/etc/exports
and /etc/exports.d/
, lists the directories that are made available over the network (exported). For each NFS share, only the given list of machines is granted access. More fine-grained access control can be obtained with a few options. The syntax for this file is quite simple:
/directory/to/share machine1(option1,option2,...) machine2(...) ...
fsid=0
or fsid=root
.
*.falcot.com
or an IP address range such as 192.168.0.0/255.255.255.0
or 192.168.0.0/24
.
ro
option). The rw
option allows read-write access. NFS clients typically connect from a port restricted to root (in other words, below 1024); this restriction can be lifted by the insecure
option (the secure
option is implicit, but it can be made explicit if needed for clarity).
sync
option); this can be disabled with the async
option. Asynchronous writes increase performance a bit, but they decrease reliability since there is a data loss risk in case of the server crashing between the acknowledgment of the write and the actual write on disk. Since the default value changed recently (as compared to the historical value of NFS), an explicit setting is recommended.
nobody
user. This behavior corresponds to the root_squash
option, and is enabled by default. The no_root_squash
option, which disables this behavior, is risky and should only be used in controlled environments. If all users should be mapped to the user nobody
, use all_squash
. The anonuid=uid
and anongid=gid
options allow specifying another fake user to be used instead of UID/GID 65534 (which corresponds to user nobody
and group nogroup
).
sec
option to indicate the security level that you want: sec=sys
is the default with no special security features, sec=krb5
enables authentication only, sec=krb5i
adds integrity protection, and sec=krb5p
is the most complete level which includes privacy protection (with data encryption). For this to work you need a working Kerberos setup (that service is not covered by this book).
mount
command and the /etc/fstab
file.
Example 11.20. NFS entry in the /etc/fstab
file
arrakis.internal.falcot.com:/shared /srv/shared nfs4 rw,nosuid 0 0
/shared/
from the arrakis
server into the local /srv/shared/
directory. Read-write access is requested (hence the rw
parameter). The nosuid
option is a protection measure that wipes any setuid
or setgid
bit from programs stored on the share. If the NFS share is only meant to store documents, another recommended option is noexec
, which prevents executing programs stored on the share. Note that on the server, the shared
directory is below the NFSv4 root export (for example /export/shared
), it is not a top-level directory.