NFS Exports

The exact format for specifying which hosts can mount an exported directory varies between Unix implementations. Generally, the information is contained within the file /etc/exports. This file contains an access list of directories with a series of specific "hosts" or "netgroups" showing which directories are NFS-mountable. The "hosts" are individual machines, and "netgroups" are combinations of hosts and usernames specified in /etc/netgroup. This listing flexibility is intended as a means to fine-tune access.

The exports file also contains information about whether the directory is to be exported as read-only or read-write, and whether super-user access is to be allowed from clients that mount the directory. If the access list for a particular directory in /etc/exports contains:

Nothing: Your directory can be mounted by anyone, anywhere.

A specific hostname: Your directory can be mounted by anyone permitted to run the mount command at hostname. This might not be a trustworthy person.

A netgroup name: If the netgroup is empty, anyone can mount your directory, from anywhere.

Contains "(,,)": Anyone can mount your directory, from anywhere.

Contains the name of an empty netgroup or contains "(,,)": Anyone can mount your directory, from anywhere.

Contains "(hostname,,)": Anyone on the named host who has permission to mount files can mount your directory.

Contains "(,username,)": The named user can mount your directory, from anywhere.

Contains the server's own hostname: Anyone can use a vulnerability in the portmapper program so that the server thinks that a remote call to mount is from the localhost. This allows anyone to mount your directory. Intranet Scanner will report if it is able to mount via the portmapper.

A long list of specific hostnames: Your directories can be mounted by anyone if the list of hostnames is longer than 256 bytes and you are running an old mount program. Your Unix vendor can provide a fix for this.

A word that is neither a hostname nor a netgroup: If you meant to export the directory to the host hosta, but misspell it as, for example, "hotsa," the word "hotsa" is taken as a netgroup name. This can then be found to be an empty netgroup, and the directory can be mounted by anyone from anywhere.

To safely create an "empty" netgroup entry:

ngname (-,-,-)

This is a netgroup that matches no one on no host on no NIS domain.
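The access-list cases above can be checked mechanically before an exports file goes live. The following Python audit is an added example, not part of the original page or of any scanner product; the function names audit_exports and parse_netgroups are hypothetical. It assumes a SunOS-style "-access=client:client" option syntax, netgroup lines of the form "name (host,user,domain) ...", a caller-supplied set of known hostnames, and no nested netgroups.

```python
import re

TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")  # (host,user,domain)
# Constructed sample files in the assumed syntax; not taken from a real system.
EXPORTS = """\
/usr
/home      -access=hosta:hotsa,rw
/src       -access=devs:nobody,ro
/var/spool -access=nfs1
/pub       -access=world:retired
"""
NETGROUPS = """\
devs    (hosta,,) (hostb,,)
nobody  (-,-,-)
world   (,,)
retired
"""

def parse_netgroups(text):
    """Map each netgroup name to its list of (host, user, domain) triples."""
    groups = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        name, *rest = line.split(None, 1)
        groups[name] = [tuple(f.strip() for f in t) for t in TRIPLE.findall("".join(rest))]
    return groups

def audit_exports(exports, netgroups, known_hosts, server_name):
    """Return (directory, finding) pairs for the access-list cases listed above."""
    groups, findings = parse_netgroups(netgroups), []
    for line in filter(None, map(str.strip, exports.splitlines())):
        directory, *opts = line.split(None, 1)
        access = [o[7:] for o in "".join(opts).lstrip("-").split(",") if o.startswith("access=")]
        if not access or not access[0]:
            findings.append((directory, "no access list: anyone, anywhere"))
            continue
        if len(access[0]) > 256:
            findings.append((directory, "access list longer than 256 bytes"))
        for client in access[0].split(":"):
            if client == server_name:
                findings.append((directory, "server's own hostname in access list"))
            elif client in known_hosts:
                continue  # a specific host; trust in that host is a separate question
            elif client not in groups:
                findings.append((directory, f"{client}: neither host nor netgroup"))
            elif not groups[client]:
                findings.append((directory, f"{client}: empty netgroup"))
            elif any(host == "" for host, _user, _domain in groups[client]):
                findings.append((directory, f"{client}: netgroup with empty host field"))
    return findings
```

Calling audit_exports(EXPORTS, NETGROUPS, {"hosta", "hostb", "nfs1"}, "nfs1") on the sample data flags /usr, /home, /var/spool and /pub, while /src passes because "devs" names hosts and "nobody" is the safe (-,-,-) form.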

Consult the system manual for more information on exports, NFS, or netgroups.