2.2.4.2.2. Review the NFS Client
Use the
nosuid
option to disallow the use of a setuid program. The nosuid
option disables the set-user-identifier
or set-group-identifier
bits. This prevents remote users from gaining higher privileges by running a setuid program. Use this option on the client and the server side.
The
noexec
option disables all executable files on the client. Use this to prevent users from inadvertently executing files placed in the file system being shared. The nosuid
and noexec
options are standard options for most, if not all, file systems.
Use the
nodev
option to prevent “device-files” from being processed as a hardware device by the client.
The
resvport
option is a client-side mount option and secure
is the corresponding server-side export option (see explanation above). It restricts communication to a "reserved port". The reserved or "well known" ports are reserved for privileged users and processes such as the root user. Setting this option causes the client to use a reserved source port to communicate with the server.
All versions of NFS now support mounting with Kerberos authentication. The mount option to enable this is:
sec=krb5
.
NFSv4 supports mounting with Kerberos using
krb5i
for integrity and krb5p
for privacy protection. These are used when mounting with sec=krb5
, but need to be configured on the NFS server. Refer to the man page on exports (man 5 exports
) for more information.
The NFS man page (
man 5 nfs
) has a “SECURITY CONSIDERATIONS” section which explains the security enhancements in NFSv4 and contains all the NFS specific mount options.