Practical UNIX & Internet Security

Practical UNIX & Internet SecuritySearch this book
Previous: 20.2 Server-Side NFS SecurityChapter 20
NFS
Next: 20.4 Improving NFS Security
 

20.3 Client-Side NFS Security

NFS can create security issues for NFS clients as well as servers. Because the files that a client mounts appear in the client's filesystem, an attacker who is able to modify mounted files can directly compromise the client's security.

The primary system that NFS uses for authenticating servers is based on IP host addresses and hostnames. NFS packets are not encrypted or digitally signed in any way. Thus, an attacker can spoof an NFS client either by posing as an NFS server or by changing the data that is en route between a server and the client. In this way, an attacker can force a client machine to run any NFS-mounted executable. In practice, this ability can give the attacker complete control over an NFS client machine.

At mount time, the UNIX mount command allows the client system to specify whether or not SUID files on the remote filesystem will be honored as such. This capability is one of the reasons that the mount command requires superuser privileges to execute. If you provide facilities to allow users to mount their own filesystems (including NFS filesystems as well as filesystems on floppy disks), you should make sure that the facility specifies the nosuid option. Otherwise, users might mount a disk that has a specially prepared SUID program that could cause you some headaches later on.

NFS can also cause availability and performance issues for client machines. If a client has an NFS partition on a server mounted, and the server becomes unavailable (because it crashed, or because network connectivity is lost), then the client can freeze until the NFS server becomes available. Occasionally, an NFS server will crash and restart and - despite NFS's being a connectionless and stateless protocol - the NFS client's file handles will all become stale. In this case, you may find that it is impossible to unmount the stale NFS filesystem, and your only course of action may be to forcibly restart the client computer.

Here are some guidelines for making NFS clients more reliable and more secure:


Previous: 20.2 Server-Side NFS SecurityPractical UNIX & Internet SecurityNext: 20.4 Improving NFS Security
20.2 Server-Side NFS SecurityBook Index20.4 Improving NFS Security