
Another important security feature of NFSv4 is the removal of the use of the MOUNT protocol for mounting file systems. This protocol presented possible security holes because of the way that it processed file handles.
9.8.3. File Permissions
Once the NFS file system is mounted read/write by a remote host, the only protection each shared file has is its permissions. If two users that share the same user ID value mount the same NFS file system, they can modify each other's files. Additionally, anyone logged in as root on the client system can use the su - command to access any files within the NFS share.
By default, access control lists (ACLs) are supported by NFS under Red Hat Enterprise Linux. Red Hat recommends that this feature be kept enabled.
By default, NFS uses root squashing when exporting a file system. This sets the user ID of anyone accessing the NFS share as the root user on their local machine to nobody. Root squashing is controlled by the default option root_squash; for more information about this option, refer to Section 9.7.1, "The /etc/exports Configuration File". If possible, never disable root squashing.
When exporting an NFS share as read-only, consider using the all_squash option. This option makes every user accessing the exported file system take the user ID of the nfsnobody user.
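The squash options above are set per export in /etc/exports, so a quick way to apply the guidance is to audit that file. The following script is an added example and is not part of the Red Hat guide: it parses an exports-style listing (a constructed sample is embedded; on a real host you would feed /etc/exports) and reports every export that disables root squashing, or that is read-only without all_squash. It treats an export with no rw option as read-only, which is the exports(5) default.

```shell
#!/bin/sh
# Added example: audit an /etc/exports-style file for squash settings.
# EXPORTS_SAMPLE is a constructed sample, not a real system's file.
EXPORTS_SAMPLE='# constructed sample /etc/exports
/srv/share      192.168.1.0/24(rw,sync)
/srv/admin      192.168.1.10(rw,sync,no_root_squash)
/srv/pub        *(ro,sync)
/srv/pub2       *(ro,sync,all_squash)
/srv/legacy     backup.example.com'

# Read exports lines from the given file (or stdin) and print
# "<path> <client> <finding>" for each client entry that either
# carries no_root_squash, or is read-only (no rw option; ro is the
# exports(5) default) without all_squash.
audit_exports() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }       # skip blank lines and comments
        {
            path = $1
            for (i = 2; i <= NF; i++) {      # each client entry: host(opts)
                client = $i
                opts = ""
                if (match(client, /\(.*\)/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                o = "," opts ","             # pad so option names match whole
                if (index(o, ",no_root_squash,") > 0)
                    print path, client, "no_root_squash"
                else if (index(o, ",rw,") == 0 && index(o, ",all_squash,") == 0)
                    print path, client, "ro_without_all_squash"
            }
        }' "$@"
}

# Run the audit over the embedded sample.
audit_sample() {
    printf '%s\n' "$EXPORTS_SAMPLE" | audit_exports
}

# Usage on a live host: audit_exports /etc/exports
audit_sample
```

The sample produces three findings: /srv/admin disables root squashing, while /srv/pub and the option-less /srv/legacy are read-only exports that do not use all_squash.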
9.9. NFS and rpcbind
Note
The following section only applies to NFSv2 or NFSv3 implementations that require the rpcbind service for backward compatibility.
The rpcbind[3] utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service.
Because RPC-based services rely on rpcbind to make all connections with incoming client requests, rpcbind must be available before any of these services start.
The rpcbind service uses TCP wrappers for access control, and access control rules for rpcbind affect all RPC-based services. Alternatively, it is possible to specify access control rules for each of the NFS RPC daemons. The man pages for rpc.mountd and rpc.statd contain information regarding the precise syntax for these rules.
9.9.1. Troubleshooting NFS and rpcbind
Because rpcbind[3] provides coordination between RPC services and the port numbers used to communicate with them, it is useful to view the status of current RPC services using rpcbind when troubleshooting. The rpcinfo command shows each RPC-based service with port numbers, an RPC program number, a version number, and an IP protocol type (TCP or UDP).
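Because the rpcinfo listing is a table of program numbers, it can be checked mechanically rather than read by eye. The script below is an added example, not from the Red Hat guide: it reads an rpcinfo -p style listing on stdin (a constructed sample is embedded) and reports which of the RPC programs an NFSv2/v3 server depends on are not registered with rpcbind. The program numbers are the standard RPC assignments (100000 portmapper, 100003 nfs, 100005 mountd, 100021 nlockmgr, 100024 status); the port numbers in the sample are made up.

```shell
#!/bin/sh
# Added example: check an "rpcinfo -p" listing for the RPC programs an
# NFSv2/v3 server needs. RPCINFO_SAMPLE is constructed output, not a
# capture from a real host; note that it lacks the status (rpc.statd) entry.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp  39452  nlockmgr
    100021    1   tcp  39452  nlockmgr'

# Standard RPC program numbers for the services named in the guide.
REQUIRED_PROGRAMS='100000:portmapper 100003:nfs 100005:mountd 100021:nlockmgr 100024:status'

# Read an rpcinfo -p listing on stdin. Print "MISSING <name> (<program>)"
# for every required program number absent from column 1 and return 1;
# print nothing and return 0 when all are registered.
check_rpc_services() {
    listing=$(cat)
    rc=0
    for entry in $REQUIRED_PROGRAMS; do
        prog=${entry%%:*}
        name=${entry#*:}
        if ! printf '%s\n' "$listing" |
             awk -v p="$prog" '$1 == p { found = 1 } END { exit !found }'; then
            echo "MISSING $name ($prog)"
            rc=1
        fi
    done
    return $rc
}

# Run the check over the embedded sample.
check_sample() {
    printf '%s\n' "$RPCINFO_SAMPLE" | check_rpc_services
}

# Usage on a live host: rpcinfo -p | check_rpc_services
check_sample || echo "one or more NFS RPC services are not registered with rpcbind"
```

Against the sample the check reports the missing status program (100024), which is the registration rpc.statd makes; with that line present in the listing it exits 0 and prints nothing.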
To make sure the proper NFS RPC-based services are enabled for rpcbind, issue the following command:
Chapter 9. Network File System (NFS), page 71