
Securing NFS

From the document Red Hat Enterprise Linux 7 Security Guide (Pages 51-54)


Chapter 4. Hardening Your System with Tools and Services

4.3. Securing Services

4.3.6. Securing NFS

Important

NFS traffic can be sent using TCP in all versions; it should be used with NFSv3, rather than UDP, and is required when using NFSv4. All versions of NFS support Kerberos user and group authentication, as part of the RPCSEC_GSS kernel module. Information on rpcbind is still included, since Red Hat Enterprise Linux 7 supports NFSv3 which utilizes rpcbind.

4.3.6.1. Carefully Plan the Network

NFSv2 and NFSv3 traditionally passed data insecurely. All versions of NFS now have the ability to authenticate (and optionally encrypt) ordinary file system operations using Kerberos. Under NFSv4 all operations can use Kerberos; under v2 or v3, file locking and mounting still do not use it. When using NFSv4.0, delegations may be turned off if the clients are behind NAT or a firewall. For information on the use of NFSv4.1 to allow delegations to operate through NAT and firewalls, see the pNFS section of the Red Hat Enterprise Linux 7 Storage Administration Guide.

4.3.6.2. Securing NFS Mount Options

The use of the mount command in the /etc/fstab file is explained in the Using the mount Command chapter of the Red Hat Enterprise Linux 7 Storage Administration Guide. From a security administration point of view it is worthwhile to note that the NFS mount options can also be specified in /etc/nfsmount.conf, which can be used to set custom default options.

4.3.6.2.1. Review the NFS Server

Warning

Only export entire file systems. Exporting a subdirectory of a file system can be a security issue. It is possible in some cases for a client to "break out" of the exported part of the file system and get to unexported parts (see the section on subtree checking in the exports(5) man page).

Use the ro option to export the file system as read-only whenever possible to reduce the number of users able to write to the mounted file system. Only use the rw option when specifically required. See the exports(5) man page for more information. Allowing write access increases the risk from symlink attacks, for example. This includes temporary directories such as /tmp and /usr/tmp.

Where directories must be mounted with the rw option avoid making them world-writable whenever possible to reduce risk. Exporting home directories is also viewed as a risk as some applications store passwords in clear text or weakly encrypted. This risk is being reduced as application code is reviewed and improved. Some users do not set passwords on their SSH keys so this too means home directories present a risk. Enforcing the use of passwords or using Kerberos would mitigate that risk.

Restrict exports only to clients that need access. Use the showmount -e command on an NFS server to review what the server is exporting. Do not export anything that is not specifically required.

Do not use the no_root_squash option and review existing installations to make sure it is not used. See Section 4.3.6.4, “Do Not Use the no_root_squash Option” for more information.

The secure option is the server-side export option used to restrict exports to “reserved” ports. By default, the server allows client communication only from “reserved” ports (ports numbered less than 1024), because traditionally clients have only allowed “trusted” code (such as in-kernel NFS clients) to use those ports. However, on many networks it is not difficult for anyone to become root on some client, so it is rarely safe for the server to assume that communication from a reserved port is privileged. Therefore the restriction to reserved ports is of limited value; it is better to rely on Kerberos, firewalls, and restriction of exports to particular clients.

Most clients still do use reserved ports when possible. However, reserved ports are a limited resource, so clients (especially those with a large number of NFS mounts) may choose to use higher-numbered ports as well. Linux clients may do this using the “noresvport” mount option. If you wish to allow this on an export, you may do so with the “insecure” export option.

It is good practice not to allow users to log in to a server. While reviewing the above settings on an NFS server, conduct a review of who and what can access the server.

4.3.6.2.2. Review the NFS Client

Use the nosuid option to disallow the use of a setuid program. The nosuid option disables the set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program. Use this option on the client and the server side.

The noexec option disables all executable files on the client. Use this to prevent users from inadvertently executing files placed in the file system being shared. The nosuid and noexec options are standard options for most, if not all, file systems.

Use the nodev option to prevent “device-files” from being processed as a hardware device by the client.

The resvport option is a client-side mount option and secure is the corresponding server-side export option (see explanation above). It restricts communication to a "reserved port". The reserved or "well known" ports are reserved for privileged users and processes such as the root user. Setting this option causes the client to use a reserved source port to communicate with the server.

All versions of NFS now support mounting with Kerberos authentication. The mount option to enable this is: sec=krb5.

NFSv4 supports mounting with Kerberos using krb5i for integrity and krb5p for privacy protection. These are used when mounting with sec=krb5, but need to be configured on the NFS server. See the man page on exports (man 5 exports) for more information.
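As an added illustration (not part of the Red Hat guide), the following Python script audits fstab-format text for the client-side options described above: nosuid, nodev, noexec, the sec= flavor and noresvport. The sample entries, host names and finding labels are constructed for this example.

```python
# Constructed /etc/fstab sample; host names, paths and the UUID are made up.
SAMPLE_FSTAB = """\
UUID=0000-constructed  /          xfs   defaults                          0 0
nfs.example.com:/home  /home      nfs4  rw,nosuid,nodev,sec=krb5p         0 0
nfs.example.com:/pub   /mnt/pub   nfs   ro,nosuid,nodev,noexec,noresvport 0 0
nfs.example.com:/proj  /mnt/proj  nfs   defaults                          0 0
"""

HARDENING = ("nosuid", "nodev", "noexec")
KERBEROS = ("krb5", "krb5i", "krb5p")

def audit_nfs_mounts(fstab_text):
    """Return {mount point: [findings]} for NFS entries lacking the options above."""
    report = {}
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        # fstab fields: device, mount point, type, options, dump, pass
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue
        mountpoint, opts = fields[1], fields[3].split(",")
        findings = ["missing " + o for o in HARDENING if o not in opts]
        # sec= accepts a colon-separated list of flavors; require all Kerberos.
        flavors = [f for o in opts if o.startswith("sec=") for f in o[4:].split(":")]
        if not flavors or any(f not in KERBEROS for f in flavors):
            findings.append("sec-not-kerberos")
        if "noresvport" in opts:
            # Only works if the server exports with the "insecure" option.
            findings.append("noresvport")
        if findings:
            report[mountpoint] = findings
    return report

if __name__ == "__main__":
    for mountpoint, findings in audit_nfs_mounts(SAMPLE_FSTAB).items():
        print(mountpoint, "->", ", ".join(findings))
```
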

The NFS man page (man 5 nfs) has a “SECURITY CONSIDERATIONS” section which explains the security enhancements in NFSv4 and contains all the NFS specific mount options.

4.3.6.3. Beware of Syntax Errors

The NFS server determines which file systems to export and which hosts to export these directories to by consulting the /etc/exports file. Be careful not to add extraneous spaces when editing this file.

For instance, the following line in the /etc/exports file shares the directory /tmp/nfs/ to the host bob.example.com with read/write permissions.

/tmp/nfs/ bob.example.com(rw)

The following line in the /etc/exports file, on the other hand, shares the same directory to the host bob.example.com with read-only permissions and shares it to the world with read/write permissions due to a single space character after the hostname.

/tmp/nfs/ bob.example.com (rw)

It is good practice to check any configured NFS shares by using the showmount command to verify what is being shared:

showmount -e <hostname>

4.3.6.4. Do Not Use the no_root_squash Option

By default, NFS shares change the root user to the nfsnobody user, an unprivileged user account. This changes the owner of all root-created files to nfsnobody, which prevents uploading of programs with the setuid bit set.

If no_root_squash is used, remote root users are able to change any file on the shared file system and leave applications infected by Trojans for other users to inadvertently execute.
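The stray-space mistake from Section 4.3.6.3 and the no_root_squash option can both be caught by linting the exports file before it is loaded. The following Python script is an added example, not part of the Red Hat guide; the finding labels and the last two sample entries are constructed, and continuation lines and quoted paths are not handled.

```python
import re

# Constructed sample in /etc/exports syntax. The first two entries are the
# lines discussed in Section 4.3.6.3; the other two are made up.
SAMPLE_EXPORTS = """\
/tmp/nfs/ bob.example.com(rw)
/tmp/nfs/ bob.example.com (rw)
/srv/data 192.0.2.0/24(ro,no_root_squash)   # constructed
/srv/pub  *(ro,insecure)                    # constructed
"""

# One client entry: optional host spec, then optional "(opt,opt,...)".
CLIENT = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")

def audit_exports(text):
    """Return (line number, path, client, finding) for each risky entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for entry in clients:
            m = CLIENT.match(entry)
            if m is None or entry.startswith("-"):
                continue  # default-option lists and odd tokens are out of scope
            host = m.group("host") or "<world>"
            opts = set((m.group("opts") or "").split(",")) - {""}
            if host == "<world>":
                # "(rw)" separated from its host by a space applies to everyone.
                findings.append((lineno, path, host, "options-without-host"))
            if host in ("<world>", "*") and "rw" in opts:
                findings.append((lineno, path, host, "world-writable-export"))
            if "no_root_squash" in opts:
                findings.append((lineno, path, host, "no_root_squash"))
            if "insecure" in opts:
                findings.append((lineno, path, host, "insecure-ports"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("line %d: %s -> %s: %s" % finding)
```
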

4.3.6.5. NFS Firewall Configuration

NFSv4 is the default version of NFS for Red Hat Enterprise Linux 7 and it only requires port 2049 to be open for TCP. If using NFSv3 then four additional ports are required as explained below.

Configuring Ports for NFSv3

The ports used for NFS are assigned dynamically by rpcbind, which can cause problems when creating firewall rules. To simplify this process, use the /etc/sysconfig/nfs file to specify which ports are to be used:

MOUNTD_PORT — TCP and UDP port for mountd (rpc.mountd)
STATD_PORT — TCP and UDP port for status (rpc.statd)
LOCKD_TCPPORT — TCP port for nlockmgr (rpc.lockd)
LOCKD_UDPPORT — UDP port for nlockmgr (rpc.lockd)

Port numbers specified must not be used by any other service. Configure your firewall to allow the port numbers specified, as well as TCP and UDP port 2049 (NFS).

Run the rpcinfo -p command on the NFS server to see which ports and RPC programs are being used.
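To confirm that the services really listen on the pinned ports before relying on the firewall rules, the rpcinfo -p output can be compared with /etc/sysconfig/nfs. The following Python script is an added example, not part of the Red Hat guide; the port numbers and the sample output are constructed.

```python
# Constructed samples: /etc/sysconfig/nfs fragment and `rpcinfo -p` output.
SYSCONFIG_NFS = """\
MOUNTD_PORT=20048
STATD_PORT=662
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
"""
RPCINFO_P = """\
   program vers proto   port  service
    100005    3   tcp  20048  mountd
    100024    1   udp    662  status
    100024    1   tcp  45871  status
    100021    4   tcp  32803  nlockmgr
    100003    3   tcp   2049  nfs
"""
# /etc/sysconfig/nfs variable -> (service name in rpcinfo, protocols it pins)
PINNED = {
    "MOUNTD_PORT": ("mountd", ("tcp", "udp")),
    "STATD_PORT": ("status", ("tcp", "udp")),
    "LOCKD_TCPPORT": ("nlockmgr", ("tcp",)),
    "LOCKD_UDPPORT": ("nlockmgr", ("udp",)),
}

def expected_ports(sysconfig_text):
    """Map (service, proto) -> port for every pinning variable that is set."""
    want = {}
    for line in sysconfig_text.splitlines():
        name, _, value = line.split("#", 1)[0].strip().partition("=")
        value = value.strip("\"' ")
        if name in PINNED and value.isdigit():
            service, protos = PINNED[name]
            want.update({(service, proto): int(value) for proto in protos})
    return want

def port_drift(sysconfig_text, rpcinfo_text):
    """Return (service, proto, expected, actual) where rpcbind reports another port."""
    want = expected_ports(sysconfig_text)
    drift = set()  # rpcinfo lists one row per program version, so deduplicate
    for row in rpcinfo_text.splitlines()[1:]:   # first row is the header
        fields = row.split()
        key = (fields[4], fields[2]) if len(fields) == 5 else None
        if key in want and int(fields[3]) != want[key]:
            drift.add(key + (want[key], int(fields[3])))
    return sorted(drift)

def firewall_ports(sysconfig_text):
    """Ports to allow: the pinned ones plus TCP and UDP 2049 for NFS itself."""
    pinned = {(port, proto) for (_, proto), port in expected_ports(sysconfig_text).items()}
    return sorted(pinned | {(2049, "tcp"), (2049, "udp")})
```

In the constructed sample, rpc.statd answers on a TCP port other than the pinned one, so port_drift reports it and a firewall rule written for STATD_PORT would not match that traffic.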
