Server-Side NFS Security
Because NFS allows users on a network to access files stored on the server, NFS has significant security implications for the server. These implications fall into three broad categories:
- Client access
NFS can (and should) be configured so that only certain clients on the network can mount filesystems stored on the server.
- User authentication
NFS can (and should) be configured so that users can access and alter only files to which they have been granted access.
- Eavesdropping and data spoofing
NFS should (but does not) protect information on the network from eavesdropping and surreptitious modification.
Limiting Client Access: /etc/exports and /etc/dfs/dfstab
The NFS server can be configured so that only certain hosts are allowed to mount filesystems on the server. This is a very important step in maintaining server security: if an unauthorized host is denied the ability to mount a filesystem, then unauthorized users on that host should not be able to access the server’s files. This configuration is controlled by settings in a file. Depending on the version of Unix/Linux/etc. that you are using, the specific file structure and usage is different. Systems with a BSD heritage use /etc/exports, and systems with a System V heritage use /etc/dfs/dfstab.
Many versions of Unix, including Sun’s SunOS, HP’s HP-UX, SGI’s IRIX, and Linux use the /etc/exports file to designate which clients can mount the server’s filesystem and what access those clients can ...
Get Practical UNIX and Internet Security, 3rd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.