Improving NFS Security

There are many techniques that you can use to improve overall NFS security:

  • Limit the use of NFS by limiting the machines to which filesystems are exported, and limit the number of filesystems that each client mounts.

  • Export filesystems read-only if possible.

  • Use root ownership of exported files and directories.

  • Remove group write permissions from exported files and directories.

  • Do not export the server’s executables.

  • Do not export home directories.

  • Do not allow users to log into the NFS server.

  • Use the fsirand program, as described later in this chapter.

  • Set the portmon variable so that NFS requests that are not received from privileged ports will be ignored.

  • Use showmount -e to verify that you are exporting only the filesystem you wish to export to the hosts specified, and with the correct flags.

  • Use Secure NFS.

These techniques are described in the following sections.

Limit Exported and Mounted Filesystems

The best way to limit the danger of NFS is by having each computer export and/or mount only the particular filesystems that are needed.

If a filesystem does not need to be exported, do not export it. If it must be exported, export it to as few machines as possible by judiciously using restrictions in the exports list. If you have a sizeable number of machines to export to, and if such lists are tedious to maintain, consider careful use of the netgroups mechanism, if you have it. Do not export a filesystem to any computer unless you have to. If possible, export filesystems ...

Get Practical UNIX and Internet Security, 3rd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.