NFS disadvantages

NFS has its shortcomings, of course, primarily in terms of performance and security. As a distributed, network-based file system, NFS is sensitive to network congestion. Heavy network traffic slows down NFS performance. Similarly, heavy disk activity on the NFS server adversely affects NFS's performance. In both cases, NFS clients seem to be running slowly because disk reads and writes take longer. If an exported file system is not available when a client attempts to mount it, the client system hangs, although this can be mitigated using a specific mount option. An exported file system also represents a single point of failure. If the disk or system exporting vital data or applications becomes unavailable for any reason (say, due to a disk crash or server failure), no one can access that resource.

NFS has security problems because its design assumes a trusted network, not a hostile environment in which systems are constantly being probed and attacked. The primary weakness is that the NFS protocol is based on RPC (remote procedure calls), which are one of the most common targets of exploit attempts. As a result, sensitive information should never be exported from or mounted on systems exposed to the Internet, that is, systems that are on or outside a firewall. Indeed, security experts generally recommend that NFS not be used across the Internet under any circumstances.

Even inside a firewall, providing all users access to all files might pose greater risks than user convenience and administrative simplicity justify. Care must be taken when exporting directories or file systems to limit access to the appropriate users and also to limit what those users are permitted to do with the data. NFS also has quirks that pose potential security risks. For example, when the root user on a client system mounts an NFS export, you do not want root on the client to have root privileges on the exported file system. By default, NFS prevents this, a procedure called root squashing, but a careless administrator might override it.
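
An added example (not from the original text) of checking an exports file for the two risks just described: entries that override root squashing and entries open to every host. It assumes the Linux /etc/exports syntax without quoted paths or continuation lines; the sample file, host names, and function names are constructed for illustration.

```python
import re

# Constructed sample in Linux /etc/exports syntax (not from the original page).
SAMPLE_EXPORTS = """\
/home       192.168.0.0/24(rw,sync)
/srv/data   *(rw,no_root_squash)
/usr/local  client1.example.com(ro) client2.example.com(rw,no_root_squash)
/scratch    trusted.example.com (rw)   # stray space: (rw) applies to every host
"""

# A client entry is "host(options)", "host" alone, or "(options)" alone.
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")


def parse_exports(text):
    """Yield (path, host, options) per client entry; host '' means any host."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            match = CLIENT_RE.match(token)
            if not match:
                continue  # malformed entry; a fuller audit would report it
            host, opts = match.group(1), match.group(2) or ""
            yield path, host, {o.strip() for o in opts.split(",") if o.strip()}


def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for path, host, opts in parse_exports(text):
        label = host or "<any host>"
        if "no_root_squash" in opts:  # client root keeps root on the export
            findings.append((path, label, "root squashing disabled"))
        if host in ("", "*"):  # no host restriction at all
            access = "read-write" if "rw" in opts else "read-only"
            findings.append((path, label, f"exported {access} to every host"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<12}{client:<24}{finding}")
```

The /scratch line shows why the check treats a bare "(rw)" as its own entry: the space before the parenthesis leaves trusted.example.com with default options and grants read-write access to every other host.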

As you proceed through this chapter, especially in the next section, you learn ways to address some of NFS's shortcomings, or at least how to avoid hitting the potholes that you cannot fix. The final section, "NFS Security," discusses key NFS security weaknesses and the measures you can take to minimize the security risks associated with NFS.

