15.3 Client-Side NFS Security
NFS can create security issues for NFS
clients as well as for NFS servers. Because the files that a client
mounts appear in the client's filesystem, an
attacker who is able to modify mounted files can directly compromise
the client's security.
The primary system that NFS uses for authenticating servers is based
on IP host addresses and hostnames. NFS packets are not encrypted or
digitally signed in any way. Thus, an attacker can spoof an NFS
client either by posing as an NFS server or by changing the data that
is en route between a server and the client. In this way, an attacker
can force a client machine to run any NFS-mounted executable. In
practice, this ability can give the attacker complete control over an
NFS client machine.
At mount time, the Unix mount command allows the
client system to specify whether SUID files on the remote filesystem
will be honored as such. This capability is one of the reasons that
the mount command requires superuser privileges
to execute. If you provide facilities to allow users to mount their
own filesystems (including NFS filesystems as well as filesystems on
floppy disks), you should make sure that the facility specifies the
nosuid option. Otherwise, users might mount a
disk that has a specially prepared SUID program that could cause you
some headaches later on.
It's also wise to avoid mounting device files from
the server. The nodev option to
mount, if available, prevents character and
block special devices from being interpreted as such on the client.
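As an added example (not from the book), a portable shell audit script that checks a client's current NFS mounts for the nosuid and nodev options discussed above. The mount lines it runs against are constructed for this example, and the server names and export paths in it are placeholders.

```shell
#!/bin/sh
# Added audit script (not from the book): list NFS mounts that lack the
# nosuid or nodev options described above. Input is /proc/mounts format:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>
# A weak /etc/fstab entry and its hardened form look like:
#   fileserver:/export/home  /home  nfs  rw,hard               0 0
#   fileserver:/export/home  /home  nfs  rw,hard,nosuid,nodev  0 0

# Constructed sample in /proc/mounts format (not from a real host).
SAMPLE_MOUNTS='fileserver:/export/home /home nfs rw,hard,intr,nosuid,nodev 0 0
fileserver:/export/tools /usr/local/tools nfs4 rw,hard,nosuid 0 0
other:/pub /mnt/pub nfs rw,soft 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# has_opt OPTS NAME: succeed if NAME is a whole option in the
# comma-separated list OPTS (so "nosuid" does not match "nosuidx").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts: read /proc/mounts-style lines on stdin and print one line
# per NFS mount missing nosuid or nodev. Returns 1 if anything was
# flagged, 0 if every NFS mount carries both options.
audit_mounts() {
    rc=0
    while read -r src mnt fstype opts _dump _pass; do
        case "$fstype" in
            nfs|nfs4) ;;        # only NFS mounts are of interest
            *) continue ;;
        esac
        missing=""
        has_opt "$opts" nosuid || missing="$missing nosuid"
        has_opt "$opts" nodev  || missing="$missing nodev"
        if [ -n "$missing" ]; then
            printf '%s on %s: missing%s\n' "$src" "$mnt" "$missing"
            rc=1
        fi
    done
    return "$rc"
}

# Run against the sample; on a real client use: audit_mounts < /proc/mounts
if printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts; then
    echo "all NFS mounts carry nosuid and nodev"
else
    echo "review the mounts listed above and add the missing options in /etc/fstab"
fi
```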
NFS can also cause availability and performance issues for client
machines. If a client has an NFS partition on a server mounted, and
the server becomes unavailable (because it crashed, or because
network connectivity is lost), then the client can freeze until the
NFS server becomes available. Occasionally, an NFS server will crash
and restart and—despite NFS's being a
connectionless and stateless protocol—the NFS
client's file handles will all become stale. In this
case, you may find that it is impossible to unmount the stale NFS
filesystem, and your only course of action may be to forcibly restart
the client computer.
Here are some guidelines for making NFS clients more reliable and
more secure:
Try to configure your system such that it is either an NFS server or
an NFS client, but not both.
Don't allow your NFS clients to mount from NFS
servers from outside your organization.
Minimize the number of NFS servers that each client mounts. A system
is usually far more reliable and more secure if it mounts two hard
disks from a single NFS server, rather than mounting partitions from
two NFS servers.
If possible, disable the honoring of SUID files and devices on
mounted partitions.