Start

The Security Model of NFS

As noted in the introduction, folders shared via NFS act as if they had been made available to other computers via an external hard drive. For this reason similar concepts are used for access permissions as well:

• Access to files and folders is only controlled by the permission settings of these objects. To refer to users and groups, UNIX user identification numbers (UIDs) and group identification numbers (GIDs) are stored on disk.
• To connect to an NFS server, no login operation is necessary.
• Respecting access permissions is only possible if both computers which transfer data across an NFS connection use exactly the same user short names, user identifications (UIDs), group short names, and group identifications (GIDs)!

To guarantee secure operation, it is a necessary prerequisite to synchronize the user and group accounts between all computers which are part of the network that is sharing data via NFS.

In very small networks, synchronizing the account data could be done manually if no better solution is possible. The typical solution however is to establish a network-wide directory service for this purpose. A directory service is a common database shared in the network to store all account information. With the exception of accounts used for maintenance purposes, local accounts stored on each computer should no longer be used. All computers should only use accounts from the single central directory, so they are synchronized automatically.

In the base configuration, OS X is supporting the directory services

• Apple Open Directory
• Microsoft® Active Directory
• NIS (Network Information Service)
• LDAPv3 servers with a Unix directory schema according to RFC 2307.

Note: General LDAP servers using RFC 2307 are no longer supported as of OS X system version 10.7 or later.

Binding a OS X computer to a running directory service is done with the application Directory Utility available in the folder /System/Library/CoreServices. Setting up a directory service is beyond the scope of this manual. For this reason it is not described further.

Directory Services and NFS version 4

When using NFS version 4, a feature known as ID mapping can be used to map user and group identifications between client and server. This also requires utilization of a directory service. In addition, an NFSv4 Domain Name has to be set. With OS X version 10.7 or later, this domain name can be configured in the operating system by entering the following command in Terminal:

sudo dscl . -create Config/NFSv4Domain RealName EXAMPLE.COM

The part EXAMPLE.COM has to be replaced by the actual name of the NFSv4 domain.

OS X is known not to support this feature very reliably. Please see the Release Notes of NFS Manager and technical support documents of Apple (if available) for further information.

Limiting access to certain computers

Perhaps not all computers in your network are capable of using a common directory service. To avoid security risks, all computers which are not explicitly legitimated to connect to a server should not be granted access. For this reason NFS is supporting the following restrictions which can be configured for each share separately:

• unlimited access: any computer physically connected to the network is allowed to access the NFS share. This is the most insecure setting. Its usage is not recommended.
• restricting access to a list of computers: only computers contained in a certain list can acccess the NFS share.
• restricting access to an IPv4 subnet: only computers using the IPv4 addresses of a certain subnet can access the NFS share.

Mutual identification of computers and data encryption

The aforementioned methods to deny access to an NFS share are not very safe: If the network is open, e.g. accessible via an unprotected WLAN, or if there are Ethernet sockets which are not locked or monitored otherwise, an attacker could connect to the network with his own computer. He could then take over the IP address of a legitimate computer, hereby circumventing the access restrictions.

To close such security holes, OS X can protect an NFS share using Kerberos technology. Kerberos is a complex authentication method for the mutual safe identification of services, devices and users, based on encryption technology. The security level reached by Kerberos is usually higher than that of using protection with classic passwords. Passwords are replaced by tap-proof, tamper-proof, and self-expiring key sequences which are called Kerberos tickets.

Because Kerberos tickets can be sent automatically through the network without risks, a Single Sign-On is possible: A user logs in only once at a central service in the network. After the user has been identified, all services on all computers this user has access to are unlocked automatically without any further login procedure being necessary. The access permissions will be revoked when either the ticket has expired (typically 10 hours after initial login) or when the user deactivates the ticket explicitly.

The Kerberos technique is not limited to users only but also allows devices and services to identify each other safely. OS X can associate one or more of the following security requirements with an NFS share:

• only users with valid Kerberos tickets can mount the share
• the NFS services of both affected computers have to identify each other using Kerberos
• all data transferred in the network via NFS has to be encrypted using Kerberos.

To use Kerberos, it has to be configured in the network first. The following prerequisites are necessary:

• The participating computers must be members of a common Kerberos realm.
• The participating computers must have been setup to access a shared Kerberos Key Distribution Center in that realm.
• Users accessing protected NFS shares must have a valid Kerberos ticket.
• Client and server of an NFS connection have to be configured as being Kerberos principals with the service name nfs in the affected realm.

Configuring Kerberos is beyond the scope of this manual and is not described further.

Additional measures to maintain security

If your network has connections to other networks, for example the Internet, accessing NFS servers from the foreign network can be blocked using a packet filter firewall. After the packet filter has been configured not to pass NFS network traffic, access is no longer possible from the network beyond the filter.

Each share can also be setup for read-only mode and for user account mapping:

• You can setup a share using the mode “only for reading”. In that case, computers accessing the share will handle it as being a read-only disk, like a CD for example.
• Because each UNIX system has the omnipotent user account called root which has permission to circumvent any restrictions, you can configure an NFS share to handle an accessing root user like a different user, mapping the root account to an account with less rights. If necessary, other user accounts can be mapped as well.

Using Access Control Lists (ACLs)

In addition to classic POSIX permissions, OS X also allows to define permissions using Access Control Lists (ACLs), compatible with Microsoft® Windows and the POSIX.1e draft. However, ACLs can only be used with NFS version 4. When using NFSv2 or NFSv3, consider the following:

• ACLs are respected on the server side. The system behaves as if the mapped user which accesses files via NFS is working locally on the server.
• ACLs are invisible on the side of the accessing computer. The ACLs can neither be displayed, nor be changed. The client behaves as if it would access a file system which doesn't support ACLs.