5.4. Securing NFS
The Network File System or NFS is an RPC service used in conjunction
with portmap and other related services to provide
network accessible file systems for client machines. For more
information on how NFS works, refer to the chapter titled Network
File System (NFS) in the Red Hat Linux Reference Guide. For
more information about configuring NFS, refer to the
Red Hat Linux Customization Guide. The following subsections will assume
basic knowledge of NFS.
Important: It is recommended that anyone planning to implement an NFS server
first secure the portmap service as outlined in
Section 5.2 Securing Portmap, before addressing the following
issues.
5.4.1. Carefully Plan the Network
Because NFS passes all information unencrypted over the network, it is
important the service be run behind a firewall and on a segmented and
secure network. Any time information is passed over NFS on an insecure
network, it risks being intercepted. Careful network design in these
regards can help prevent security breaches.
5.4.2. Beware of Syntax Errors
The NFS server determines which file systems to export and which hosts
to export these directories to via the
/etc/exports file. Be careful not to add
extraneous spaces when editing this file.
For instance, the following line in the
/etc/exports file shares the directory
/tmp/nfs/ to the host
bob.example.com with read and write
permissions.
/tmp/nfs/ bob.example.com(rw)
This line in the /etc/exports file, on the other
hand, shares the same directory to the host
bob.example.com with read-only
permissions and shares it to the world with read
and write permissions due to a single space character after the
hostname.
/tmp/nfs/ bob.example.com (rw)
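The stray-space mistake can be caught mechanically before the exports are reloaded. The following is an added example, not part of the original guide: a small checker that parses exports-style text and reports every option group that is attached to no host. The function names and the /srv/docs line are assumptions made for illustration; quoted paths and backslash line continuations are not handled.

```python
import re

# Constructed sample; the two /tmp/nfs/ lines are the ones shown in the text.
SAMPLE_EXPORTS = """\
# constructed sample exports file
/tmp/nfs/ bob.example.com(rw)
/tmp/nfs/ bob.example.com (rw)
/srv/docs *.example.com(ro) (ro)
"""

# A client token is "host", "host(opts)" or, after a stray space, "(opts)".
CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")

def parse_exports(text):
    """Yield (lineno, path, [(host, [options]), ...]) for each export line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *tokens = line.split()
        clients = []
        for token in tokens:
            m = CLIENT_RE.match(token)
            if m is None:
                raise ValueError(f"line {lineno}: cannot parse {token!r}")
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            clients.append((m.group("host"), opts))
        yield lineno, path, clients

def find_world_exports(text):
    """Return (lineno, path, access) for option groups that have no host.

    An empty host means the options apply to every client, which is what
    the space in "bob.example.com (rw)" produces.
    """
    findings = []
    for lineno, path, clients in parse_exports(text):
        for host, opts in clients:
            if host == "":
                findings.append((lineno, path, "rw" if "rw" in opts else "ro"))
    return findings

if __name__ == "__main__":
    for lineno, path, access in find_world_exports(SAMPLE_EXPORTS):
        print(f"line {lineno}: {path} is exported to the world ({access})")
```
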
It is good practice to check any configured NFS shares by using the
showmount command to verify what is being shared:
5.4.3. Do Not Use the no_root_squash Option
By default, NFS shares change files created by the root user so that
they are owned by the user nfsnobody. This prevents uploading of
programs with the setuid bit set.