NFS Security

NFS by it’s very nature is insecure. One of the basic premises is that you are a trusted machine to begin with. A major flaw in NFS security is that it is name based and not based on IP address. Hostnames can be easily changed, which is an even bigger problem when access is granted to machines without domain names.

If it’s not properly secured, NFS can be used to gain access to a system. You need to be sure that the filesystems that you are exporting do not allow extra permissions and that you allow access to only those machines that need it. Be specific about who has what access.

I don’t recommend that any filesystem be accessible by the world unless it’s completely harmless and read-only. Even then, you could still provide the files via anonymous ftp and limit the potential for compromise. An example would be your man-pages and other documentation. It might be a good idea to share this directory to every system in an effort to keep things consistent and to save space.

Even if you do implement such a system, you should not export it to the world. By making the filesystem(s) accessible to only specific machines, you limit the potential for compromise. You know exactly the consequences of what you did. By using wildcards and making the systems available to everyone, you can’t be sure of can happen.

Even if you set up your NFS “correctly”, you should check the configuration at regular intervals. If your system has been compromised it would be a simple matter for someone to add an entry or change on to give him access. The showmount command will show you a list of machines that are currently mounting your filesystems. You should use this to check to see just who is accessing your system.

Check the /etc/exports file at regular intervals to ensure that you exporting only those directories that you think you are. Although it really is dependant on your company, the safest thin is to only export directories and filesystems to machines within your local domain. If you have machines outside of your domain, implementing a firewall that allows NFS is more difficult. Besides, I have yet to hear a convincing argument as to why it should be done at all.

The showmount command shows machines currently remotely mounting your filesystems. Only local machines should appear here. Monitor this. Only “normal”, non-system directories should be mounted and they should be read-only if possible.


You can find details of setting up NFS
here.