Cover V10, I12

Security Measures and Resources

Linux Security

Several of the daemons that provide Linux's NFS services offer an additional layer of access control through their internal inclusion of the tcp_wrapper library, which uses /etc/hosts.allow and /etc/hosts.deny to build access control lists. A complete review of the tcp_wrapper rules is beyond the scope of this article, but the basic rule is that the first matching entry is acted on immediately: /etc/hosts.allow is checked first, then /etc/hosts.deny. If no rule is found, then the requested service will not be allowed. To get around this last requirement and ensure very tight security, an:

ALL: All
can be added as the last entry in /etc/hosts.deny. Then /etc/hosts.allow can be used to permit specific behavior. For example, for this article, I used the following entries in /etc/hosts.allow:

lockd:192.168.1.0/255.255.255.0
mountd:192.168.1.0/255.255.255.0
portmap:192.168.1.0/255.255.255.0
rquotad:192.168.1.0/255.255.255.0
statd:192.168.1.0/255.255.255.0
This restricts each daemon to specific hosts before any application-level access control is applied.
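The following is an added example, not code from the article: it simulates the tcp_wrapper decision order (hosts.allow first, then hosts.deny, then the default) against a copy of the hosts.allow entries above. The daemon names, client addresses and the two hosts.deny variants are constructed sample data, and only the ALL keyword, plain IP addresses and net/mask client patterns are handled. It shows concretely why the ALL: ALL line matters: as documented in hosts_access(5), a request that matches neither file is granted, so without the catch-all a daemon not listed in hosts.allow, or a client outside 192.168.1.0/24, still gets through.

```python
"""Added example (not from the article): simulate the tcp_wrappers decision
order for the hosts.allow entries shown above.  Rules, daemon names and
client addresses are constructed sample data."""
import ipaddress

# Constructed copy of the article's /etc/hosts.allow entries.
HOSTS_ALLOW = """\
lockd:192.168.1.0/255.255.255.0
mountd:192.168.1.0/255.255.255.0
portmap:192.168.1.0/255.255.255.0
rquotad:192.168.1.0/255.255.255.0
statd:192.168.1.0/255.255.255.0
"""

HOSTS_DENY_OPEN = ""              # no catch-all entry at all
HOSTS_DENY_CLOSED = "ALL: ALL\n"  # the catch-all recommended above


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...]; comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, client_ip):
    """ALL, a net/mask pattern such as 192.168.1.0/255.255.255.0, or an exact address."""
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip


def daemon_matches(pattern, daemon):
    return pattern.upper() == "ALL" or pattern == daemon


def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, client_ip) for c in clients))


def access_decision(daemon, client_ip, allow_text, deny_text):
    """First match wins: hosts.allow, then hosts.deny, then the default."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client_ip):
            return "allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client_ip):
            return "deny"
    # Neither file matched: tcp_wrappers grants access.  This is the case
    # the ALL: ALL line in hosts.deny is there to close.
    return "allow"


if __name__ == "__main__":
    for daemon, ip in [("mountd", "192.168.1.20"), ("mountd", "10.0.0.5"),
                       ("statd", "192.168.2.1"), ("sshd", "10.0.0.5")]:
        without = access_decision(daemon, ip, HOSTS_ALLOW, HOSTS_DENY_OPEN)
        with_all = access_decision(daemon, ip, HOSTS_ALLOW, HOSTS_DENY_CLOSED)
        print(f"{daemon:8} from {ip:14} no catch-all: {without:5}  with ALL: ALL: {with_all}")
```

Running the script prints one line per constructed request; only the 192.168.1.0/24 client reaching a listed daemon is allowed once the catch-all is in place.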

At the application level, the Linux /etc/exports file provides control as well. /etc/exports is made up of entries with the following format:

export directory {space} host|network(options)
The export directory is the directory that nfsd is allowed to serve when requested. The host|network is the host or network that is allowed to access the exported file system, and the options determine which limitations nfsd applies to the share, such as read-only access or user ID mapping.

The following example is used to export /home/mcwrite.net to the complete mcwrite.net domain in read-only mode:

/home/mcwrite.net    *.mcwrite.net(ro)
The exports man page gives some additional examples.
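As an added example, not part of the article, the script below parses entries in the format just described, reports which exports a given client could mount, and flags entries a reviewer would want to look at (exports to every host, writable wildcards, entries with no options). The article's read-only example is the first line of the constructed /etc/exports sample; the other directories, host patterns and the audit rules are assumptions of this example, not anything the article prescribes.

```python
"""Added example (not from the article): parse /etc/exports entries of the
form  directory host|network(options)  and audit them.  Directories, hosts
and options below are constructed sample data."""
import fnmatch
import ipaddress
import re

# Constructed sample /etc/exports; only the first line is the article's example.
EXPORTS = """\
/home/mcwrite.net    *.mcwrite.net(ro)
/srv/builds          192.168.1.0/255.255.255.0(rw,sync)
/pub                 *(ro)
/scratch             *      # no options given at all
"""

# One host token: a pattern, optionally followed by (option,option,...).
HOST_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?(?:\s+|$)")


def parse_exports(text):
    """Return [(directory, [(host_pattern, [option, ...]), ...]), ...]."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        directory, _, rest = line.partition(" ")
        hosts = []
        for host, opts in HOST_RE.findall(rest.strip()):
            options = [o.strip() for o in opts.split(",") if o.strip()]
            hosts.append((host, options))
        entries.append((directory, hosts))
    return entries


def host_matches(pattern, client):
    """client is a hostname or an IP address string."""
    if pattern == "*":
        return True
    if "/" in pattern:  # network/netmask form
        try:
            return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # client is a hostname, not an address
            return False
    return fnmatch.fnmatchcase(client, pattern)


def exports_for(client, text=EXPORTS):
    """Map each directory the client may mount to the matching entry's options."""
    reachable = {}
    for directory, hosts in parse_exports(text):
        for pattern, options in hosts:
            if host_matches(pattern, client):
                reachable[directory] = options
                break
    return reachable


def audit(text=EXPORTS):
    """Flag entries worth a second look: world exports, writable wildcards,
    and entries with no options at all (so nfsd's defaults apply)."""
    findings = []
    for directory, hosts in parse_exports(text):
        for pattern, options in hosts:
            if pattern == "*":
                findings.append((directory, "exported to every host"))
            if "rw" in options and pattern.startswith("*"):
                findings.append((directory, f"writable by wildcard {pattern}"))
            if not options:
                findings.append((directory, "no options given; nfsd defaults apply"))
    return findings


if __name__ == "__main__":
    for client in ("ws1.mcwrite.net", "192.168.1.7", "10.1.2.3"):
        print(client, "->", exports_for(client))
    for directory, message in audit():
        print(f"{directory}: {message}")
```

Only the patterns the article shows (a domain wildcard and a network/netmask) plus the bare `*` are matched; other exportfs host syntaxes are outside this example.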

Solaris NFS Security

Solaris provides NFS security similar to Linux's; the corresponding parameters are passed to the share command with its -o (options) flag.

For example, to allow /export/mcwrite.net to be mounted read only by any host in the domain mcwrite.net, use:

#share -F nfs -o ro=.mcwrite.net /export/mcwrite.net
The man page for share_nfs gives a thorough overview of Solaris's access control lists.

Resources

NFS and RPC have had their share of security holes. Generally, NFS should not be used on the Internet, and holes should not be poked through firewalls to allow NFS access. Additionally, security patches for RPC and NFS should be closely watched using multiple sources of security information. Two popular sources are Bugtraq and CERT. Bugtraq:

http://www.securityfocus.com
can be searched regularly or subscribed to. The CERT Coordination Center:

http://www.cert.org/
is also a good source for security information. Although its advisories are often not as timely as those of other sources, the information provided is thorough and avoids much of the sensational journalism of some security sites.