Installation guide

pointed to an unauthorized machine. At this point, the unauthorized machine is the system permitted
to mount the NFS share, since no username or password information is exchanged to provide
additional security for the NFS mount.
Wildcards should be used sparingly when exporting directories via NFS, as it is possible for the scope
of the wildcard to encompass more systems than intended.
You can also restrict access to the rpcbind service via TCP wrappers. Creating rules with
iptables can also limit access to ports used by rpcbind, rpc.mountd, and rpc.nfsd.
For more information on securing NFS and rpcbind, refer to man iptables.
10.7.2. Host Access in NFSv4
The release of NFSv4 brought a revolution to the authentication and security of NFS exports. NFSv4
mandates the implementation of the RPCSEC_GSS kernel module, the Kerberos version 5 GSS-API
mechanism, SPKM-3, and LIPKEY. With NFSv4, the mandatory security mechanisms are oriented
towards authenticating individual users rather than client machines, as in NFSv2 and NFSv3. For
this reason, Red Hat recommends the use of NFSv4 over other versions whenever
possible.
Note
It is assumed that a Kerberos ticket-granting server (KDC) is installed and configured correctly,
prior to configuring an NFSv4 server. Kerberos is a network authentication system which allows
clients and servers to authenticate to each other through use of symmetric encryption and a
trusted third party, the KDC.
NFSv4 includes ACL support based on the Microsoft Windows NT model, not the POSIX model,
because of the former's features and wide deployment. NFSv2 and NFSv3 do not have support for
native ACL attributes.
Another important security feature of NFSv4 is the removal of the use of the MOUNT protocol for
mounting file systems. This protocol presented possible security holes because of the way that it
processed file handles.
For more information on the RPCSEC_GSS framework, including how rpc.svcgssd and rpc.gssd
inter-operate, refer to http://www.citi.umich.edu/projects/nfsv4/gssd/.
10.7.3. File Permissions
Once the NFS file system is mounted read/write by a remote host, the only protection each shared
file has is its permissions. If two users that share the same user ID value mount the same NFS file
system, they can modify each other's files. Additionally, anyone logged in as root on the client system
can use the su - command to access any files via the NFS share.
By default, access control lists (ACLs) are supported by NFS under Red Hat Enterprise Linux. Red Hat
recommends that you keep this feature enabled.
By default, NFS uses root squashing when exporting a file system. This sets the user ID of anyone
accessing the NFS share as the root user on their local machine to nobody. Root squashing is
controlled by the default option root_squash; for more information about this option, refer to
Section 10.6.1, “The /etc/exports Configuration File”. If possible, never disable root squashing.
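
The following audit script is an added example, not part of the original guide. It checks an exports file for the three risks discussed in this section: wildcard host patterns, disabled root squashing, and exports that do not require a Kerberos security flavor. The function name audit_exports and the sample file contents are constructed for illustration, and only the common client(options) entry form is handled.

```python
import re

# Constructed sample /etc/exports content (not from the guide).
SAMPLE_EXPORTS = """\
# path            client(options)
/srv/projects     *.example.com(rw,sync)
/srv/home         192.0.2.0/24(rw,sync,sec=krb5p)
/srv/scratch      build01.example.com(rw,no_root_squash)
/srv/pub          *(ro,sec=sys)
"""

CLIENT_RE = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")


def audit_exports(text):
    """Return a list of (path, client, finding) tuples for risky entries."""
    findings = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                findings.append((path, spec, "unparsable client spec"))
                continue
            host = m.group("host") or "*"   # empty host exports to everyone
            opts = [o.strip() for o in (m.group("opts") or "").split(",") if o.strip()]
            if any(c in host for c in "*?["):
                findings.append((path, host, "wildcard host pattern"))
            if "no_root_squash" in opts:
                findings.append((path, host, "root squashing disabled"))
            flavors = [f for o in opts if o.startswith("sec=") for f in o[4:].split(":")]
            if not any(f.startswith("krb5") for f in flavors):
                findings.append((path, host, "no Kerberos security flavor (sec=krb5*)"))
    return findings


if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:15} {host:22} {finding}")
```

To audit a live server, pass the contents of /etc/exports to audit_exports instead of the sample string.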