Archive for the tag 'NFS'

SBDavid

Using NFS over TCP


To mount a shared directory using NFS over TCP, use the “proto=tcp” mount option:

# mount -o proto=tcp :/pub /usr/local/pub

Make sure the target directory, in this example /usr/local/pub, exists on the client.

You can verify the NFS over TCP mount using the mount command:

If you need NFS, it is recommended to use NFS over TCP, since NFS over UDP is less secure. All 2.4 and 2.6 kernels support NFS over TCP on the client side. Server support for TCP appears in later 2.4 kernels and in all 2.6 kernels.

To verify whether your server supports NFS over TCP, use the wire-test command (/usr/sbin/wire-test is part of the am-utils package). If your server supports NFS over TCP, the output looks like this:

# wire-test localhost
NFS Version and protocol tests to host "localhost"...
testing vers=2, proto="udp" -> found version 2.
testing vers=3, proto="udp" -> found version 3.
testing vers=2, proto="tcp" -> found version 2.
testing vers=3, proto="tcp" -> found version 3.
#
SBDavid

Securing NFS


NFS (Network File System) allows servers to share files over a network. But, like all network services, using NFS involves risks.

If you don’t have shared directories to export, ensure that the NFS service is NOT enabled and running:

# service nfs status
rpc.mountd is stopped
nfsd is stopped
rpc.rquotad is stopped

Then check with chkconfig that it is not enabled in any runlevel:

# chkconfig --list nfs
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
#

You probably don’t need the portmap service either. NFS depends on it: the portmap daemon registers RPC-based services such as NFS and NIS.

# service portmap status
portmap is stopped

Then check its status with chkconfig:

# chkconfig --list portmap
portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off
#

NFS should not be enabled if not needed.
If you must use NFS, use TCP wrapper to restrict remote access.
Make sure you export to only those machines that you really need to.
Use fully qualified domain names to diminish spoofing attempts.
Export only directories you need to export.
Export read-only wherever possible.
Use NFS over TCP.

SBDavid

Exporting NFS File Systems


To allow a client access to a filesystem or directory, the /etc/exports file serves as the access control list.

To give the network “lan.serverbuddies.com” read-only access to /public_docs, the entry in /etc/exports would look as follows:

/public_docs *.lan.serverbuddies.com(ro,sync)

Security: It is very important NOT to give write access to NFS clients unless it is absolutely needed! Entries in /etc/exports are exported read-only (the "ro" option) by default.

To allow the servers lan1, lan2 and lan3 read-write access to the /backup/setup directory, the entry in /etc/exports would look as follows:

/backup/setup lan1.serverbuddies.com(rw,sync) lan2.serverbuddies.com(rw,sync) lan3.serverbuddies.com(rw,sync)

Note that options MUST NOT be separated from hostnames or networks by whitespace. Use fully qualified domain names to diminish spoofing attempts.

All entries in /etc/exports are exported with the root_squash option (“root squashing”) by default. This means that the root user on a client machine does not have root privileges (root access) to root-owned files on exported NFS filesystems/directories. It is not recommended to turn root squashing off using the no_root_squash option!

After you’ve made all your entries in /etc/exports, you can export all filesystems/directories using the following command:

# exportfs -a

To unexport all shared filesystems/directories, run:

# exportfs -ua

To see all shared filesystems/directories, run:

# showmount -e localhost

Export list for localhost:

/public_docs *.lan.serverbuddies.com
/backup/setup lan1.serverbuddies.com lan2.serverbuddies.com lan3.serverbuddies.com

Why we should not use the no_root_squash Option

By default, NFS shares change the root user to the nfsnobody user, an unprivileged user account.

In this way, all root-created files are owned by nfsnobody, which prevents uploading of programs with the setuid bit set.

no_root_squash - Allows root users on client computers to have root access on the server. Requests from root are not mapped to the anonymous user. This option is needed for diskless clients.

root_squash - Requests from root on clients are mapped to the nobody user and group ID, so they only have the file privileges granted to “other”.

ro - read only access
rw - read write access

If no_root_squash is used, remote root users are able to change any file on the shared file system and leave trojaned applications for other users to inadvertently execute.

SBDavid

Common NFS Syntax Errors


The NFS server determines which file systems to export and which hosts to export these directories to via the /etc/exports file.

Be careful not to add extraneous spaces when editing this file.

For instance, the following line in the /etc/exports file shares the directory /tmp/nfs/ to the host serverbuddies.example.com with read/write permissions.

/tmp/nfs/ serverbuddies.example.com(rw)

This line in the /etc/exports file, on the other hand, shares the same directory to the host serverbuddies.example.com with read-only permissions and shares it to the world with read/write permissions, due to the single space character after the hostname:

/tmp/nfs/ serverbuddies.example.com (rw)
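The following checker, an added example that is not code from the original posts, reads an /etc/exports file the way exportfs does and flags the patterns the "Securing NFS", "Exporting NFS File Systems" and "Common NFS Syntax Errors" posts warn about: options separated from the host by a space (which apply to every host), exports to "*", no_root_squash, and read-write exports. The sample file is constructed here; the hostnames are the ones from the posts.

```python
import re

# Constructed sample /etc/exports (not from the post): the first two lines
# mirror the examples above, the third reproduces the stray-space pitfall
# and the fourth the no_root_squash option the post warns against.
SAMPLE_EXPORTS = """\
/public_docs *.lan.serverbuddies.com(ro,sync)
/backup/setup lan1.serverbuddies.com(rw,sync) lan2.serverbuddies.com(rw,sync)
/tmp/nfs/ serverbuddies.example.com (rw)
/home *(rw,no_root_squash)   # comment
"""

# host part (may be empty), optionally followed by "(opt,opt,...)"
TOKEN = re.compile(r"^([^(\s]*)(?:\((.*)\))?$")

def parse_exports(text):
    """Return [(path, [(client, [options]), ...]), ...] as exportfs reads
    the file. A token that is only '(opts)' has an empty client string:
    exportfs applies those options to every host."""
    result = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        clients = []
        for tok in fields[1:]:
            m = TOKEN.match(tok)
            if m is None:
                continue                          # malformed token, skip it
            opts = [o for o in (m.group(2) or "").split(",") if o]
            clients.append((m.group(1), opts))
        result.append((fields[0], clients))
    return result

def lint_exports(text):
    """Flag the patterns the posts warn about; returns (path, client, msg)."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if client == "":
                findings.append((path, "*", "options with no host apply to every host (stray space before '(')"))
            elif client == "*":
                findings.append((path, client, "exported to every host"))
            if "no_root_squash" in opts:
                findings.append((path, client or "*", "no_root_squash: remote root keeps root"))
            if "rw" in opts:
                findings.append((path, client or "*", "read-write export"))
    return findings
```

Running `lint_exports(open("/etc/exports").read())` on a real server lists every export that deserves a second look before `exportfs -a`.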

It is good practice to check any configured NFS shares by using the showmount command to verify what is being shared:

showmount -e [hostname]