man -s 1M share_nfs
...
root=access_list
        Only root users from the hosts specified in access_list have root
        access. See access_list below. By default, no host has root access,
        so root users are mapped to an anonymous user ID (see the anon=uid
        option described above). Netgroups can be used if the file system
        shared is using UNIX authentication (AUTH_SYS).
...
rw=access_list
        Sharing is read-write to the clients listed in access_list; overrides
        the ro suboption for the clients specified. See access_list below.
...
access_list
        The access_list argument is a colon-separated list whose components
        may be any number of the following:

        hostname
                The name of a host. With a server configured for DNS or LDAP
                naming in the nsswitch "hosts" entry, any hostname must be
                represented as a fully qualified DNS or LDAP name.

        netgroup
                A netgroup contains a number of hostnames. With a server
                configured for DNS or LDAP naming in the nsswitch "hosts"
                entry, any hostname in a netgroup must be represented as a
                fully qualified DNS or LDAP name.

        domain name suffix
                To use domain membership the server must use DNS or LDAP to
                resolve hostnames to IP addresses; that is, the "hosts" entry
                in /etc/nsswitch.conf must specify "dns" or "ldap" ahead of
                "nis" or "nisplus", since only DNS and LDAP return the full
                domain name of the host. Other name services like NIS or NIS+
                cannot be used to resolve hostnames on the server because
                when mapping an IP address to a hostname they do not return
                domain information. For example,

                        NIS or NIS+    172.16.45.9 --> "myhost"

                and

                        DNS or LDAP    172.16.45.9 --> "myhost.mydomain.mycompany.com"

                The domain name suffix is distinguished from hostnames and
                netgroups by a prefixed dot. For example,

                        rw=.mydomain.mycompany.com

                A single dot can be used to match a hostname with no suffix.
                For example,

                        rw=.

                matches "mydomain" but not "mydomain.mycompany.com". This
                feature can be used to match hosts resolved through NIS and
                NIS+ rather than DNS and LDAP.
        network
                The network or subnet component is preceded by an at-sign
                (@). It can be either a name or a dotted address. If a name,
                it is converted to a dotted address by getnetbyname(3SOCKET).
                For example,

                        =@mynet

                would be equivalent to:

                        =@172.16  or  =@172.16.0.0

                The network prefix assumes an octet-aligned netmask
                determined from the zero octets in the low-order part of the
                address. In the case where network prefixes are not
                byte-aligned, the syntax allows a mask length to be specified
                explicitly following a slash (/) delimiter. For example,

                        =@theothernet/17  or  =@172.16.132/22

                where the mask is the number of leftmost contiguous
                significant bits in the corresponding IP address.
        A prefixed minus sign (-) denies access to that component of
        access_list. The list is searched sequentially until a match is found
        that either grants or denies access, or until the end of the list is
        reached. For example, if host "terra" is in the "engineering"
        netgroup, then

                rw=-terra:engineering

        denies access to terra but

                rw=engineering:-terra

        grants access to terra.