DistributedNetworks DistributedNetworks


Network File Services  «Prev  Next»
Lesson 5 NFS security
Objective List potential NFS security problems and resolutions.

List potential NFS Security Problems and Resolutions

NFS evolved in an era when security was not a primary concern. Consequently, there is little mechanism inside NFS to protect against misuse.

Common problems

Common security problems associated with NFS include:
  1. Incorrectly specifying the tcpd access information
    Red Hat Linux wraps portmap (and therefore NFS) access with tcpd[1], allowing the administrator to identify particular hosts or networks that have access. Incorrectly specifying the tcpd access information is a common exposure.
  2. User and group IDs on the NFS client and server are not the same
    Suppose a user with an ID of 242 owns some files on your NFS server. Any NFS client with a user ID of 242 can access these files, regardless of whether it's the same user 242 or not.

Solutions to common problems

It is much easier to prevent security problems from arising than to try to resolve them once they appear. Some thought beforehand, coupled with the following suggestions, will help prevent any intrusions:
  1. Create sensible access restrictions in /etc/exports. Think about your NFS users and only give the appropriate minimum access to users.
  2. Never export the root (/) filesystem because this exposes too much of your system's configuration. If you absolutely must export the root directory, export it read-only.
  3. Use wildcards only when absolutely necessary. Miscreants could gain access to your files by spoofing[2] DNS, and a wildcard only increases their chances of being successful.
  4. In /etc/hosts.deny, deny all access to the portmap service. In /etc/hosts.allow, allow access only to those hosts and networks to which you want to give NFS services. (See the tcpd man page for more information about these files.)
  5. Ensure user and group IDs match on both the NFS server and clients.

Question: Why should user and group IDs match on both the NFS client and server?
Answer: Because NFS grants access based on user and group ID.
Explanation: A user should have the same user and group ID on both client and server

[1]Tcpd: A program that provides host-based security for many Linux Internet applications.
[2]Spoofing: Faking a hostname to bypass one or more security mechanisms.