paulgorman.org/technical

NFS: A Quick Rundown

Network File System.

Security

WARNING: NFS can be insecure.

It sends data in the clear, and authenticates clients only by host name or IP address.

The server’s file system permissions apply to the share, but if a user on the client has a name (or uid) that collides with an account on the server, that client user could gain inappropriate access.

By default, NFS does “root squashing”, which maps anyone accessing the share as root (i.e. the root user of the client machine) to the server’s nobody account. This should not be turned off!

NFSv4 includes significant security enhancements over previous versions, including ACLs and Kerberos authentication of individual users.

Server Side

Define shares in /etc/exports. See exports(5).

/share client1 client2

After making changes to /etc/exports, on Linux do:

exportfs -ra

or on FreeBSD do:

kill -s HUP `cat /var/run/mountd.pid`
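As an added example (not part of the original page), this Python script audits entries in Linux exports(5) syntax for the risks listed under Security: disabled root squashing, exports open to every host, and entries that rely only on host name/IP trust. The sample file and the function names parse_exports and audit are constructed for illustration.

```python
import re

# Constructed sample in Linux exports(5) syntax; not from the original page.
SAMPLE_EXPORTS = """\
/share    client1 client2
/scratch  *(rw,no_root_squash)
/home     192.168.1.0/24(rw,sec=krb5p)
/pub      client3 (ro)   # stray space: "(ro)" is a separate, host-less entry
"""

# A client spec is "client", "client(opt,opt)" or "(opt,opt)" (no client name).
SPEC = re.compile(r"^(?P<client>[^()]*)(?:\((?P<opts>[^()]*)\))?$")

def parse_exports(text):
    """Yield (path, client, options) per client spec. Quoted paths and
    '-option' default lists are not handled (simplifying assumption)."""
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        fields = raw.split("#", 1)[0].split()           # drop comments
        for spec in fields[1:]:
            m = SPEC.match(spec)
            if m:
                opts = [o for o in (m["opts"] or "").split(",") if o]
                yield fields[0], m["client"], opts

def audit(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        who = client or "<any host>"
        if client in ("", "*"):
            findings.append((path, who, "exported to every host"))
        if "no_root_squash" in opts:
            findings.append((path, who, "root squashing disabled"))
        # sec= defaults to sys (host-based trust) when not given.
        sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
        if not any(f.startswith("krb5") for f in sec.split(":")):
            findings.append((path, who, "host/IP trust only, no Kerberos"))
    return findings

if __name__ == "__main__":
    for path, who, finding in audit(SAMPLE_EXPORTS):
        print(f"{path:10} {who:18} {finding}")
```

The /pub line shows a classic mistake: the space before "(ro)" makes it a separate entry with no client name, which exports the path to every host.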

Client Side

Mount the share with a command like:

mount -t nfs nfsServer:/shareName /localMountPoint

NFS mounts can be added to the client fstab.

Useful Commands

nfsstat        Show NFS activity statistics

rpcinfo -p     Probe RPC on this host, and show all registered listeners

showmount -e   Show the host’s exports list

Minimal NFSv4 Setup
