NFS

Network File System

Basic Commands

  • Mount shares in to your local system:

sudo mount 10.10.10.34:/var/nfsshare /mnt
LogoGitHub - NetDirect/nfsshell: Userspace NFS client shellGitHub

Enumeration

  • Use nmap scripts:

nmap -sV --script=nfs-ls 10.10.10.34

  • And the showmount command to list all the shares:

showmount -e 10.10.10.34

  • To look the configuration on the server side:

cat /etc/exports

Configuration Options

Access Options

  • rw: Allows clients to read from and write to the shared directory.

  • ro: Allows clients to only read from the shared directory.

Sync and Async Options

  • sync: Ensures all changes are written to disk before the NFS server responds to the client. This is safer but slower.

  • async: Allows the server to respond before data is written to disk. This improves performance but can lead to data loss if the server crashes.

User Mapping Options

  • root_squash: Maps root user requests from clients to the nfsnobody user (or equivalent) on the server, restricting root access.

  • no_root_squash: Grants root user on the client the same privileges as root on the server. Use with caution, as it can lead to security risks.

  • all_squash: Maps all client users (including root) to the nfsnobody user (or equivalent) on the server.

  • no_all_squash: Retains the original UID and GID of non-root users from the client on the server. This is the default.

  • anonuid=<UID>: Sets the UID of the anonymous user for all_squash or root_squash. Default is 65534 (nfsnobody).

  • anongid=<GID>: Sets the GID of the anonymous user. Default is 65534.

Security and Access Control

  • secure: Requires clients to use a privileged port (below 1024) for communication. This is the default.

  • insecure: Allows clients to connect from any port, including unprivileged ports (above 1024). Necessary for some client configurations.

  • no_subtree_check: Disables subtree checking. Recommended for shared directories where the export does not match the actual filesystem hierarchy, as it improves performance.

  • subtree_check: Enables subtree checking. Verifies that the requested file is within the exported tree. This is the default.

Performance Options

  • no_wdelay: Prevents the NFS server from delaying writes. Useful when multiple clients write to the same file simultaneously.

  • wdelay: Causes the server to delay writes slightly to optimize performance when multiple write requests arrive. This is the default.

Client Specification

  • <IP>: Specifies a single client IP (e.g., 10.10.10.1).

  • <subnet>: Specifies a subnet (e.g., 10.10.10.0/24).

  • *: Allows all clients to connect. Use cautiously as this is less secure.

  • <hostname>: Specifies a hostname for allowed clients.

PreviousSMTPNextIPP

Last updated