Red Hat LINUX 7.2 Reference Manual page 286

NFS version 2 uses the User Datagram Protocol (UDP) to provide a stateless network connection
between the client and server. (NFS version 3 can use UDP or TCP running over IP.) The stateless
UDP connection minimizes network traffic, as the NFS server sends the client a cookie after the client
is authorized to access the shared volume. This cookie, a random value stored on the server's
side, is passed with any RPC requests from the client to the server. The NFS server can be restarted
without affecting the clients, and the cookie remains intact.
With NFS, authentication only occurs when the client attempts to mount a remote filesystem.
The NFS server uses the /etc/hosts.allow and /etc/hosts.deny files to determine if a
particular host should be specifically permitted or prevented access via NFS. Then, the NFS server
refers to the /etc/exports file to determine that host's privileges for the various mounts available.
After granting access, any file and directory operations are sent to the server using remote procedure
calls.
WARNING

NFS mount privileges are granted specifically to a host, not a user. If
you grant a host access to a particular part of your hard drive with NFS,
users of that machine will have access to your shared data.

When configuring the /etc/exports file, be extremely careful when
sharing directories with read-write permissions (rw) to a remote host.
Users of remote systems mounting your export will be able to modify
data in the exported filesystem.
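The read-write warning above can be turned into a routine check of /etc/exports. The following Python sketch is an added example, not part of the Red Hat manual: the sample file, host names and the HIGH/REVIEW labels are constructed for illustration, and the parsing assumes the exports(5) syntax (options in parentheses attached to the host name, read-only unless rw is given).

```python
import re

# Constructed sample in /etc/exports syntax (not taken from the manual).
SAMPLE_EXPORTS = """\
/srv/docs      build.example.com(ro)
/srv/projects  dev1.example.com(rw,sync) *.example.com(ro)
/srv/scratch   *(rw)
# A space before "(" detaches the options from the host name:
/home          admin.example.com (rw)
/srv/pub       192.168.0.0/255.255.255.0(rw) \\
               backup.example.com
"""

# Either "host" / "host(opts)", or a bare "(opts)" that applies to any host.
CLIENT = re.compile(r"([^\s()]+)(?:\(([^)]*)\))?|\(([^)]*)\)")


def parse_exports(text):
    """Yield (directory, host, options) per client; host "" means any host."""
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)  # drop comments
        if not fields:
            continue
        directory = fields[0]
        # Assumption: a directory listed with no client is open to any host.
        clients = fields[1] if len(fields) > 1 else "()"
        for m in CLIENT.finditer(clients):
            host = m.group(1) or ""
            opts = m.group(2) or m.group(3) or ""
            yield directory, host, {o.strip() for o in opts.split(",") if o.strip()}


def audit_exports(text):
    """Return (severity, directory, host) for every read-write export."""
    findings = []
    for directory, host, opts in parse_exports(text):
        if "rw" not in opts:  # exports are read-only unless rw is given
            continue
        # HIGH: writable by any host or a wildcard pattern; REVIEW: a named host or network.
        unrestricted = host == "" or "*" in host or "?" in host
        severity = "HIGH" if unrestricted else "REVIEW"
        findings.append((severity, directory, host or "<any host>"))
    return findings


if __name__ == "__main__":
    for severity, directory, host in audit_exports(SAMPLE_EXPORTS):
        print(f"{severity:6} {directory:14} writable by all users on {host}")
```

In the constructed /home line, the space before (rw) leaves admin.example.com with the read-only default and grants read-write to every other host, which is why it is reported as HIGH.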
17.1.1 NFS and portmap
NFS relies upon remote procedure calls (RPC) to function. portmap is required to map RPC requests
to the correct services. RPC processes notify portmap when they start, revealing the port number
they are monitoring and the RPC program numbers they expect to serve. The client system then
contacts portmap on the server with a particular RPC program number. portmap then redirects the
client to the proper port number to communicate with its intended service.
Because RPC-based services rely on portmap to make all connections with incoming client requests,
portmap must be available before any of these services start. If, for some reason, the portmap
service unexpectedly quits, restart portmap and any services running when it was started.
The portmap service can be used with the host access files (/etc/hosts.allow and
/etc/hosts.deny) to control which remote systems are permitted to use RPC-based services on
your machine. See Chapter 9, TCP Wrappers and xinetd for more information. Access control
rules for portmap will affect all RPC-based services. Alternatively, you can specify each of the NFS
Chapter 17: Network File System (NFS)