Building Internet Firewalls


2.12 Network File Systems

There are several protocols available for allowing computers to mount filesystems that are physically attached to other computers. This is highly desirable, because it lets people use remote files without the overhead of transferring them back and forth and trying to keep multiple versions in sync. It's also extremely dangerous, because it means that you're allowing people to read your data without separately authenticating themselves to the machine that the data is on. The Network File System (NFS) and the Andrew File System (AFS) are the two most frequently used network file systems in UNIX. NFS was designed for use in local area networks, and assumes fast response, high reliability, time synchronization, and a high degree of trust between machines. AFS was designed for use across larger networks, and better tolerates poor performance and lower degrees of trust.

There are some serious security problems with NFS. If you haven't properly configured NFS (which can be tricky), an attacker may be able to simply NFS-mount your filesystems. Because of the way NFS works, client machines are allowed to read and change files stored on the server without having to log in to the server or enter a password. Because NFS doesn't log transactions, you might not even know that someone else has full access to your files.

NFS does provide a way for you to control which machines can access your files. A file called /etc/exports lets you specify which filesystems can be mounted, and which machines can mount them. If you leave a filesystem out of /etc/exports, no machine can mount it. If you put it in /etc/exports, but don't specify what machines can mount it, you're allowing any machine to mount it.
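
The rule above can be checked mechanically. The following is an added example, not code from the book: a small audit that reports every exported filesystem that any machine can mount. It assumes the Linux exports(5) syntax (path followed by client(options) fields), which may differ from the /etc/exports format on other UNIX versions; the sample file, hostnames and the audit_exports name are constructed for illustration.

```python
"""Flag /etc/exports entries that any machine can mount (Linux exports(5) syntax assumed)."""

# Constructed sample file; hostnames and paths are illustrative only.
SAMPLE_EXPORTS = """\
# constructed sample, not from the book
/home      client1.example.com(rw) client2.example.com(rw)
/usr/local
/srv/pub   (ro,all_squash)
/data      *(rw,no_root_squash)   # wildcard client
/projects  192.0.2.0/24(ro) \\
           *.example.com(rw)
"""

# Client fields that match every host.
ANY_HOST = {"", "*", "0.0.0.0/0", "::/0"}


def audit_exports(text):
    """Return [(path, mode)] for every export that is open to any machine."""
    findings = []
    # A trailing backslash continues an entry on the next line.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            # Filesystem listed with no machines named: anyone may mount it.
            # "ro" is the exports(5) default when no options are given.
            findings.append((path, "ro"))
            continue
        for spec in clients:
            host, _, opts = spec.partition("(")
            if host in ANY_HOST:
                mode = "rw" if "rw" in opts.rstrip(")").split(",") else "ro"
                findings.append((path, mode))
    return findings


if __name__ == "__main__":
    for path, mode in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: mountable by any machine ({mode})")
```

Entries limited to named hosts or networks are not reported, but they still rely on host authentication only.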

A number of subtler attacks on NFS are also possible. For example, NFS has very weak client authentication, and an attacker may be able to convince the NFS server that a request is coming from a client that's permitted in the exports file. There are also situations where an attacker can hijack an existing NFS mount.

These problems are mostly due to the fact that NFS uses host authentication, which is easily spoofed. Because NFS doesn't actually work well across the Internet in any case (it assumes a much faster connection between hosts), there isn't much point in allowing it between your site and the Internet. It creates a security problem without adding functionality.

AFS uses Kerberos for authentication, and optionally encryption, and is designed to work across wide area networks, including the Internet. NFS is shipped as part of the operating system with most versions of UNIX, while AFS is a third-party product. Because of this, and because AFS and Kerberos require significant technical expertise to set up and maintain, AFS is not widely used outside of a small number of large sites. If you need secure, wide area network filesystems, it may be worth investigating AFS, but it is not covered here.

