Unprivileged NFS access
NFS server executes requests from unprivileged user programs.
A malicious user can execute NFS file access requests on behalf of any user.
When an NFS client host wants to access a remote file or directory, its
operating system sends a request to the NFS server. The request
specifies, among others, a file identifier, the operation (read, write,
change permission, etc.), and the identity of the user on whose behalf
the operation is to be done.
By default, the user identity is specified with the UNIX numeric user
and group ids. With this scheme, also called AUTH_UNIX, the server
simply believes anything that the client sends it.
An NFS request is nothing but a network message. Any user can run a
program that generates arbitrary NFS requests. Such programs have been
available for several years, and writing them does not require unusual
When an NFS server accepts requests with AUTH_UNIX authentication from
unprivileged user programs, a malicious user can execute file access
requests on behalf of any user. Reason: with AUTH_UNIX authentication,
the user identity is nothing but a few user and group ID numbers in a
The fix is to avoid AUTH_UNIX authentication and to use something that
involves cryptography. For example, secure NFS with DES or Kerberos
credentials. Unfortunately, many NFS implementations support AUTH_UNIX
authentication only. Consult your system documentation.
A partial, but more common, solution is to configure the NFS server,
and where possible, the mount daemon, to accept requests only from
privileged system programs (such as UNIX kernels), and to reject NFS
requests that are sent by unprivileged user programs.
- SunOS 4 administrators modify /etc/rc.local
- rpc.mountd (no -n option)
- echo "nfs_portmon/W1" | adb -w /vmunix /dev/kmem
- SunOS 5 administrators modify /etc/system
- set nfssrv:nfs_portmon = 1
On other systems, the mountd command-line options differ, and the
kernel variable may be called nfsportmon or something
Note: rejecting NFS requests from unprivileged user programs
does not protect your servers against malicious superusers or against
malicious PC programs.
- Where practical, export file systems read-only.
- Consider blocking ports 2049 (nfs) and 111 (portmap) on your