8.7. Securing NFS
8.7.1. NFS Security with AUTH_SYS and Export Controls
AUTH_UNIX) which relies on the client to state the UID and GID's of the user. Be aware that this means a malicious or misconfigured client can easily get this wrong and allow a user access to files that it should not.
rpcbind service with TCP wrappers. Creating rules with
iptablescan also limit access to ports used by
rpcbind, refer to
8.7.2. NFS Security with
Procedure 8.3. Configuring an NFS Server and Client for IdM to Use RPCSEC_GSS
For instructions, see the Adding and Editing Service Entries and Keytabs and Setting up a Kerberos-aware NFS Server sections in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.
- Create the
nfs/hostname.domain@REALMprincipal on the NFS server side.
- Create the
host/hostname.domain@REALMprincipal on both the server and the client side.
- Add the corresponding keys to keytabs for the client and server.
- On the server side, use the
sec=option to enable the wanted security flavors. To enable all security flavors as well as non-cryptographic mounts:
/export *(sec=sys:krb5:krb5i:krb5p)Valid security flavors to use with the
sys: no cryptographic protection, the default
krb5: authentication only
krb5i: integrity protection
krb5p: privacy protection
- On the client side, add
sec=krb5p, depending on the setup) to the mount options:
# mount -o sec=krb5 server:/export /mntFor information on how to configure a NFS client, see the Setting up a Kerberos-aware NFS Client section in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.
- Although Red Hat recommends using IdM, Active Directory (AD) Kerberos servers are also supported. For details, see the following Red Hat Knowledgebase article: How to set up NFS using Kerberos authentication on RHEL 7 using SSSD and Active Directory.
- If you need to write files as root on the Kerberos-secured NFS share and keep root ownership on these files, see https://access.redhat.com/articles/4040141. Note that this configuration is not recommended.
- For more information on NFS client configuration, see the exports(5) and nfs(5) manual pages, and Section 8.4, “Common NFS Mount Options”.
- For further information on the
RPCSEC_GSSframework, including how
rpc.gssdinter-operate, see the GSSD flow description.
126.96.36.199. NFS Security with NFSv4
MOUNTprotocol for mounting file systems. The
MOUNTprotocol presented a security risk because of the way the protocol processed file handles.
8.7.3. File Permissions
su -command to access any files with the NFS share.
nobody. Root squashing is controlled by the default option
root_squash; for more information about this option, refer to Section 8.6.1, “The
/etc/exportsConfiguration File”. If possible, never disable root squashing.
all_squashoption. This option makes every user accessing the exported file system take the user ID of the