Chapter 3. Securing NFS
To minimize NFS security risks and protect data on the server, consider the following sections when exporting NFS file systems on a server or mounting them on a client.
3.1. NFS security with AUTH_SYS and export controls
NFS provides the following traditional options in order to control access to exported files:
- The server restricts which hosts are allowed to mount which file systems either by IP address or by host name.
The server enforces file system permissions for users on NFS clients in the same way it does for local users. Traditionally, NFS does this using the
AUTH_SYScall message (also called
AUTH_UNIX), which relies on the client to state the UID and GIDs of the user. Be aware that this means that a malicious or misconfigured client might easily get this wrong and allow a user access to files that it should not.
To limit the potential risks, administrators often limits the access to read-only or squash user permissions to a common user and group ID. Unfortunately, these solutions prevent the NFS share from being used in the way it was originally intended.
Additionally, if an attacker gains control of the DNS server used by the system exporting the NFS file system, they can point the system associated with a particular hostname or fully qualified domain name to an unauthorized machine. At this point, the unauthorized machine is the system permitted to mount the NFS share, because no username or password information is exchanged to provide additional security for the NFS mount.
Wildcards should be used sparingly when exporting directories through NFS, as it is possible for the scope of the wildcard to encompass more systems than intended.
To secure NFS and
rpcbind, use, for example,
3.2. NFS security with
All version of NFS support RPCSEC_GSS and the Kerberos mechanism.
Unlike AUTH_SYS, with the RPCSEC_GSS Kerberos mechanism, the server does not depend on the client to correctly represent which user is accessing the file. Instead, cryptography is used to authenticate users to the server, which prevents a malicious client from impersonating a user without having that user’s Kerberos credentials. Using the RPCSEC_GSS Kerberos mechanism is the most straightforward way to secure mounts because after configuring Kerberos, no additional setup is needed.
3.3. Configuring an NFS server and client to use Kerberos
Kerberos is a network authentication system that allows clients and servers to authenticate to each other by using symmetric encryption and a trusted third party, the KDC. Red Hat recommends using Identity Management (IdM) for setting up Kerberos.
The Kerberos Key Distribution Centre (
KDC) is installed and configured.
nfs/hostname.domain@REALMprincipal on the NFS server side.
host/hostname.domain@REALMprincipal on both the server and the client side.
- Add the corresponding keys to keytabs for the client and server.
- Create the
On the server side, use the
sec=option to enable the wanted security flavors. To enable all security flavors as well as non-cryptographic mounts:
Valid security flavors to use with the
sys: no cryptographic protection, the default
krb5: authentication only
krb5i: integrity protection
- uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering.
krb5p: privacy protection
- uses Kerberos V5 for user authentication, integrity checking, and encrypts NFS traffic to prevent traffic sniffing. This is the most secure setting, but it also involves the most performance overhead.
On the client side, add
sec=krb5p, depending on the setup) to the mount options:
# mount -o sec=krb5 server:/export /mnt
- Creating files as root on krb5-secured NFS. Not recommended.
3.4. NFSv4 security options
NFSv4 includes ACL support based on the Microsoft Windows NT model, not the POSIX model, because of the Microsoft Windows NT model’s features and wide deployment.
Another important security feature of NFSv4 is the removal of the use of the
MOUNT protocol for mounting file systems. The
MOUNT protocol presented a security risk because of the way the protocol processed file handles.
3.5. File permissions on mounted NFS exports
Once the NFS file system is mounted as either read or read and write by a remote host, the only protection each shared file has is its permissions. If two users that share the same user ID value mount the same NFS file system on different client systems, they can modify each others' files. Additionally, anyone logged in as root on the client system can use the
su - command to access any files with the NFS share.
By default, access control lists (ACLs) are supported by NFS under Red Hat Enterprise Linux. Red Hat recommends to keep this feature enabled.
By default, NFS uses root squashing when exporting a file system. This sets the user ID of anyone accessing the NFS share as the root user on their local machine to
nobody. Root squashing is controlled by the default option
root_squash; for more information about this option, see NFS server configuration.
When exporting an NFS share as read-only, consider using the
all_squash option. This option makes every user accessing the exported file system take the user ID of the