Securing NFS
The Network File System (NFS) is a service that provides network accessible file systems for client machines. Refer to Network File System (NFS) for more information about NFS. The following subsections assume a basic knowledge of NFS.
The version of NFS included in Community Enterprise Linux, NFSv4, no longer requires the Now that NFSv4 has the ability to pass all information encrypted using Kerberos over a network, it is important that the service be configured correctly if it is behind a firewall or on a segmented network. NFSv2 and NFSv3 still pass data insecurely, and this should be taken into consideration. Careful network design in all of these regards can help prevent security breaches. The NFS server determines which file systems to export and which hosts to export these directories to by consulting the For instance, the following line in the The following line in the It is good practice to check any configured NFS shares by using the By default, NFS shares change the root user to the If portmap service as outlined in "Securing Portmap". NFS traffic now utilizes TCP in all versions, rather than UDP, and requires it when using NFSv4. NFSv4 now includes Kerberos user and group authentication, as part of the RPCSEC_GSS kernel module. Information on portmap is still included, since Community Enterprise Linux supports NFSv2 and NFSv3, both of which utilize portmap.
Carefully Plan the Network
Beware of Syntax Errors
/etc/exports file. Be careful not to add extraneous spaces when editing this file.
/etc/exports file shares the directory /tmp/nfs/ to the host bob.example.com with read/write permissions.
/tmp/nfs/ bob.example.com(rw)
/etc/exports file, on the other hand, shares the same directory to the host bob.example.com with read-only permissions and shares it to the world with read/write permissions due to a single space character after the hostname.
/tmp/nfs/ bob.example.com (rw)
showmount command to verify what is being shared:
showmount -e <hostname>Do Not Use the
no_root_squash Optionnfsnobody user, an unprivileged user account. This changes the owner of all root-created files to nfsnobody, which prevents uploading of programs with the setuid bit set.
no_root_squash is used, remote root users are able to change any file on the shared file system and leave applications infected by Trojans for other users to inadvertently execute.