NFS is a widely used file-sharing protocol. It allows servers running nfsd and mountd to "export" entire file systems to other machines using the NFS filesystem support built into their kernels (or some other client support if they are not Linux machines). mountd keeps track of mounted file systems in /etc/mtab, and can display them with showmount.
Many sites use NFS to serve home directories to users, so that no matter which machine in the cluster they log in to, they will have all their home files. Exporting file systems allows only a small amount of security. You can make your nfsd map the remote root user (uid=0) to the nobody user, denying it total access to the exported files. However, since individual users have access to their own files (or at least to files with the same uid), the remote root user can log in or su to their account and have total access to their files. This is only a small hindrance to an attacker who is able to mount your remote file systems.
Export the root dir to the workstation. The basic idea is to edit /etc/exports to include a line similar to one of the following:
For example, a DHCP client receiving an IP address on a class C subnet would need an exports entry similar to this:
The no_root_squash parameter allows the superuser (root) to be treated as such by the NFS server; otherwise root will be remapped to nobody and will generally be unable to do anything useful with the filesystem. The no_all_squash parameter is similar but applies to non-root users. See the exports(5) man page for details.
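As an added example (not code from the page), a small Python checker that parses exports(5)-style entries and flags the settings discussed above: no_root_squash, no_all_squash, and exports open to every host. The sample exports content, paths and hostnames are constructed for illustration.

```python
# Constructed sample /etc/exports (not from the page), in exports(5) syntax:
# one entry with the default root_squash, two that disable it.
SAMPLE_EXPORTS = """\
# home directories: remote root is remapped to nobody (root_squash is the default)
/home       192.168.1.0/24(rw,sync)
# whole root filesystem exported to one workstation with squashing disabled
/           ws1.example.com(rw,no_root_squash)
# exported to every host, read-write, no uid mapping at all
/srv/share  *(rw,no_all_squash,no_root_squash)
"""

def parse_exports(text):
    """Return [(path, client, [options])] for each client of each export line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        if not clients:                               # bare path: any host, default options
            clients = ["*"]
        for token in clients:
            # exports(5) allows no whitespace between client and "(options)"
            client, _, opts = token.partition("(")
            options = [o for o in opts.rstrip(")").split(",") if o]
            entries.append((path, client or "*", options))
    return entries

def audit_exports(text):
    """Flag the weaknesses the article warns about; returns [(path, client, issue)]."""
    findings = []
    for path, client, options in parse_exports(text):
        if "no_root_squash" in options:
            findings.append((path, client, "remote root keeps uid 0 (no_root_squash)"))
        if "no_all_squash" in options:
            findings.append((path, client, "remote uids trusted as-is (no_all_squash)"))
        if client == "*":
            access = "read-write" if "rw" in options else "read-only"
            findings.append((path, client, f"exported to every host ({access})"))
    return findings

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<12}{client:<20}{issue}")
```

Run it against the real file with audit_exports(open("/etc/exports").read()) to list the entries worth a second look.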
You will have to notify the NFS server after making any changes to the exports file. Under Red Hat this can easily be done by typing /etc/rc.d/init.d/nfs stop; /etc/rc.d/init.d/nfs start. On other systems, a simple /etc/rc.d/init.d/nfs restart or even exportfs -a may suffice, while on older machines running the user-mode NFS daemon you may actually need to killall -HUP rpc.mountd; killall -HUP rpc.nfsd. (Do not killall -HUP rpc.portmap, however!)
You may also need to edit /etc/hosts.allow and/or /etc/hosts.deny if tcp_wrappers are installed. In particular, if the remote system (client) gets RPC: connection refused errors, /etc/hosts.deny probably contains portmap: ALL or ALL: ALL. To enable the client to use the server's portmapper, add a corresponding line to /etc/hosts.allow:
portmap: <client-IP-number>
portmap: <2nd-client-IP-number>
portmap: <client-IP-network>/<client-IP-netmask>
There is no need to restart anything in this case. You can check by running rpcinfo -p on the NFS server and rpcinfo -p NFS-server on a Linux client within the allowed range; the RPC services listed by both should match.
The General Options tab allows the following options to be configured:
The User Access tab allows the following options to be configured: