Red Hat ENTERPRISE LINUX 4.5.0 Reference Manual page 168

environment, and your security concerns. The following sections explain the differences
between implementing security measures with NFSv2, NFSv3, and NFSv4. If at all possible,
use of NFSv4 is recommended over other versions of NFS.
5.1.1. Using NFSv2 or NFSv3
NFS controls who can mount an exported file system based on the host making the mount
request, not the user that actually uses the file system. Hosts must be given explicit rights to
mount the exported file system. Access control is not possible for users, other than through file
and directory permissions. In other words, once a file system is exported via NFS, any user on
any remote host connected to the NFS server can access the shared data. To limit the potential
risks, administrators often allow read-only access or squash user permissions to a common
user and group ID. Unfortunately, these solutions prevent the NFS share from being used in the
way it was originally intended.
Additionally, if an attacker gains control of the DNS server used by the system exporting the
NFS file system, the system associated with a particular hostname or fully qualified domain
name can be pointed to an unauthorized machine. At this point, the unauthorized machine is the
system permitted to mount the NFS share, since no username or password information is
exchanged to provide additional security for the NFS mount.
Wildcards should be used sparingly when exporting directories via NFS as it is possible for the
scope of the wildcard to encompass more systems than intended.
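The host-based access model described above (exports scoped by host, wildcards, read-only or squashed access, and DNS-dependent hostnames) can be checked mechanically. The following is an added example, not code from the manual: it parses exports(5)-style lines and flags world exports, wildcard hosts, hostname-based clients that depend on DNS, read-write access granted to broad client patterns, and disabled root squashing. The sample exports content and the finding codes are constructed for this illustration.

```python
import re
# Constructed sample /etc/exports (not from the manual) in exports(5) layout.
SAMPLE_EXPORTS = """\
/srv/projects   192.168.10.0/24(ro,root_squash)
/srv/home       *.example.com(rw,no_root_squash)
/srv/public     *(ro)
/srv/build      buildhost(rw,sync) 10.0.0.5(rw)
/srv/tmp        (rw)
"""
# One client token: optional host part, then optional "(options)".
CLIENT_RE = re.compile(r'(?P<host>[^\s(]*)(?:\((?P<opts>[^)]*)\))?')

def parse_exports(text):
    """Return [(path, [(client, [options]), ...]), ...], skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        parsed = []
        for token in clients:
            m = CLIENT_RE.fullmatch(token)
            host, opts = (m.group('host'), m.group('opts')) if m else (token, None)
            parsed.append((host, opts.split(',') if opts else []))
        entries.append((path, parsed))
    return entries

def audit_exports(text):
    """Return (path, client, finding) triples for host-scoping weaknesses."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            label, broad = host or '(none)', False
            if host in ('', '*'):
                # No host or "*": every host that reaches the server may mount
                # (a stray space before "(opts)" produces exactly this case).
                findings.append((path, label, 'WORLD'))
                broad = True
            elif re.fullmatch(r'[\d./]+', host) or host.startswith('@'):
                pass  # IP/CIDR or NIS netgroup: no DNS lookup involved here
            else:
                if any(ch in host for ch in '*?'):
                    findings.append((path, host, 'WILDCARD'))
                    broad = True
                # A hostname is trusted only as far as the DNS answer for it.
                findings.append((path, host, 'DNS_DEPENDENT'))
            if broad and 'rw' in opts:
                findings.append((path, label, 'RW_BROAD'))
            if 'no_root_squash' in opts:
                findings.append((path, label, 'NO_ROOT_SQUASH'))
    return findings
```

Run `audit_exports(open('/etc/exports').read())` on a real server to list the entries worth tightening; an empty result for an entry such as `/srv/projects` above is the shape to aim for.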
It is also possible to restrict access to the portmap service via TCP wrappers. Access to ports
used by portmap, rpc.mountd, and rpc.nfsd can also be limited by creating firewall rules with
iptables.
For more information on securing NFS and portmap, refer to the chapter titled Server Security
in the Red Hat Enterprise Linux Security Guide. Additional information about firewalls can be
found in Chapter 18, iptables.
5.1.2. Using NFSv4
The release of NFSv4 brought a revolution in authentication and security for NFS exports.
NFSv4 mandates the implementation of the RPCSEC_GSS kernel module, the Kerberos
version 5 GSS-API mechanism, SPKM-3, and LIPKEY. With NFSv4, the mandatory security
mechanisms are oriented towards authenticating individual users, and not client machines as
used in NFSv2 and NFSv3.
Note
It is assumed that a Kerberos ticket-granting server (KDC) is installed and
configured correctly, prior to configuring an NFSv4 server.
NFSv4 includes ACL support based on the Microsoft Windows NT model, not the POSIX model,