Gentoo Forums
NFS: is /export necessary?
grant123
l33t

Joined: 23 Mar 2005
Posts: 993

Posted: Tue Aug 12, 2014 2:09 am    Post subject: NFS: is /export necessary?

I followed the Gentoo wiki to set up NFS:

http://wiki.gentoo.org/wiki/NFSv4

I skipped the /export stuff and just added the actual paths I want to share to /etc/exports. Is that OK? Why use /export?

massimo
Veteran

Joined: 22 Jun 2003
Posts: 1226

Posted: Tue Aug 12, 2014 8:13 am

I think for compatibility reasons [1].


[1] http://doc.opensuse.org/products/draft/SLES/SLES-admin_sd_draft/cha.nfs.html#sec.nfs.export.coexisting
_________________
Hello 911? How are you?

krinn
Watchman

Joined: 02 May 2003
Posts: 7170

Posted: Tue Aug 12, 2014 10:27 am

You don't have to use /export but any directory you wish.
But if you add the actual paths and not bind them to a directory that you will fsid=0 you are just doing an nfsv3 config file and not an nfsv4 config file.
It means everything will appear ok as long as all your clients use an nfsv3 implementation. But if any use nfsv4 you'll be in trouble as the results will just be unexpected.

So it's not for compatibility reasons, you must attach your directories to one that will be the root of your server because it's the nfsv4 implementation.

grant123
l33t

Joined: 23 Mar 2005
Posts: 993

Posted: Tue Aug 12, 2014 2:46 pm

Thanks krinn. Am I OK to run an nfsv3 implementation or should I use nfsv4 for some reason?

szatox
Veteran

Joined: 27 Aug 2013
Posts: 1764

Posted: Tue Aug 12, 2014 7:41 pm

You can run whatever you are comfortable with.
NFS2, NFS3, and NFS4 are all NFS (that stands for No File Security).
They are well integrated, easy to use and completely insecure. I'm happy with NFS3.

Jaglover
Watchman

Joined: 29 May 2005
Posts: 7269
Location: Saint Amant, Acadiana

Posted: Tue Aug 12, 2014 9:40 pm

NFSv4 was designed to work securely on the internet.

Read more: http://www.sans.org/reading-room/whitepapers/linux/nfs-security-trusted-untrusted-environments-1956
_________________
Please learn how to denote units correctly!

grant123
l33t

Joined: 23 Mar 2005
Posts: 993

Posted: Wed Aug 13, 2014 3:07 pm

szatox wrote:
You can run whatever you are comfortable with.
NFS2, NFS3, and NFS4 are all NFS (that stands for No File Security).
They are well integrated, easy to use and completely insecure. I'm happy with NFS3.

If /etc/exports says something like:

Code:
/media/music    192.168.0.0/24(subtree_check)

Is that sufficiently secure or am I missing something?


Jaglover wrote:
NFSv4 was designed to work securely on the internet.

Are the changes it brings over NFSv3 unnecessary if it's only permitted to operate over a LAN?

szatox
Veteran

Joined: 27 Aug 2013
Posts: 1764

Posted: Wed Aug 13, 2014 8:49 pm

As long as you trust your network No File Security v3 is absolutely fine. You don't want to expose it to general public though, as there is no authentication, and authorisation is based on UID and GID numbers, which can be faked or even accidentally misused. If your UID on 2 different computers doesn't match, you might access files that belong to another user - this depends on configuration, as workarounds for this exist.
IP can be assigned manually or spoofed. Taking those things together, neither IP nor UID/GID restrictions provide any security.

Jaglover, thanks for link about NFS4, I'll have a look at it ;)

As a side note, funny thing is nobody cares about FTP sending username and password in clear text.
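
The checks discussed in this thread (an fsid=0 root for NFSv4 clients, UID/GID-based trust, host restrictions) applied to an exports file, as an added example that is not part of any post above. The issue labels and every sample line except the first are constructed for illustration; continuation lines and quoted paths are not handled.

```python
import re

# Constructed sample /etc/exports (no real host). Line 1 is the entry quoted in
# the thread; the others are assumptions added to exercise each check.
SAMPLE_EXPORTS = """\
/media/music   192.168.0.0/24(subtree_check)
/export        192.168.0.0/24(ro,fsid=0,sec=krb5p,no_subtree_check)
/export/music  192.168.0.0/24(ro,sec=krb5p,no_subtree_check)
/srv/scratch   *(rw,no_root_squash)  # deliberately weak
"""

CLIENT_SPEC = re.compile(r"(\S*?)\(([^)]*)\)")  # client(opt,opt,...)

def parse_exports(text):
    """Yield (path, client, options) for every client on every export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = CLIENT_SPEC.fullmatch(spec)
            client, opts = m.groups() if m else (spec, "")
            yield path, client, {o for o in opts.split(",") if o}

def audit(text):
    """Return (path, issue) pairs; the issue labels are hypothetical names."""
    entries = list(parse_exports(text))
    findings = []
    # krinn's point: an NFSv4 setup has one export marked as the server root.
    if not any(o & {"fsid=0", "fsid=root"} for _, _, o in entries):
        findings.append(("*", "no-nfsv4-root"))
    for path, client, opts in entries:
        # sec= defaults to sys (AUTH_SYS): the server trusts client-sent UID/GID.
        sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
        if {"sys", "none"} & set(sec.split(":")):
            findings.append((path, "uid-gid-trusted"))
        if client in ("", "*"):  # "/path (rw)" with a space also means any host
            findings.append((path, "any-host"))
        if "no_root_squash" in opts:
            findings.append((path, "remote-root-is-root"))
    return findings

if __name__ == "__main__":
    for path, issue in audit(SAMPLE_EXPORTS):
        print(f"{path}: {issue}")
```
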
grant123
l33t

Joined: 23 Mar 2005
Posts: 993

Posted: Wed Aug 13, 2014 8:54 pm

If something were to go wrong with my firewall, would my /etc/exports config above be sufficient to prevent access to the share from the internet or could that be spoofed somehow?

depontius
Advocate

Joined: 05 May 2004
Posts: 3400

Posted: Thu Aug 14, 2014 1:44 am

szatox wrote:
As a side note, funny thing is nobody cares about FTP sending username and password in clear text.


Then there are those of us who don't use ftp, using scp or sftp instead. Though usually when going over the internet it's non-login through http, or I guess login through https.
_________________
.sigs waste space and bandwidth

steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Thu Aug 14, 2014 1:59 pm

Yeah, I wouldn't say that nobody cares..