Why does the showmount command display NFS shares to clients that are not in the /etc/exports list of the NFS server?

Solution Verified

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • NFS

Issue

  • Linux clients that are not listed in the NFS server's /etc/exports can still discover the server's NFS shares.
  • A remote vulnerability scanning tool reports this as a vulnerability on the NFS server.

Resolution

  • The NFS server has to explicitly export a share before clients can mount and access it.
  • An NFS share cannot be accessed by a client before it is mounted, and the mount itself is denied for clients that are not in the server's export list.
  • There is no security harm in displaying NFS shares to clients that are not in the /etc/exports list of the NFS server.
  • The scanning tool detecting exported shares on the NFS server is nothing wrong in itself: the shares are meant to be exported to NFS clients.
  • Firewall/iptables rules can be implemented to stop the scanning tool from detecting the exported shares.
  • TCP wrappers can be used to completely deny the service to specific clients. Add the entry below to the '/etc/hosts.deny' file of your server:
   mountd : <IP_Address/Network_range_of_client(s)>

Root Cause

  • The man page for showmount says: "showmount queries the mount daemon on a remote host for information about the state of the NFS server on that machine. With no options showmount lists the set of clients who are mounting from that host. The output from showmount is designed to appear as though it were processed through 'sort -u'".
  • It is expected that the showmount program discovers the NFS shares of the specified server. There is no security harm in it.

Diagnostic Steps

  • Discover the NFS shares from a client that is not in the /etc/exports list of the NFS server:
# showmount -e 192.168.122.169
Export list for 192.168.122.169:
/nfsshare 192.168.122.144
  • Then try to mount the NFS share on that client; permission is denied:
# mount -vvv 192.168.122.169:/nfsshare /mnt
mount: fstab path: "/etc/fstab"
mount: mtab path:  "/etc/mtab"
mount: lock path:  "/etc/mtab~"
mount: temp path:  "/etc/mtab.tmp"
mount: UID:        0
mount: eUID:       0
mount: no type was given - I'll assume nfs because of the colon
mount: spec:  "192.168.122.169:/nfsshare"
mount: node:  "/mnt"
mount: types: "nfs"
mount: opts:  "(null)"
final mount options: '(null)'
mount: external mount: argv[0] = "/sbin/mount.nfs"
mount: external mount: argv[1] = "192.168.122.169:/nfsshare"
mount: external mount: argv[2] = "/mnt"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw"
mount.nfs: timeout set for Tue Jan 12 18:33:27 2016
mount.nfs: trying text-based options 'vers=4,addr=192.168.122.169,clientaddr=192.168.122.109'
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting 192.168.122.169:/nfsshare

Even though the share is discoverable, access is denied for clients that are not in the server's export list.
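The distinction the diagnostic output above rests on, discoverable versus mountable, can be checked without touching a server. The following Python example is added here and is not part of the article or of any Red Hat tool: it evaluates an exports(5) client list the way mountd does at MOUNT time (single address, CIDR, address/netmask and wildcard host names); the exports content, the addresses other than those on the page, and the caller-supplied hostname are constructed assumptions.

```python
import ipaddress
import re

# Constructed exports(5) content for this example (assumed, not taken from a
# real server); the first entry mirrors the page's "/nfsshare 192.168.122.144".
EXPORTS = """
/nfsshare 192.168.122.144(rw,sync,no_root_squash)
/pub      192.168.122.0/24(ro) *.lab.example.com(rw)
/backup   10.0.0.0/255.0.0.0(rw)   # netmask form is also valid
"""

def parse_exports(text):
    """Return {path: [(client_spec, options), ...]}. Only the common
    'path client(opts) client(opts)' layout is handled; a path with no
    client spec is treated as mountable by anyone, as exports(5) says."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        entries = []
        for spec in specs:
            client, _, opts = spec.partition("(")
            entries.append((client or "*", opts.rstrip(")")))
        exports[path] = entries or [("*", "")]
    return exports

def client_matches(spec, addr, hostname=None):
    """Match one client spec (single IP, CIDR, addr/netmask or wildcard host
    name) against a client. The hostname is supplied by the caller here; a
    real mountd obtains it by reverse DNS lookup of the connecting address."""
    if spec == "*":
        return True
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass  # not an address form, so treat it as a host name pattern
    # exports(5): '*' and '?' in a wildcard never match a dot in the domain name
    regex = "".join({"*": "[^.]*", "?": "[^.]"}.get(c, re.escape(c)) for c in spec)
    return re.fullmatch(regex, hostname or "", re.IGNORECASE) is not None

def mountable_exports(text, addr, hostname=None):
    """Paths this client may actually mount: the check mountd makes at MOUNT
    time. showmount -e lists every path in the file regardless of the caller."""
    return sorted(path for path, entries in parse_exports(text).items()
                  if any(client_matches(c, addr, hostname) for c, _ in entries))
```

With the page's addresses, 192.168.122.144 gets /nfsshare while 192.168.122.109 does not, even though `showmount -e` shows /nfsshare to both.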

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.