Network File System (NFS) Threats
The Network File System (NFS) is a stateless protocol which uses
remote procedure calls (RPC) built
on top of the external data representation (XDR) protocol [SUN90a].
NFS provides most of the properties of a UNIX file system and can be
implemented on almost any operating system.
Threats associated with using NFS include the following:
- If a directory is exported with no access list specified, any system
on the network is capable of accessing
the exported files.
- If a directory is exported with root access given to specified clients,
anyone with superuser privileges on one of the clients can modify files
on the server owned by root.
- An NFS server grants file access to users on clients that have
user ID and group ID mappings which correspond to the server, i.e.,
a user on a client who has a user ID of 100 can access files on
the server that are owned by user ID 100 and have the proper read, write,
or execute permission bits for owner set.
This is a threat because it is
easy for one user to impersonate another, especially if the user has superuser
privileges on the client.
- It is possible for a client to be impersonated, especially if the client
is a system that is turned off regularly.
- NFS uses file handles to reference files. It is relatively easy
to guess valid file handles because file handles consist of a file system
ID and an inode number. It is possible to increase the difficulty
of guessing a valid file handle by using a program to
randomize the inode of each file.
As is often the case, a vendor may
distribute NFS with no security features enabled.
Section 10.2.8
describes ways to export files so that threats of unwanted
file access and manipulation are reduced. Other techniques for
improving the security when using NFS are also discussed.
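The first two threats in the list above (an export with no access list, and an export that grants root access to clients) can be checked for mechanically. The following audit is an added example, not part of the original document; it assumes the Linux exports(5) file syntax, which this page does not specify, and its sample paths and host names are constructed.

```python
# Constructed sample in Linux exports(5) syntax; hosts and paths are made up.
SAMPLE_EXPORTS = """\
/srv/pub
/srv/docs     *(ro)
/srv/build    buildhost(rw,no_root_squash)
/srv/home     ws1.example.com(rw) ws2.example.com(rw,root_squash)
/srv/scratch  (rw)   # anonymous client: options apply to every host
/srv/tools    -no_root_squash admin1(rw) ws1.example.com(ro,root_squash)
"""

import re

CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")   # host(opt,opt,...)
OPEN = "no access list: any host can mount"
ROOT = "root access: client superuser is root on the server"

def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    text = text.replace("\\\n", " ")             # join backslash-continued lines
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()    # drop comments, then tokenize
        if not fields:
            continue
        path, rest = fields[0], fields[1:]
        # A field starting with "-" carries default options for the whole line.
        defaults = [o for f in rest if f.startswith("-") for o in f[1:].split(",")]
        clients = [f for f in rest if not f.startswith("-")]
        for spec in clients or [""]:             # no client listed == every host
            m = CLIENT_RE.match(spec)
            if m is None:
                findings.append((path, spec, "unparsed client entry"))
                continue
            host = m.group(1) or "*"
            opts = defaults + (m.group(2) or "").split(",")
            if host == "*":
                findings.append((path, host, OPEN))
            # Assumption: the last squash option wins, so a per-client
            # root_squash overrides a line-wide no_root_squash default.
            squash = [o for o in opts if o in ("root_squash", "no_root_squash")]
            if squash and squash[-1] == "no_root_squash":
                findings.append((path, host, ROOT))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:18} {finding}")
```

Only a missing client and a bare `*` are treated as open; broad patterns such as domain wildcards, netgroups or address ranges still need review by hand.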
John Barkley
Fri Oct 7 16:17:21 EDT 1994