LinuxQuestions.org
Old 03-22-2005, 03:28 AM   #1
jess1975
How can I secure NFS


How can I secure NFS with restricted access, or to user x only, or whatever?

Because right now everything is wide open to all users.
 
Old 03-22-2005, 03:31 AM   #2
Harlin
Hi jess1975,

Here's a start: http://publib16.boulder.ibm.com/pser...secure_nfs.htm

Cheers,

Harlin
 
Old 03-22-2005, 03:43 AM   #3
jess1975
I'd read that too, but it's not what I'm really looking for.

I want to be able to connect to a certain share as one user only. I don't want anonymous users to be able to read/write the share.
 
Old 03-22-2005, 05:32 AM   #4
acummings
Hi,

I'm no security meister. And, given that, some of the basics on NFS that I discovered pertinent to your "limiting" are as follows:

The share(s), or what is so-called "exported", is the starting point. It is controlled/managed by the /etc/exports file.

On the computer that is to be the host (the machine with the shared folder(s)), it is the

/etc/exports

file that has to do with this. In it, I think that

/usr/local/networkbackup *(rw)

That's a (for instance) line from /etc/exports. The * means anyone or any computer can connect to that shared folder, with read and write access as per the (rw). A potential exception is root, unless the no_root_squash option is used; however, do not use no_root_squash except for only a couple of isolated computers, and only if you also know what it's all about. In NFS, root normally gets "squashed" (permissions downgraded to those of an ordinary user). no_root_squash is the inverse of that: it lets root still be root and do totally whatever to your machine.
----

http://linux.omnipotent.net/article....ticle_id=12432

Exporting File Systems With NFS

More (for instance) lines from an /etc/exports file there show looser versus tighter permissions on the "exported" share. Hint: * is the loosest. (ro) is read only. A specific machine (without a *) is tighter or more restrictive.


http://www.google.com/linux?hl=en&lr...=Google+Search

I've also turned off the NFS server when NFS is not in use. No running NFS server, no NFS file sharing.

--
Alan.
 
Old 03-22-2005, 05:35 AM   #5
acummings
I perhaps mistook "one user" to mean one machine. Sorry. I do not know how to allow only one certain user from one certain machine.

Alan.
 
Old 03-22-2005, 05:41 AM   #6
acummings
OTOH

/home/josh/work bob(rw) mary(rw) john(rw) simon(ro)


Perhaps that for-instance line from the URL in my former post is sharing to only certain users, but that's a guess on my part.

Alan.
 
Old 03-22-2005, 08:25 AM   #7
fr_laz
Hi,

I believe that in a line from /etc/exports such as:
/home/me/movies foobar(rw)

foobar can only be a machine (hostname or IP address), not a user.

An NFS share has the permissions of the original file system that is shared:
Code:
$ ls -l movies/file1
-rwxr-x---  23 foo  bar            0 Oct 26 10:37 movies/file1
$ grep foo /etc/passwd
foo:x:1001:100::/home/foo:/bin/bash
$ grep bar /etc/group
bar:x:1002:
With this config, and that line in /etc/exports, the user that has UID 1001 on the foobar machine will be seen as the owner of the shared movies/file1 file. The members of the group with GID 1002 will have r-x permissions....

So by correctly setting permissions you can limit users' rights, BUT (because there's a GREAT HUGE BUT): you have to synchronise your UIDs/GIDs on all the machines that have access to the NFS share.

In a big network, that means using NIS, LDAP or other.

And even with such a system, someone with root access can change the user IDs, and so get full access easily. Of course root access must be limited to administrators... but if I come with my laptop, I'll be root on that machine too, and will be able to use whatever UID/GID I want... so you also need to control network access.

All this is why I prefer using Samba shares, which can be controlled with a user/password request (but that has its own security issues too).
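Editor's added example, serving both acummings' post on /etc/exports options (#4) and fr_laz's point about UID trust (#7). It is not code from the thread or from any NFS project. The exports(5) syntax it parses is real, including the trap where a space between the host and "(rw)" makes those options apply to the whole world; the sample exports file, the severity policy in audit(), and the assumption that sec=krb5* is the only flavour that stops a root-on-a-laptop client from claiming any UID are this script's own. The effective_uid() function models root_squash (the default), no_root_squash and all_squash/anonuid as exports(5) documents them.

```python
"""Audit /etc/exports for the weaknesses raised in this thread.

Added example, not code from the original thread. The exports(5) syntax is
real; the sample file and the severity policy in audit() are constructed
assumptions of this script.
"""
import re
from dataclasses import dataclass, field

# exports(5): "<path> <client>(<opts>) <client>(<opts>) ...". Options sit in
# parentheses directly after the client with no space. A client without
# parentheses gets the kernel defaults (ro, root_squash, secure, sec=sys).
CLIENT_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?(?=\s|$)")
ANON_DEFAULT = 65534  # exports(5) default anonuid/anongid ("nobody")


@dataclass
class Export:
    path: str
    client: str
    options: list = field(default_factory=list)
    quirk: bool = False  # options were separated from the client by a space


def parse_exports(text):
    """Parse exports(5) text into one Export per (path, client) pair."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        for client, opts in CLIENT_RE.findall(rest):
            options = [o for o in opts.split(",") if o]
            quirk = False
            # "host (rw)": the detached "(rw)" is its own token, and exports(5)
            # applies such options to every client, not to "host".
            if client.startswith("(") and client.endswith(")"):
                options = [o for o in client[1:-1].split(",") if o]
                client, quirk = "*", True
            exports.append(Export(path, client, options, quirk))
    return exports


def sec_flavor(exp):
    """The sec= flavour list for an export; AUTH_SYS ('sys') if none is set."""
    for o in exp.options:
        if o.startswith("sec="):
            return o[4:]
    return "sys"


def audit(exp):
    """Findings for one export entry (the policy is this script's assumption)."""
    findings = []
    opts = set(exp.options)
    if exp.quirk:
        findings.append("space before '(...)': those options apply to every host, not the named one")
    if exp.client == "*" or exp.client.startswith("*."):
        findings.append("wildcard client: any host that can reach the server may mount")
    if "no_root_squash" in opts:
        findings.append("no_root_squash: remote root keeps UID 0 on the export")
    if "insecure" in opts:
        findings.append("insecure: requests accepted from unprivileged source ports")
    flavors = sec_flavor(exp).split(":")
    if "sys" in flavors or not any(f.startswith("krb5") for f in flavors):
        findings.append(f"sec={':'.join(flavors)}: server trusts the UID/GID the client "
                        "sends; root on any allowed client can pick any UID")
    return findings


def effective_uid(exp, claimed_uid):
    """UID the server acts as for an AUTH_SYS request that claims claimed_uid."""
    opts = exp.options
    anon = next((int(o[8:]) for o in opts if o.startswith("anonuid=")), ANON_DEFAULT)
    if "all_squash" in opts:
        return anon
    if claimed_uid == 0 and "no_root_squash" not in opts:
        return anon  # root_squash is the default
    return claimed_uid


# Constructed sample, not taken from any real server.
SAMPLE_EXPORTS = """\
# constructed sample
/usr/local/networkbackup *(rw)
/home/josh/work bob(rw) mary(rw) simon(ro)
/srv/scratch 192.168.1.0/24(rw,sync,no_root_squash)
/srv/projects trusted.example.com(rw,sync,root_squash,sec=krb5p)
/srv/oops host1 (rw)
/srv/public *(ro,all_squash,anonuid=4000,anongid=4000)
"""

if __name__ == "__main__":
    for e in parse_exports(SAMPLE_EXPORTS):
        print(f"{e.path} {e.client}({','.join(e.options)})")
        for finding in audit(e) or ["ok"]:
            print("   ", finding)
        print("    remote root acts as UID", effective_uid(e, 0))
```

Run it as-is to see the report for the constructed sample, or feed it the real file with parse_exports(open("/etc/exports").read()). The only entry that comes back clean is the one that names a specific host, keeps root_squash and uses sec=krb5p: with Kerberos the server derives the user from the ticket, so the UID a client claims no longer matters, which is the hole fr_laz describes. The "host1 (rw)" line shows why the space matters: host1 gets read-only defaults while the world gets rw.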