User guide
2.2.4. Securing NFS
Important
The version of NFS included in Red Hat Enterprise Linux 6, NFSv4, no longer requires the
portmap service (provided by rpcbind in Red Hat Enterprise Linux 6) as outlined in Section 2.2.2,
“Securing Portmap”. TCP is the default transport for all NFS versions and is mandatory for NFSv4;
NFSv2 and NFSv3 can still be served over UDP. NFSv4 also supports Kerberos authentication of
users and groups through RPCSEC_GSS, which is implemented in the kernel. Information on
portmap is still included, since Red Hat Enterprise Linux 6 supports NFSv2 and NFSv3, both of
which depend on it to register their ports.
2.2.4.1. Carefully Plan the Network
NFSv4 can authenticate clients with Kerberos and, when the export is mounted with sec=krb5p,
encrypt all NFS traffic; sec=krb5 authenticates only and sec=krb5i adds integrity protection, so
choose the security flavor deliberately and configure the service correctly if it is behind a firewall
or on a segmented network. NFSv2 and NFSv3 still rely on AUTH_SYS, which trusts the user and
group IDs the client sends, and they pass data in clear text, so they should only be used on trusted
network segments. Careful network design in all of these regards helps prevent security breaches.
2.2.4.2. Beware of Syntax Errors
The NFS server determines which file systems to export and which hosts to export these directories to
by consulting the /etc/exports file. Be careful not to add extraneous spaces when editing this file.
For instance, the following line in the /etc/exports file shares the directory /tmp/nfs/ to the host
bob.example.com with read/write permissions.
/tmp/nfs/ bob.example.com(rw)
The following line in the /etc/exports file, on the other hand, shares the same directory to the host
bob.example.com with read-only permissions (the default when no options are given) and shares it
to the world with read/write permissions: the single space after the hostname turns (rw) into a
separate entry with no host part, which applies to every host.
/tmp/nfs/ bob.example.com (rw)
It is good practice to check any configured NFS shares by using the showmount command to verify
what is being shared and to whom; on the server itself, exportfs -v additionally shows the effective
options of each export, including whether root_squash is in force:
showmount -e <hostname>
2.2.4.3. Do Not Use the no_root_squash Option
By default (the root_squash option), the NFS server maps requests from the remote root user (UID
and GID 0) to the anonymous nfsnobody user, an unprivileged account. Files that remote root creates
are therefore owned by nfsnobody, so remote root cannot plant a root-owned program with the setuid
bit set on the export.
If no_root_squash is used, remote root keeps full privileges on the shared file system: it can change
any file and leave trojaned binaries for other users to execute inadvertently. As a second line of
defense, mount NFS file systems on clients with the nosuid and nodev options so that setuid bits and
device nodes on the export are ignored.
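The two mistakes described in Sections 2.2.4.2 and 2.2.4.3 are both visible in /etc/exports before the server is ever started. The following checker is an added example, not part of this guide or of nfs-utils: it parses exports lines the way exports(5) describes them (a token with no host part applies to every host; ro, root_squash and sync are the defaults) and reports world-wide exports and no_root_squash. The sample file contents are constructed for the example.

```python
import re

# Constructed sample /etc/exports content (not taken from a real host).
SAMPLE_EXPORTS = """\
# correct: one client, read/write, root squashed by default
/tmp/nfs/ bob.example.com(rw)
# wrong: the space before "(rw)" makes bob read-only and the world read/write
/srv/data bob.example.com (rw)
# dangerous: remote root keeps UID 0 on this export
/srv/build 192.168.1.0/24(rw,no_root_squash)
"""

# Option pairs where the first is the exports(5) default when neither is given.
DEFAULT_PAIRS = [("ro", "rw"), ("root_squash", "no_root_squash"), ("sync", "async")]


def parse_exports(text):
    """Return a list of (path, client, options) with one entry per client token.

    A token like "host(opts)" names a client; a bare "host" uses default options;
    a token that is only "(opts)" has no host part, which exports(5) treats as
    every host ("*"). Comments and blank lines are skipped; quoted paths with
    spaces and backslash continuations are not handled by this example.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        for tok in clients:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", tok)
            client = m.group(1) or "*"
            opts = set(m.group(2).split(",")) if m.group(2) else set()
            entries.append((path, client, opts))
    return entries


def effective_options(opts):
    """Add the exports(5) defaults for every option pair the entry leaves unset."""
    eff = set(opts)
    for default, override in DEFAULT_PAIRS:
        if default not in eff and override not in eff:
            eff.add(default)
    return eff


def audit(text):
    """Return (path, client, message) findings for the two dangerous patterns."""
    findings = []
    for path, client, opts in parse_exports(text):
        eff = effective_options(opts)
        if client == "*":
            mode = "read/write" if "rw" in eff else "read-only"
            findings.append((path, client, "exported to every host, %s" % mode))
        if "no_root_squash" in eff:
            findings.append((path, client,
                             "no_root_squash: remote root is root on this export"))
    return findings


if __name__ == "__main__":
    for path, client, msg in audit(SAMPLE_EXPORTS):
        print("%s %s: %s" % (path, client, msg))
```

Run it against a real file with `audit(open("/etc/exports").read())`; the server-side check `exportfs -v` should then agree with what the parser reports for each export.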
2.2.4.4. NFS Firewall Configuration
The nfsd service itself listens on the fixed port 2049, but the helper services (mountd, statd and
lockd among them) bind to ports assigned dynamically at start-up and register them with rpcbind,
which makes it difficult to write static firewall rules. To simplify this process, use the
/etc/sysconfig/nfs file to specify which ports these services are to use: