What security holes are associated with NFS?

Lots, mostly to do with who you export your disks to, and how. The security of NFS relies heavily upon who is allowed to mount the files that a server exports, and whether they are exported read only or not.

The exact format for specifying which hosts can mount an exported directory varies between Unix implementations, but generally the information is contained within the file "/etc/exports".

This file contains a list of directories and for each one, it has a series of either specific "hosts" or "netgroups" which are allowed to NFS mount that directory. This list is called the "access list".

The "hosts" are individual machines, whilst "netgroups" are combinations of hosts and usernames specified in "/etc/netgroup". These are meant to provide a method of fine-tuning access. Read the relevant manual page for more information about netgroups.

The exports file also contains information about whether the directory is to be exported as read-only, read-write, and whether super-user access is to be allowed from clients which mount that directory.

The important point to remember is that if the access list for a particular directory in /etc/exports contains:

  1. nothing: your directory can be mounted by anyone, anywhere.

  2. a hostname: your directory can be mounted by anyone permitted to run the mount command at "hostname". This might not be a trustworthy person; for instance, if the machine is a PC running NFS, it could be anyone.

  3. a netgroup name: if the netgroup

    1. is empty, anyone can mount your directory, from anywhere.
    2. contains "(,,)", anyone can mount your directory, from anywhere.
    3. contains the name of a netgroup which is empty or contains "(,,)", anyone can mount your directory, from anywhere.
    4. contains "(hostname,,)", anyone on the named host who is permitted to mount files can mount your directory.
    5. contains "(,username,)", the named user can mount your directory, from anywhere.

  4. If you meant to export the directory to the host "athena" but actually typed "ahtena", the word "ahtena" is taken as a netgroup name, is found to be an empty netgroup, and thus the directory can be mounted by anyone, anywhere.

So, if you aren't careful about what you put into /etc/exports and /etc/netgroup you could find that a user with a PC could

  1. mount your mainframe filestore as a network disk
  2. edit your /etc/passwd or .rhosts or /etc/hosts.equiv ...
  3. log into your mainframe as another user, possibly "root"

Disclaimer: The above information may not be true for all platforms which provide an NFS serving capability, but is true for all of the ones in my experience (AEM). It should be noted that the SAFE way to create an "empty" netgroup entry is: ngname (-,-,-) which is a netgroup which matches no-one on no-host on no-NIS-domain.
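To check a server for the mistakes listed above, here is an added example in Python (written for this page, not code from the FAQ): a small audit that reads a constructed /etc/exports and /etc/netgroup pair in the old "directory [-options] name ..." layout (the layout, host names and netgroup names are assumptions) and reports every export that rules 1, 3 and 4 say anyone, anywhere could mount, while leaving the safe (-,-,-) form alone.

```python
import re
# Constructed sample files (not from the FAQ), in the old SunOS-style layout.
NETGROUP = """trusted (athena,,) (zeus,,)
empty
wild    (,,)
nested  empty
safe    (-,-,-)
"""
EXPORTS = """/usr/share -ro
/home      trusted
/export/ws ahtena
/var/spool nested
/opt       safe wild
"""
KNOWN_HOSTS = {"athena", "zeus"}   # hosts the server actually knows about
def parse_netgroup(text):
    """/etc/netgroup -> {name: [(host, user, domain) triple or nested name, ...]}"""
    groups = {}
    for line in text.splitlines():
        name, _, rest = line.split("#", 1)[0].strip().replace("\t", " ").partition(" ")
        if name:
            groups[name] = [m.groups() if (m := re.fullmatch(r"\(([^,]*),([^,]*),([^,]*)\)", t))
                            else t for t in rest.split()]
    return groups
def open_to_all(name, groups, seen=()):
    """Why this netgroup admits any host (FAQ rules 3 and 4), or None if it does not."""
    members = groups.get(name)
    if not members:                      # undefined (mistyped) or empty: matches everyone
        return "netgroup %r is %s" % (name, "empty" if name in groups else "undefined")
    for m in members:
        if isinstance(m, tuple) and m[0] == "":     # empty host field is a wildcard; '-' is not
            return "netgroup %r has wildcard host (%s)" % (name, ",".join(m))
        if isinstance(m, str) and m not in seen:    # nested netgroup; skip cycles
            r = open_to_all(m, groups, seen + (name,))
            if r:
                return "netgroup %r includes %s" % (name, r)
    return None
def audit_exports(text, groups, known_hosts):
    """(directory, problem) pairs for every export that anyone, anywhere could mount."""
    findings = []
    for line in text.splitlines():   # tokens beginning with '-' are options (-ro), not names
        toks = [t for t in line.split("#", 1)[0].split() if not t.startswith("-")]
        if len(toks) == 1:
            findings.append((toks[0], "empty access list"))
        for n in toks[1:]:   # a known host is fine; anything else is read as a netgroup
            r = None if n in known_hosts else open_to_all(n, groups)
            if r:
                findings.append((toks[0], r))
    return findings
```

Run it with `print(audit_exports(EXPORTS, parse_netgroup(NETGROUP), KNOWN_HOSTS))` to see the four findings; only /home (a real netgroup of real hosts) and the "safe" entry pass.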

[ I am STILL working on PC NFS packages / ethics at the moment - AEM ]