Improving your NFS server security
NFS (Network File System) allows hosts to mount remote partitions (from
other systems) and use them as local files. NFS is very easy to configure,
but some additional steps are necessary to improve its security. By default,
the file systems to be exported are listed in the file /etc/exports.
Restrict the directories to be exported.
If you want to export, for example, the directory /home/name/xx, you do not
need to export all of /home or all of /home/name. Export only
/home/name/xx:
/home/name/xx 192.168.1.1(ro)
Restrict the IPs that will be able to access the directories.
NFS allows you to control which IPs will be able to access your system, so
use it! If you need to export a directory to the IP 192.168.1.1, or to the
network 192.168.1.0/24, allow only those hosts to access it.
/home/name/xx 192.168.1.0/24(ro)
Restrict root access to your files.
If someone on another machine has root access, it does not mean that he
needs root access to your exported directory. The option root_squash
provides this kind of control: requests from the remote root user are mapped
to the anonymous user. You can apply the same mapping to all users with the
option all_squash (all users will access your directories as user "nobody").
/home/name/xx 192.168.1.0/24(root_squash,ro)
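
One way to check an exports file against the three recommendations above. This is an added example, not part of the original page; the function names, the sample entries and the "broad path" heuristic are assumptions, and backslash line continuations are not handled.

```python
# Added example: audit /etc/exports text against the three rules above.
# Constructed sample input, not taken from a real server.
SAMPLE_EXPORTS = """\
# constructed sample
/home            *(rw,no_root_squash)
/home/name/xx    192.168.1.0/24(ro,root_squash)
/srv/data        192.168.1.1 (ro)
"""

def parse_exports(text):
    """Yield (path, client, options) for every client on every export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        # A path with no client list is exported to any host.
        for spec in clients or ["*"]:
            host, _, opts = spec.partition("(")
            options = {o for o in opts.rstrip(")").split(",") if o}
            # "(ro)" standing alone (space before it) has an empty host,
            # so those options apply to every host, not the one before it.
            yield path, host or "*", options

def audit(text):
    """Return (path, client, finding) tuples for entries that break a rule."""
    findings = []
    for path, host, options in parse_exports(text):
        # Heuristic (assumption): "/" or a top-level directory is too broad.
        if path.rstrip("/").count("/") <= 1:
            findings.append((path, host, "broad path"))
        # Wildcard characters in the client mean it is not pinned to a host.
        if "*" in host or "?" in host:
            findings.append((path, host, "wildcard client"))
        # no_root_squash lets remote root act as root on the export.
        if "no_root_squash" in options:
            findings.append((path, host, "root not squashed"))
    return findings

if __name__ == "__main__":
    for path, host, finding in audit(SAMPLE_EXPORTS):
        print(f"{path} -> {host}: {finding}")
```

The third sample entry shows a common slip: a space between the host and its options exports the directory to every host with those options.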
$RootCheck: nfs-conf.php ,v 1.0 2003/10/16, Daniel B. Cid$