NFS – Network File System

Network File System (NFS) is a way to share files between machines on a network as if the files were located on the client's local hard drive. It is an effective way to share files with a group of users on the same network, e.g. a group of users working on a project who need to share the files stored in a particular directory. In such a case, everyone can upload/share their files in a common folder (like /project) and share it over NFS.

For the NFS service, one machine (any RedHat machine with the package installed) in the network works as the server while the others connect to it to fetch/share files. Sharing files from an NFS server is known as exporting the directories. An X Windows based application is available to edit the configuration file, but since I already mentioned in the previous post (OS Hardening) that X Windows is generally not needed on a production server and should be removed, I will discuss the procedure to edit the configuration file using text editors.

The /etc/exports file controls which directories the NFS server exports and with what privileges. The only option that needs to be specified is one of sync or async (sync is recommended). If the following is written in the /etc/exports file:

/myproject     station1.example.com(sync)

then it lets users from station1.example.com mount the folder /myproject on their machines with read-only permissions. But if we specify the following in the /etc/exports file:

/myproject     station1.example.com(rw,sync)

then, it will allow users from station1.example.com to mount /myproject with read-write privileges.

There is one very important thing to note about the hostname and its privileges. If there are no spaces between the hostname and the options in parentheses, the options apply only to that hostname. If there is a space between the hostname and the options, the options apply to the rest of the world. e.g. let's consider the following two lines:

/myproject     station1.example.com(rw,sync)

/myproject     station1.example.com (rw,sync)

The first line grants users from station1.example.com read-write access and denies all other users. The second line grants users from station1.example.com read-only access (the default) and allows the rest of the world read-write access.

We can use the following options as per requirement:

- ro           -> Read-only access
- rw           -> Read-write access
- access=list  -> List of hosts that can mount the filesystem
- root=list    -> List of hosts allowed to access the filesystem as root
- anon=n       -> UID to be used for requests from unknown (anonymous) users

You can use host names in the following forms in the /etc/exports file:

  • Single machine — A fully qualified domain name (that can be resolved by the server), a hostname (that can be resolved by the server), or an IP address
  • Series of machines specified with wildcards — Use the * or ? character to specify a string match. Wildcards should not be used with IP addresses; however, they may accidentally work if reverse DNS lookups fail. When specifying wildcards in fully qualified domain names, dots (.) are not included in the wildcard. For example, *.example.com includes one.example.com but does not include one.two.example.com.
  • IP networks — Use a.b.c.d/z, where a.b.c.d is the network and z is the number of bits in the netmask (for example 192.168.0.0/24). Another acceptable format is a.b.c.d/netmask, where a.b.c.d is the network and netmask is the netmask (for example, 192.168.100.8/255.255.255.0).
  • Netgroups — In the format @group-name, where group-name is the NIS netgroup name.
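The two points above (the space that detaches the options from the host, and the host forms a client specification can take) are easy to get wrong by hand, so here is a small linter for them. This is an added example, not code from the original post: the function names and the sample exports text are constructed for illustration, and the last two sample lines are deliberate mistakes so the linter has something to report.

```shell
#!/bin/sh
# Added example, not part of the original post: a small /etc/exports linter
# that classifies each client specification (single host, wildcard, IP
# network, netgroup, or "*" for every host) and flags the "host (options)"
# mistake, where a space detaches the options from the host and applies
# them to the rest of the world.

# Constructed sample in /etc/exports format; the last two lines are wrong.
SAMPLE_EXPORTS='/myproject     station1.example.com(rw,sync)
/data          192.168.0.0/24(ro,sync)
/home          *.example.com(rw,sync) @engineers(ro,sync)
/myproject     station1.example.com (rw,sync)
/tmp           *(rw)'

# classify_client SPEC -> prints host | wildcard | network | netgroup | world
classify_client() {
    case "$1" in
        '*')            echo world ;;
        @*)             echo netgroup ;;
        *'*'*|*'?'*)    echo wildcard ;;
        */*)            echo network ;;
        *)              echo host ;;
    esac
}

# lint_exports reads exports text on stdin and prints one line per client:
#   <dir> <client> <kind> <options> [WARN: ...]
lint_exports() {
    set -f                       # no pathname expansion of "*" or "?" specs
    while read -r dir rest; do
        case "$dir" in ''|'#'*) continue ;; esac   # blank line or comment
        set -- $rest             # split the remaining fields on whitespace
        while [ $# -gt 0 ]; do
            entry=$1; shift
            case "$entry" in
                '('*)
                    # "(options)" with no client in front: the space detached
                    # it from the previous host, so it applies to every host
                    echo "$dir * world $entry WARN: options detached from host by a space apply to the whole world"
                    continue ;;
            esac
            client=${entry%%\(*}
            if [ "$client" = "$entry" ]; then
                opts='(ro)'      # no options given: read-only is the default
            else
                opts="(${entry#*\(}"
            fi
            kind=$(classify_client "$client")
            warn=''
            if [ "$kind" = world ]; then
                case "$opts" in
                    *rw*) warn=" WARN: read-write export to every host" ;;
                    *)    warn=" WARN: exported to every host" ;;
                esac
            fi
            case "$opts" in
                *sync*) ;;       # matches both sync and async
                *) warn="$warn WARN: neither sync nor async given" ;;
            esac
            echo "$dir $client $kind $opts$warn"
        done
    done
    set +f
}

# Run the linter over the constructed sample
printf '%s\n' "$SAMPLE_EXPORTS" | lint_exports
```

On a real server run it as `lint_exports < /etc/exports`. Any entry reported with kind `world`, or a detached `(options)` entry, is the situation the post warns about: every host that can reach the portmapper is then allowed to mount that directory, read-write if `rw` is among the options.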

The following daemons are used for NFS:

nfsd -> handles client requests from remote systems
biod -> handles block I/O requests
rpc.mountd -> handles mount requests
rpc.lockd -> manages file locking on NFS client and server
rpc.statd -> manages lock crash and recovery services
portmap -> facilitates the initial connection between local and remote servers

When you are finished editing the /etc/exports file, you can export all filesystems/directories using the following command:

# exportfs -a

To unexport all shared filesystems/directories, run:

# exportfs -ua

 

To see all shared filesystems/directories, run:

# showmount -e localhost

Now, to activate NFS, use the following commands:

chkconfig portmap on
chkconfig nfs on
service portmap start
service nfs start

To probe the portmapper for all registered NFS-related RPC programs, you can run rpcinfo. On Red Hat Advanced Server 3, the output will look like this:

# rpcinfo -p <server>
program vers proto   port
100000    2   tcp    111  portmapper
100000    2   udp    111  portmapper
100011    1   udp    607  rquotad
100011    2   udp    607  rquotad
100011    1   tcp    610  rquotad
100011    2   tcp    610  rquotad
100003    2   udp   2049  nfs
100003    3   udp   2049  nfs
100003    2   tcp   2049  nfs
100003    3   tcp   2049  nfs
100005    1   udp    623  mountd
100005    1   tcp    626  mountd
100005    2   udp    623  mountd
100005    2   tcp    626  mountd
100005    3   udp    623  mountd
100005    3   tcp    626  mountd
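The rpcinfo listing is also the input you need when restricting NFS with a firewall, since only nfs itself sits on a fixed port. The following added example (not code from the original post) parses the listing quoted above, collapses the per-version rows into the distinct protocol/port pairs, checks that a given service is registered, and prints matching firewall accept rules for a trusted network. The sample listing is the one from the post; the function names and the 192.168.0.0/24 network are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: turn "rpcinfo -p" output into
# the list of ports a host firewall must open for NFS, and check that the
# expected RPC services are registered. The sample is the listing quoted in
# the post; on a real server feed in the live output instead.

SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    607  rquotad
    100011    2   udp    607  rquotad
    100011    1   tcp    610  rquotad
    100011    2   tcp    610  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp    623  mountd
    100005    1   tcp    626  mountd
    100005    2   udp    623  mountd
    100005    2   tcp    626  mountd
    100005    3   udp    623  mountd
    100005    3   tcp    626  mountd'

# rpc_ports reads rpcinfo -p output on stdin and prints "proto port service",
# one line per distinct proto/port pair (the version column is dropped).
rpc_ports() {
    awk 'NF == 5 && $1 ~ /^[0-9]+$/ { print $3, $4, $5 }' | sort -u
}

# rpc_registered SERVICE -> succeeds if SERVICE appears in the listing on stdin
rpc_registered() {
    awk -v svc="$1" '$1 ~ /^[0-9]+$/ && $5 == svc { found = 1 }
                     END { if (found) exit 0; exit 1 }'
}

# firewall_rules NETWORK reads rpcinfo -p output on stdin and prints (does not
# apply) one iptables accept rule per proto/port, limited to NETWORK.
firewall_rules() {
    net=${1:-192.168.0.0/24}     # constructed default trusted network
    rpc_ports | while read -r proto port svc; do
        echo "iptables -A INPUT -s $net -p $proto --dport $port -j ACCEPT   # $svc"
    done
}

printf '%s\n' "$SAMPLE_RPCINFO" | rpc_ports
printf '%s\n' "$SAMPLE_RPCINFO" | firewall_rules 192.168.0.0/24
```

Feed it the live `rpcinfo -p` output rather than a saved copy: nfs is always on 2049, but mountd and rquotad register on whatever ports the portmapper hands out at start-up (623/626 and 607/610 in the listing above), so a rule set built from a stale listing stops matching after a restart unless those daemons are started on fixed ports.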

 

Security of NFS

Always keep the security issues in mind whenever your server is shared on a network. You can follow these basic rules:

- Do not enable/install NFS if it is not required.
- Use a firewall to restrict remote access.
- Export to only those machines that you really need to.
- Use fully qualified domain names to diminish spoofing attempts.
- Export only directories you need to export.
- Export read-only wherever possible.
- Use NFS over TCP.

To allow NFS requests from, e.g., the servers station1.example.com, station2.example.com and station3.example.com, the file /etc/hosts.allow would look as follows:

portmap:     station1.example.com station2.example.com station3.example.com
rpc.mountd:  station1.example.com station2.example.com station3.example.com
rpc.rquotad: station1.example.com station2.example.com station3.example.com
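What that hosts.allow file actually does depends on hosts.deny, because TCP wrappers grant access when neither file matches. The following added example (not code from the original post) simulates that decision for the file above against two hosts.deny variants, so the effect of a missing default deny can be seen before it is tested on a live server. The function names, the client host names and the hosts.deny contents are constructed for illustration; only the ALL keyword, exact names or addresses, ".domain" suffixes and "a.b.c." address prefixes are implemented.

```shell
#!/bin/sh
# Added example, not part of the original post: a simulator for the TCP
# wrappers decision that portmap and the rpc.* daemons make when they consult
# /etc/hosts.allow and /etc/hosts.deny. It follows the documented order
# (first match in hosts.allow grants, then first match in hosts.deny refuses,
# otherwise access is granted) for the ALL keyword, exact host names or
# addresses, ".domain" suffixes and "a.b.c." address prefixes. EXCEPT, LOCAL,
# KNOWN/UNKNOWN and netgroups are not implemented here.

# Constructed file contents. HOSTS_ALLOW is the file from the post; the two
# hosts.deny variants show what happens with and without a default deny.
HOSTS_ALLOW='portmap:     station1.example.com station2.example.com station3.example.com
rpc.mountd:  station1.example.com station2.example.com station3.example.com
rpc.rquotad: station1.example.com station2.example.com station3.example.com'
HOSTS_DENY_EMPTY=''
HOSTS_DENY_ALL='ALL: ALL'

# client_matches PATTERN HOST ADDR -> true if the pattern covers the client
client_matches() {
    pat=$1; host=$2; addr=$3
    case "$pat" in
        ALL) return 0 ;;
        .*)  case "$host" in *"$pat") return 0 ;; esac ;;    # domain suffix
        *.)  case "$addr" in "$pat"*) return 0 ;; esac ;;    # address prefix
        *)   if [ "$pat" = "$host" ] || [ "$pat" = "$addr" ]; then return 0; fi ;;
    esac
    return 1
}

# rules_match FILE_TEXT DAEMON HOST ADDR -> true if any "daemons: clients" line applies
rules_match() {
    daemon=$2; host=$3; addr=$4
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac       # blank line or comment
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
        dmatch=1
        for d in $daemons; do
            if [ "$d" = "$daemon" ] || [ "$d" = ALL ]; then dmatch=0; fi
        done
        [ $dmatch -eq 0 ] || continue
        for c in $clients; do
            if client_matches "$c" "$host" "$addr"; then return 0; fi
        done
    done <<EOF
$1
EOF
    return 1
}

# hosts_access ALLOW_TEXT DENY_TEXT DAEMON HOST ADDR -> prints "allow" or "deny"
hosts_access() {
    if rules_match "$1" "$3" "$4" "$5"; then
        echo allow
    elif rules_match "$2" "$3" "$4" "$5"; then
        echo deny
    else
        echo allow      # no match in either file: TCP wrappers grant access
    fi
}

# Same two clients, with and without a default deny in hosts.deny
for deny in "$HOSTS_DENY_EMPTY" "$HOSTS_DENY_ALL"; do
    echo "hosts.deny = '${deny:-<empty>}'"
    for client in station1.example.com unlisted.example.org; do
        printf '  %-22s rpc.mountd -> %s\n' "$client" \
            "$(hosts_access "$HOSTS_ALLOW" "$deny" rpc.mountd "$client" 10.9.8.7)"
    done
done
```

With the hosts.allow from the post and an empty hosts.deny, the unlisted client is still allowed to talk to rpc.mountd; only once hosts.deny contains `ALL: ALL` does the allow list become the only way in. The real library also supports EXCEPT clauses, netgroups and the other keywords documented in hosts_access(5), which this simulator does not model.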
