Managing NFS and NIS, 2nd Edition - Mike Eisler [150]
In this example, the machines in system-engineering netgroup are authorized to only browse the source code; they get read-only access. Of course, this prevents users on machines authorized to modify the source from doing their job. So you might instead use:
share -o rw=source-group,ro=system-engineering /source
In this example, the machines in source-group, which are authorized to modify the source code, get read and write access, whereas the machines in the system-engineering netgroup, which are authorized only to browse the source code, get read-only access.
Port monitoring
Port monitoring is used to frustrate "spoofing" — hand-crafted imitations of valid NFS requests that are sent from unauthorized user processes. A clever user could build an NFS request and send it to the nfsd daemon port on a server, hoping to grab all or part of a file on the server. If the request came from a valid NFS client kernel, it would originate from a privileged UDP or TCP port (a port less than 1024) on the client. Because all UDP and TCP packets contain both source and destination port numbers, the NFS server can check the originating port number to be sure it came from a privileged port.
NFS port monitoring may or may not be enabled by default. It is usually governed by a kernel variable that is modified at boot time. Solaris 8 lets you modify this via the /etc/system file, which is read at boot time. You would add this entry to /etc/system to enable port monitoring:
set nfssrv:nfs_portmon = 1
In addition, if you don't want to reboot your server for this to take effect, then, you can change it on the fly by doing:
echo "nfs_portmon/W1" | adb -k -w
This command sets the value of nfs_portmon to 1 in the kernel's memory image, enabling port monitoring. Any request that is received from a nonprivileged port is rejected.
By default, some mountd daemons perform port checking, to be sure that mount requests are coming from processes running with root privileges. They reject requests that are received from nonprivileged ports. To turn off port monitoring in the mount daemon, add the -n flag to its invocation in the boot script:
mountd -n
Not all NFS clients send requests from privileged ports; in particular, some PC implementations of the NFS client code will not work with port monitoring enabled. In addition, some older NFS implementations on Unix workstations use nonprivileged ports and require port monitoring to be disabled. This is one reason why, by default, the Solaris 8 nfs_portmon tunable is set to zero. Another reason is that on operating systems like Windows, with no concept of privileged users, anyone can write a program that binds to a port less than 1024. The Solaris 8 mountd also does not monitor ports, nor is there any way to turn on mount request port monitoring. The reason is that as of Solaris 2.6 and onward, each NFS request is checked against the rw=, ro=, and root= lists. With that much checking, filehandles given out at mount time are no longer magic keys granting access to an exported filesystem, as they were in previous versions of Solaris and in other, current and past, NFS server implementations.
Check your system's documentation and boot scripts to determine under what conditions, if any, port monitoring is enabled.
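The two checks described above, the per-request rw=/ro= list lookup and the optional nfs_portmon reserved-port check, can be modelled in a few lines. This is an added illustration, not code from the book or from Solaris; the netgroup table, hostnames and the `nfs_access` helper are constructed for the example.

```python
# Added model of the Solaris 8 server-side access decision discussed above:
# share -o rw=/ro= lists (hosts or netgroups) plus the nfs_portmon check.

# Constructed netgroup membership, standing in for /etc/netgroup or NIS.
NETGROUPS = {
    "source-group": {"dev1", "dev2"},
    "system-engineering": {"se1", "se2"},
}

def parse_share_opts(opts):
    """Parse a share -o string such as 'rw=source-group,ro=system-engineering'
    into {'rw': [...], 'ro': [...]}. Members of one list are separated by ':'
    in the share syntax, e.g. rw=hostA:netgroupB."""
    lists = {"rw": [], "ro": []}
    for opt in opts.split(","):
        key, _, val = opt.partition("=")
        if key in lists and val:
            lists[key].extend(val.split(":"))
    return lists

def in_list(host, entries):
    """True if host appears directly, or via a netgroup, in an access list."""
    return any(host == e or host in NETGROUPS.get(e, ()) for e in entries)

def nfs_access(host, src_port, share_opts, nfs_portmon=0):
    """Return 'rw', 'ro' or 'deny' for one NFS request.

    With nfs_portmon=1 a request from a nonprivileged source port (>= 1024)
    is rejected before any list is consulted, which is why clients that do not
    use reserved ports break when monitoring is on. Otherwise the host is
    checked against the rw= list first, then ro=; when either list is given
    and the host matches neither, access is denied. With no lists at all the
    filesystem is shared read-write to everyone (the share default)."""
    if nfs_portmon and src_port >= 1024:
        return "deny"
    lists = parse_share_opts(share_opts)
    if in_list(host, lists["rw"]):
        return "rw"
    if in_list(host, lists["ro"]):
        return "ro"
    restricted = lists["rw"] or lists["ro"]
    return "deny" if restricted else "rw"

if __name__ == "__main__":
    opts = "rw=source-group,ro=system-engineering"
    for host, port in (("dev1", 1023), ("se1", 700), ("dev1", 2049)):
        print(host, port, nfs_access(host, port, opts, nfs_portmon=1))
```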
Using NFS through firewalls
If you are behind a firewall that has the purpose of keeping intruders out of your network, you may find your firewall also prevents you from accessing services on the greater Internet. One of these services is NFS. It is true there aren't nearly as many public NFS servers on the Internet as FTP or HTTP servers. This is a pity, because for downloading large files over wide area networks, NFS is the best of the three protocols, since it copes with dropped connections. It is very annoying to have an FTP or HTTP connection time out halfway into a 10 MB download. From a security risk perspective, there is no difference between surfing NFS servers and surfing Web servers.
You, or an organization that is collaborating with you, might have an NFS server outside your firewall