be
     exported, it can be ambiguous as to what file system is expected to be
     exported.  Specifying "/Volumes/XRAID" can be interpreted as exporting
     either a file system mounted on that directory or the "Volumes/XRAID"
     subdirectory of the root file system.  Specifying -fspath=/Volumes/XRAID
     can prevent exporting the wrong file system - for example, if the exports
     are evaluated at a point when the directory exists but the volume has not
     yet been mounted on it.  The export will fail if the file system referred
     to in an export entry either (1) is not mounted at the same path as the
     given -fspath=/path.  or (2) does not have a UUID that matches the given

     The third component of a line specifies the host set to which the line
     applies.  The set may be specified in three ways.  The first way is to
     list the host name(s) separated by white space.  (Standard internet IPv4
     ``dot'' addresses or IPv6 colon addresses may be used in place of names.)
     The second way is to specify a ``netgroup'' as defined in the netgroup
     file (see netgroup(5) ). The third way is to specify an internet sub-net-
     work using a network and network mask that is defined as the set of all
     hosts with addresses within the sub-network.  This latter approach
     requires less overhead within the kernel and is recommended for cases
     where the export line refers to a large number of clients within an
     administrative sub-net.

     The first two cases are specified by simply listing the name(s) separated
     by whitespace.  All names are checked to see if they are ``netgroup''
     names first and are assumed to be hostnames otherwise.  Using the full
     domain specification for a hostname can normally circumvent the problem
     of a host that has the same name as a netgroup.  The third case is speci-
     fied by the flag -network=netname and optionally -mask=netmask.  If the
     mask is not specified, it will default to the mask for that network class
     (A, B or C; see inet(5) ).


           /usr /usr/local -maproot=0:10 friends
           /usr -maproot=daemon
           /usr -ro -mapall=nobody
           /u -maproot=bin: -network 131.104.48 -mask
           /u1 -alldirs -network 2001:DB8:: -mask ffff:ffff::
           /u2 -maproot=root friends
           /u2 -alldirs -network cis-net -mask cis-mask
           /Users -alldirs -network -mask
           /Applications -ro -network -mask

     Given that /usr, /u, /u1, /u2, and / are local file system mount points,
     the above example specifies the following:

     /usr is exported to hosts friends, where friends is specified in the net-
     group file with users mapped to their remote credentials and root mapped
     to uid 0 and group 10.  It is exported read-write and the hosts in
     friends can mount either /usr or /usr/local.  It is exported to and with users mapped to their
     remote credentials and root mapped to the user and groups associated with
     ``daemon''; it is exported to the rest of the world as read-only with all
     users mapped to the user and groups associated with ``nobody''.

     /u is exported to all hosts on the sub-network 131.104.48 with root
     mapped to the uid for ``bin'' and with no group access.

     /u1 is exported to all hosts on the IPv6 sub-network 2001:DB8::

     /u2 is exported to the hosts in ``friends'' with root mapped to uid and
     groups associated with ``root''; it is exported to all hosts on network
     ``cis-net'' allowing mounts at any directory within /u2.

     The /Users and /Applications sub-directories of / are exported to all
     hosts on the sub-network 2.29.96.  Any directory within /Users can be
     mounted.  /Users is exported read-write and /Applications is exported


     /etc/exports  The default remote mount-point file.


     netgroup(5), nfsd(8), showmount(8) portmap(8)


     It is recommended that all exported directories within the same server
     file system be specified on adjacent lines going down the tree.  You can-
     not specify a hostname that is also the name of a netgroup.  Specifying
     the full domain specification for a hostname can normally circumvent the

BSD                            October 25, 2006                            BSD

Mac OS X 10.9 - Generated Wed Oct 16 18:24:05 CDT 2013
© 2000-2024
Individual documents may contain additional copyright information.