environment, and your security concerns. The following sections explain the differences between implementing security measures with NFSv2, NFSv3, and NFSv4. If at all possible, use of NFSv4 is recommended over other versions of NFS.

5.1.1. Using NFSv2 or NFSv3

NFS controls who can mount an exported file system based on the host making the mount request, not the user that actually uses the file system. Hosts must be given explicit rights to mount the exported file system. Access control is not possible for users, other than through file and directory permissions. In other words, once a file system is exported via NFS, any user on any remote host connected to the NFS server can access the shared data. To limit the potential risks, administrators often allow read-only access or squash user permissions to a common user and group ID. Unfortunately, these solutions prevent the NFS share from being used in the way it was originally intended.

Additionally, if an attacker gains control of the DNS server used by the system exporting the NFS file system, the system associated with a particular hostname or fully qualified domain name can be pointed to an unauthorized machine. At this point, the unauthorized machine is the system permitted to mount the NFS share, since no username or password information is exchanged to provide additional security for the NFS mount.

Wildcards should be used sparingly when exporting directories via NFS, as it is possible for the scope of the wildcard to encompass more systems than intended.

It is also possible to restrict access to the portmap service via TCP wrappers. Access to ports used by portmap, rpc.mountd, and rpc.nfsd can also be limited by creating firewall rules with iptables.

For more information on securing NFS and portmap, refer to the chapter titled Server Security in the Red Hat Enterprise Linux Security Guide. Additional information about firewalls can be found in Chapter 18, iptables.

5.1.2. Using NFSv4

The release of NFSv4 brought a revolution in authentication and security to NFS exports. NFSv4 mandates the implementation of the RPCSEC_GSS kernel module, the Kerberos version 5 GSS-API mechanism, SPKM-3, and LIPKEY. With NFSv4, the mandatory security mechanisms are oriented towards authenticating individual users, and not client machines as used in NFSv2 and NFSv3.

Note
It is assumed that a Kerberos ticket-granting server (KDC) is installed and configured correctly, prior to configuring an NFSv4 server.

NFSv4 includes ACL support based on the Microsoft Windows NT model, not the POSIX model,

Chapter 9. Network File Syste...144
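The following script is an added example, not part of the Red Hat guide. It audits an /etc/exports-style file for the host-based trust weaknesses described in the NFSv2/NFSv3 section (exports open to every host, wildcard client patterns, and no_root_squash) and reports which entries instead rely on Kerberos user authentication via the exports(5) sec=krb5* option, which is the per-user model the NFSv4 section describes. The sample exports file, the paths and hostnames in it, and the severity labels are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): audit an /etc/exports-style file
# for host-based trust weaknesses. The sample file below is constructed.

EXPORTS_SAMPLE=$(mktemp)
cat > "$EXPORTS_SAMPLE" <<'EOF'
# constructed sample /etc/exports, not a real configuration
/srv/home   *(rw,no_root_squash)
/srv/pub    *.example.com(ro)
/srv/data   192.168.10.0/24(rw,root_squash) backup.example.com
/srv/krb    client1.example.com(rw,sec=krb5p)
EOF

# audit_exports FILE
# Prints one finding per client spec: "<SEVERITY> <path> <client> <reason>".
audit_exports() {
    # drop comment and blank lines; each export line is: path client(opts) [client(opts)...]
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r path clients; do
        for spec in $clients; do
            client=${spec%%\(*}
            if [ "$spec" = "$client" ]; then
                opts=""                 # no option list: exports(5) defaults apply
            else
                opts=${spec#*\(}; opts=${opts%\)}
            fi
            # a bare "*" trusts every host; other wildcards widen scope unpredictably
            case "$client" in
                '*')         echo "HIGH $path $client exported-to-every-host" ;;
                *'*'*|*'?'*) echo "MEDIUM $path $client wildcard-client-scope" ;;
            esac
            # no_root_squash lets a remote root act as root on the export
            case ",$opts," in
                *,no_root_squash,*) echo "HIGH $path $client no_root_squash" ;;
            esac
            # sec=krb5/krb5i/krb5p authenticates users; anything else trusts the host
            case ",$opts," in
                *,sec=krb5*) echo "OK $path $client kerberos-user-auth" ;;
                *)           echo "INFO $path $client host-based-trust-only" ;;
            esac
        done
    done
}

# high_count FILE -> number of HIGH findings (what a periodic check would alarm on)
high_count() {
    audit_exports "$1" | grep -c '^HIGH' || true
}

audit_exports "$EXPORTS_SAMPLE"
echo "high findings: $(high_count "$EXPORTS_SAMPLE")"
```

Run against the real /etc/exports, the HIGH findings are the entries to tighten first (narrow the client list, add root_squash or ro); the INFO entries are the ones whose security rests entirely on hostname and DNS integrity, which is the exposure the text describes.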