home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  


Practical UNIX & Internet Security

Practical UNIX & Internet SecuritySearch this book
Previous: 20.2 Server-Side NFS Security Chapter 20
NFS
Next: 20.4 Improving NFS Security
 

20.3 Client-Side NFS Security

NFS can create security issues for NFS clients as well as servers. Because the files that a client mounts appear in the client's filesystem, an attacker who is able to modify mounted files can directly compromise the client's security.

The primary system that NFS uses for authenticating servers is based on IP host addresses and hostnames. NFS packets are not encrypted or digitally signed in any way. Thus, an attacker can spoof an NFS client either by posing as an NFS server or by changing the data that is en route between a server and the client. In this way, an attacker can force a client machine to run any NFS -mounted executable. In practice, this ability can give the attacker complete control over an NFS client machine.

At mount time, the UNIX mount command allows the client system to specify whether or not SUID files on the remote filesystem will be honored as such. This capability is one of the reasons that the mount command requires superuser privileges to execute. If you provide facilities to allow users to mount their own filesystems (including NFS filesystems as well as filesystems on floppy disks), you should make sure that the facility specifies the nosuid option. Otherwise, users might mount a disk that has a specially prepared SUID program that could cause you some headaches later on.

NFS can also cause availability and performance issues for client machines. If a client has an NFS partition on a server mounted, and the server becomes unavailable (because it crashed, or because network connectivity is lost), then the client can freeze until the NFS server becomes available. Occasionally, an NFS server will crash and restart and - despite NFS 's being a connectionless and stateless protocol - the NFS client's file handles will all become stale . In this case, you may find that it is impossible to unmount the stale NFS filesystem, and your only course of action may be to forcibly restart the client computer.

Here are some guidelines for making NFS clients more reliable and more secure:

  • Make sure that your computer is either an NFS server or an NFS client, but not both.

  • If possible, do not allow users to log into your NFS server.

  • Don't allow your NFS clients to mount NFS servers outside your organization.

  • Minimize the number of NFS servers that each client mounts. A system is usually far more reliable and more secure if it mounts two hard disks from a single NFS server, rather than mounting partitions from two NFS servers.

  • If possible, disable the honoring of SUID files and devices on mounted partitions.


Previous: 20.2 Server-Side NFS Security Practical UNIX & Internet Security Next: 20.4 Improving NFS Security
20.2 Server-Side NFS Security Book Index 20.4 Improving NFS Security