Securing NFS Systems

NFS enables several hosts to share files over the network. Under the NFS service, a server holds the data and resources for several clients. The clients have access to the file systems that the server shares with the clients. Users who are logged in to the client systems can access the file systems by mounting the file systems from the server. To the user on the client system, the files appear to be local to the client.

One of the most common uses of NFS allows client systems in offices to access user files from a remote NFS server. Some features of the NFS service, such as the -nosuid option to the mount command, can be used to prohibit the opening of devices and file systems by regular users. For more information, see the mount(8) man page.

The NFS service can authenticate NFS clients to servers with the AUTH_SYS security mode. For information about all security modes available to NFS, including Kerberos security modes, see the nfssec(7) man page.

In a Kerberos environment, the RPCSEC_GSS security flavor provides several security modes that add integrity, privacy, and authentication to Kerberos NFS connections. See the rpcsec_gss(3C) man page. For an example of applying security modes to Kerberos NFS, see How to Configure Kerberos NFS Servers in Managing Kerberos in Oracle Solaris 11.4.