NFS

See also: SMB | File sharing

Home Page: ???

Acronym: Network File System.

A protocol built on RPC (“portmapper” or “sunrpc”). NFS is commonly used in UNIX environments to share a directory with a specific IP address or host name. It was invented by Sun Microsystems and was commonly used by thin clients in the late 80s and the 90s. Thanks to its open implementation it was easily ported to the Linux kernel, unlike SMB and CIFS. It also works on the BSDs.

There are currently 3 NFS implementations:

  • NFSv2; protocol version 1. Not very common anymore.
  • NFSv3; protocol version 2. The current standard. Supported by most Unices, including the BSDs, Linux, Mac OS X, Solaris, SunOS and many others. A free (as in beer) Windows NFSv3 implementation, called Windows Services for UNIX 3.5, also exists and is available on the Internet.
  • NFSv4; protocol version 3. The future. Fixes various reliability flaws in earlier versions. Supported, in either userland or the kernel, by at least Solaris and Linux.

Security

Throughout its history, NFS and the daemons it relies on have been plagued by numerous flaws. Configuration errors are also common in these environments. NFS uses several TCP and UDP ports, and allowing the Internet to connect to them may be a security risk. It is therefore advised either to keep these daemons from listening on any WAN-facing interface or to block these ports at the firewall.

NFS also uses no encryption. Unlike SMB, it has no support for file locking (NFSv3 and earlier). Finally, a user who becomes root on a computer with a mounted NFS share also has access to the mounted NFS share.
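The configuration errors mentioned above usually live in the server's export table. The following audit sketch is an added example, not part of the original page: it assumes the Linux exports(5) syntax, the function name audit_exports is hypothetical, and the sample entries are constructed.

```python
import re

# Constructed sample in Linux exports(5) syntax; not taken from the page.
SAMPLE_EXPORTS = """\
# path       client(options)
/srv/home    192.0.2.10(rw,sync,root_squash,sec=krb5p)
/srv/build   *(rw,sync,no_root_squash)
/srv/data    client.example.org (rw)
/srv/scratch 198.51.100.0/24(ro,insecure,sec=krb5p)
"""

# One whitespace-separated token: optional client, optional "(opt,opt,...)".
TOKEN_RE = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")

def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    # A trailing backslash continues an entry on the next line.
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank or comment-only line, or no client tokens to check
        path = fields[0]
        for token in fields[1:]:
            m = TOKEN_RE.fullmatch(token)
            if m is None:
                findings.append((path, token, "unparseable client entry"))
                continue
            # "host (rw)" with a space yields a second, client-less token:
            # the options then apply to every host, not to "host".
            client = m.group(1) or "<any host>"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            if client in ("<any host>", "*"):
                findings.append((path, client, "exported to every host"))
            if "no_root_squash" in opts:
                findings.append((path, client, "client root keeps root on the share"))
            if "insecure" in opts:
                findings.append((path, client, "unprivileged source ports accepted"))
            flavors = {f for o in opts if o.startswith("sec=") for f in o[4:].split(":")}
            if "krb5p" not in flavors:
                findings.append((path, client, "no sec=krb5p, traffic unencrypted"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:20} {finding}")
```

On the sample, /srv/home passes cleanly, while the stray space in the /srv/data entry is reported as an export to every host.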

Related

  • Implementations: there are several userland and kernelland NFS implementations available. Consult, for example, Freshmeat or Google.
  • SFS (http://www.fs.net) – Self-certifying FileSystem. Client(s) and/or server(s) use NFS internally, but add authentication and encryption.
  • Secure Export System (ftp://ftp.monash.edu.au/pub/keithl/SES/) – Uses Kerberos as a layer between an NFS client and an NFS server.
  • Secure NFS and NIS via SSH Tunnel (http://www.math.ualberta.ca/imaging/snfs/).
  • Secure NFS (http://www.crufty.net/Products/sNFS.html) – SSL as a layer between an NFS client and an NFS server.
  • Sharity-Light (http://www.obdev.at/Products/shlight.html) – User-land layer acting between an NFSd and an SMBd. Derived from SMBFS. A proprietary, commercial program called “Sharity” is also available.
