Chapter 4. Hardening Your System with Tools and Services
4.3. Securing Services
4.3.6. Securing NFS
Important
NFS traffic can be carried over TCP in all versions of the protocol. TCP should be used in preference to UDP with NFSv3, and it is required by NFSv4. All versions of NFS support Kerberos user and group authentication through the RPCSEC_GSS kernel module. Information on rpcbind is still included, because Red Hat Enterprise Linux 7 supports NFSv3, which relies on rpcbind.
4.3.6.1. Carefully Plan the Network
NFSv2 and NFSv3 traditionally passed data insecurely. All versions of NFS now have the ability to authenticate (and optionally encrypt) ordinary file system operations using Kerberos. Under NFSv4 all operations can use Kerberos; under v2 or v3, file locking and mounting still do not use it. When using NFSv4.0, delegations may have to be turned off if the clients are behind NAT or a firewall. For information on the use of NFSv4.1 to allow delegations to operate through NAT and firewalls, see the pNFS section of the Red Hat Enterprise Linux 7 Storage Administration Guide.
4.3.6.2. Securing NFS Mount Options
The use of the mount command in the /etc/fstab file is explained in the Using the mount Command chapter of the Red Hat Enterprise Linux 7 Storage Administration Guide. From a security administration point of view it is worth noting that NFS mount options can also be specified in /etc/nfsmount.conf, which can be used to set custom default options.
4.3.6.2.1. Review the NFS Server
Warning
Only export entire file systems. Exporting a subdirectory of a file system can be a security issue. It is possible in some cases for a client to "break out" of the exported part of the file system and get to unexported parts (see the section on subtree checking in the exports(5) man page).
Use the ro option to export the file system as read-only whenever possible, to reduce the number of users able to write to the mounted file system. Only use the rw option when specifically required. See the exports(5) man page for more information. Allowing write access increases the risk from symlink attacks, for example. This includes temporary directories such as /tmp and /usr/tmp.
Where directories must be mounted with the rw option, avoid making them world-writable whenever possible to reduce risk. Exporting home directories is also viewed as a risk, as some applications store passwords in clear text or weakly encrypted. This risk is being reduced as application code is reviewed and improved. Some users do not set passphrases on their SSH keys, so this too means home directories present a risk. Enforcing the use of passphrases or using Kerberos would mitigate that risk.
Restrict exports to only those clients that need access. Use the showmount -e command on an NFS server to review what the server is exporting. Do not export anything that is not specifically required.
Do not use the no_root_squash option, and review existing installations to make sure it is not used. See Section 4.3.6.4, "Do Not Use the no_root_squash Option" for more information.
The secure option is the server-side export option used to restrict exports to "reserved" ports. By default, the server allows client communication only from "reserved" ports (ports numbered less than 1024), because traditionally clients have only allowed "trusted" code (such as in-kernel NFS clients) to use those ports. However, on many networks it is not difficult for anyone to become root on some client, so it is rarely safe for the server to assume that communication from a reserved port is privileged. Therefore the restriction to reserved ports is of limited value; it is better to rely on Kerberos, firewalls, and restriction of exports to particular clients.
Most clients still do use reserved ports when possible. However, reserved ports are a limited resource, so clients (especially those with a large number of NFS mounts) may choose to use higher-numbered ports as well. Linux clients may do this using the noresvport mount option. If you wish to allow this on an export, you may do so with the insecure export option.
It is good practice not to allow users to log in to an NFS server. While reviewing the above settings on an NFS server, conduct a review of who and what can access the server.
4.3.6.2.2. Review the NFS Client
Use the nosuid option to disallow the use of setuid programs. The nosuid option disables the set-user-identifier and set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program. Use this option on both the client and the server side.
The noexec option disables execution of all files on the client. Use this to prevent users from inadvertently executing files placed in the file system being shared. The nosuid and noexec options are standard options for most, if not all, file systems.
Use the nodev option to prevent "device files" from being processed as a hardware device by the client.
The resvport option is a client-side mount option and secure is the corresponding server-side export option (see the explanation above). It restricts communication to a "reserved port". The reserved or "well known" ports are reserved for privileged users and processes such as the root user. Setting this option causes the client to use a reserved source port to communicate with the server.
All versions of NFS now support mounting with Kerberos authentication. The mount option to enable this is sec=krb5.
NFSv4 supports mounting with Kerberos using krb5i for integrity and krb5p for privacy protection. These are selected with the sec=krb5i and sec=krb5p mount options respectively, and the corresponding security flavor must also be allowed in the export on the NFS server. See the exports(5) man page (man 5 exports) for more information.
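The client-side checklist above (nosuid, noexec, nodev, Kerberos, TCP, reserved ports) can be turned into a quick audit of what is actually mounted. The script below is an added example, not part of the Red Hat guide: it reads lines in /proc/mounts format and prints one finding per NFS mount that departs from the recommendations. The three mount lines it is fed are constructed for the example, with made-up server names and addresses.

```shell
#!/bin/sh
# Added example; not from the Red Hat guide. Audits NFS mounts in /proc/mounts
# format against the client-side recommendations: nosuid, noexec, nodev,
# Kerberos (sec=krb5*), TCP rather than UDP, and reserved source ports.
# The input lines below are constructed for the example.

SAMPLE_MOUNTS='nfs1.example.com:/srv/pub /mnt/pub nfs4 rw,nosuid,nodev,noexec,relatime,vers=4.1,proto=tcp,sec=krb5p,clientaddr=10.0.0.5,addr=10.0.0.10 0 0
nfs1.example.com:/home /home nfs rw,relatime,vers=3,proto=udp,sec=sys,noresvport,addr=10.0.0.10 0 0
/dev/sda1 / xfs rw,relatime,attr2,inode64,noquota 0 0'

# audit_nfs_mounts: stdin = /proc/mounts lines, stdout = one finding per line
# in the form "<mountpoint>: <message>". Non-NFS mounts are ignored.
audit_nfs_mounts() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        mp = $2
        nosuid = nodev = noexec = noresv = 0
        sec = "sys"; proto = "tcp"; vers = "?"
        n = split($4, o, ",")
        for (j = 1; j <= n; j++) {
            if (o[j] == "nosuid") nosuid = 1
            else if (o[j] == "nodev") nodev = 1
            else if (o[j] == "noexec") noexec = 1
            else if (o[j] == "noresvport") noresv = 1
            else if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
            else if (o[j] ~ /^proto=/) proto = substr(o[j], 7)
            else if (o[j] ~ /^vers=/) vers = substr(o[j], 6)
        }
        if (!nosuid) printf("%s: setuid/setgid bits honoured (mount with nosuid)\n", mp)
        if (!nodev)  printf("%s: device files honoured (mount with nodev)\n", mp)
        if (!noexec) printf("%s: files are executable (mount with noexec)\n", mp)
        if (sec !~ /krb5/) printf("%s: sec=%s, no Kerberos authentication (use sec=krb5, krb5i or krb5p)\n", mp, sec)
        if (proto == "udp") printf("%s: NFSv%s over UDP (use proto=tcp)\n", mp, vers)
        if (noresv) printf("%s: noresvport set, the server export must use insecure\n", mp)
    }'
}

# audit_sample_mounts: run the auditor over the constructed sample
audit_sample_mounts() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_nfs_mounts
}

# On a real client run: audit_nfs_mounts < /proc/mounts
audit_sample_mounts
```

The first sample mount is what a hardened NFSv4.1 mount looks like and produces no findings; the second is an NFSv3 mount over UDP with sec=sys and none of the restrictive flags, and every line printed for it maps to one of the options discussed above.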
The NFS man page (man 5 nfs) has a "SECURITY CONSIDERATIONS" section which explains the security enhancements in NFSv4 and lists all the NFS-specific mount options.
4.3.6.3. Beware of Syntax Errors
The NFS server determines which file systems to export, and which hosts to export these directories to, by consulting the /etc/exports file. Be careful not to add extraneous spaces when editing this file.
For instance, the following line in the /etc/exports file shares the directory /tmp/nfs/ to the host bob.example.com with read/write permissions.
/tmp/nfs/ bob.example.com(rw)
The following line in the /etc/exports file, on the other hand, shares the same directory to the host bob.example.com with read-only permissions and shares it to the world with read/write permissions, due to the single space character after the hostname.
/tmp/nfs/ bob.example.com (rw)
It is good practice to check any configured NFS shares by using the showmount command to verify what is being shared:
showmount -e <hostname>
4.3.6.4. Do Not Use the no_root_squash Option
By default, NFS shares map the root user to the nfsnobody user, an unprivileged user account. This changes the owner of all root-created files to nfsnobody, which prevents the uploading of programs with the setuid bit set.
If no_root_squash is used, remote root users are able to change any file on the shared file system and leave applications infected by Trojans for other users to inadvertently execute.
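The server-side review in Section 4.3.6.2.1, the whitespace pitfall in Section 4.3.6.3 and the no_root_squash warning above all come down to reading /etc/exports carefully. The script below is an added example, not part of the Red Hat guide: a small exports(5) parser that splits each client entry into host and options and flags an entry with no host (the stray-space case, which exports to the world), a wildcard host, rw, insecure, no_root_squash, and any entry that is not Kerberos-protected. The sample exports file it reads is constructed for the example; quoted paths and the "-options" default-line form of exports(5) are not handled.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: a small /etc/exports auditor.
# It reads exports(5)-formatted text on stdin and prints one finding per line.
# Quoted paths and the "-options" default-line form are not handled.

# constructed /etc/exports used as sample input
SAMPLE_EXPORTS='# constructed sample
/srv/pub      bob.example.com(ro,sec=krb5p,root_squash)
/tmp/nfs/     bob.example.com (rw)
/home         *(rw,no_root_squash,insecure)
/srv/data     10.0.0.0/24(ro)'

# audit_exports: stdin = exports file, stdout = findings ("<path>: <message>")
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            ent = $i; host = ent; opts = ""
            if (match(ent, /\(.*\)$/)) {    # split host(opts) into its parts
                host = substr(ent, 1, RSTART - 1)
                opts = substr(ent, RSTART + 1, RLENGTH - 2)
            }
            who = (host == "") ? "everyone" : host
            if (host == "")
                printf("%s: %s has no host: exported to the world (space before the parenthesis?)\n", path, ent)
            else if (host == "*")
                printf("%s: exported to every host (*)\n", path)
            n = split(opts, o, ","); rw = 0; sec = "sys"
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                else if (o[j] == "no_root_squash") printf("%s: %s uses no_root_squash\n", path, who)
                else if (o[j] == "insecure") printf("%s: %s may connect from non-reserved ports (insecure)\n", path, who)
                else if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
            }
            if (rw) printf("%s: %s has write access (rw)\n", path, who)
            if (sec !~ /krb5/) printf("%s: %s is not Kerberos-protected (sec=%s)\n", path, who, sec)
        }
    }'
}

# audit_sample_exports: run the auditor over the constructed sample
audit_sample_exports() {
    printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
}

# On a real server run: audit_exports < /etc/exports
audit_sample_exports
```

The /tmp/nfs/ line reproduces the mistake from Section 4.3.6.3: bob.example.com gets the read-only default, and the detached (rw) becomes a separate, hostless entry that the auditor reports as exported to the world with write access. Only /srv/pub, exported read-only to one host with sec=krb5p and root_squash, produces no findings.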
4.3.6.5. NFS Firewall Configuration
NFSv4 is the default version of NFS for Red Hat Enterprise Linux 7, and it only requires TCP port 2049 to be open. If using NFSv3, then four additional ports are required, as explained below.
Configuring Ports for NFSv3
The ports used for NFS are assigned dynamically by rpcbind, which can cause problems when creating firewall rules. To simplify this process, use the /etc/sysconfig/nfs file to specify which ports are to be used:
MOUNTD_PORT — TCP and UDP port for mountd (rpc.mountd)
STATD_PORT — TCP and UDP port for status (rpc.statd)
LOCKD_TCPPORT — TCP port for nlockmgr (rpc.lockd)
LOCKD_UDPPORT — UDP port for nlockmgr (rpc.lockd)
Port numbers specified must not be used by any other service. Configure your firewall to allow the port numbers specified, as well as TCP and UDP port 2049 (NFS).
Run the rpcinfo -p command on the NFS server to see which ports and RPC programs are being used.
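Pinning the ports is only useful if the daemons actually pick them up and the firewall rules match. The script below is an added example, not part of the Red Hat guide: it compares the four variables from an /etc/sysconfig/nfs fragment against rpcinfo -p output, rejects a pinned port that is unset, reused, or collides with NFS (2049) or rpcbind (111), and prints the firewall-cmd rules for what it verified. Both inputs are constructed for the example, the port numbers are arbitrary choices rather than values the guide prescribes, and the rule for port 111 is added here because NFSv3 clients must reach rpcbind, not because the guide lists it.

```shell
#!/bin/sh
# Added example; not from the Red Hat guide. Verifies that the NFSv3 helper
# daemons listen on the ports pinned in /etc/sysconfig/nfs (by comparing with
# `rpcinfo -p` output) and prints the matching firewall-cmd rules. Both inputs
# below are constructed; the port numbers are arbitrary example values.

SYSCONFIG_NFS='MOUNTD_PORT=892
STATD_PORT=662
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769'

RPCINFO_OUT='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
    100024    1   udp    662  status
    100024    1   tcp    662  status
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    4   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr'

# cfg_get VAR: value assigned to VAR in the sysconfig text (last one wins)
cfg_get() {
    printf '%s\n' "$SYSCONFIG_NFS" | sed -n "s/^$1=//p" | tail -n 1
}

# rpc_port SERVICE PROTO: port rpcinfo reports for SERVICE over PROTO
rpc_port() {
    printf '%s\n' "$RPCINFO_OUT" | awk -v s="$1" -v p="$2" '$5 == s && $3 == p { print $4; exit }'
}

# check_pinned_ports: 0 if every pinned port is set, does not collide with
# nfs (2049) or rpcbind (111), is not reused, and matches rpcinfo; else 1.
check_pinned_ports() {
    rc=0
    for spec in mountd:tcp:MOUNTD_PORT mountd:udp:MOUNTD_PORT \
                status:tcp:STATD_PORT status:udp:STATD_PORT \
                nlockmgr:tcp:LOCKD_TCPPORT nlockmgr:udp:LOCKD_UDPPORT; do
        svc=${spec%%:*}; rest=${spec#*:}; proto=${rest%%:*}; var=${rest#*:}
        want=$(cfg_get "$var"); got=$(rpc_port "$svc" "$proto")
        case "$want" in
            ''|2049|111) echo "BAD: $var unset or collides with nfs/rpcbind" >&2; rc=1 ;;
        esac
        if [ "$want" != "$got" ]; then
            echo "MISMATCH: $svc/$proto pinned to ${want:-none}, rpcinfo shows ${got:-none}" >&2
            rc=1
        fi
    done
    # a number may be shared by one TCP and one UDP port, but not by two TCP or two UDP ports
    tcp_dups=$(printf '%s\n' "$(cfg_get MOUNTD_PORT)" "$(cfg_get STATD_PORT)" "$(cfg_get LOCKD_TCPPORT)" | sort | uniq -d)
    udp_dups=$(printf '%s\n' "$(cfg_get MOUNTD_PORT)" "$(cfg_get STATD_PORT)" "$(cfg_get LOCKD_UDPPORT)" | sort | uniq -d)
    if [ -n "$tcp_dups$udp_dups" ]; then
        echo "BAD: pinned port used twice: $tcp_dups $udp_dups" >&2
        rc=1
    fi
    return $rc
}

# firewall_rules: print firewall-cmd commands opening the pinned ports, NFS
# itself (2049) and rpcbind (111, which NFSv3 clients need) for TCP and UDP.
firewall_rules() {
    for p in 2049 111 "$(cfg_get MOUNTD_PORT)" "$(cfg_get STATD_PORT)"; do
        echo "firewall-cmd --permanent --add-port=$p/tcp"
        echo "firewall-cmd --permanent --add-port=$p/udp"
    done
    echo "firewall-cmd --permanent --add-port=$(cfg_get LOCKD_TCPPORT)/tcp"
    echo "firewall-cmd --permanent --add-port=$(cfg_get LOCKD_UDPPORT)/udp"
    echo "firewall-cmd --reload"
}

# On a real server replace the two constructed inputs with:
#   SYSCONFIG_NFS=$(cat /etc/sysconfig/nfs); RPCINFO_OUT=$(rpcinfo -p)
if check_pinned_ports; then
    echo "pinned ports verified; rules to apply:"
    firewall_rules
fi
```

The rules are printed rather than executed so the output can be reviewed first; a mismatch between the sysconfig file and rpcinfo usually means the NFS services were not restarted after the file was edited, and opening the firewall for a port nothing listens on would hide that.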