2 .\" (C) 2008, Pascal Schmidt
4 .TH unfsd 8 "05 Jan 2008"
6 unfsd \- NFS server process
8 .BI "/usr/sbin/unfsd [" options "]"
12 program implements the MOUNT and NFS version 3 protocols. It listens for
13 client requests, performs them on the local filesystem of the server, and
14 then returns the results of the operations to the clients.
18 reads the exports file,
20 by default, to find out which directories are available to clients
21 and what options are in effect (see
23 section below for syntax and possible options).
29 user. It will then switch its effective
30 user and group id to the numbers listed in incoming NFS requests. This
31 means filesystem operations will be performed as if done by a local
32 user with the same ids. If the incoming request is for user or group
35 will switch to the user and group id of the
37 user before performing filesystem operations (this is known as
38 .BR "root squashing" ")."
41 does not exist on the system, a user and group id of 65534 will be used.
42 This behavior can be modified by use of the
46 options in the exports file as well as the
50 options on a per-share basis.
54 is running as a normal unprivileged user, no switching of the effective
55 user and group id will take place. Instead, all filesystem operations
56 will be performed with the id of the user running
59 Some NFS clients may attempt to perform operations that
64 When creating filesystem objects, it is only possible to specify the
65 initial mode for the object. The initial user and group ownership,
66 object size, and timestamps cannot be specified and will be set to
70 The network lock manager (NLM) protocol is not supported. This means that
71 clients may have to mount with special mount options, disabling locking
72 on the mounted NFS volume (nolock for Linux clients).
76 Display a short option summary.
79 Use the given file as the exports file, instead of using
81 Note that the file needs to be specified using an absolute path.
84 Use the given file as pid file. When the daemon starts up, it will
85 write its pid (process id) to the given file. Upon exit, the daemon
86 will remove the file. Failure to create or remove the pid file is
87 not considered fatal and only reported to syslog.
90 Use an unprivileged port for NFS and MOUNT service. Normally,
92 will use port number 2049, which is the standard port for NFS.
93 When this option is in effect, arbitrary ports chosen by the RPC library
94 will be used. You may need to use this option when running
96 from a normal user account.
99 Use the specified port for the NFS service.
101 .BI "\-m " "\<port\>"
102 Use the specified port for the MOUNT service. The default is to
103 use port number 2049, the same as for the NFS service. You can use
104 the same port for both services if you want.
107 TCP only operation. By default,
109 provides its services to clients using either UDP or TCP as communications
110 protocol. When this option is present, only TCP connections are
114 Do not register with the portmapper. This will prevent other hosts from
115 finding out the port numbers used for the MOUNT and NFS services by
116 querying the portmap daemon. Clients
117 will need to manually specify the port numbers to use (on Linux clients,
119 .BR mountport " and " port
123 Enable cluster extensions. This feature is only available when
125 was compiled with cluster support. When this option is enabled, so-called
126 tagged files are handled differently from normal files, making it possible
127 to serve different file contents to different clients for the same filename.
130 for a description of tagged files. This option causes a performance hit.
133 Limit the use of cluster extensions to a list of colon-seperated
134 directories. When this option is present, the performance hit caused by
135 clustering extensions only applies to the listed directories and their
139 Single user mode; activate basic uid translation. This option is
140 useful when the server and client are using different user and group
141 ids. All requests from the client will be served from the user id that started
143 no user id switching will take place (even if unfsd was started by
145 Ownership is reported as follows: files belonging to the user id
148 will look as if they are owned by the client's user. Other files will
149 look as if they are owned by root. The same principle applies to
153 Enable brute force file searching. Normally, when you rename a file
154 across several directories on an NFS volume, the filehandle for that
155 file becomes stale. When this option is enabled,
157 will attempt a recursive search on the relevant server filesystem to
158 find the file referenced by the filehandle. This can have a huge
159 performance impact as this will also happen for files that were
160 really deleted (by another NFS client) instead of moved, and cannot be found.
163 Bind to interface with specified address. The default is to bind to
164 all local interfaces.
167 Debug mode. When this option is present,
169 will not fork into the background at startup, and all messages that
170 would normally go to the system log go to stdout instead.
173 Report unreadable executables as readable. This applies both to
174 returned attributes and ACCESS requests. Please note that READ
175 requests for unreadable executables are always allowed, if
177 is running as root, regardless of this option.
180 Test exports file and exit. When this option is given,
182 will try to parse the exports file and exit with status 0 if this
183 is successful. If there is a syntax error in the exports file,
184 a message is printed on standard error and
189 .BR "SIGTERM " "and " SIGINT
192 to unregister itself from the portmapper and exit.
197 to re-read its configuration data. Currently, this means the program
200 database to find out the user and group id of user
203 will also attempt to reload the exports file. If the exports file
206 sends a warning message to the system log and nothing is exported until
207 the situation is corrected and another
214 to output statistics about its filehandle and file descriptor cache
215 to the system log. For the filehandle cache, it will output the number
216 of filehandles in the cache, the total number of cache accesses, and the
217 number of hits and misses. For the file descriptor cache, it will output
218 the number of currently held open READ and WRITE file descriptors.
222 by default, determines which directories on the server can be accessed
223 from NFS clients. An example:
226 # sample NFS exports file
227 /home trusted(rw,no_root_squash) (ro)
228 "/with spaces" weirdo
229 /usr 1.2.3.4(rw) 192.168.2.0/24(ro,all_squash)
230 /home/foo bar(rw) 10.0.0.0/255.0.0.0(root_squash)
231 /home/joe joes_pc(anonuid=1100,anongid=1100,rw,all_squash)
234 Comments start with a # character and cause the rest of the line to be
235 ignored. Extremely long exports can be split across multiple lines by
236 escaping the intermediate newlines with a backslash character.
238 Each line starts with a directory that is to be exported. If
239 the directory name contains whitespace, it must be enclosed in double
240 quotes. To the right of the directory name, a list of client
241 specifications can be given. If this list is missing, the directory
242 is exported to everyone, using default options
243 .RB ( ro " and " root_squash ")."
245 If the directory name contains symbolic links, they are expanded. This
246 means that you have to force
248 to reload the exports file if the symlinks happen to change.
250 Clients can be specified using either a hostname, an IP address, or
251 an IP network. Networks can be given by specifying the number of leading 1
252 bits in the netmask or by giving the full netmask. If the hostname is
253 empty, the directory is exported to everyone.
255 Options can follow a client specification and have to be enclosed
256 in parenthesis, with the opening paren directly following the client
257 name or address. If no options are given,
261 are enabled by default. The following options are supported by
265 Enable root squashing, mapping all NFS request done with a user id of
266 0 to the user id of the
268 user. This option is enabled by default.
271 Disable root squashing. When this option is present, NFS requests done
272 with a user id of 0 will be done as the
274 user of the server, effectively disabling all permissions checks.
277 Squash all users. When this option is present, all NFS requests will
283 Don't squash all users. This option is enabled by default.
286 Allow read and write access on the exported directory. When this option
287 is present, clients are allowed to modify files and directories on
291 Allow only read access on the exported directory. When this option
292 is present, clients are not allowed to modify files and directories
293 on the server. This option is enabled by default.
296 Sets the uid and gid for anonymous mounts for this share - by default the
297 uid for nobody will be used, but using these options you can change this
298 on a per-share basis.
301 Allow only mount requests coming from a source port below 1024. Using
302 these ports requires super-user privileges on many operating systems.
303 This option is enabled by default.
306 Allow mount requests coming from any source port.
309 Consider this directory to be on a removable medium. When this option
312 will not keep files open across multiple read or write requests. This
313 allows unmounting of the underlying filesystem on the server at any time.
316 will not require that the exported path exists at startup or mount
317 time. If the path does not exist, an empty directory will be presented
318 to the client. This is useful for exporting mount points handled by
322 Consider this directory to be on a fixed medium. This options is enabled
323 by default and allows
325 to keep files open between multiple read or write requests.
327 .B password=<password>
328 To be able to mount this export, the specified password is
329 required. The password needs be given in the mount request,
330 as in "mount yourhost:@password:gazonk/tmp /mnt". One time passwords
331 are also supported. When using passwords, the file handles
332 will include a hash of the password. This means that
333 .B if you change the password, all clients will need to remount this export.
334 See the file "doc/passwords.txt" in the source for more information.
336 If options not present on this list are encountered by
338 they are silently ignored.
340 There are a few possible race conditions with other processes on the
341 server. They can happen if
343 is performing an operation on a filesystem object while another
344 process is simultaneously first (a) removing the object and then (b)
345 creating a new object of the same name. If this happens,
347 will attempt to perform the operation on the wrong, new object.
348 The time window in which this can happen is small.
350 When a client does a CREATE EXCLUSIVE procedure call,
352 stores the verifier data in the mtime and atime attributes of the
353 created file. Malicious processes on the server could manipulate
354 those attributes, breaking the semantics of the exclusive create
355 operation. A process attempting to do so would need to be able
356 to see the NFS network traffic.
358 unfsd always uses the "nohide" semantics, which means that clients
359 will see all file systems mounted below the exported path. However,
360 some NFS clients do not cope well with this situation as, for
361 instance, it is then possible for two files in the one apparent
362 filesystem to have the same inode number. To avoid this, make sure
363 that the client mounts each exported file system.
367 operates, it needs execute (lookup) and read permission on all directories
368 from the root directory all the way up to exported directories.
373 is going to need permission for
374 .IR / ", " /usr ", and " /usr/share .
375 Since root squashing can be in effect,
377 may run as the nobody user, which normally means having to grant
378 execute (lookup) and read permission for everybody on the server.
379 In the above example,
381 also needs permission to access
383 which can be different from
385 for some special setups (for example when using bind mounts under
390 Default exports file.