From 7235a2164aabfd8dba1f7e1577047bda45053db0 Mon Sep 17 00:00:00 2001 From: James Pearson Date: Tue, 7 Jun 2011 16:25:13 -0400 Subject: [PATCH] exports: Clearly Defining Exports Priorities Added some verbiage to the exports(5) man page that clearly explains the precedence around how exports will work with regard to netgroups. Signed-off-by: Steve Dickson --- utils/exportfs/exports.man | 38 +++++++++++++++++++++++++------------- 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man index 85e25d4..241b3af 100644 --- a/utils/exportfs/exports.man +++ b/utils/exportfs/exports.man @@ -48,19 +48,6 @@ NFS clients may be specified in a number of ways: This is the most common format. You may specify a host either by an abbreviated name recognized be the resolver, the fully qualified domain name, or an IP address. -.IP "netgroups -NIS netgroups may be given as -.IR @group . -Only the host part of each -netgroup members is consider in checking for membership. Empty host -parts or those containing a single dash (\-) are ignored. -.IP "wildcards -Machine names may contain the wildcard characters \fI*\fR and \fI?\fR. -This can be used to make the \fIexports\fR file more compact; for instance, -\fI*.cs.foo.edu\fR matches all hosts in the domain -\fIcs.foo.edu\fR. As these characters also match the dots in a domain -name, the given pattern will also match all hosts within any subdomain -of \fIcs.foo.edu\fR. .IP "IP networks You can also export directories to all hosts on an IP (sub-) network simultaneously. This is done by specifying an IP address and netmask pair 
@@ -72,6 +59,25 @@ For example, either `/255.255.252.0' or `/22' appended to the network base IPv4 address results in identical subnetworks with 10 bits of host. Wildcard characters generally do not work on IP addresses, though they may work by accident when reverse DNS lookups fail. +.IP "wildcards +Machine names may contain the wildcard characters \fI*\fR and \fI?\fR. +This can be used to make the \fIexports\fR file more compact; for instance, +\fI*.cs.foo.edu\fR matches all hosts in the domain +\fIcs.foo.edu\fR. As these characters also match the dots in a domain +name, the given pattern will also match all hosts within any subdomain +of \fIcs.foo.edu\fR. +.IP "netgroups +NIS netgroups may be given as +.IR @group . +Only the host part of each +netgroup members is consider in checking for membership. Empty host +parts or those containing a single dash (\-) are ignored. +.IP "anonymous +This is specified by a single +.I * +character (not to be confused with the +.I wildcard +entry above) and will match all clients. '''.TP '''.B =public '''This is a special ``hostname'' that identifies the given directory name @@ -92,6 +98,12 @@ may work by accident when reverse DNS lookups fail. '''.B \-\-public\-root '''option. Multiple specifications of a public root will be ignored. .PP +If a client matches more than one of the specifications above, then +the first match from the above list order takes precedence - regardless of +the order they appear on the export line. However, if a client matches +more than one of the same type of specification (e.g. two netgroups), +then the first match from the order they appear on the export line takes +precedence. .SS RPCSEC_GSS security You may use the special strings "gss/krb5", "gss/krb5i", or "gss/krb5p" to restrict access to clients using rpcsec_gss security. However, this -- 2.39.2
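Review bot: In the first hunk (@@ -48,19 +48,6), removing the "netgroups" and "wildcards" entries from their old position makes the order of this list significant, but nothing in the list says so. The introduction still reads "NFS clients may be specified in a number of ways:". Since the new precedence paragraph depends on this order, add a sentence to the list introduction saying the entries are listed in order of precedence, so that a later edit does not reorder them without noticing the change in meaning. The context line just above the removal also has "recognized be the resolver", which could be corrected to "recognized by the resolver" while this area is being touched.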
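Review bot: In the second hunk (@@ -72,6 +59,25), the re-added netgroups text carries over the old grammar error "netgroup members is consider in checking for membership"; since the paragraph is being moved anyway, change it to "Only the host part of each netgroup member is considered". In the new "anonymous" entry, the cross-reference is set as ".I wildcard" while the entry it points to is titled "wildcards"; use the same spelling so the reference can be searched for. It would also help to say in this entry that a lone * is the last specification tried, because it matches all clients and a reader looking only at this entry cannot tell that a more specific match on the same line wins.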
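Review bot: In the third hunk (@@ -92,6 +98,12), "the first match from the above list order takes precedence" leaves the reader to reconstruct the order by scrolling back past the commented-out "=public" block. Spell the order out in the paragraph itself (single host, IP networks, wildcards, netgroups, anonymous) and say what precedence decides, namely which client specification's options apply to the client. The phrase "takes precedence - regardless" uses a bare hyphen as a dash; in man source write "\-" or "\(em", as the surrounding text already does in "(\-)". A short example export line where one client matches both a netgroup and a wildcard would make the second rule (same type, order on the export line) easier to check against the first.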