14.8. Dangerous Network File System

The Network File System (NFS) was developed by Sun Microsystems in 1989. The idea behind it was great. Any user can mount a server's directories in his or her file system and use them as if they were located on the user's machine. This is a handy feature for networks. User catalogs can be located on the server and can be connected to the client machine as required. In this way, all files are stored in one central location but can be used as if they were located on a local machine.

But, as I have already said, convenience and security are two incompatible things, and NFS is just too convenient. NFS includes the showmount utility, which shows which directories are mounted by which clients. This is important information for administrators. Executing the showmount -a localhost command produces output similar to the following:

 All mount points on localhost:
 robert:/home/robert
 econom:/home/john
 buh:/home/andrew
 roberet:/usr/local/etc
 econom:/usr/games

Each entry consists of two fields separated by a colon. The first field is the name of the computer on which the partition is mounted; the second field is the path to the mounted resource on the server.

Although it is handy to have an option for displaying such detailed information, it is also dangerous because the command can be executed remotely. Thus, any hacker can execute it and obtain the following information:

  • In the preceding example, various directories from the /home partition are mounted. Most often, directory names coincide with user names. This makes it easy to determine the actual user names on a given system without consulting the /etc/passwd file. Knowing user names makes it much easier to pick passwords for them.

  • The list shows the names of the network's computers. If you have gone to great lengths to secure your DNS server, you nullify all of your efforts by running NFS on one of the servers: one command shows the names of the network's computers. Only the computers working with NFS are shown, not all of them, but this may be enough for the hacker. It makes probing the network with ping requests unnecessary, because the computers in the network are already listed.

  • In Linux, program directories are often named after the program and its version, for example ./jail 1.0. If such a directory is mounted, the hacker can find out which programs users work with and, most important, their versions.

Depending on which directories are mounted, much more information can be gathered. Thus, NFS utilities disclose too much information, which should not be allowed.

If you decide to use NFS, take care that it is not available from the Internet. For this, you will have to configure the firewall to prohibit outside connections to the UDP and TCP port 2049. But the firewall will only protect the system from outside connections. If hackers have already broken into one of the network's computers and can execute commands within the network, the firewall will be of little use.

The /etc/exports file contains the list of directories that may be shared with NFS clients, the clients that may share them, and the clients' access rights. Never allow complete access to the entire system. For this, make sure that the file does not contain the following entry:

 /              rw

The paths to the directories allowed to be mounted by a user should be explicitly specified. If users are allowed to mount home directories, the /home rw permission is dangerous and should not be used.

Why is it dangerous? Not all user home directories should be allowed to be mounted remotely. For example, if you are an administrator but work under a user account, there may be a program used to administer the system in your user home directory. This directory should not be accessible to unauthorized people, even for viewing. Allow only specific users that actually mount their file systems remotely to connect, as in the following example:

 /home/Robert         rw
 /home/FlenovM        rw
 /home/Aubrey         rw
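As an added example (not from the book), the following POSIX shell script audits an exports file for the entries this section warns against: exporting the whole file system or all of /home, and exports with no client list at all. It goes a little beyond the text by also flagging two settings every NFS administrator should check: an export of `rw` to the wildcard client `*`, and the `no_root_squash` option, which lets a remote root act as root on the exported tree. The sample exports file, the host names, and the network ranges are constructed for the example. One caveat the script reports on: in the real /etc/exports syntax the form is `path client(options)`; a bare token such as `rw` with no parentheses is read by exportfs as a host name with default options, so the shorthand `/home rw` shown above should be written as `/home client(rw)` on a production system.

```shell
#!/bin/sh
# Constructed sample of an /etc/exports file (not from any real system).
# It mixes the dangerous entries discussed in the text with acceptable ones.
SAMPLE_EXPORTS='# sample exports file (constructed for the example)
/               rw
/home           rw
/home/Robert    workstation1(rw,sync)
/home/FlenovM   workstation2(rw,sync,root_squash)
/home/Aubrey    *(rw)
/usr/games
/usr/local/src  10.0.0.5(rw,no_root_squash)
/usr/local/docs 192.168.1.0/24(ro,sync)
'

# audit_exports FILE
# Prints one line per dangerous finding ("path: reason"). Always returns 0
# so it can be used inside command substitutions under "set -e".
audit_exports() {
    file="$1"
    # "done < file" runs the loop in the current shell (no subshell), and
    # read splits the line into the export path and the rest (client list).
    while read -r path clients; do
        case "$path" in
            '#'*|'') continue ;;   # skip comments and blank lines
        esac

        case "$path" in
            /)     printf '%s: the whole file system is exported\n' "$path" ;;
            /home) printf '%s: every user home directory is exported\n' "$path" ;;
        esac

        if [ -z "$clients" ]; then
            printf '%s: no client list, exported to every host\n' "$path"
            continue
        fi

        for tok in $clients; do
            case "$tok" in
                *'('*)
                    # client(options): inspect the options
                    case "$tok" in
                        '*('*rw*)
                            printf '%s: rw export to wildcard client "*"\n' "$path" ;;
                    esac
                    case "$tok" in
                        *no_root_squash*)
                            printf '%s: no_root_squash lets remote root act as root\n' "$path" ;;
                    esac
                    ;;
                *)
                    # No parentheses: exportfs treats this as a host name with
                    # default options, not as an option list.
                    printf '%s: bare token "%s" is read as a host name; use client(options)\n' \
                        "$path" "$tok" ;;
            esac
        done
    done < "$file"
    return 0
}

# write_sample FILE: writes the constructed sample exports to FILE.
write_sample() {
    printf '%s' "$SAMPLE_EXPORTS" > "$1"
}

# Stand-alone usage: audit the constructed sample, then the real file if present.
if [ "${0##*/}" != "sh" ] && [ -z "$AUDIT_NO_MAIN" ]; then
    tmp=$(mktemp)
    write_sample "$tmp"
    echo "== findings for the constructed sample =="
    audit_exports "$tmp"
    rm -f "$tmp"
    [ -r /etc/exports ] && { echo "== findings for /etc/exports =="; audit_exports /etc/exports; }
fi
```

Run it as `sh audit_exports.sh`; to audit only the system file, call `audit_exports /etc/exports` after sourcing the script with `AUDIT_NO_MAIN=1`. The entries for /home/Robert and /home/FlenovM, written with an explicit client and options, produce no findings, which is the shape every line of the file should have.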

Most security specialists share the opinion that NFS should not be used. If your only reason for using it is that software for the workstations is installed centrally, you should overcome your laziness and install the software on each computer individually.

If documentation has to be available to all users through one shared directory, consider using the Samba network service instead. It is not as talkative and may meet your need to share server directories.


Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141