
Page 1: NFS Admin And Security

NFS Admin And Security

Steve Nuchia

Sravani Motati

Ashish Katyarmal

Page 2: NFS Admin And Security

NFS Overview

[Figure: two matching directory trees, labelled Server and Client, each rooted at / with home, usr and bin subtrees (entries a, b and c beneath them)]

NFS: Export Subtree / Windows: Share Folder

NFS: Mount a remote filesystem / Windows: map a shared drive

In Windows you get a new drive letter. In Unix, the imported file tree can be mounted as a subtree anywhere in your tree.

Page 3: NFS Admin And Security

Setting Up NFS Server

Three main configuration files: /etc/exports, /etc/hosts.allow, /etc/hosts.deny

Only /etc/exports is needed for NFS to work, but to make the sharing secure we need the other two.

Page 4: NFS Admin And Security

/etc/exports

• This file is the standard for controlling which filesystems are exported to which hosts, as well as specifying particular options that control everything.

• Contains a list of entries.

• Each entry indicates a volume that is shared and how it is shared.

• A typical entry will look like:

directory machine1(option11,option12) machine2(option21,option22)

Page 5: NFS Admin And Security

directory machine1(option11,option12) machine2(option21,option22)

directory

The directory you want to share. All directories under it within the same filesystem will be shared as well.

machine1 and machine2

Client machines that will have access to the directory. The machines may be listed by their IP address or their DNS address.

Page 6: NFS Admin And Security

directory machine1(option11,option12) machine2(option21,option22)

optionxx

The option listing for each machine describes what kind of access that machine will have.

ro: The directory is shared read only (the default).

rw: The client machine will have read and write access to the directory.

Page 7: NFS Admin And Security

directory machine1(option11,option12) machine2(option21,option22)

no_root_squash:

The root user on the client machine will have the same level of access to the files on the system as root on the server.

This can have serious security implications, but one might need it to perform administrative work on the client machine that involves the exported directories.

Page 8: NFS Admin And Security

directory machine1(option11,option12) machine2(option21,option22)

no_subtree_check

If only part of a volume is exported, a routine called subtree checking verifies that a file that is requested from the client is in the appropriate part of the volume. If the entire volume is exported, disabling this check will speed up transfers.

Page 9: NFS Admin And Security

directory machine1(option11,option12) machine2(option21,option22)

sync

A version 2 NFS server will tell a client machine that a file write is complete; however, the file system may not have synced it to the disk. The default behavior may therefore cause file corruption if the server reboots. This option forces the filesystem to sync to disk every time NFS completes a write operation. Version 3 NFS has a commit operation that the client can call that actually results in a disk sync on the server end.

Page 10: NFS Admin And Security

Example

Two client machines, slave1 and slave2, with IP addresses 192.168.0.1 and 192.168.0.2, respectively. To share software binaries and home directories with these machines, the entries in /etc/exports will look like:

/usr/local 192.168.0.1(ro) 192.168.0.2(ro)

/home 192.168.0.1(rw) 192.168.0.2(rw)

Page 11: NFS Admin And Security

Simplifications for the Entries

Can give access to a range of machines at once by specifying a network and a netmask, e.g.

/usr/local 192.168.0.0/255.255.255.0(ro)

Can use wildcards such as *.foo.com or 192.168. instead of hostnames.

These simplifications could cause a security risk if there are machines in the netgroup or local network which cannot be trusted completely.
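An added example (not from the slides) that parses the /etc/exports format described on the preceding slides and flags the patterns they warn about: no_root_squash, rw granted to a netmask or wildcard match rather than a single host, and writable exports without sync. The sample file is constructed here from the slides' /usr/local and /home entries plus two riskier lines; the finding codes are this example's own.

```python
import ipaddress
import re

# Constructed sample, modelled on the slides' /usr/local and /home example,
# with two riskier entries added so the audit has something to report.
SAMPLE_EXPORTS = """\
# software binaries and home directories for slave1 and slave2
/usr/local  192.168.0.1(ro) 192.168.0.2(ro)
/home       192.168.0.1(rw) 192.168.0.2(rw)
/srv/build  192.168.0.0/255.255.255.0(rw,no_root_squash,sync)
/opt/tools  *.foo.com(ro) 192.168.(rw)
"""

# client token: everything up to an optional "(opt,opt)" suffix
CLIENT_RE = re.compile(r"([^(\s]+)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Parse exports text into [(directory, [(client, [option, ...]), ...]), ...]."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        directory, *tokens = line.split()
        clients = []
        for token in tokens:
            match = CLIENT_RE.fullmatch(token)
            if match is None:
                raise ValueError(f"malformed client entry: {token!r}")
            client, opts = match.group(1), match.group(2) or ""
            options = [o.strip() for o in opts.split(",") if o.strip()]
            clients.append((client, options))
        exports.append((directory, clients))
    return exports


def classify_client(client):
    """How broad a client spec is: host, network, wildcard, netgroup or everyone."""
    if client == "*":
        return "everyone"
    if "*" in client or "?" in client or client.endswith("."):
        return "wildcard"          # *.foo.com, or the 192.168. prefix form
    if client.startswith("@"):
        return "netgroup"
    if "/" in client:
        return "network"           # 192.168.0.0/255.255.255.0 or CIDR
    return "host"                  # a single IP address or DNS name


def match_width(client):
    """Number of addresses a network/netmask spec covers; None if not a network."""
    if classify_client(client) != "network":
        return None
    return ipaddress.ip_network(client, strict=False).num_addresses


def audit_exports(exports):
    """Return (directory, client, code) findings for the risky patterns the slides warn about."""
    findings = []
    for directory, clients in exports:
        for client, options in clients:
            kind = classify_client(client)
            writable = "rw" in options
            if "no_root_squash" in options:
                # client root is root on the server for this export
                findings.append((directory, client, "no_root_squash"))
            if writable and kind != "host":
                # rw to a whole network, wildcard or netgroup: any untrusted
                # machine matching the pattern can write
                findings.append((directory, client, "rw_broad"))
            if writable and "sync" not in options:
                # without sync, a v2 server acknowledges writes not yet on disk
                findings.append((directory, client, "unsynced_writes"))
    return findings
```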

Page 12: NFS Admin And Security

Few Cautions

If a directory is exported, its parent and child directories cannot be exported if they are in the same filesystem; but if a directory is exported, all the underlying subdirectories within that filesystem will be exported.

Poor idea to export a FAT filesystem with NFS.

Device or other special files may not be exported correctly to non-Linux clients.

Page 13: NFS Admin And Security

/etc/hosts.allow and /etc/hosts.deny

These files specify which computers on the network can use services on the machine.

Each line is an entry listing a service and a set of machines.

When a server gets a request from a client:
It first checks hosts.allow
Then it checks hosts.deny
No listing in either file, then access is allowed

Page 14: NFS Admin And Security

Security through daemons

In addition to controlling access to services handled by inetd, these files can also control access to NFS by restricting connections to the daemons.

The first daemon to restrict access to is the portmapper. Restricting access to this is the best defense, but it is not enough if the intruder knows how to find the daemons.

Restricting portmapper will also restrict NIS, but usually NFS and NIS are restricted in a similar way.

Good idea to explicitly deny access to hosts that don't need access.

Page 15: NFS Admin And Security

Steps

Add portmap:ALL to /etc/hosts.deny

portmap:ALL

Add entries for each of the NFS daemons to /etc/hosts.deny

lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL

Adding the entry ALL:ALL to /etc/hosts.deny will cause any service that looks at these files to deny access to all hosts unless explicitly allowed (this is the more secure behavior).

Page 16: NFS Admin And Security

Steps (continued)

Add entries to hosts.allow to give hosts access.

A typical entry in hosts.allow will look like:

service: host [or network/netmask] , host [or network/netmask]

Here host is the IP address of a potential client (it may be possible in some versions to use the DNS name of the host, but it is strongly deprecated).

Page 17: NFS Admin And Security

Example

To allow access to slave1.foo.com and slave2.foo.com, and suppose that the IP addresses of these machines are 192.168.0.1 and 192.168.0.2, respectively. We could add the following entry to /etc/hosts.allow:

portmap: 192.168.0.1 , 192.168.0.2

For recent nfs-utils we would add the following entries:

lockd: 192.168.0.1 , 192.168.0.2
rquotad: 192.168.0.1 , 192.168.0.2
mountd: 192.168.0.1 , 192.168.0.2
statd: 192.168.0.1 , 192.168.0.2
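An added example (not from the slides) that models the lookup order the hosts.allow / hosts.deny slides describe: hosts.allow first, then hosts.deny, and access allowed when neither file lists the pair. The two files are constructed from the slides' steps and example; only IP-style client patterns (exact address, network/netmask, a trailing-dot prefix, ALL) are modelled, and the EXCEPT, KNOWN and LOCAL keywords of the real access-control language are deliberately left out.

```python
import ipaddress
import re

# Constructed hosts.deny / hosts.allow pair following the slides' recipe:
# deny the NFS daemons to everyone, then allow slave1 and slave2 explicitly.
HOSTS_DENY = """\
portmap: ALL
lockd: ALL
mountd: ALL
rquotad: ALL
statd: ALL
"""

HOSTS_ALLOW = """\
portmap: 192.168.0.1 , 192.168.0.2
lockd: 192.168.0.1 , 192.168.0.2
rquotad: 192.168.0.1 , 192.168.0.2
mountd: 192.168.0.1 , 192.168.0.2
statd: 192.168.0.1 , 192.168.0.2
"""


def parse_access_file(text):
    """Parse 'daemon_list : client_list [: command]' lines into [(daemons, clients)]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed access rule: {raw!r}")
        daemons = re.split(r"[,\s]+", fields[0].strip())
        clients = re.split(r"[,\s]+", fields[1].strip())  # fields[2:] would be a shell command
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr):
    """IP-based client patterns only, as the slides recommend over DNS names:
    ALL, an exact address, 'net/mask', or a trailing-dot prefix such as 192.168."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return str(addr).startswith(pattern)
    return str(addr) == pattern


def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    daemon_hit = "ALL" in daemons or daemon in daemons
    return daemon_hit and any(client_matches(c, addr) for c in clients)


def check_access(daemon, client_ip, allow_rules, deny_rules):
    """Apply the slides' order: hosts.allow, then hosts.deny, then allow by default.
    Returns (decision, which file decided)."""
    addr = ipaddress.ip_address(client_ip)
    if any(rule_matches(r, daemon, addr) for r in allow_rules):
        return ("allow", "hosts.allow")
    if any(rule_matches(r, daemon, addr) for r in deny_rules):
        return ("deny", "hosts.deny")
    return ("allow", "default")   # no listing in either file: access is allowed
```

The last branch is why the slides suggest ALL:ALL in hosts.deny: without it, any daemon you forgot to list stays open to every client.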

Page 18: NFS Admin And Security

Getting the services started

The NFS server is configured and we can start it running. For this we need to check the following things:

1) Appropriate packages installed

This consists mainly of a new kernel and a new version of the nfs-utils package.

2) TCP/IP networking functioning correctly?

If telnet and FTP are working, then chances are TCP networking is fine.

Page 19: NFS Admin And Security

NFS starts up simply by rebooting the machine, and the startup scripts should detect the setup of the /etc/exports file.

To check this, query the portmapper with the command rpcinfo -p to find out what services it is providing.

It should look something like:

Page 20: NFS Admin And Security

program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100011 1 udp 749 rquotad
100011 2 udp 749 rquotad
100005 1 udp 759 mountd
100005 1 tcp 761 mountd
100005 2 udp 764 mountd
100005 2 tcp 766 mountd
100005 3 udp 769 mountd
100005 3 tcp 771 mountd
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
300019 1 tcp 830 amd
300019 1 udp 831 amd
100024 1 udp 944 status
100024 1 tcp 946 status
100021 1 udp 1042 nlockmgr
100021 3 udp 1042 nlockmgr
100021 4 udp 1042 nlockmgr
100021 1 tcp 1629 nlockmgr
100021 3 tcp 1629 nlockmgr
100021 4 tcp 1629 nlockmgr

Page 21: NFS Admin And Security

If we do not at least see a line that says "portmapper", a line that says "nfs", and a line that says "mountd", then we need to backtrack and try again to start up the daemons.

If we see these services listed, then the server should be ready to set up NFS clients to access files.
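An added example (not from the slides) that turns the readiness test above into code: it parses rpcinfo -p output and reports which of portmapper, nfs and mountd are not registered. The sample listing is constructed from the slide's output; the column layout assumed is the five-field one shown there.

```python
# Constructed rpcinfo -p output, one line per registration, taken from the slide.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    749  rquotad
    100011    2   udp    749  rquotad
    100005    1   udp    759  mountd
    100005    1   tcp    761  mountd
    100005    2   udp    764  mountd
    100005    2   tcp    766  mountd
    100005    3   udp    769  mountd
    100005    3   tcp    771  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    300019    1   tcp    830  amd
    300019    1   udp    831  amd
    100024    1   udp    944  status
    100024    1   tcp    946  status
    100021    1   udp   1042  nlockmgr
    100021    3   udp   1042  nlockmgr
    100021    4   udp   1042  nlockmgr
    100021    1   tcp   1629  nlockmgr
    100021    3   tcp   1629  nlockmgr
    100021    4   tcp   1629  nlockmgr
"""

# the three names the slide says must be present before clients can mount
REQUIRED = ("portmapper", "nfs", "mountd")


def parse_rpcinfo(text):
    """Return [(program, vers, proto, port, name)] from rpcinfo -p output.
    The header line and anything that is not a five-field numeric row is skipped."""
    registrations = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        program, vers, proto, port, name = fields
        registrations.append((int(program), int(vers), proto, int(port), name))
    return registrations


def services_by_name(registrations):
    """Map service name -> {(vers, proto, port)}: which versions and transports are up."""
    table = {}
    for _, vers, proto, port, name in registrations:
        table.setdefault(name, set()).add((vers, proto, port))
    return table


def missing_services(registrations, required=REQUIRED):
    """Names from `required` that the portmapper is not advertising; empty means ready."""
    present = services_by_name(registrations)
    return [name for name in required if name not in present]
```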

Page 22: NFS Admin And Security

If this does not work, or if we cannot reboot the machine, then we can start the daemons by hand in order to run NFS services.

Start the portmapper, which should be located in /sbin but is sometimes in /usr/sbin:

portmap or rpc.portmap

Page 23: NFS Admin And Security

Start the daemons

NFS serving is taken care of by five daemons: rpc.nfsd, which does most of the work; rpc.lockd and rpc.statd, which handle file locking; rpc.mountd, which handles the initial mount requests; and rpc.rquotad, which handles user file quotas on exported volumes.

The daemons are all part of the nfs-utils package, and may be either in the /sbin directory or the /usr/sbin directory.

Page 24: NFS Admin And Security

If the distribution does not include them in the startup scripts, then we need to add them, configured to start in the following order:

rpc.portmap
rpc.mountd, rpc.nfsd
rpc.statd, rpc.lockd (if necessary), rpc.rquotad

Page 25: NFS Admin And Security

Making Changes to /etc/exports

If we change the /etc/exports file, the changes may not take effect immediately. We should run the command exportfs -ra to force nfsd to re-read the /etc/exports file. If we cannot find the exportfs command, then we can kill nfsd with the -HUP flag.

Page 26: NFS Admin And Security

Topics

Configure NFS client
NFS daemons
Mounting NFS volume
Files used by NFS clients
Automount daemon (AMD)
RPC procedures in NFS

Page 27: NFS Admin And Security

Configuring NFS Client

In the /etc/vfs file search for the entries:

#%defaultvfs jfs nfs
#nfs 2 /sbin/helpers/nfsmnthelp none remote

Delete the # signs.

In /proc/filesystems search for nfs (new kernel versions):

$ cat /proc/filesystems
ext2
nodev proc
nodev nfs

If missing, compile your own kernel with NFS enabled, or type insmod nfs to check if the module exists.

* For old kernel versions try to mount a local directory. If mount fails with the error message "fs type nfs not supported by kernel", then make a new kernel with NFS enabled.

Page 28: NFS Admin And Security

NFS Daemons

Daemon: description; path; protocol

nfsd: file creation, searching, reading, writing, authentication and file statistics; path: /usr/sbin/nfsd; protocol: nfs

portmap: rpc portmapper daemon; path: /usr/sbin/portmap; protocol: portmap

lockd: Network Lock Manager, locks clients to avoid data modification; path: /usr/sbin/rpc.lockd; protocol: nlm

statd: Network Status Manager, monitors network nodes; path: /usr/sbin/rpc.statd; protocol: nsm

biod: Block I/O daemon, performs read-ahead and write-behind caching for the client; path: /usr/sbin/biod; protocol: nfs

mountd: mounting exported systems, handles mount and unmount requests; path: /usr/sbin/rpc.mountd; protocol: mountd

ugidd: maps the server's uid/gid space to the client's uid/gid space; path: /usr/sbin/rpc.ugidd; protocol: UGID RPC

Page 29: NFS Admin And Security

Starting NFS Daemons

Order of startup: rpc.portmap, rpc.mountd, rpc.nfsd => rpc.lockd, rpc.statd (separate)

Recent Linux distributions will have startup scripts for these daemons. The daemons are part of the nfs-utils package, and may be present in the /sbin or the /usr/sbin directory.

To check, use the command: ps aux | grep portmap

Page 30: NFS Admin And Security

Starting NFS Daemons

NFS daemons can be controlled by the system resource controller (SRC) (http://www.unet.univie.ac.at/aix/aixbman/admnconc/sys_res_overview.htm#A2729f9) by SRC commands such as startsrc, stopsrc, and lssrc to start, stop, and check the status of the NFS daemons.

Some NFS daemons can be started and stopped by inetd: rpc.rexd, rpc.rusersd, rpc.rwalld, and rpc.rsprayd.

Page 31: NFS Admin And Security

Starting NFS Daemons

Start the NFS daemons at system startup:
The Web-based System Manager fast path, wsm network
The SMIT fast path, smit mknfs
The mknfs command

Start the NFS daemons individually: startsrc -s Daemon

Start all the NFS daemons: startsrc -g nfs

* To start the nfsd and rpc.mountd daemons, the /etc/exports file must exist.

Page 32: NFS Admin And Security

Mounting an NFS Volume

Confirm that the NFS server has exported the directory:

showmount -e ServerName

Establish a mount point (empty):

mkdir mount_directory

Mount is invoked by the following syntax:

# mount -t nfs -o options nfs_volume mount_point

Example:

root@helium>> mount -t nfs -o nosuid,hard,intr neon:/usr/local /usr/local

Page 33: NFS Admin And Security

Mounting an NFS Volume

To mount an NFS volume at boot time, edit /etc/fstab on client "helium" with the entry:

# volume mount point type options dump fsckorder
neon:/usr/local /usr/local nfs nosuid,hard,intr 0 0

The /etc/fstab file is invoked by the rc.boot script at boot time.

The /etc/mtab file contains entries for file systems currently mounted.

Page 34: NFS Admin And Security

Mount options

mount
-p Print the list of mounted file systems
-a Mount all the file systems described in /etc/fstab
-n Mount without making an entry in /etc/mtab
-v Display a message indicating each file system
-t Specify a file system type
-r Mount the specified file system as read-only
-o Specifies a comma-separated list of file system options

Page 35: NFS Admin And Security

Options to '-o' specific to NFS

bg|fg  If the first attempt fails, retry in the background, or in the foreground.
noquota  Prevent quota from checking if the user is over quota on this file system.
retry=n  The number of times to retry the mount operation.
rsize=n  Set the read buffer size to n bytes.
wsize=n  Set the write buffer size to n bytes.
timeo=n  Set the NFS timeout to n tenths of a second.
retrans=n  The number of NFS retransmissions.
port=n  The server IP port number.
soft|hard  Return an error if the server does not respond | continue retrying the request until the server responds.
intr  Allow keyboard interrupts on hard mounts.

Page 36: NFS Admin And Security

Options to '-o' specific to NFS

posix  Request POSIX.1 semantics for the file system.
secure  Use a more secure protocol for NFS transactions.
acregmin=n  Hold cached attributes for at least n seconds after file modification.
acregmax=n  Hold cached attributes for no more than n seconds after file modification.
acdirmin=n  Hold cached attributes for at least n seconds after directory update.
acdirmax=n  Hold cached attributes for no more than n seconds after directory update.
actimeo=n  Set min and max times for regular files and directories to n seconds.
nocto  Suppress fresh attributes when opening a file.
noac  Suppress attribute and name (lookup) caching.

Page 37: NFS Admin And Security

Mount Options for Client Security

The nosuid mount option

If a program resident on the remote filesystem is setuid and it is run on the client, it will have the privileges associated with that userid (perhaps root) on the client machine. Usually allowing this to happen is a bad idea. Setting the nosuid option prevents it.

The broken_suid mount option

Some older kernels rely on the idea that root can write everywhere. Programs that do this type of suid action can potentially be used to change the apparent uid on NFS servers doing uid mapping. So it has to be disabled.
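An added example (not from the slides) that audits a client's /etc/fstab against the mount options the slides recommend: it parses each entry and, for every nfs mount, reports a missing nosuid, a soft mount, or a hard mount without intr. The sample fstab is constructed here around the slide's neon:/usr/local line; the finding codes are this example's own.

```python
# Constructed /etc/fstab for client "helium": the slide's entry, one local
# filesystem, and two NFS mounts that drop the recommended options.
SAMPLE_FSTAB = """\
# volume           mount point   type  options           dump fsckorder
/dev/sda1          /             ext2  defaults          1    1
neon:/usr/local    /usr/local    nfs   nosuid,hard,intr  0    0
neon:/home         /home         nfs   rw,soft           0    0
neon:/export/tools /opt/tools    nfs   rw,hard           0    0
"""


def parse_fstab(text):
    """Return [(volume, mount_point, fstype, {option: value}, dump, fsckorder)].
    Flag options map to True; key=value options keep their string value."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed fstab line: {raw!r}")
        volume, mount_point, fstype, opts = fields[:4]
        dump = int(fields[4]) if len(fields) > 4 else 0
        fsck = int(fields[5]) if len(fields) > 5 else 0
        options = {}
        for opt in opts.split(","):
            key, _, value = opt.partition("=")   # rsize=8192 -> ("rsize", "8192")
            options[key] = value or True
        entries.append((volume, mount_point, fstype, options, dump, fsck))
    return entries


def audit_nfs_mounts(entries):
    """Findings per NFS mount, measured against the slides' nosuid,hard,intr example:
    nosuid missing  - setuid binaries served by the NFS server would run with that
                      uid (perhaps root) on this client
    soft mount      - the client returns errors instead of waiting for the server
    hard_without_intr - a hung server leaves processes stuck with no keyboard interrupt"""
    findings = []
    for _, mount_point, fstype, options, _, _ in entries:
        if fstype != "nfs":
            continue
        if "nosuid" not in options:
            findings.append((mount_point, "nosuid_missing"))
        if "soft" in options:
            findings.append((mount_point, "soft_mount"))
        elif "intr" not in options:
            findings.append((mount_point, "hard_without_intr"))
    return findings
```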

Page 38: NFS Admin And Security

Files Used by NFS Clients

/usr/etc/biod -- Block I/O daemon.
/usr/etc/portmap -- rpc portmapper daemon.
/usr/etc/rpc.lockd -- Lock daemon.
/usr/etc/rpc.statd -- Status daemon.
/etc/fstab -- File system table.
/usr/etc/mount -- mount program.
/usr/etc/umount -- umount program.
/etc/rc.local -- local configuration file where daemons are started.
/etc/mtab -- flat file that shows mounted file systems.

Page 39: NFS Admin And Security

Automount Daemon

Amd is a daemon that automatically mounts filesystems whenever a file or directory within that filesystem is accessed.

Filesystems are automatically unmounted when they appear to have become quiescent.

Amd operates by attaching itself as an NFS server to each of the specified directories.

Syntax:

/usr/sbin/automount [ -m ] [ -n ] [ -T ] [ -v ] [ -D name=value ] [ -f MasterFile ] [ -M MountDirectory ] [ -tl Duration ] [ -tm Interval ] [ -tw Interval ] Directory MapName ... [ -MountOption [ ,MountOption ] ... ]

Page 40: NFS Admin And Security

Automount Daemon

Its advantages include:
it never hangs if a remote server goes down
it sends "keep alive" queries to servers and keeps a list of accessible servers. It returns "operation would block" errors rather than hanging.
it is completely public domain
it offers more mount types
its maps can be in NIS, Hesiod, ndm formats among others
the map syntax is more generic
makes handling of subdirectories easier.

Page 41: NFS Admin And Security

RPC Procedures Found in NFS

NFSPROC_NULL -- This procedure is termed null because it does nothing.
NFSPROC_GETATTR -- returns the attributes: protection, owner, size, and access times.
NFSPROC_SETATTR -- sets the file attributes.
NFSPROC_LOOKUP -- does a directory lookup for the client.
NFSPROC_READLINK -- reads the value stored in a symbolic link.
NFSPROC_READ -- allows a client to read data from a file.
NFSPROC_WRITE -- writes data to a file.
NFSPROC_CREATE -- allows a client to create a file in a directory.

Page 42: NFS Admin And Security

RPC Procedures Found in NFS

NFSPROC_REMOVE -- deletes a file.
NFSPROC_RENAME -- renames a file.
NFSPROC_LINK -- forms a hard link to an existing file.
NFSPROC_SYMLINK -- creates a symlink.
NFSPROC_MKDIR -- creates a directory.
NFSPROC_RMDIR -- removes a directory.
NFSPROC_READDIR -- gets the contents of a directory.
NFSPROC_STATFS -- Clients may use this call to get information from the server on the status of the filesystem.


Page 44: NFS Admin And Security

NFS Security

NFS is layered over RPC over UDP (or TCP). The default RPC security flavor, AUTH_SYS (originally called AUTH_UNIX), identifies server and client only by IP address; the uid, gid and group list carried in each request are whatever the client chose to put there. There is no authentication.

The NFS architecture involves many moving parts (the portmapper, nfsd, statd and their helpers), most of which have been implicated repeatedly in security problems.

Unlike Windows, both server and client are multi-user machines. Access control requires careful planning.
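As an added example (not part of the slides), the following Python encodes an ONC RPC call header carrying an AUTH_SYS credential, following the XDR layout in RFC 5531, and parses it back the way a server would. The xid, host name and uid values are constructed for illustration. What it shows is the point of the slide: every field in the credential, uid and gid included, is a plain integer the client writes, so the server's only handle on who sent a request is the packet's source address.

```python
"""XDR-encode an ONC RPC call with an AUTH_SYS credential and parse it back.

Added example, not code from the slides.  Field layout follows RFC 5531
(ONC RPC version 2); program and procedure numbers are those of NFS v3.
"""
import struct

AUTH_NONE = 0
AUTH_SYS = 1            # historically AUTH_UNIX
RPC_CALL = 0
RPC_VERSION = 2
NFS_PROGRAM = 100003
NFSPROC_GETATTR = 1     # procedure number in NFS v2 and v3


def xdr_uint(n):
    """Unsigned 32-bit integer, big-endian."""
    return struct.pack(">I", n)


def xdr_opaque(data):
    """Variable-length opaque/string: length word, bytes, pad to 4 bytes."""
    pad = (-len(data)) % 4
    return xdr_uint(len(data)) + data + b"\x00" * pad


def auth_sys_body(stamp, machinename, uid, gid, gids):
    """authsys_parms (RFC 5531 appendix A): the credential body."""
    body = xdr_uint(stamp)
    body += xdr_opaque(machinename.encode())   # string machinename<255>
    body += xdr_uint(uid) + xdr_uint(gid)
    body += xdr_uint(len(gids))                 # unsigned int gids<16>
    for g in gids:
        body += xdr_uint(g)
    return body


def opaque_auth(flavor, body):
    """opaque_auth: flavor enum followed by the body as opaque<400>."""
    return xdr_uint(flavor) + xdr_opaque(body)


def rpc_call(xid, prog, vers, proc, cred):
    """Call header: xid, CALL, rpcvers, prog, vers, proc, cred, verf."""
    hdr = xdr_uint(xid) + xdr_uint(RPC_CALL) + xdr_uint(RPC_VERSION)
    hdr += xdr_uint(prog) + xdr_uint(vers) + xdr_uint(proc)
    hdr += cred
    hdr += opaque_auth(AUTH_NONE, b"")   # AUTH_SYS calls carry an empty verifier
    return hdr


def getattr_call_as(uid, gid, machinename="anyhost"):
    """A GETATTR call whose credential claims the given uid/gid.

    Nothing stops a client (or anyone who can send a UDP packet) from
    choosing these numbers; only root squashing or a real security
    flavor on the server limits what they buy.  Constructed xid.
    """
    cred = opaque_auth(AUTH_SYS, auth_sys_body(1, machinename, uid, gid, [gid]))
    return rpc_call(0x1234, NFS_PROGRAM, 3, NFSPROC_GETATTR, cred)


class _Reader:
    """Minimal XDR decoder over a byte string."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def uint(self):
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return n

    def opaque(self):
        n = self.uint()
        val = self.data[self.pos:self.pos + n]
        self.pos += n + (-n) % 4
        return val


def parse_call(packet):
    """What a server does with the header: it simply reads the fields."""
    r = _Reader(packet)
    call = {"xid": r.uint(), "msg_type": r.uint(), "rpcvers": r.uint(),
            "prog": r.uint(), "vers": r.uint(), "proc": r.uint()}
    flavor = r.uint()
    body = _Reader(r.opaque())
    if flavor == AUTH_SYS:
        call["cred"] = {"stamp": body.uint(),
                        "machinename": body.opaque().decode(),
                        "uid": body.uint(), "gid": body.uint(),
                        "gids": [body.uint() for _ in range(body.uint())]}
    else:
        call["cred"] = {"flavor": flavor}
    return call


if __name__ == "__main__":
    pkt = getattr_call_as(0, 0)
    print(parse_call(pkt))   # the server would now act as uid 0 unless it squashes root
```

The decoder has no step where it could reject the credential: there is nothing to verify. That is why the recommendations later in the deck lean so heavily on root squashing, read-only exports, privileged source ports and firewalling the ports instead of on "authentication".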

Page 45: NFS Admin And Security

Generic NFS Recommendations

• do install all NFS security patches (in particular, for SunOS, you should get 100173-09, 100536-02, and for Solaris, 101344-11)
• do configure NFS so that requests are only accepted from privileged system programs, i.e. from source ports below 1024 (on Linux this is the secure export option, which is the default). This requires a user on a remote machine to be root before sending NFS requests (well, unless the remote machine is running an OS, like MSDOS, that doesn't make a distinction between root and non-root, or the OS doesn't require root access to "privileged" ports, or the hacker already has root...). Remember that nfsd does minimal continuing authentication, and will accept requests from anyone with the correct filehandle.
• do export file systems read-only whenever possible (this will prevent anyone from writing to them, even if they get/guess the filehandle)
• never ever ever! export a filesystem to the exporting server, or to a netgroup which includes the server (at CCO we chose to create 3 netgroups, one for each server, that included all machines (client and server), except for that one server)
• do keep all suid code on one filesystem, export that filesystem with no root access (the default on Suns), and mount all other filesystems -nosuid (some OSes have a -nodev option that should be used similarly, though some turn dev access off when you turn suid off)
• put all mount options like the ones above in your automounter maps!

Page 46: NFS Admin And Security

Generic Recommendations

• the statmon directories, used by statd to control locking services of NFS, are often world writeable. Try find /var/statmon -exec chmod o-w {} \; (not widely exploited, but the writeability can be used in a denial of service attack to trick the client daemon into thinking the server is dead)
• at your firewall/router, do not pass TCP port 111, UDP port 111, TCP port 2049, or UDP port 2049 (111 is the portmapper, 2049 is nfsd). This will protect against outside attacks, even those which get/guess filehandles, though it does nothing for internal attacks. Note that mountd, statd and the lock daemon register dynamically assigned ports with the portmapper, so blocking 111 and 2049 alone hides those services rather than closing them; pin them to fixed ports where the implementation allows and filter those too.
• do not allow the /etc/exports file to contain a "localhost" reference (makes spoofing more difficult)
• do export only to fully qualified domain names (makes spoofing more difficult)
• do not let export lists exceed 256 characters, even after expanding aliases (some nfsd implementations will ignore an access list completely if it is bigger than this, although this is perhaps an outdated reference to an old Sun bug)
• do check for typos (exporting to a nonexistent netgroup is equivalent to exporting to the world)
• do disable NFS completely if you don't need it
• do run /usr/etc/exportfs after making changes to /etc/exports (exportfs -ra on Linux)
• if your portmap/rpcbind implementation allows you to, you can add some protection by disallowing connections from outside your firewall (though if your firewall is penetrated, loose source routing might defeat this)

Source: http://www.cco.caltech.edu/~refguide/sheets/nfs-security.html
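The two checklists above are easy to get wrong by hand, so here is an added example (not from the slides or the Caltech sheet) that turns the export-side items into a linter for a Linux-style /etc/exports. The sample exports file and the netgroup names are constructed; the weak lines each contain one of the mistakes the lists warn about (export to the world, export to the server itself, unsquashed root, non-privileged source ports, short hostnames, a misspelled netgroup, read-write where read-only would do, over-long access lists) and the last line is what a corrected entry looks like.

```python
"""Lint a Linux-syntax /etc/exports against the slide-deck checklist.

Added example, not part of the original slides.  Syntax assumed:
    /path  client(opt,opt)  client(opt,opt) ...
where a missing client (or "*") means everyone, "@name" is a netgroup,
and options follow exportfs(8) naming (ro, rw, root_squash,
no_root_squash, secure, insecure).
"""
import re

# Constructed sample, not from the slides.
SAMPLE_EXPORTS = """\
# weak: no client given, so this is exported to the world
/export/scratch (rw)
# weak: the exporting server itself, unsquashed root, non-privileged ports
/export/home localhost(rw,no_root_squash,insecure)
# weak: short hostname is easy to spoof; netgroup name has a typo
/export/tools lab1(ro) @labhost(ro)
# fine: read-only, FQDN clients, root squashed, privileged ports only
/export/suid lab1.cs.example.edu(ro,root_squash,secure) @labhosts(ro,root_squash,secure)
"""

# Constructed; in practice this comes from /etc/netgroup or NIS.
KNOWN_NETGROUPS = {"labhosts", "servers"}

MAX_ACCESS_LIST = 256   # the old Sun limit mentioned in the checklist


def parse_entry(line):
    """Return (path, [(client, set_of_options), ...]) for one export line."""
    parts = line.split()
    path, clients = parts[0], []
    for tok in parts[1:]:
        host, _, rest = tok.partition("(")
        opts = set(rest.rstrip(")").split(",")) if rest else set()
        opts.discard("")
        clients.append((host or "*", opts))     # "(rw)" alone means everyone
    if not clients:
        clients.append(("*", set()))            # bare path: exported to the world
    return path, clients


def lint_client(path, host, opts, netgroups):
    """Apply the checklist to one client entry; returns readable findings."""
    problems = []
    if host == "*":
        problems.append("exported to the world (no client restriction)")
    elif host in ("localhost", "127.0.0.1"):
        problems.append("exported to the exporting server itself")
    elif host.startswith("@"):
        if host[1:] not in netgroups:
            problems.append(f"netgroup {host} does not exist; "
                            "this is the same as exporting to the world")
    elif "." not in host:
        # an IP address or CIDR also contains dots, so only bare names land here
        problems.append("client is a short hostname, not a fully qualified domain name")
    if "no_root_squash" in opts:
        problems.append("remote root is mapped to local root (no_root_squash)")
    if "insecure" in opts:
        problems.append("requests accepted from non-privileged source ports (insecure)")
    if "rw" in opts:
        problems.append("read-write export; use ro unless writing is really needed")
    return [f"{path} -> {host}: {p}" for p in problems]


def lint_exports(text, netgroups=KNOWN_NETGROUPS):
    """Lint a whole exports file; comments and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        if len(stripped) > MAX_ACCESS_LIST:
            findings.append(f"{stripped.split()[0]}: access list longer than "
                            f"{MAX_ACCESS_LIST} characters")
        path, clients = parse_entry(stripped)
        for host, opts in clients:
            findings.extend(lint_client(path, host, opts, netgroups))
    return findings


if __name__ == "__main__":
    for finding in lint_exports(SAMPLE_EXPORTS):
        print(finding)
```

Run it against a real exports file with the real netgroup list substituted for KNOWN_NETGROUPS; the netgroup check is the one that matters most, because a misspelled netgroup fails open. The mount-side items (nosuid, nodev, and putting those options in automounter maps) are not covered here since they live in fstab and automounter maps rather than in /etc/exports.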

Page 47: NFS Admin And Security

The Userid Problem

Unix access control uses an integer to identify the user.

Access control rules are applied at the server using credentials (the number) supplied by the client.

That integer is interpreted in the context of the server's principal->numeric id map.

For NFS to work properly, you must ensure that the numeric ids are consistent between server and client.
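An added example (not from the slides) of checking that consistency. It compares two passwd files, one from the server and one from a client, and reports the two failure modes that matter for NFS: the same login mapped to different numbers (that person gets the wrong files) and the same number mapped to different logins (one person can read another's files). The passwd contents and logins below are constructed for illustration.

```python
"""Check that numeric uids agree between an NFS server and a client.

Added example, not from the slides.  The server applies its own access
control rules to the raw uid a client sends, so any disagreement in the
name<->uid map silently grants the wrong access.
"""

# Constructed passwd files, not real accounts.
SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
steve:x:1001:1001:Steve:/home/steve:/bin/sh
sravani:x:1002:1002:Sravani:/home/sravani:/bin/sh
ashish:x:1003:1003:Ashish:/home/ashish:/bin/sh
"""

CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
steve:x:1001:1001:Steve:/home/steve:/bin/sh
ashish:x:1002:1002:Ashish:/home/ashish:/bin/sh
guest:x:1003:1003:Guest:/home/guest:/bin/sh
"""


def parse_passwd(text):
    """Map login name -> uid from passwd-format text (name:x:uid:gid:...)."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[2])
    return users


def check_uid_consistency(server_text, client_text):
    """Report every way the two maps disagree, sorted for stable output."""
    server = parse_passwd(server_text)
    client = parse_passwd(client_text)
    server_by_uid = {uid: name for name, uid in server.items()}
    client_by_uid = {uid: name for name, uid in client.items()}
    return {
        # same login, different number: this user reaches the wrong files
        "name_uid_mismatch": sorted(
            (n, server[n], client[n])
            for n in server.keys() & client.keys()
            if server[n] != client[n]),
        # same number, different login: one person can read another's files
        "uid_collision": sorted(
            (uid, server_by_uid[uid], client_by_uid[uid])
            for uid in server_by_uid.keys() & client_by_uid.keys()
            if server_by_uid[uid] != client_by_uid[uid]),
        "only_on_server": sorted(server.keys() - client.keys()),
        "only_on_client": sorted(client.keys() - server.keys()),
    }


def server_identity(client_login, server_text, client_text):
    """Whom the server takes a given client login to be, or None if that
    uid is unknown on the server (the server only ever sees the number)."""
    uid = parse_passwd(client_text)[client_login]
    by_uid = {u: n for n, u in parse_passwd(server_text).items()}
    return by_uid.get(uid)


if __name__ == "__main__":
    report = check_uid_consistency(SERVER_PASSWD, CLIENT_PASSWD)
    for key, rows in report.items():
        print(key, rows)
    print("client 'ashish' is", server_identity("ashish", SERVER_PASSWD, CLIENT_PASSWD), "on the server")
```

On the constructed data the client's ashish (uid 1002) is sravani as far as the server is concerned, and the client's guest account is the server's ashish. This is exactly the situation the next slides try to fix by sharing one password database, and, failing that, by exporting only single-user subtrees.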

Page 48: NFS Admin And Security

Securing RPC

The DIY solution: many site admins have resorted to running NFS through encrypted tunnels and manually crafting export and mount parameters to achieve acceptable security.

See http://www.linuxsecurity.com/feature_stories/feature_story-118.html for a recent example.

Side issue: use a good clock sync protocol. File timestamps are written by the server and read back by the client without accounting for clock skew. This causes problems.

Page 49: NFS Admin And Security

Securing RPC

Sun Microsystems has had a DES-based, proprietary, somewhat-secure version of RPC (AUTH_DES, marketed as Secure RPC) out since the late 80s.

In the late Nineties an open-source effort got underway. Pre-release Linux code for version 4 of NFS was released in February 2002.

It is based on a modern, negotiated-encryption secure RPC called RPCSEC_GSS (RFC 2203), which in practice means Kerberos V5 in the krb5 (authentication only), krb5i (integrity) and krb5p (privacy) flavors.

See http://www.citi.umich.edu/projects/nfsv4

Page 50: NFS Admin And Security

Securing RPC

Secure RPC promises to solve the client/server mutual authentication problem, but it does not, by itself, solve the numeric ID management problem.

Kerberos solves the distributed identification and authentication problem, but does not provide assurance that the client TCB is intact and configured as server security policy requires.

Page 51: NFS Admin And Security

The Trust Relationship

Assuming no protocol-level attacks, the user, client and server end up in a complex and problematic trust relationship.

The server is responsible to the user(s) for the security of shared files.

The user trusts the client to fairly represent his/her intentions to the server.

The server trusts the client to vouch for the authenticity of the credentials it presents with NFS requests.

Page 52: NFS Admin And Security

The Trust Relationship

When the clients and servers are all administered together (e.g. a cluster of compute and storage servers) this works well. That's the model NFS was designed for.

When user A has administrative control of client A, the trust relationships of NFS are in conflict. A request from machine A claiming to represent user B can't be trusted, but the NFS protocol doesn't know that.

Page 53: NFS Admin And Security

Solving the UID and Trust Problems

Two generic solutions:

• Multi-user filesystems (e.g. /home) shared among hosts with a single password database and consistent security policies. Like a Windows Domain.
• Single-user subtree exports, e.g. /home/steve, shared only with machines controlled by that user.

Unfortunately, the mechanism for sharing the password database is also RPC-based and insecure (NIS).

Page 54: NFS Admin And Security

Solving the UID and Trust Problems

Using Kerberos to manage the user identification and authentication database helps, but nothing in NFS as commonly deployed (v2/v3 over AUTH_SYS) knows about Kerberos tickets.

The Just-Say-No solution: run a file sharing protocol that is integrated with a distributed authentication and access control protocol. See the Caltech link for discussion.

Page 55: NFS Admin And Security

Conclusions

NFS is available, efficient, and reliable.

NFS is quite insecure in its default configuration.

For low-criticality information on a network with physical security, reasonable users and stable user/client pairings, NFS can be used when deployed with a good plan. Good advice and sample designs are widespread.

NFS v4 will solve the RPC security problem soon-ish.

Mutual trust of user, client and server is a harder problem, but it can be solved administratively in some environments.

Page 56: NFS Admin And Security

Conclusions

For acceptable security in a more hostile or more critical environment with multi-user clients (e.g., university computing labs), NFS is not secure enough.

NFS v4 may include features to fix this, but I don't see anything about it in the high-level descriptions.

AFS was designed (at CMU) for this threat environment. It is probably secure enough, but it is not free and is less widely used.