NFS Howto Server
From Linux NFS
(→/etc/hosts.allow and /etc/hosts.deny) |
|||
Line 49: | Line 49: | ||
Third, device or other special files may not export correctly to non-Linux clients. See Section 8 for details on particular operating systems. | Third, device or other special files may not export correctly to non-Linux clients. See Section 8 for details on particular operating systems. | ||
===== /etc/hosts.allow and /etc/hosts.deny ===== | ===== /etc/hosts.allow and /etc/hosts.deny ===== | ||
+ | These two files specify which computers on the network can use services on your machine. Each line of the file contains a single entry listing a service and a set of machines. When the server gets a request from a machine, it does the following: | ||
+ | *It first checks ''hosts.allow'' to see if the machine matches a description listed in there. If it does, then the machine is allowed access. | ||
+ | *If the machine does not match an entry in ''hosts.allow'', the server then checks ''hosts.deny'' to see if the client matches a listing in there. If it does then the machine is denied access. | ||
+ | *If the client matches no listings in either file, then it is allowed access. | ||
+ | |||
+ | In addition to controlling access to services handled by ''inetd'' (such as telnet and FTP), this file can also control access to NFS by restricting connections to the daemons that provide NFS services. Restrictions are done on a per-service basis. | ||
+ | |||
+ | The first daemon to restrict access to is the portmapper. This daemon essentially just tells requesting clients how to find all the NFS services on the system. Restricting access to the portmapper is the best defense against someone breaking into your system through NFS because completely unauthorized clients won't know where to find the NFS daemons. However, there are two things to watch out for. First, restricting portmapper isn't enough if the intruder already knows for some reason how to find those daemons. And second, if you are running NIS, restricting portmapper will also restrict requests to NIS. That should usually be harmless since you usually want to restrict NFS and NIS in a similar way, but just be cautioned. (Running NIS is generally a good idea if you are running NFS, because the client machines need a way of knowing who owns what files on the exported volumes. Of course there are other ways of doing this such as syncing password files. See the [http://www.linuxdoc.org/HOWTO/NIS-HOWTO.html NIS HOWTO] for information on setting up NIS.) | ||
+ | |||
+ | In general it is a good idea with NFS (as with most internet services) to explicitly deny access to IP addresses that you don't need to allow access to. | ||
+ | |||
+ | The first step in doing this is to add the followng entry to ''/etc/hosts.deny'': | ||
+ | <pre> | ||
+ | portmap:ALL | ||
+ | </pre> | ||
+ | Starting with nfs-utils 0.2.0, you can be a bit more careful by controlling access to individual daemons. It's a good precaution since an intruder will often be able to weasel around the portmapper. If you have a newer version of nfs-utils, add entries for each of the NFS daemons (see the next section to find out what these daemons are; for now just put entries for them in ''hosts.deny''): | ||
+ | <pre> | ||
+ | lockd:ALL | ||
+ | mountd:ALL | ||
+ | rquotad:ALL | ||
+ | statd:ALL | ||
+ | </pre> | ||
+ | Even if you have an older version of nfs-utils, adding these entries is at worst harmless (since they will just be ignored) and at best will save you some trouble when you upgrade. Some sys admins choose to put the entry '''ALL:ALL''' in the file ''/etc/hosts.deny'', which causes any service that looks at these files to deny access to all hosts unless it is explicitly allowed. While this is more secure behavior, it may also get you in trouble when you are installing new services, you forget you put it there, and you can't figure out for the life of you why they won't work. | ||
+ | |||
+ | Next, we need to add an entry to ''hosts.allow'' to give any hosts access that we want to have access. (If we just leave the above lines in ''hosts.deny'' then nobody will have access to NFS.) Entries in hosts.allow follow the format: | ||
+ | <pre> | ||
+ | service: host [or network/netmask] , host [or network/netmask] | ||
+ | </pre> | ||
+ | Here, host is IP address of a potential client; it may be possible in some versions to use the DNS name of the host, but it is strongly discouraged. | ||
+ | |||
+ | Suppose we have the setup above and we just want to allow access to ''slave1.foo.com'' and ''slave2.foo.com'', and suppose that the IP addresses of these machines are ''192.168.0.1'' and ''192.168.0.2'', respectively. We could add the following entry to ''/etc/hosts.allow'': | ||
+ | <pre> | ||
+ | portmap: 192.168.0.1 , 192.168.0.2 | ||
+ | </pre> | ||
+ | For recent nfs-utils versions, we would also add the following (again, these entries are harmless even if they are not supported): | ||
+ | <pre> | ||
+ | lockd: 192.168.0.1 , 192.168.0.2 | ||
+ | rquotad: 192.168.0.1 , 192.168.0.2 | ||
+ | mountd: 192.168.0.1 , 192.168.0.2 | ||
+ | statd: 192.168.0.1 , 192.168.0.2 | ||
+ | </pre> | ||
+ | If you intend to run NFS on a large number of machines in a local network, ''/etc/hosts.allow'' also allows for network/netmask style entries in the same manner as ''/etc/exports'' above. | ||
+ | |||
==== Where to get help and further information ==== | ==== Where to get help and further information ==== | ||
As of November 2000, the Linux NFS homepage is at http://nfs.sourceforge.net. Please check there for NFS related mailing lists as well as the latest version of nfs-utils, NFS kernel patches, and other NFS related packages. | As of November 2000, the Linux NFS homepage is at http://nfs.sourceforge.net. Please check there for NFS related mailing lists as well as the latest version of nfs-utils, NFS kernel patches, and other NFS related packages. |
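Review bot: The last added paragraph says /etc/hosts.allow accepts network/netmask entries "in the same manner as /etc/exports above", but the section shows only single-host lines; an example such as "portmap: 192.168.0.0/255.255.255.0" would make the syntax unambiguous. The third added bullet (a client matching neither file is allowed) is the reason the hosts.deny entries matter, and it would help to say so where the "portmap:ALL" step is introduced. Two wording fixes in the added text: "followng" should be "following", and "Here, host is IP address" should read "host is the IP address".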
Revision as of 17:27, 5 April 2006
Introduction to NFS Server Setup
It is assumed that you will be setting up both a server and a client. If you are just setting up a client to work off of somebody else's server (say in your department), you can skip to Section 4. However, every client that is set up requires modifications on the server to authorize that client (unless the server setup is done in a very insecure way), so even if you are not setting up a server you may wish to read this section to get an idea what kinds of authorization problems to look out for.
Setting up the server will be done in two steps: Setting up the configuration files for NFS, and then starting the NFS services.
Setting up the Configuration Files
There are three main configuration files you will need to edit to set up an NFS server: /etc/exports, /etc/hosts.allow, and /etc/hosts.deny. Strictly speaking, you only need to edit /etc/exports to get NFS to work, but you would be left with an extremely insecure setup. You may also need to edit your startup scripts; see Section 3.3.3 for more on that.
/etc/exports
This file contains a list of entries; each entry indicates a volume that is shared and how it is shared. Check the man pages (man exports) for a complete description of all the setup options for the file, although the description here will probably satisfy most people's needs.
An entry in /etc/exports will typically look like this:
directory machine1(option11,option12) machine2(option21,option22)
where:
directory: the directory that you want to share. It may be an entire volume though it need not be. If you share a directory, then all directories under it within the same file system will be shared as well.
machine1 and machine2: client machines that will have access to the directory. The machines may be listed by their DNS address or their IP address (e.g., machine.company.com or 192.168.0.8). Using IP addresses is more reliable and more secure. If you need to use DNS addresses, and they do not seem to be resolving to the right machine, see Section 7.3.
optionxx: the option listing for each machine will describe what kind of access that machine will have. Important options are:
- ro: The directory is shared read only; the client machine will not be able to write to it. This is the default.
- rw: The client machine will have read and write access to the directory.
- no_root_squash: By default, any file request made by user root on the client machine is treated as if it is made by user nobody on the server. (Exactly which UID the request is mapped to depends on the UID of user "nobody" on the server, not the client.) If no_root_squash is selected, then root on the client machine will have the same level of access to the files on the system as root on the server. This can have serious security implications, although it may be necessary if you want to perform any administrative work on the client machine that involves the exported directories. You should not specify this option without a good reason.
- no_subtree_check: If only part of a volume is exported, a routine called subtree checking verifies that a file that is requested from the client is in the appropriate part of the volume. If the entire volume is exported, disabling this check will speed up transfers.
- sync: By default, all but the most recent version (version 1.11) of the exportfs command will use async behavior, telling a client machine that a file write is complete - that is, has been written to stable storage - when NFS has finished handing the write over to the filesystem. This behavior may cause data corruption if the server reboots, and the sync option prevents this. See Section 5.9 for a complete discussion of sync and async behavior.
Suppose we have two client machines, slave1 and slave2, that have IP addresses 192.168.0.1 and 192.168.0.2, respectively. We wish to share our software binaries and home directories with these machines. A typical setup for /etc/exports might look like this:
/usr/local 192.168.0.1(ro) 192.168.0.2(ro)
/home 192.168.0.1(rw) 192.168.0.2(rw)
Here we are sharing /usr/local read-only to slave1 and slave2, because it probably contains our software and there may not be benefits to allowing slave1 and slave2 to write to it that outweigh security concerns. On the other hand, home directories need to be exported read-write if users are to save work on them.
If you have a large installation, you may find that you have a bunch of computers all on the same local network that require access to your server. There are a few ways of simplifying references to large numbers of machines. First, you can give access to a range of machines at once by specifying a network and a netmask. For example, if you wanted to allow access to all the machines with IP addresses between 192.168.0.0 and 192.168.0.255 then you could have the entries:
/usr/local 192.168.0.0/255.255.255.0(ro)
/home 192.168.0.0/255.255.255.0(rw)
See the Networking-Overview HOWTO for further information about how netmasks work, and you may also wish to look at the man pages for init and hosts.allow.
Second, you can use NIS netgroups in your entry. To specify a netgroup in your exports file, simply prepend the name of the netgroup with an "@". See the NIS HOWTO for details on how netgroups work.
Third, you can use wildcards such as *.foo.com or 192.168. instead of hostnames. There were problems with wildcard implementation in the 2.2 kernel series that were fixed in kernel 2.2.19.
However, you should keep in mind that any of these simplifications could cause a security risk if there are machines in your netgroup or local network that you do not trust completely.
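The cautions above (no_root_squash, DNS names instead of IP addresses, and netmask, netgroup or wildcard entries) can be checked mechanically. The following is an added example, not part of the original HOWTO: a small auditor for exports-style text. The /srv/admin line in the sample is constructed, and paths containing spaces are not handled.

```python
import re

# Constructed sample: the first two lines use entries from this page;
# /srv/admin and its options are a hypothetical addition.
SAMPLE_EXPORTS = """\
/usr/local 192.168.0.1(ro) 192.168.0.2(ro)
/home      192.168.0.0/255.255.255.0(rw)
/srv/admin *.foo.com(rw,no_root_squash)
"""

def parse_exports(text):
    """Yield (directory, client, options) for every client spec in the file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        directory, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
            if m is None:
                continue  # malformed spec, skipped by this example
            options = {o for o in (m.group(2) or "").split(",") if o}
            yield directory, m.group(1), options

def is_group(client):
    """True when the client field names more than one machine."""
    return (not client or client.startswith("@") or "*" in client
            or "/" in client or client.endswith("."))

def audit(text):
    """Return (entry, issue) pairs for the risks this section describes."""
    findings = []
    for directory, client, options in parse_exports(text):
        where = f"{directory} -> {client or '(any host)'}"
        if "no_root_squash" in options:
            findings.append((where, "no_root_squash: client root is root on the export"))
        if is_group(client):
            mode = "rw" if "rw" in options else "ro"
            findings.append((where, f"{mode} for a netgroup/network/wildcard: "
                                    "every matching machine must be trusted"))
        if re.search(r"[A-Za-z]", client) and not client.startswith("@"):
            findings.append((where, "client given by DNS name; IP addresses are more secure"))
    return findings

if __name__ == "__main__":
    for where, issue in audit(SAMPLE_EXPORTS):
        print(f"{where}: {issue}")
```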
A few cautions are in order about what cannot (or should not) be exported. First, if a directory is exported, its parent and child directories cannot be exported if they are in the same filesystem. However, exporting both should not be necessary because listing the parent directory in the /etc/exports file will cause all underlying directories within that file system to be exported.
Second, it is a poor idea to export a FAT or VFAT (i.e., MS-DOS or Windows 95/98) filesystem with NFS. FAT is not designed for use on a multi-user machine, and as a result, operations that depend on permissions will not work well. Moreover, some of the underlying filesystem design is reported to work poorly with NFS's expectations.
Third, device or other special files may not export correctly to non-Linux clients. See Section 8 for details on particular operating systems.
/etc/hosts.allow and /etc/hosts.deny
These two files specify which computers on the network can use services on your machine. Each line of the file contains a single entry listing a service and a set of machines. When the server gets a request from a machine, it does the following:
- It first checks hosts.allow to see if the machine matches a description listed in there. If it does, then the machine is allowed access.
- If the machine does not match an entry in hosts.allow, the server then checks hosts.deny to see if the client matches a listing in there. If it does then the machine is denied access.
- If the client matches no listings in either file, then it is allowed access.
In addition to controlling access to services handled by inetd (such as telnet and FTP), this file can also control access to NFS by restricting connections to the daemons that provide NFS services. Restrictions are done on a per-service basis.
The first daemon to restrict access to is the portmapper. This daemon essentially just tells requesting clients how to find all the NFS services on the system. Restricting access to the portmapper is the best defense against someone breaking into your system through NFS because completely unauthorized clients won't know where to find the NFS daemons. However, there are two things to watch out for. First, restricting portmapper isn't enough if the intruder already knows for some reason how to find those daemons. And second, if you are running NIS, restricting portmapper will also restrict requests to NIS. That should usually be harmless since you usually want to restrict NFS and NIS in a similar way, but just be cautioned. (Running NIS is generally a good idea if you are running NFS, because the client machines need a way of knowing who owns what files on the exported volumes. Of course there are other ways of doing this such as syncing password files. See the NIS HOWTO for information on setting up NIS.)
In general it is a good idea with NFS (as with most internet services) to explicitly deny access to IP addresses that you don't need to allow access to.
The first step in doing this is to add the following entry to /etc/hosts.deny:
portmap:ALL
Starting with nfs-utils 0.2.0, you can be a bit more careful by controlling access to individual daemons. It's a good precaution since an intruder will often be able to weasel around the portmapper. If you have a newer version of nfs-utils, add entries for each of the NFS daemons (see the next section to find out what these daemons are; for now just put entries for them in hosts.deny):
lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL
Even if you have an older version of nfs-utils, adding these entries is at worst harmless (since they will just be ignored) and at best will save you some trouble when you upgrade. Some sys admins choose to put the entry ALL:ALL in the file /etc/hosts.deny, which causes any service that looks at these files to deny access to all hosts unless it is explicitly allowed. While this is more secure behavior, it may also get you in trouble when you are installing new services, you forget you put it there, and you can't figure out for the life of you why they won't work.
Next, we need to add an entry to hosts.allow to give any hosts access that we want to have access. (If we just leave the above lines in hosts.deny then nobody will have access to NFS.) Entries in hosts.allow follow the format:
service: host [or network/netmask] , host [or network/netmask]
Here, host is the IP address of a potential client; it may be possible in some versions to use the DNS name of the host, but it is strongly discouraged.
Suppose we have the setup above and we just want to allow access to slave1.foo.com and slave2.foo.com, and suppose that the IP addresses of these machines are 192.168.0.1 and 192.168.0.2, respectively. We could add the following entry to /etc/hosts.allow:
portmap: 192.168.0.1 , 192.168.0.2
For recent nfs-utils versions, we would also add the following (again, these entries are harmless even if they are not supported):
lockd: 192.168.0.1 , 192.168.0.2
rquotad: 192.168.0.1 , 192.168.0.2
mountd: 192.168.0.1 , 192.168.0.2
statd: 192.168.0.1 , 192.168.0.2
If you intend to run NFS on a large number of machines in a local network, /etc/hosts.allow also allows for network/netmask style entries in the same manner as /etc/exports above.
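The lookup order described at the start of this section (hosts.allow first, then hosts.deny, otherwise allowed) is easy to get wrong in practice. The following is an added example, not part of the original HOWTO: it evaluates that order over the entries shown above and makes the default-allow case visible. It handles only the ALL keyword, single IP addresses and network/netmask entries; the function names are this example's own.

```python
import ipaddress

# Entries taken from this section.
HOSTS_ALLOW = """\
portmap: 192.168.0.1 , 192.168.0.2
lockd: 192.168.0.1 , 192.168.0.2
rquotad: 192.168.0.1 , 192.168.0.2
mountd: 192.168.0.1 , 192.168.0.2
statd: 192.168.0.1 , 192.168.0.2
"""
HOSTS_DENY = "portmap:ALL\nlockd:ALL\nmountd:ALL\nrquotad:ALL\nstatd:ALL\n"

def parse_rules(text):
    """Parse 'service: host , host' lines into (services, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        services, clients = line.split(":", 1)
        rules.append(([s.strip() for s in services.split(",")],
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr):
    """Match ALL, a single IP address, or a network/netmask entry."""
    if pattern == "ALL":
        return True
    try:
        if "/" in pattern:
            return addr in ipaddress.ip_network(pattern, strict=False)
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # host names are not resolved in this example

def matches(rules, service, addr):
    return any((service in services or "ALL" in services)
               and any(client_matches(p, addr) for p in clients)
               for services, clients in rules)

def decide(allow_text, deny_text, service, client_ip):
    """Apply the lookup order: hosts.allow, then hosts.deny, else allow."""
    addr = ipaddress.ip_address(client_ip)
    if matches(parse_rules(allow_text), service, addr):
        return "allow (hosts.allow)"
    if matches(parse_rules(deny_text), service, addr):
        return "deny (hosts.deny)"
    return "allow (no match)"

if __name__ == "__main__":
    for deny in (HOSTS_DENY, "portmap:ALL\n"):
        print(decide(HOSTS_ALLOW, deny, "mountd", "192.168.0.3"))
```

With only portmap:ALL in hosts.deny, a request to mountd from 192.168.0.3 falls through to "allow (no match)", which is why the per-daemon deny entries are worth adding.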
Where to get help and further information
As of November 2000, the Linux NFS homepage is at http://nfs.sourceforge.net. Please check there for NFS related mailing lists as well as the latest version of nfs-utils, NFS kernel patches, and other NFS related packages.
When you encounter a problem or have a question not covered in this manual, the FAQ or the man pages, you should send a message to the nfs mailing list mailto:nfs@lists.sourceforge.net. To best help the developers and other users help you assess your problem, you should include:
- the version of nfs-utils you are using
- the version of the kernel and any non-stock applied kernels.
- the distribution of Linux you are using
- the version(s) of other operating systems involved.
It is also useful to know the networking configuration connecting the hosts.
If your problem involves the inability to mount or export shares, please also include:
- a copy of your /etc/exports file
- the output of rpcinfo -p localhost run on the server
- the output of rpcinfo -p servername run on the client
Sending all of this information with a specific question, after reading all the documentation, is the best way to ensure a helpful response from the list.
You may also wish to look at the man pages for nfs(5), exports(5), mount(8), fstab(5), nfsd(8), lockd(8), statd(8), rquotad(8), and mountd(8).