Exporting Files

When files are exported on an NFS server, the administrator designates which clients can mount specific directory trees located on the server. The type of access may also be given for exported files.

For Sun Microsystems Network Filesystem (NFS), the /etc/exports file contains entries for directories that can be exported to NFS clients. Each line of the /etc/exports file has the following format:

directory -options[,options]...
``Directory'' is the pathname of a directory or a filesystem. ``Options'' allow a variety of security-related options to be specified. It is important that a system administrator is aware of default access that is allowed if certain options are not specified. It is also important that the system administrator is aware of the implications of using or not using certain options. The following list gives examples of how to export files so that the possibility of unauthorized file access is reduced. Examples given apply to the implementation of NFS in SunOS [SUN90b].

• Files should only be exported to clients that need to use those files. Having a line in the /etc/exports file of the format ``/usr'' is strongly discouraged because the /usr directory is being exported to all systems on the network. The ``access=client[:client]...'' option should be used so that mount access is only given to each client listed. The client field can either be a hostname or a netgroup. For remote mounts, the information in a netgroup is used to restrict access to a group of machines.

  The following example exports the /usr directory to clientA and clientB. All other systems are denied permission to mount these files.
  
  /usr -access=clientA:clientB

• Shared files, such as system files, should be exported read only, and owned by root. This will help to prevent system files from being modified. It should be noted that the default is for directories to be exported read-write. The following command exports /usr/bin read-only to the systems clientA, clientB, clientC, and clientD.
  
  /usr/bin -ro,-access=clientA:clientB:clientC:clientD

• Files should not be exported with the ``root=client[:client]...'' option. This option gives root access for root users from specified clients. If a client is impersonated, then an unauthorized user could modify files on the server.

• When possible, the minimal subdirectory tree should be exported. For example, if access is needed only for /usr/bin, /usr/bin should be exported instead of /usr. It is not possible to export either a parent directory or a subdirectory of an exported directory that is within the same filesystem. For example, it would be illegal to export both /usr and /usr/local if both directories resided on the same disk partition. As a result, sometimes it is necessary to give access to more files for more clients than is desired.

• The showmount command can be used to print all directories that are exported for either a local system or a remote system. Systems that do not export directories to specific clients are particularly vulnerable because the output of the showmount command will reveal that any client on the network can mount the directory. If a system is using the /etc/hosts facility, the /etc/exports file can contain aliases for host names. Using aliases for client names will prevent showmount from revealing which clients have permission to mount specific directories.

It is advisable for administrators to regularly inspect the file which gives permission for directories to be exported to clients (i.e., the /etc/exports file for SunOS) to verify that entries have not been modified.

In order to protect a system from unauthorized setuid and setgid programs, it is advisable to mount all files with the nosuid option. Use of the nosuid option provides a measure of protection on the client from someone with root access on the server gaining root access on the client through a setuid program that grants root privileges to the user executing the program. For example, the superuser on the server can create an executable file (e.g., a copy of sh) with setuid root, i.e., when sh is run, it runs as root. If this file is exported to a client, then any user on that client who can execute that file can become superuser on the client.