NFS SECURITY DESIGN                                                                                                        Back To Home

NFS like any other unprotected network protocol is vulnerable to two types of attacks: eavesdropping and impostor attack. An eavesdropper can pick up unauthorized data as it goes by on the network. An impostor can gain an unauthorized access to the network.

An NFS server is unable to distinguish falsified file handles from the file handles established by the mountd daemon. A client who manages to snoop the network and steal a file handle, can read and modify any file on the server not owned by root.

NFS exports are controlled locally – each mount point has a list of hosts to which the file system may be exported. This list is enforced by the mountd daemon only, a malicious client can access ask the servers’s portmap daemon to forward the request to the mount daemon. When mountd receives the request from portmap, it thinks it’s received from a valid client and forwards the file handle to the intruder.

If filesystem is exported without restrictions, an intruder can remotely compromise user or system files, and take over the machine.

By default, the user identity required to access a remote file or directory is specified with the UNIX numeric userid and groupid (AUTH_UNIX). Any user can run a program to generate an NFS request and obtain access to files on behalf
of any user.

Basic Measurements for Securing NFS

• Keep up with and install most current NFS security patches
• If possible export file systems read-only
• Export file systems to a restricted set of hosts
• Configure NFS so that requests are only accepted from privileged system programs
• Do not export a file system to the exporting server or to a netgroup which includes the server
• Make sure that there is no localhost reference in /etc/exportfs file and export to fully qualified domain names to diminish spoofing attempts
• Verify that the export lists does not exceed 256 characters (some systems known to ignore the list completely in this case)
• Keep all suid code on one filesystem and export it no root access, mount all other filesystems –nosuid
• Assure that statmon directories used by statd daemon to control locking services of NFS are not world writable
• Run a portmap (or rpcbind) program that does not forward mount requests
• Make sure that NIS netgroup does not contain empty host fields which are treated as wildcards and will cause mount daemon to grant access to any host
• Block TCP and UDP ports 2049 (nfs) and 111 (portmap) on the routers and firewalls
• Disable NFS if it’s not needed

Next: Mounting and Exporting

Source: http://www.sans.org/infosecFAQ/unix/nfs_security.htm