184.108.40.206.2. Review the NFS Client
nosuidoption to disallow the use of a setuid program. The
nosuidoption disables the
set-group-identifierbits. This prevents remote users from gaining higher privileges by running a setuid program. Use this option on the client and the server side.
noexecoption disables all executable files on the client. Use this to prevent users from inadvertently executing files placed in the file system being shared. The
noexecoptions are standard options for most, if not all, file systems.
nodevoption to prevent “device-files” from being processed as a hardware device by the client.
resvportoption is a client-side mount option and
secureis the corresponding server-side export option (see explanation above). It restricts communication to a "reserved port". The reserved or "well known" ports are reserved for privileged users and processes such as the root user. Setting this option causes the client to use a reserved source port to communicate with the server.
All versions of NFS now support mounting with Kerberos authentication. The mount option to enable this is:
NFSv4 supports mounting with Kerberos using
krb5ifor integrity and
krb5pfor privacy protection. These are used when mounting with
sec=krb5, but need to be configured on the NFS server. Refer to the man page on exports (
man 5 exports) for more information.
The NFS man page (
man 5 nfs) has a “SECURITY CONSIDERATIONS” section which explains the security enhancements in NFSv4 and contains all the NFS specific mount options.