Securing NFS
The Network File System or NFS is an RPC service used in conjunction
with portmap and other related services to provide
network accessible mount points for client machines. For more
information on how NFS works, see the chapter titled Network
File System (NFS) in the Official Red Hat Linux Reference Guide. For
more information about configuring NFS, refer to the
Official Red Hat Linux Customization Guide. The following subsections will assume
basic knowledge of NFS.
It is recommended that anyone planning to implement an NFS
server first secure the portmap service as outlined
in the Section called Securing Portmap, then address following issues.
Carefully Plan the Network
Because NFS passes all information unencrypted over the network, it is
important the service be run behind a firewall and on a segmented and
secure network. Any time information is passed over NFS an insecure
network, it risks being intercepted. Careful network design in these
regards can help prevent security breaches.
Beware of Syntax Errors
The NFS server determines which file systems to export and who to
export these directories to via the /etc/exports
file. Be careful not to add extraneous spaces when editing this file.
For instance, the following line in the
/etc/exports file shares the directory
/tmp/nfs/ to the host
my.example.com with read and write
permissions.
/tmp/nfs/ my.example.com(rw) |
This line in the /etc/exports file, on the other
hand, shares the same directory to the host
my.example.com with read-only
permissions and shares is to the world with read
and write permissions due to a single space after the hostname.
/tmp/nfs/ my.example.com (rw) |
It is good practice to check any configured NFS shares by using the
following command to verify they are correctly configured:
Do Not Use the no_root_squash
Option
By default, NFS shares change root-owned files to user
nfsnobody. This prevents uploading of
programs with the setuid bit set.
