# Allow everything but "meta".
* / rw,alldirs,admin,maproot=0:0

# Allow "meta".
* . rw

# Line format:
# [ip range] [path] [options]
#
# ip range:
#   * = any ip (same as 0.0.0.0/0)
#   A.B.C.D = single ip address
#   A.B.C.D-E.F.G.H = range of ip addresses
#   A.B.C.D/XX = A.B.C.D network with XX bits netmask
#   A.B.C.D/E.F.G.H = A.B.C.D network with E.F.G.H netmask
#
# path:
#   . = special 'path' that means 'meta'
#   /... = path in mfs structure
#
# options:
#   ro/rw/readonly/readwrite = meaning is obvious
#   alldirs = any subdirectory can be mounted as root
#   dynamicip = ip is tested only during first authentication, then client can use the same session id from any ip
#   ignoregid = group id (gid) is not tested - important when you want to use auxiliary groups
#   admin = administrative privileges - currently: manipulating quota values is allowed
#   maproot=UID[:GID] = treat all root (uid zero) operations as operations done by user with uid equal to UID and gid equal to GID (or default gid of this user if GID not specified)
#   mapall=UID[:GID] = like above but for all operations (for both options UID and/or GID can be specified as username or groupname existing on master machine)
#   password=TEXT = force authentication using given password
#   md5pass=MD5 = like above, but with password defined as its MD5 hash (MD5 specified as 128-bit hexadecimal number)
#   minversion=VER = allow only clients with version number equal or greater than VER (VER can be specified as X or X.Y or X.Y.Z)
#   mingoal=N = do not allow to set goal below N (N should be a digit from '1' to '9')
#   maxgoal=N = do not allow to set goal above N (N as above)
#   mintrashtime=TIMEDURATION = do not allow to set trashtime below TIMEDURATION (TIMEDURATION can be specified as number of seconds or combination of elements #W,#D,#H,#M,#S in set order)
#   maxtrashtime=TIMEDURATION = do not allow to set trashtime above TIMEDURATION (TIMEDURATION can be specified as above)
#   disable=OPERATION[:OPERATION[:...]] = do not allow the client to perform certain operations; operations can be specified as one parameter delimited with colon (:) or as single operations with the disable option repeated many times
#
# Operations for disable:
#   chown - don't allow the client to perform the chown operation
#   chmod - don't allow the client to perform the chmod operation
#   symlink - don't allow the client to create symbolic links
#   mkfifo - don't allow the client to create FIFOs
#   mkdev - don't allow the client to create devices
#   mksock - don't allow the client to create sockets
#   mkdir - don't allow the client to create directories
#   unlink - don't allow the client to remove non-directory objects (will also deny move/rename operation if target inode already exists!)
#   rmdir - don't allow the client to remove directories (will also deny move/rename operation if target inode already exists!)
#   rename - don't allow the client to change inode (file, directory) names
#   move - don't allow the client to move inodes (files, directories) to another path
#   link - don't allow the client to create hard links
#   create - don't allow the client to create new files
#   readdir - don't allow the client to list directories ('ls' command will not work)
#   read - don't allow the client to read from files
#   write - don't allow the client to write to files
#   truncate - don't allow the client to shorten the length of a file with the truncate command
#   setlength - don't allow the client to increase the length of a file with the truncate command
#   appendchunks - don't allow the client to add chunks from one file to another (mfsappendchunks)
#   snapshot - don't allow the client to create snapshots
#   settrash - don't allow the client to change trash retention time
#   setsclass - don't allow the client to set storage classes
#   seteattr - don't allow the client to set mfs extra attributes
#   setxattr - don't allow the client to set XATTRs
#   setfacl - don't allow the client to set ACLs
#
# Defaults:
#   readonly,maproot=999:999,mingoal=1,maxgoal=9,mintrashtime=0,maxtrashtime=4294967295
#
# TIMEDURATION examples:
#   2H = 2 hours
#   4h30M = 4 hours and 30 minutes (time units are case insensitive)
#   12w = 12 weeks
#   86400 = 86400 seconds = 1 day
#   11d13h46m40s = 1000000 seconds (defined in a bit strange way as 11 days, 13 hours, 46 minutes and 40 seconds)
#   48H = 48 hours = 2 days (it is allowed to use any positive number with any time unit as long as the calculated number of seconds does not exceed 4294967295)
#   30m12h = wrong definition (minutes before hours)
#   30m12 = wrong definition (12 without unit definition - only a single number is allowed without unit definition, which then defaults to seconds)
#   50000d = wrong definition (calculated number of seconds is 4320000000, which is greater than 4294967295)

# Some examples:

# Users from any IP can mount root directory as a read-only file system. Local roots are mapped as users with uid:gid = 999:999.
#* / ro

# Users from IP 192.168.1.0-192.168.1.255 can mount root directory as a standard read/write file system. Local roots are mapped as users with uid:gid = 999:999.
#192.168.1.0/24 / rw

# Users from IP 192.168.1.0-192.168.1.255 who give the password 'passcode' can mount any subdirectory as a standard read/write file system. Local roots are left unmapped.
#192.168.1.0/24 / rw,alldirs,maproot=0,password=passcode

# Users from IP 10.0.0.0-10.0.0.5 who give the password 'test' can mount the 'test' subdirectory as a standard read/write file system. Local roots are mapped as 'nobody' users (usually uid=65534).
#10.0.0.0-10.0.0.5 /test rw,maproot=nobody,password=test

# Users from IP 10.1.0.0-10.1.255.255 can mount the 'public' subdirectory as a standard read/write file system. All users are mapped as users with uid:gid = 1000:1000.
#10.1.0.0/255.255.0.0 /public rw,mapall=1000:1000

# Users from IP 10.2.0.0-10.2.255.255 can mount everything, but can't decrease trash time below 2 hours and 30 minutes nor increase it above 2 weeks.
#10.2.0.0/16 / rw,alldirs,maproot=0,mintrashtime=2h30m,maxtrashtime=2w

# Users from IP 192.168.1.0-192.168.1.255 can mount root directory as a read/write file system, but with no possibility of removing any data. Local roots are mapped as users with uid:gid = 999:999.
#192.168.1.0/24 / rw,disable=unlink:rmdir:truncate

# Same as above, just in a different format
#192.168.1.0/24 / rw,disable=unlink,disable=rmdir,disable=truncate
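The following is an added example, not part of MooseFS or of this configuration file: a small Python lint that implements the `[ip range] [path] [options]` grammar and the TIMEDURATION rules described in the comments above and then reviews each active line for settings an administrator would want to double-check before exposing the export (root left unmapped with no password, read/write export to any ip, a cleartext `password=`, or an inverted `mintrashtime`/`maxtrashtime` pair). The function names, the finding texts and the `SAMPLE_CFG` contents are this example's own constructions; the sample lines are copied from the commented examples above and do not describe a real deployment.

```python
"""Lint for mfsexports.cfg lines (added example, not MooseFS code)."""
import ipaddress
import re

MAX_SECONDS = 4294967295  # upper bound stated for TIMEDURATION
# Units must appear in W,D,H,M,S order, each preceded by a number; case-insensitive.
DURATION_RE = re.compile(
    r"(?:(\d+)[wW])?(?:(\d+)[dD])?(?:(\d+)[hH])?(?:(\d+)[mM])?(?:(\d+)[sS])?")
UNIT_MULTIPLIERS = (604800, 86400, 3600, 60, 1)


def parse_duration(text):
    """Return the seconds a TIMEDURATION denotes, or raise ValueError."""
    if text.isdigit():                    # a bare number means seconds
        seconds = int(text)
    else:
        m = DURATION_RE.fullmatch(text)
        if not m or not any(m.groups()):  # wrong order, number without unit, or empty
            raise ValueError(f"malformed TIMEDURATION {text!r}")
        seconds = sum(int(v) * mult
                      for v, mult in zip(m.groups(), UNIT_MULTIPLIERS) if v)
    if seconds > MAX_SECONDS:
        raise ValueError(f"{text!r} is {seconds} seconds, above {MAX_SECONDS}")
    return seconds


def is_valid_duration(text):
    """True when parse_duration accepts the text."""
    try:
        parse_duration(text)
        return True
    except ValueError:
        return False


def parse_ip_range(spec):
    """Return (first, last) IPv4Address covered by the [ip range] field."""
    if spec == "*":
        spec = "0.0.0.0/0"
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range {spec!r} ends before it starts")
        return first, last
    if "/" in spec:                       # accepts both /XX and /E.F.G.H forms
        net = ipaddress.IPv4Network(spec, strict=False)
        return net.network_address, net.broadcast_address
    addr = ipaddress.IPv4Address(spec)
    return addr, addr


def parse_export_line(line):
    """Split an active (non-comment) line into ip range, path and options.

    Value-less options map to True; disable= operations from either
    syntax (colon-joined or repeated) are merged into one set."""
    fields = line.split()
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}: {line!r}")
    ip_spec, path, opt_text = fields
    first, last = parse_ip_range(ip_spec)
    options, disabled = {}, set()
    for opt in opt_text.split(","):
        key, _, value = opt.partition("=")
        if key == "disable":
            disabled.update(value.split(":"))
        else:
            options[key] = value or True
    if disabled:
        options["disable"] = disabled
    return {"first": first, "last": last, "path": path, "options": options}


def audit_entry(entry):
    """Return the list of review findings for one parsed export line."""
    opts, findings = entry["options"], []
    any_ip = (entry["first"] == ipaddress.IPv4Address("0.0.0.0")
              and entry["last"] == ipaddress.IPv4Address("255.255.255.255"))
    writable = "rw" in opts or "readwrite" in opts
    root_uid = str(opts.get("maproot", "")).split(":")[0]
    authenticated = "password" in opts or "md5pass" in opts
    if root_uid in ("0", "root") and not authenticated:
        findings.append("maproot leaves client root unmapped and no password is required")
    if any_ip and writable:
        findings.append("read/write export to any ip (*)")
    if "admin" in opts:
        findings.append("admin grants quota manipulation to every client in range")
    if "password" in opts:
        findings.append("password= keeps the secret in clear text; md5pass= stores only its hash")
    bounds = {k: parse_duration(opts[k])  # raises on a malformed TIMEDURATION
              for k in ("mintrashtime", "maxtrashtime") if k in opts}
    if len(bounds) == 2 and bounds["mintrashtime"] > bounds["maxtrashtime"]:
        findings.append("mintrashtime is greater than maxtrashtime")
    return findings


def audit_config(text):
    """Map each active line number of a config text to its findings."""
    report = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        report[lineno] = audit_entry(parse_export_line(line))
    return report


# Constructed sample built from the example lines above; not a real deployment.
SAMPLE_CFG = """\
# constructed sample
* / rw,alldirs,admin,maproot=0:0
* . rw
192.168.1.0/24 / rw,disable=unlink:rmdir:truncate
10.2.0.0/16 / rw,alldirs,maproot=0,mintrashtime=2h30m,maxtrashtime=2w
10.0.0.0-10.0.0.5 /test rw,maproot=nobody,password=test
"""

if __name__ == "__main__":
    for lineno, findings in audit_config(SAMPLE_CFG).items():
        for finding in findings:
            print(f"line {lineno}: {finding}")
```

Run against `SAMPLE_CFG`, the lint flags the first active line three times (unmapped root without a password, read/write to any ip, admin), the `* . rw` meta line once, the `maproot=0` line once, the `password=test` line once, and reports nothing for the `disable=unlink:rmdir:truncate` line. The duration grammar is deliberately strict in the same way the comments describe: `30m12h`, `30m12` and `50000d` are all rejected, while `11d13h46m40s` parses to exactly 1000000 seconds.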