Securing Nfs - Red Hat ENTERPRISE LINUX 3 Reference Manual

Chapter 9. Network File System (NFS)
This line states that any directory a user tries to access under the local /home/ directory (due to the asterisk character) should result in an NFS mount on the server.example.com system on the mount point /home/. The mount options specify that each /home/ directory NFS mounts should use a particular collection of settings. For more information on mount options, including the ones used in this example, refer to Section 9.4.3 Common NFS Mount Options.

For more information about autofs configuration files, refer to the auto.master man page.

9.4.3. Common NFS Mount Options

Beyond mounting a file system via NFS on a remote host, a number of different options can be specified at the time of the mount that can make it easier to use. These options can be used with manual mount commands, /etc/fstab settings, and autofs.

The following are options commonly used for NFS mounts:

hard or soft — Specifies whether the program using a file via an NFS connection should stop and wait (hard) for the server to come back online if the host serving the exported file system is unavailable, or if it should report an error (soft).

    If hard is specified, the user cannot terminate the process waiting for the NFS communication to resume unless the intr option is also specified.

    If soft is specified, the user can set an additional timeo=<value> option, where <value> specifies the number of seconds to pass before the error is reported.

intr — Allows NFS requests to be interrupted if the server goes down or cannot be reached.

nfsvers=2 or nfsvers=3 — Specifies which version of the NFS protocol to use.

nolock — Disables file locking. This setting is occasionally required when connecting to older NFS servers.

noexec — Prevents execution of binaries on mounted file systems. This is useful if the system is mounting a non-Linux file system via NFS containing incompatible binaries.

nosuid — Disables set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program.

rsize=8192 and wsize=8192 — These settings speed up NFS communication for reads (rsize) and writes (wsize) by setting a larger data block size, in bytes, to be transferred at one time. Be careful when changing these values; some older Linux kernels and network cards do not work well with larger block sizes.

tcp — Specifies for the NFS mount to use the TCP protocol instead of UDP.

Many more options are listed on the mount man page, including options for mounting non-NFS file systems.

9.5. Securing NFS

NFS is well suited for sharing entire file systems with a large number of known hosts in a transparent manner. However, with ease of use comes a variety of potential security problems.

The following points should be considered when exporting NFS file systems on a server or mounting them on a client. Doing so minimizes NFS security risks and better protects data on the server.

For a concise listing of steps administrators can take to secure NFS servers, refer to the chapter titled Server Security in the Red Hat Enterprise Linux Security Guide.
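
A client-side check for the mount options listed in Section 9.4.3, as an added example that is not part of the Red Hat manual: it parses fstab-format lines and reports NFS mounts that lack nosuid or noexec, or that are hard mounts without intr. The sample entries, the /mnt/data and /mnt/tmp mount points and the export paths are constructed for illustration; treating a mount with no soft option as hard assumes hard is the NFS default, which the section does not state.

```python
# Added example: audit fstab-style entries for the NFS mount options above.
# SAMPLE_FSTAB is constructed; the /mnt/* shares and export paths are hypothetical.
SAMPLE_FSTAB = """\
# device                     mountpoint type options                        dump pass
server.example.com:/home     /home      nfs  rw,hard,intr,nosuid,noexec,tcp 0 0
server.example.com:/exports  /mnt/data  nfs  rw,hard,rsize=8192,wsize=8192  0 0
server.example.com:/scratch  /mnt/tmp   nfs  soft,nosuid                    0 0
/dev/hda1                    /          ext3 defaults                       1 1
"""

CHECKS = {
    "nosuid": "setuid/setgid bits on files from the server are honored",
    "noexec": "binaries stored on the share can be executed locally",
    "intr": "hard mount: a process waiting on a down server cannot be interrupted",
}


def parse_nfs_entries(text):
    """Yield (mountpoint, options) for every NFS line in fstab-format text."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[2] != "nfs":
            continue  # blank line, comment, or not an NFS file system
        # Options are comma-separated; some carry a value (rsize=8192).
        options = dict(item.partition("=")[::2] for item in fields[3].split(","))
        yield fields[1], options


def audit(text):
    """Return (mountpoint, missing_option) pairs worth reviewing."""
    findings = []
    for mountpoint, options in parse_nfs_entries(text):
        for option in ("nosuid", "noexec"):
            if option not in options:
                findings.append((mountpoint, option))
        # intr only matters for hard mounts; assumed default is hard when soft is absent.
        if "soft" not in options and "intr" not in options:
            findings.append((mountpoint, "intr"))
    return findings


if __name__ == "__main__":
    for mountpoint, option in audit(SAMPLE_FSTAB):
        print(f"{mountpoint}: {option} not set ({CHECKS[option]})")
```

The same function can be pointed at the contents of /etc/fstab; a missing noexec is a prompt for review rather than an error, since some shares legitimately hold programs the client must run.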
