Network File System (NFS)
The Network File System (NFS) protocol defines a way for co-operating systems to share filesystems. Today, everyone seems to refer to NFS mounts as shares. NFS is based on RPC (Remote Procedure Call), a protocol that defines how machines can make calls to procedures on remote machines as if they were local. NFS implementations consist of more than just a single NFS server process. In fact, they require mountd, statd, and lockd. These daemons have had a plethora of problems—especially statd. NFS is an insecure protocol that you don't want to run. Trust me. Full details of NFS v2 can be found in RFC 1094. NFS v3 is defined in RFC 1813.

NFS Risks

· If you're running an unsupported or unpatched version of NFS, you're dead in the water if someone takes a shot.
· Misconfigurations are common with NFS. Sharing system-related filesystems is asking for trouble.
· Weak authentication is used. The requests can be spoofed or sometimes proxied through the local portmapper.
· No encryption is used, so your darkest secrets go across the network in plaintext.
· NFS-related daemons commonly run as root. An exploitable security hole can leave you with a root compromise on your hands.
· Watch your defaults! The file /etc/exports (or /etc/dfs/dfstab) controls which filesystems you share and with whom. Unless you specify otherwise, your implementation might default to using insecure options or giving write access by default.

Securing NFS

Don't run it! Solve security headaches in one fell swoop—turn it off! OK, so you want this functionality? Read on…

· Is NFS the right file-sharing mechanism for what you want? Given its security problems, examine your file-sharing requirements. For example, if you want a mirror of some files, you could just buy another disk (they are cheap these days) and use rdist over SSH to make replicas on other systems. If you can find a way around using NFS, then do so.
· Avoid using NFS for sensitive information and never run Internet-facing NFS servers.
· Firewall NFS to limit your exposure on the wider network.
· Stay up to date with vendor security patches! NFS-related patches seem to come out thick and fast. If your vendor isn't supplying patches, this could be "a Bad Thing." They might simply not be patching known holes.
· Share filesystems on a need-to-have basis. Restrict this to read-only sharing wherever possible. Always specify nosuid as an option, to ensure that the set-id bit is not honored on files created on exported filesystems.
· Remove any references to localhost in your exports file.
· Do not self-reference an NFS server in its own export file.
· Limit export lists to 256 characters (including expanded aliases if aliases are in use).
· Consider using a replacement portmapper that won't forward, or proxy, mount requests.
· Where read-only sharing is possible, consider mounting a locally exported filesystem as read-only (that is, in /etc/vfstab or similar).

NFS version 4 is the next generation of NFS. Production-ready implementations are not readily available as yet. See http://www.nfsv4.org for more information. Alternatives to NFS include AFS (http://www.contrib.andrew.cmu.edu/~shadow/afs.html) and CODA (http://www.coda.cs.cmu.edu/).
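As an added example (not from the article), a small Python audit of Solaris-style /etc/dfs/dfstab share lines against the checklist above: writable or unrestricted exports, missing nosuid, localhost and self-references, and over-long export lists. The sample dfstab, its host names and the server name nfs1 are constructed.

```python
import shlex

# Constructed sample /etc/dfs/dfstab, not taken from the article: a careless
# share, a share relying on defaults, and a hardened read-only share.
SAMPLE_DFSTAB = """\
# /etc/dfs/dfstab (constructed example)
share -F nfs -o rw=localhost:nfs1,nosuid /export/home
share -F nfs /export/tools
share -F nfs -o ro=build1:build2,nosuid -d "release docs" /export/docs
"""

def parse_share(line):
    """Return (path, {option: value}) for a Solaris-style share(1M) line."""
    argv, opts, path, i = shlex.split(line), {}, None, 1
    while i < len(argv):
        if argv[i] == "-o":                     # comma-separated option list
            for opt in argv[i + 1].split(","):
                key, _, val = opt.partition("=")
                opts[key] = val
            i += 2
        elif argv[i] in ("-F", "-d"):           # fstype / description: skip its argument
            i += 2
        else:                                   # remaining token is the shared path
            path, i = argv[i], i + 1
    return path, opts

def audit_dfstab(text, server_name, max_list=256):
    """Flag shares that violate the hardening advice; returns a list of (path, message)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("share"):        # skip comments and blank lines
            continue
        path, opts = parse_share(line)
        acl = [h for k in ("rw", "ro") for h in opts.get(k, "").split(":") if h]
        if "rw" not in opts and "ro" not in opts:
            findings.append((path, "no access option: defaults to read-write for all clients"))
        elif opts.get("rw") == "":              # bare rw: no host list at all
            findings.append((path, "rw with no host list: writable by all clients"))
        elif "rw" in opts:
            findings.append((path, "read-write export: prefer ro where possible"))
        if "nosuid" not in opts:
            findings.append((path, "missing nosuid: set-id bits honoured on exported files"))
        if "localhost" in acl:
            findings.append((path, "export list references localhost"))
        if server_name in acl:
            findings.append((path, "server references itself in its own export list"))
        if len(":".join(acl)) > max_list:
            findings.append((path, f"export list longer than {max_list} characters"))
    return findings

if __name__ == "__main__":
    for path, msg in audit_dfstab(SAMPLE_DFSTAB, "nfs1"):
        print(f"{path}: {msg}")
```

Only the hardened /export/docs share passes clean; the other two produce the findings the checklist predicts.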