Red Hat ENTERPRISE LINUX 3 Reference Manual

Also see for ENTERPRISE LINUX 3 - SECURITY GUIDE: Tuning guide Installation guide Installation guide Installation guide Manual

Contents

114 Chapter 9. Network File System (NFS)WarningNFS mount privileges are granted to the client host, not the user. Therefore, exported file systemscan be accessed by any user on a client host with access permissions. When configuring the NFSshares, be very careful which hosts get read/write permissions (rw).9.1.1. Required ServicesRed Hat Enterprise Linux uses a combination of kernel-level support and daemon processes to provideNFS file sharing. NFS relies on Remote Procedure Calls (RPC) to route requests between clients andservers . RPC services under Linux are controlled by the portmap service. To share or mount NFSfile systems, the following services work together:• nfs — Starts the appropriate RPC processes to service requests for shared NFS file systems.• nfslock — An optional service that starts the appropriate RPC processes to allow NFS clients tolock files on the server.• portmap — The RPC service for Linux; it responds to requests for RPC services and sets upconnections to the requested RPC service.The following RPC processes work together behind the scenes to facilitate NFS services:• rpc.mountd — This process receives mount requests from NFS clients and verifies the requestedfile system is currently exported. This process is started automatically by the nfs service and doesnot require user configuration.• rpc.nfsd — This process is the NFS server. It works with the Linux kernel to meet the dynamicdemands of NFS clients, such as providing server threads each time an NFS client connects. Thisprocess corresponds to the nfs service.• rpc.lockd — An optional process that allows NFS clients to lock files on the server. This processcorresponds to the nfslock service.• rpc.statd — This process implements the Network Status Monitor (NSM) RPC protocol whichnotifies NFS clients when an NFS server is restarted without being gracefully brought down. Thisprocess is started automatically by the nfslock service and does not require user configuration.• rpc.rquotad — This process provides user quota information for remote users. This process isstarted automatically by the nfs service and does not require user configuration.9.1.2. NFS and portmapThe portmap service under Linux maps RPC requests to the correct services. RPC processes notifyportmap when they start, revealing the port number they are monitoring and the RPC program num-bers they expect to serve. The client system then contacts portmap on the server with a particularRPC program number. The portmap service redirects the client to the proper port number so it cancommunicate with the requested service.Because RPC-based services rely on portmap to make all connections with incoming client requests,portmap must be available before any of these services start.The portmap service uses TCP wrappers for access control, and access control rules for portmapaffect all RPC-based services. Alternatively, it is possible to specify access control rules for each of theNFS RPC daemons. The man pages for rpc.mountd and rpc.statd contain information regardingthe precise syntax for these rules.