exports - Defines remote mount points for NFS mount requests
The exports file specifies remote mount points for the NFS mount protocol
per the NFS server specification (see Network File System Protocol Specifi-
Each entry in the /etc/exports file consists of a filesystem or directory
name followed by an optional list of options or an optional list of iden-
tifiers or both. The identifiers define which remote hosts can mount that
particular filesystem or directory. The identifiers listed beside the name
of each filesystem or directory can be either host names, IP addresses, or
NIS netgroup names. If no identifiers are listed, the entry is exported
to all hosts.
A backslash character (\) in the right-most position of a line indicates
line continuation. A number sign (#) either at the beginning of a line or
at the end of a syntax line marks a comment that extends to the end of that
line. You cannot use a number sign at the end of a line containing a
backslash character because the backslash nullifies the end of line charac-
Note that the mount command will touch the /etc/exports file when issued
with the -t nfs option. If you create a new /etc/exports file, you should
ensure that its ownership is equivalent to that of the default, which is;
The format of the exports file is as follows:
pathname [option ...] [identifier ...]
The pathname specifies the name of a mounted local filesystem or a direc-
tory of a mounted local filesystem. The pathname must begin in column 1.
The following are valid export file options:
-root=0 Maps client superuser access to uid 0 for all hosts mounting this
path. If you want to allow client superusers access to the
filesystem or directory with the same permissions as a local
superuser, use -root=0. Use -root=0 only if you trust the
superuser on the client system. The default is for client
superusers to be mapped to uid -2, which maps a client superuser
to nobody. This limits access to world accessible files. If
both the -root=0 option and the -anon=uid option are used, the
root option overrides the uid specified in anon for client
Maps the client superusers on the specified hosts only to uid 0.
The format for the hostlist argument is as follows:
The client specification can be a host name or IP address. By
default, client superusers are mapped to -2. This option over-
rides the uid specified in -anon=uid for client superusers in
-anon=uid Maps anonymous users to the specified uid. Client superusers are
considered anonymous by the NFS server, as are requests that come
in without UNIX authentication. By default, anonymous users are
mapped to uid -2. Setting anon to -1 disables anonymous access.
-ro The filesystem or directory is exported read-only (default is
read-write). The -o option is a synonym for -ro for backward
limits read-write access to the hosts specified. All other hosts
allowed to mount this path are granted read-only access. The
format for the hostlist argument is as follows:
The client specification can be a host name or IP address. If
you are exporting a file system to a client that has multiple
network interfaces on a subnet, you must specify the host names
or IP addresses for all of the interfaces; otherwise, export
requests from the unspecified interfaces will be denied.
If both the -ro and -rw=hostlist options are specified, -rw pre-
-public Exports a filesystem or directory for WebNFS public access. Note
that only one exported filesystem can have this option set.
When the -public option is set, the mount access list is ignored by
the WebNFS server. This means that all hosts using the WebNFS protocol
have access to this directory.
After setting the -public option, be sure to send the mountd process a
HUP signal. See kill(1) for further information.
-index Used with -public option. Enables the server to look for an
index.html file when given a directory name.
Specifies the hosts to grant mount access to. The format for the
hostlist argument is as follows:
The client specification can be a host name, IP address, or NIS
network group. This option is provided for readability and com-
patibility with certain export file formats. Alternatively, to
identify the client systems that are allowed access to this export,
use the whitespace-separated identifier list described below.
The options can be applied to both file system and directory entries in
Alternatively, you can list options using only one leading dash and
separating them with commas as in -option[,option]....
Use the identifier field to specify the host names, network groups, or
both, separated by white space, that form the access list for this
export. Host names can optionally contain the local BIND domain name. A
whitespace character in the left-most position of a line indicates line
If no hosts or netgroups are specified, the mount daemon exports this
file system or directory to anyone requesting it. See the mountd(8)
reference page for information on how to limit this scope to known
hosts or to hosts in the same BIND domain.
For example, suppose you enter:
/usr -root=0 milan kuan_yin.cis.berkeley.edu
/u3/dir4 -root=0 milan venice florence
/u3/dir5 -root=milan -anon=-1
/u3/dir6 -ro -public milan venice florence
If /usr, /u2 and /u3 are local file system mount points, this specifies the
+ /usr is exported read-write to hosts milan and
kuan_yin.cis.berkeley.edu with root mapped to uid=0.
+ /usr/local is exported read-write to host 555.555.55.55 with root
mapped to -2. (For security reasons, this example uses the fictitious
IP address 555.555.55.55.)
+ /u2 is exported to all hosts read-only with root mapped to -2.
+ /u3/dir1 is exported read-write to hosts milan, venice, and florence
and read-only to all other hosts. For all hosts, root is mapped to
+ /u3/dir2 is exported with root mapped to 0 to host milan. Hosts
milan, venice, and florence are allowed to mount this directory read-
write. Root on hosts venice and florence is mapped to -2.
+ /u3/dir3 is exported read-write and with root mapped to 0 to hosts
milan, venice, and florence.
+ /u3/dir4 is exported in the same manner as the previous example.
+ /u3/dir5 is exported read-write to all hosts. Anonymous users are not
allowed to mount this directory, with the exception of the client
superuser on host milan. Root is mapped to 0 on host milan and to -2
on all other hosts.
+ /u3/dir6: Hosts milan, venice, and florence are allowed to mount this
directory read-only. All other hosts have read-only WebNFS access, but
cannot mount this directory.
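
The following is an added example, not part of the original reference page: a small audit of an exports file in the syntax described above, flagging entries with an empty identifier list, -root=0, or -public. The function names, the sample file, and the /scratch entry are constructed for illustration; the access list is taken from the identifier field only, so a hostlist given through an option is not considered.

```python
# Constructed sample in the syntax this page describes (not a real server's file).
SAMPLE = """\
# constructed sample exports file
/usr -root=0 milan kuan_yin.cis.berkeley.edu
/u2 -ro
/u3/dir5 -root=milan -anon=-1
/u3/dir6 -ro -public milan \\
         venice florence
/scratch -root=0   # constructed entry: no identifiers, root kept
"""

def parse_exports(text):
    """Return (pathname, {option: value}, [identifiers]) for each entry."""
    entries, pending = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):      # backslash in the right-most position
            pending += raw[:-1] + " "
            continue
        line = (pending + raw).split("#", 1)[0]   # '#' starts a comment
        pending = ""
        tokens = line.split()
        if not tokens:
            continue
        opts, idents = {}, []
        for tok in tokens[1:]:
            if tok.startswith("-"):   # -opt, -opt=value, or -opt[,opt]...
                for item in tok[1:].split(","):
                    name, _, value = item.partition("=")
                    opts[name] = value
            else:
                idents.append(tok)
        entries.append((tokens[0], opts, idents))
    return entries

def audit(text):
    """Map each exported pathname to the risk findings for its entry."""
    report = {}
    for path, opts, idents in parse_exports(text):
        found = []
        if not idents:                # empty identifier list
            found.append("exported to all hosts")
            if not opts.keys() & {"ro", "o", "rw"}:
                found.append("read-write for all hosts")
        if opts.get("root") == "0":   # -root=0 applies to every client
            found.append("client root mapped to uid 0")
        if "public" in opts:
            found.append("WebNFS ignores the access list")
        report.setdefault(path, found)  # first entry wins; duplicates ignored
    return report
```

Calling audit(SAMPLE) returns a dictionary keyed by pathname; an empty list means none of the three conditions applied to that entry.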
Each file system that you want to allow clients to mount must be explicitly
defined. Exporting only the root (/) will not allow clients to mount /usr.
Exporting only /usr will not allow clients to mount /usr/local, if it is a
Duplicate directory entries are not allowed. The first entry is valid and
following duplicates are ignored.
Desired export options must be explicitly specified for each exported
resource: file system or directory. If a file system and subdirectories
within it are exported, the options associated with the file system are not
"inherited." You do not need to export an entire file system to allow
clients to mount subdirectories within it.
The access list associated with each exported resource identifies which
clients can mount that resource with the specified options. For example,
you can export an entire file system read-only, with a subdirectory within
it exported read-write to a subset of clients. If a client that is not
identified in the export access list of a directory attempts to mount it,
then access is checked against the closest exported ancestor. If mount
access is allowed at a higher level in the directory tree of the file sys-
tem, the export options associated with the successful match will be in
To make a change to the exports file and have it take effect immediately,
send the mountd process a HUP signal. Otherwise, the mountd process will
reread the exports file the next time it receives a mount request from an
NFS client or a showmount -e request.
Daemons: mountd(8), nfsd(8)
Files: hosts(4), netgroup(4)
Network Administration: Services