15.3 Client-Side NFS Security

NFS can create security issues for NFS clients as well as for NFS servers. Because the files that a client mounts appear in the client's filesystem, an attacker who is able to modify mounted files can directly compromise the client's security.

The primary system that NFS uses for authenticating servers is based on IP host addresses and hostnames. NFS packets are not encrypted or digitally signed in any way. Thus, an attacker can spoof an NFS client either by posing as an NFS server or by changing the data that is en route between a server and the client. In this way, an attacker can force a client machine to run any NFS-mounted executable. In practice, this ability can give the attacker complete control over an NFS client machine.

At mount time, the Unix mount command allows the client system to specify whether SUID files on the remote filesystem will be honored as such. This capability is one of the reasons that the mount command requires superuser privileges to execute. If you provide facilities to allow users to mount their own filesystems (including NFS filesystems as well as filesystems on floppy disks), you should make sure that the facility specifies the nosuid option. Otherwise, users might mount a disk that has a specially prepared SUID program that could cause you some headaches later on.

It's also wise to avoid mounting device files from the server. The nodev option to mount, if available, prevents character and block special devices from being interpreted as such on the client.

NFS can also cause availability and performance issues for client machines. If a client has an NFS partition on a server mounted, and the server becomes unavailable (because it crashed, or because network connectivity is lost), then the client can freeze until the NFS server becomes available. Occasionally, an NFS server will crash and restart and?despite NFS's being a connectionless and stateless protocol?the NFS client's file handles will all become stale. In this case, you may find that it is impossible to unmount the stale NFS filesystem, and your only course of action may be to forcibly restart the client computer.

Here are some guidelines for making NFS clients more reliable and more secure:

  • Try to configure your system such that it is either an NFS server or an NFS client, but not both.

  • Don't allow your NFS clients to mount from NFS servers from outside your organization.

  • Minimize the number of NFS servers that each client mounts. A system is usually far more reliable and more secure if it mounts two hard disks from a single NFS server, rather than mounting partitions from two NFS servers.

  • If possible, disable the honoring of SUID files and devices on mounted partitions.

    Part VI: Appendixes