Unrestricted NFS export
Summary
File systems exported via NFS to arbitrary hosts.
Impact
Unauthorized remote access to system and/or user files.
The problem
When a file system is exported without a client list, any host that can
reach the NFS server can mount it. NFS trusts the user ID supplied by the
client, so an intruder can present whatever uid they like, read or modify
user or system files remotely, and then take over the machine. Examples:
- An intruder can remotely replace a system program or configuration
file.
UNIX-specific examples:
- An intruder can remotely install a .rhosts file in a user's home
directory to obtain interactive access via rlogin or rsh.
- An intruder can remotely install a .forward file to obtain
non-interactive access: the mail system runs the commands it names
whenever mail for that user arrives.
Fix
- Make sure all file exports specify an explicit list of clients or
netgroups.
- Export file systems read-only where possible.
Other tips
- Some versions of the NFS mount daemon cannot handle large netgroups
or long access lists and silently export to the world anyway; see also
CERT advisory CA-94:02. Check your vendor patch list, and verify with
showmount -e what the server actually advertises rather than trusting
the exports file alone.
- In NIS netgroup triples, an empty host field, as in (,user,domain),
is treated as a wildcard and causes the mount daemon to grant access
to any host.
- Consider blocking ports 2049 (nfs) and 111 (portmap) on your
routers. Note that the mount daemon and other RPC services listen on
dynamically assigned ports, so blocking these two alone does not stop
an intruder who probes for them directly; filter all NFS and RPC
traffic from untrusted networks.
- See the Admin Guide to Cracking for an example of why this is a
problem.
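The following audit script is an added example and is not part of the original tutorial or of SATAN. It checks an exports file for the conditions described under "Fix" (no client list, a bare "*" client, read-write where read-only might do) and a netgroup file for the empty-host-field wildcard described under "Other tips". It assumes the Linux/BSD-style exports syntax ("/path client(options) ..."); the SunOS-era "-access=" syntax would need a different parser. The sample exports and netgroup entries, the host names ws1.example.com and ws2.example.com and the netgroup names labhosts and admins are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original tutorial or from SATAN.
# Assumes Linux/BSD-style /etc/exports syntax: /path client(options) ...

# Constructed sample /etc/exports. The first two entries are the weak
# settings the tutorial warns about; the last two show the fix: explicit
# hosts or a netgroup, and read-only where possible.
SAMPLE_EXPORTS=$(cat <<'EOF'
# no client at all: exported to every host that can reach the server
/export/home   (rw)
# a bare "*" client is the same thing
/usr/local     *(ro)
# corrected
/export/home   ws1.example.com(rw,root_squash) ws2.example.com(rw,root_squash)
/usr/local     @labhosts(ro)
EOF
)

# Constructed sample /etc/netgroup. The triple (,root,example.com) has an
# empty host field, which the mount daemon treats as "any host".
SAMPLE_NETGROUP=$(cat <<'EOF'
labhosts  (ws1.example.com,,) (ws2.example.com,,)
admins    (,root,example.com) (ws1.example.com,joe,example.com)
EOF
)

# Read an exports file on stdin and print one finding per line:
#   WORLD: no client list, or a bare "*" client
#   RW:    read-write export to an explicit host (ask whether ro would do)
audit_exports() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        path = $1
        if (NF == 1) { print "WORLD: " path " has no client list"; next }
        for (i = 2; i <= NF; i++) {
            spec = $i
            host = spec; sub(/\(.*$/, "", host)  # client part before "(options)"
            opts = ""
            if (match(spec, /\(.*\)/)) opts = substr(spec, RSTART + 1, RLENGTH - 2)
            if (host == "" || host == "*")
                print "WORLD: " path " exported to every host via \"" spec "\""
            else if (opts !~ /(^|,)ro(,|$)/)
                print "RW: " path " exported read-write to " host
        }
    }'
}

# Read a netgroup file on stdin and flag triples whose host field is empty.
audit_netgroup() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        group = $1
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^\(/) continue            # a nested netgroup name, not a triple
            t = $i; gsub(/[()]/, "", t)
            split(t, f, ",")                     # f[1]=host f[2]=user f[3]=domain
            if (f[1] == "")
                print "WILDCARD: netgroup " group " triple (" t ") matches any host"
        }
    }'
}

# Count findings whose line starts with the given tag; always exits 0.
count_findings() {
    awk -v tag="$1" 'index($0, tag) == 1 { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
printf '%s\n' "$SAMPLE_NETGROUP" | audit_netgroup
```

Run it against the real files with `audit_exports < /etc/exports` and `audit_netgroup < /etc/netgroup` (or the output of `ypcat netgroup` on an NIS client). The exports file only shows what was asked for; `showmount -e hostname` shows what the mount daemon actually advertises, which is the check that catches a daemon that has mis-expanded a large netgroup.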