The Network File System (NFS) is the standard method for sharing files between Unix (and Unix-like) systems. Linux can be both an NFS server (offering its directories to other systems) and an NFS client (offering its own users access to directories on other systems).
The NFS server can be installed by default during your distribution's installation process, but if NFS was not installed, you can install it from your distribution's installation media or FTP site. In addition to the NFS packages, you will need the following daemons and utilities.
The NFS server system must be running the portmap daemon, a server for the RPC service directory.
These are typically started automatically at boot time through /etc/init.d/nfs start and consist of:
rpc.nfsd: Handles file serving
rpc.lockd: Handles lock management
rpc.rquotad: Manages quotas
rpc.mountd: Checks mount requests and hands out access handles
The server uses /etc/exports to configure NFS filesystems that it offers to remote systems. The format of the file entries is typically:
/path/to/export host(options)
The first field, /path/to/export, is the path that you want to make available via NFS. An example would be /mnt/cdrom. The second field, host, is the hostname, specified by name or IP address (with an optional netmask), to which you want the filesystem to be made available. If nothing is supplied for host, the filesystem is exported to everyone. The last field, options, is a comma-separated list of export options. Some standard examples are ro for read-only and rw for read/write.
The following is an example of an /etc/exports file:
/mnt/cdrom (ro)
/tmp (rw)
/home 192.168.0.0/255.255.255.0(rw)
The first line exports /mnt/cdrom read-only to the world. The second line exports /tmp read-write to the world. The third line exports /home read/write to only the 192.168.0.0 network.
Be very careful to not have any spaces between the host specification and the export options. The following are very different:
host (options)
host(options)
In the first form, host receives the default options and the parenthesized options apply to every client, because the empty host field in front of the parenthesis means everyone.
For more information about the format and options of /etc/exports, view the exports manpage (man 5 exports).
Directories can also be exported based on hostname, wildcarded domain name (*.example.com), or NIS netgroups. If you use NIS, you can use @netgroup to specify the hosts defined in the given netgroup.
To initially add all your entries in /etc/exports to the list of exported filesystems (assuming mountd is already running), run exportfs -av. The -a option tells exportfs to add the entries and the -v option to print the output verbosely.
After you make any change to /etc/exports, you must update the NFS server using exportfs -rv. This command reexports all directories in /etc/exports, syncing the server's list of exports (maintained by mountd in /var/lib/nfs/xtab) with /etc/exports.
To remove a filesystem from mountd's list of exportable filesystems, use exportfs -u. More information about exportfs may be found in the exportfs(8) manpage.
NFS was ingenious when it was created, but it has been plagued by many security problems. Therefore, the Linux implementation has integrated TCP wrappers support. TCP wrappers is a somewhat paranoid IP access control mechanism that is more fully documented in Chapter 40. Suffice it to say here that all hosts that should be able to access your NFS server must be allowed to do so. To secure your NFS server, put a statement like the following in your /etc/hosts.deny file:
portmap,lockd,mountd,rquotad,statd: ALL
This disables access to all the NFS-related services altogether. To reenable NFS for your legitimate clients, put lines like the following in your /etc/hosts.allow file:
portmap,lockd,mountd,rquotad,statd: 192.168.0.0/255.255.0.0
This means that, even if your /etc/exports file exports your /mnt/cdrom and /tmp directories to the world, no one outside the 192.168.0.0/255.255.0.0 network will be able to contact the servers.
This mechanism does not allow netgroups to be used, but it does allow hostnames and domains (.example.com).
Even though the portmapper is, strictly speaking, not an NFS service, it too has been subject to security problems and access to it should also be restricted.
The /etc/hosts.allow and /etc/hosts.deny files also apply to your NFS client. It should be secured in the same way.
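To make the hosts.allow / hosts.deny ordering concrete, here is an added example (not from the original text) that evaluates the two sample lines above the way TCP wrappers does: hosts.allow is consulted first, then hosts.deny, and a client matching neither is admitted. It supports only the pattern forms the text mentions (ALL, net/mask, .domain suffix, plain host or IP); the file contents are constructed sample input.

```python
import ipaddress

# Constructed hosts.deny and hosts.allow contents, copied from the lines the
# text recommends; they are sample input for this demo, not a live system's.
HOSTS_DENY = "portmap,lockd,mountd,rquotad,statd: ALL\n"
HOSTS_ALLOW = "portmap,lockd,mountd,rquotad,statd: 192.168.0.0/255.255.0.0\n"

def parse_rules(text):
    """Return [(daemon_list, client_list), ...] from 'daemons : clients' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, addr, hostname):
    """Subset of tcp wrappers client patterns: ALL, net/mask, .domain, host or IP."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):              # domain suffix such as .example.com
        return hostname.endswith(pattern)
    if "/" in pattern:                       # net/mask; ipaddress accepts dotted masks
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (hostname, addr)

def rule_matches(rules, daemon, addr, hostname):
    """True if any rule names the daemon (or ALL) and matches the client."""
    return any((daemon in ds or "ALL" in ds)
               and any(client_matches(c, addr, hostname) for c in cs)
               for ds, cs in rules)

def allowed(daemon, addr, hostname, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match at all means access."""
    if rule_matches(parse_rules(allow_text), daemon, addr, hostname):
        return True
    if rule_matches(parse_rules(deny_text), daemon, addr, hostname):
        return False
    return True
```

Note that a daemon not listed in either file (sshd in the test below) is admitted by default, which is why the text insists that every NFS-related service, portmap included, be named in hosts.deny.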
A server may not want to trust the remote root users. Trusting a remote root user would mean that the remote root can read all files, create device files with unhealthy permissions, and create setuid root scripts on the server. All these are bad things unless you are sure that the clients are all as secure as the server. Otherwise, add root_squash to the export option list in order to deny root access—or, more accurately, to change the UID of root requests to the nobody user before they go to the filesystem. The opposite of root_squash is no_root_squash. If you trust no one on the client, but still want them to have some access, you can use all_squash to squash all users down to nobodies. There are also the two options anonuid=n and anongid=n, which control exactly which account the squash options apply to. They used to be useful for PC/NFS, but that is obsolete now. They are perhaps useful if you want to share a public disk, such as an FTP server disk. If the FTP server user has UID 95 and GID 95, you can export relatively safely to the world through:
/home/ftp (ro,all_squash,anonuid=95,anongid=95)
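The pitfalls in the preceding sections (an empty host field exporting to everyone, a stray space between host and options, and no_root_squash) are easy to audit mechanically. The following is an added example, not code from the original text: a small /etc/exports parser plus an audit pass over a constructed sample file. The /srv/build entry and the host buildhost.example.com are hypothetical.

```python
import re
# Constructed sample /etc/exports for this demo; the last entry is hypothetical
# and shows the "host (options)" mistake discussed in the text.
SAMPLE_EXPORTS = """\
# shared media and scratch space
/mnt/cdrom (ro)
/tmp (rw)
/home 192.168.0.0/255.255.255.0(rw)
/home/ftp (ro,all_squash,anonuid=95,anongid=95)
/srv/build buildhost.example.com (rw,no_root_squash)
"""

# One client spec: an optional host, then optional "(options)" glued to it.
SPEC_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")

def parse_exports(text):
    """Return [(path, [(host, [option, ...]), ...]), ...]; host '' means everyone."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        clients = []
        for spec in specs:
            m = SPEC_RE.match(spec)
            if m is None:
                raise ValueError(f"cannot parse {spec!r} in {raw!r}")
            opts = [o for o in (m.group(2) or "").split(",") if o]
            clients.append((m.group(1), opts))
        entries.append((path, clients))
    return entries

def audit_exports(text):
    """Return (path, finding) pairs for entries that grant more than intended."""
    findings = []
    for path, clients in parse_exports(text):
        for i, (host, opts) in enumerate(clients):
            if host == "":
                findings.append((path, "exported to everyone (empty host field)"))
                if "rw" in opts:
                    findings.append((path, "read/write to everyone"))
                # "host (options)": the host got the defaults, the options went to everyone.
                if i > 0 and clients[i - 1][1] == []:
                    findings.append((path, "space between %r and its options; they apply to everyone" % clients[i - 1][0]))
            if "no_root_squash" in opts:
                findings.append((path, "no_root_squash for %s: remote root trusted" % (host or "everyone")))
    return findings
```

Run audit_exports(open("/etc/exports").read()) on a real server to get the same findings for its own file; an entry such as the /home line above, restricted to one network with root squashed, produces none.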
The NFS client software on Linux consists of several parts: portmap, rpc.statd, and rpc.lockd. Commands such as mount, showmount, and rpcinfo are the tools you use.
The NFS client requires a specific set of kernel modules: nfs, lockd, and sunrpc. These kernel modules are loaded automatically by the kernel module loader when you mount a remote filesystem.
The NFS client (as well as the server) requires the system to be running the portmapper, the portmap daemon. To start it, run /etc/init.d/portmap start (or on some systems, /etc/rc.d/init.d/portmap start).
The utility required to get access to an NFS filesystem is mount. It is used to mount remote NFS filesystems as well as local filesystems. Generally, mount is used like this:
mount -o options remotehost:/remote/path /local/path
Table 29-2 lists the most common mount options used on NFS.
Table 29-2. NFS mount options

| Mount option | Description |
|---|---|
| bg | When this is specified, if a mount times out, it will be backgrounded so as to not block the boot process and to give the user the command prompt back. That is the theory anyway; it has never worked on Linux for us. |
| hard | If a timeout occurs, send a "Server not responding" message to the console and continue to retry. (This is the default behavior.) |
| intr | For a hard mount that has timed out, allow I/O to be interrupted with a signal to the calling program. (The default is to not allow I/O on a hard mount to be interrupted.) This lets users whose processes hang during NFS server downtime free themselves from the lockup by pressing Ctrl-C. |
| nolock | Disable locking on this mount. |
| ro | Mount read-only. |
| soft | If a timeout occurs, return an I/O error to the calling program. There is a definite risk that the program does not handle this error correctly and that the file will be incomplete or corrupted without warning. |
| rw | Mount read/write. |
When mounting NFS shares, always include the options hard,intr. It is absolutely reckless to use soft. A good example mount command for mounting the filesystem /export on the NFS server linux.example.com with an 8-K block size on /mnt/nfs is the following:
mount -o rsize=8192,wsize=8192,hard,intr linux.example.com:/export /mnt/nfs
In addition to using the mount command to mount NFS filesystems, a few other useful NFS tools can help you use and administer them. In particular, the showmount and rpcinfo commands are regularly used.
nfsstat
nfsstat [options]
Display NFS server and client statistics. This command displays the number of times each RPC procedure in the NFS servers and clients has been called. This is mostly uninteresting, although the counters can be used to graph loads and in some situations to do troubleshooting. By default, the command displays both server and client statistics and both NFS and RPC statistics.
-c
Show client-side statistics only, not server-side statistics.
-n
Show NFS statistics only, not RPC statistics.
-r
Show RPC statistics only, not NFS statistics.
-s
Show server-side statistics only, not client-side statistics.
rpcinfo
rpcinfo -p [host]
rpcinfo -n [portnum] [-t | -u] [host] program [version]
Show RPC services for host.
-p [host]
Probe the portmapper on host and list registered RPC programs. If no host is specified, the system's hostname is used.
-n [portnum]
Use portnum as the port number for the -t or -u option instead of the port number supplied by the portmapper.
-t [host] program [version]
-u [host] program [version]
Make an RPC call to program on host and report the response. The version of the service can optionally be specified. If the -t option is used, the call is done by TCP, whereas the -u option does it by UDP. This can be used as an RPC ping command. Thus, the following command pings the NFS service, all versions:
# rpcinfo -u fileserver nfs
program 100003 version 2 ready and waiting
program 100003 version 3 ready and waiting
showmount
showmount [options] [host]
Show export mount information for host.
-a
List the client hostname and the mounted directory in host:dir format.
-d
List only the directories mounted by a client.
-e
Show the NFS server's export list.
--no-headers
Suppress the descriptive headings from the output.