Mastering NFS Shares: Setup, Root Squash, and Nmap Enumeration Demystified
Network File System (NFS) is a popular and influential network-based file-sharing protocol used in Linux/Unix systems. Setting up an NFS share allows multiple users on different machines to access files as if they were on their systems. This article will guide you through setting up an NFS share on a Linux system.
Prerequisites
- A Linux system to act as the NFS server.
- One or more client machines to access the NFS share, which can also be Linux/Unix systems.
- Root or sudo privileges on the server.
Step 1: Installing NFS Kernel Server
On the server, you need to install the NFS Kernel Server. Depending on your Linux distribution, you can use one of the following commands:
sudo apt update
sudo apt install nfs-kernel-serverStep 2: Creating and Configuring the Export Directory
Create a Directory:
- This directory will be shared with client systems. You can create it anywhere, but creating it in a location meant for sharing is a good practice. For example:
sudo mkdir /var/nfs_shareSet Permissions:
- Set the appropriate permissions. Remember, the permissions you set here affect how users access the files. For example:
Set Permissions:
- Set the appropriate permissions. Remember, the permissions you set here affect how users access the files. For example:
sudo chown nobody:nogroup /var/nfs_share
sudo chmod 777 /var/nfs_shareStep 3: Configuring the NFS Exports
Edit /etc/exports File:
- The
/etc/exportsfile controls which directories are shared. Open it with a text editor, such asnano:
sudo nano /etc/exportsAdd Export Configuration:
- Add a line to the end of the file for your new directory, specifying the options and the client(s) that can access it. For example:
/var/nfs_share clientIP(rw,sync,no_subtree_check)Replace clientIP with the IP address of the client machine or a subnet. The options rw, sync, and no_subtree_check are common choices.
Step 4: Exporting the Shared Directory
- After configuring
/etc/exports, export the shared directory:
sudo exportfs -aStep 5: Starting and Enabling the NFS Server
- Start the NFS service and enable it to start on boot:
sudo systemctl start nfs-kernel-server
sudo systemctl enable nfs-kernel-serverStep 6: Adjusting Firewall Settings (If Applicable)
- If you have a firewall enabled, you need to allow NFS traffic:
sudo ufw allow from clientIP to any port nfsStep 7: Mounting the NFS Share on the Client
Install NFS Client Utilities (on the client):
sudo apt-get install nfs-commonCreate a Mount Point (on the client):
sudo mkdir /mnt/nfs_shareMount the NFS Share:
sudo mount server_ip:/var/nfs_share /mnt/nfs_shareStep 8: Testing the NFS Share
- Test the NFS share by creating files in the
/mnt/nfs_sharedirectory on the client and verifying that they appear in the/var/nfs_sharedirectory on the server.
Root Squash Security Consideration
Root squash is a security feature in NFS that mitigates the risk of unauthorized root-level access to the NFS server by client machines. Here’s why it’s important:
- Preventing Superuser Privileges: When root squash is enabled (which is the default setting in most NFS configurations), any access request from the root user (UID 0) on an NFS client is mapped to a non-privileged user (often
nobodyornfsnobody) on the NFS server. This prevents the root user on a client machine from having superuser privileges on the NFS server, limiting their ability to modify or interact with shared files and directories. - Reducing Risk of Unauthorized Access: If a client machine is compromised, especially if the root account is compromised, root squash helps prevent the attacker from leveraging NFS to gain root-level access to the shared directories on the NFS server.
- Maintaining File Security: By squashing root privileges, NFS maintains the security and integrity of the file permissions and ownership on the server. This ensures that the NFS shares adhere to the principle of least privilege, allowing access and modification rights only as the server’s administrator intended.
Potential Exploitation if Root Squash is Disabled
Disabling root squash (using the no_root_squash option in /etc/exports) can lead to significant security vulnerabilities. Here's how attackers might exploit this:
- Gaining Root-Level Access: If an attacker gains root access on an NFS client, and
no_root_squashis enabled, they can access and modify files on the NFS server as root. This could lead to altering critical files, deleting data, or planting malicious software. - Elevating Privileges: An attacker with non-root access on a client machine could exploit local vulnerabilities to gain root access, and then leverage the NFS mount with
no_root_squashto escalate privileges on the server. - Bypassing Server Security: The attacker could bypass security measures and permissions set on the server, as the server would trust the root user from the client, assuming it’s a legitimate superuser operation.
Using NMAP to enumerate NFS share
Enumerating NFS shares using nmap can help identify NFS exports on a target system or within a network. This is particularly useful for network administrators, security professionals, or anyone tasked with network security assessments. Here's how you can use nmap to enumerate NFS shares:
Scanning for NFS Shares
- Basic NFS Scan
The simplest way to scan for NFS shares is by checking for the default NFS port (2049). The following command scans for open NFS ports:
nmap -p 2049 <target_ip_or_hostname>- Using the Nmap Scripting Engine (NSE)
nmap has a scripting engine that can run scripts for more detailed discovery and enumeration. For NFS, use the nfs-showmount script:
nmap -p 111 --script=nfs-showmount <target_ip_or_hostname>This script queries the rpcbind service (port 111) to list mounts exported by an NFS server.
- Scanning a Range of IPs
If you need to scan a range of IP addresses or an entire subnet, you can do so by specifying the range:
nmap -p 111 --script=nfs-showmount 192.168.1.0/24Interpreting the Results
- Open ports on
2049/tcptypically indicate an NFS service running. - The
nfs-showmountscript output will list the shared directories if the server is configured to allow such enumeration.
Ethical and Legal Considerations
- Always ensure you have proper authorization before scanning networks, especially those that are not under your direct control. Unauthorized scanning can be considered intrusive and may be illegal.
