
11.4. NFS File Server

NFS (Network File System) is a protocol allowing remote access to a filesystem through the network. All Unix systems can work with this protocol; when Windows systems are involved, Samba must be used instead.
NFS is a very useful tool but, historically, it has suffered from many limitations, most of which have been addressed with version 4 of the protocol. The downside is that the latest version of NFS is harder to configure when you want to make use of basic security features such as authentication and encryption since it relies on Kerberos for those parts. And without those, the NFS protocol must be restricted to a trusted local network since data goes over the network unencrypted (a sniffer can intercept it) and access rights are granted based on the client's IP address (which can be spoofed).

11.4.1. Securing NFS

If you don't use the Kerberos-based security features, it is vital to ensure that only the machines allowed to use NFS can connect to the various required RPC servers, because the basic protocol trusts the data received from the network. The firewall must also block IP spoofing so as to prevent an outside machine from acting as an inside one, and access to the appropriate ports must be restricted to the machines meant to access the NFS shares.
Older versions of the protocol required other RPC services which used dynamically assigned ports. Fortunately, with NFS version 4, only port 2049 (for NFS) and 111 (for the portmapper) are needed and they are thus easy to firewall.

11.4.2. NFS Server

The NFS server is part of the Linux kernel; in kernels provided by Debian it is built as a kernel module. If the NFS server is to be run automatically on boot, the nfs-kernel-server package should be installed, since it contains the relevant start-up scripts.
The NFS server configuration file, /etc/exports, lists the directories that are made available over the network (exported). For each NFS share, only the given list of machines is granted access. More fine-grained access control can be obtained with a few options. The syntax for this file is quite simple:
/directory/da/condividere macchina1(opzione1,opzione2,...) macchina2(...) ...
Note that with NFSv4, all exported directories must be part of a single hierarchy and that the root directory of that hierarchy must be exported and identified with the option fsid=0 or fsid=root.
Each machine can be identified either by its DNS name or by its IP address. Whole sets of machines can also be specified using a syntax such as *.falcot.com or an IP address range such as 192.168.0.0/255.255.255.0 or 192.168.0.0/24.
Directories are made available as read-only by default (or with the ro option). The rw option allows read-write access. NFS clients typically connect from a port restricted to root (in other words, below 1024); this restriction can be lifted with the insecure option (the secure option is implicit, but it can be made explicit if needed for clarity).
By default, the server only answers an NFS query when the current disk operation is complete (sync option); this can be disabled with the async option. Asynchronous writes increase performance a bit, but they decrease reliability since there is a data loss risk in case of the server crashing between the acknowledgment of the write and the actual write on disk. Since the default value changed recently (as compared to the historical value of NFS), an explicit setting is recommended.
In order to not give root access to the filesystem to any NFS client, all queries appearing to come from a root user are considered by the server as coming from the nobody user. This behavior corresponds to the root_squash option, and is enabled by default. The no_root_squash option, which disables this behavior, is risky and should only be used in controlled environments. The anonuid=uid and anongid=gid options allow specifying another fake user to be used instead of UID/GID 65534 (which corresponds to user nobody and group nogroup).
With NFSv4, you can add a sec option to indicate the security level that you want: sec=sys is the default with no special security features, sec=krb5 enables authentication only, sec=krb5i adds integrity protection, and sec=krb5p is the most complete level which includes privacy protection (with data encryption). For this to work you need a working Kerberos setup (that service is not covered by this book).
Other options are available; they are documented in the exports(5) manual page.
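The export options described above (root_squash, sync/async, secure/insecure, sec=, and the NFSv4 fsid=0 root) are easy to get wrong in a file that is rarely reread. The following script is an added example, not code from the Debian Administrator's Handbook or from any Debian package: it parses exports(5) syntax and lists the settings this section calls risky for each directory/client pair. It only reads text, so it can be run on a copy of /etc/exports as an ordinary user; the sample exports file in the block is constructed and modelled on the falcot.com examples used in this chapter.

```python
"""Audit exports(5) entries for the risky settings discussed above.

Added example; it is not code from the Debian Administrator's Handbook.
It only reads text, so it can be run on a copy of /etc/exports as a normal
user. The sample below is constructed, modelled on the falcot.com examples.
"""
from typing import List, Tuple

Entry = Tuple[str, str, List[str]]        # (directory, client, options)
Finding = Tuple[str, str, str]            # (directory, client, message)


def parse_exports(text: str) -> List[Entry]:
    """Parse exports(5) syntax: a directory followed by client(opt,...) tokens."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        directory, clients = fields[0], fields[1:]
        for token in clients:
            host, _, opts = token.partition("(")
            options = [o for o in opts.rstrip(")").split(",") if o]
            # exports(5): a space before "(" makes the options apply to everyone
            entries.append((directory, host or "*", options))
    return entries


def audit_exports(text: str) -> List[Finding]:
    """Flag the options the text calls risky, plus a missing NFSv4 root export."""
    entries = parse_exports(text)
    findings: List[Finding] = []
    for directory, client, options in entries:
        opts = set(options)
        sec = next((o[4:] for o in options if o.startswith("sec=")), "sys")
        if "no_root_squash" in opts:
            findings.append((directory, client,
                             "no_root_squash: remote root keeps root rights on the share"))
        if "insecure" in opts:
            findings.append((directory, client,
                             "insecure: requests accepted from non-reserved client ports"))
        if "async" in opts:
            findings.append((directory, client,
                             "async: writes acknowledged before they reach disk"))
        elif "sync" not in opts:
            findings.append((directory, client,
                             "sync/async unset: make it explicit, the default changed"))
        if "rw" in opts and client == "*":
            findings.append((directory, client, "rw exported to every host"))
        if not sec.startswith("krb5"):
            findings.append((directory, client,
                             "sec=" + sec + ": access control by client IP only, "
                             "traffic unencrypted; keep to a trusted network"))
    # NFSv4 needs one exported directory to be the root of the hierarchy
    if not any(o in ("fsid=0", "fsid=root") for _, _, olist in entries for o in olist):
        findings.append(("<file>", "-",
                         "no NFSv4 root export: one directory needs fsid=0 or fsid=root"))
    return findings


SAMPLE_EXPORTS = """\
# constructed sample /etc/exports (not from a real host)
/export          192.168.0.0/24(rw,sync,fsid=0,sec=krb5p)
/export/shared   192.168.0.0/24(rw,sync,sec=krb5p)
/export/docs     *.falcot.com(ro,sync)
/export/legacy   *(rw,no_root_squash,insecure,async)
"""

if __name__ == "__main__":
    for directory, client, message in audit_exports(SAMPLE_EXPORTS):
        print(f"{directory} {client}: {message}")
```

Run it with `python3 audit_exports.py` (or import audit_exports and pass the contents of the real file). The Kerberos-secured entries in the sample produce no findings; the /export/legacy line produces one finding per risky option, and a file without any fsid=0 or fsid=root export gets a file-level finding.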

11.4.3. NFS Client

As with other filesystems, integrating an NFS share into the system hierarchy requires mounting. Since this filesystem has its own peculiarities, a few adjustments are needed in the /etc/fstab file and in the syntax of the mount command.

Example 11.22. Manually mounting with the mount command

# mount -t nfs4 -o rw,nosuid arrakis.internal.falcot.com:/shared /srv/shared

Example 11.23. NFS entry in the /etc/fstab file

arrakis.internal.falcot.com:/shared /srv/shared nfs4 rw,nosuid 0 0
The entry described above mounts, at system startup, the /shared/ NFS directory from the arrakis server into the local /srv/shared/ directory. Read-write access is requested (hence the rw parameter). The nosuid option is a protection measure that wipes any setuid or setgid bit from programs stored on the share. If the NFS share is only meant to store documents, another recommended option is noexec, which prevents executing programs stored on the share. Note that on the server, the shared directory is below the NFSv4 root export (for example /export/shared); it is not a top-level directory.
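The nosuid and noexec recommendations above are easy to check mechanically across all NFS entries of a client. The script below is an added example, not code from the handbook or from any Debian package: it parses fstab text, keeps the nfs/nfs4 lines, and reports which of the two protective options each mount point lacks. Nothing is mounted; the sample fstab is constructed and reuses the arrakis.internal.falcot.com host from Example 11.23.

```python
"""Check the NFS lines of an fstab for the client-side options discussed above.

Added example, not code from the handbook; it only parses text, nothing is
mounted. The sample fstab is constructed.
"""
from typing import Dict, List


def nfs_fstab_entries(text: str) -> List[Dict[str, object]]:
    """Return the nfs/nfs4 entries of an fstab: source, target, fstype, options."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:                   # fstab needs fs, dir, type, opts
            continue
        source, target, fstype, options = fields[:4]
        if fstype in ("nfs", "nfs4"):
            entries.append({"source": source, "target": target,
                            "fstype": fstype, "options": options.split(",")})
    return entries


def missing_hardening(text: str, documents_only: bool = False) -> Dict[str, List[str]]:
    """Map each NFS mount point to the protective options it lacks.

    nosuid is expected on every share; noexec as well when the share is only
    meant to hold documents, as the text recommends.
    """
    wanted = ["nosuid"] + (["noexec"] if documents_only else [])
    report: Dict[str, List[str]] = {}
    for entry in nfs_fstab_entries(text):
        present = entry["options"]
        lacking = [opt for opt in wanted if opt not in present]
        if lacking:
            report[str(entry["target"])] = lacking
    return report


SAMPLE_FSTAB = """\
# constructed sample /etc/fstab
UUID=0000-0000-0000   /            ext4   errors=remount-ro   0 1
arrakis.internal.falcot.com:/shared   /srv/shared   nfs4   rw,nosuid   0 0
arrakis.internal.falcot.com:/docs     /srv/docs     nfs4   rw          0 0
"""

if __name__ == "__main__":
    for target, lacking in missing_hardening(SAMPLE_FSTAB, documents_only=True).items():
        print(f"{target}: add {','.join(lacking)}")
```

With documents_only=False only nosuid is required, so the sample flags /srv/docs; with documents_only=True the /srv/shared line is also reported because it lacks noexec.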
The nfs(5) manual page describes all the options in detail.