NFS: is /export necessary?

grant123 · Veteran Joined: 23 Mar 2005 Posts: 1099

I followed the Gentoo wiki to set up NFS:

http://wiki.gentoo.org/wiki/NFSv4

I skipped the /export stuff and just added the actual paths I want to share to /etc/exports. Is that OK? Why use /export?

massimo · Veteran Joined: 22 Jun 2003 Posts: 1226

I think for compatibility reasons [1].

[1] http://doc.opensuse.org/products/draft/SLES/SLES-admin_sd_draft/cha.nfs.html#sec.nfs.export.coexisting
_________________
Hello 911? How are you?

krinn · Watchman Joined: 02 May 2003 Posts: 7470

You don't have to use /export but any directory you wish.
But if you add the actual paths and not bind them to a directory that you will fsid=0 you are just doing a nfsv3 config file and not an nfsv4 config file.
It mean everything will appears ok as long as all your clients use nfsv3 implementation. But if any use nfsv4 you'll be in trouble as the results will just be unexpected.

So it's not for compatibility reason, you must attach your directories to one that will be the root of your server because it's nfsv4 implementation.

grant123 · Veteran Joined: 23 Mar 2005 Posts: 1099

Thanks krinn. Am I OK to run an nfsv3 implementation or should I use nfsv4 for some reason?

szatox · Advocate Joined: 27 Aug 2013 Posts: 3493

You can run whatever you are comfortable with.
NFS2, NFS3, and NFS4 are all NFS (that stands for No File Security).
They are well integrated, easy to use and completly insecure. I'm happy with NFS3.

Jaglover · Posted: Tue Aug 12, 2014 9:40 pm Post subject:

NFSv4 was designed to work securely on the internet.

Read more: http://www.sans.org/reading-room/whitepapers/linux/nfs-security-trusted-untrusted-environments-1956
_________________
My Gentoo installation notes.
Please learn how to denote units correctly!

grant123 · Veteran Joined: 23 Mar 2005 Posts: 1099

szatox · Advocate Joined: 27 Aug 2013 Posts: 3493

As long as you trust your network No File Security v3 is absolutely fine. You don't want to expose it to general publick though, as there is no authentication, and authorisation is based on UID and GID numbers, which can be faked or even accidentaly missused. If your UID on 2 different computers doesn't match, you might access files that belong to another user - this deppends on configuration, as workarounds for this exist.
IP can be assigned manualy or spoofed. Taknig those things together, neither IP nor UID/GID restrictions provide any security.

Jaglover, thanks for link about NFS4, i'll have a look at it

as a side note, funny thing is nobody cares about FTP sending username and password in clear text.

grant123 · Veteran Joined: 23 Mar 2005 Posts: 1099

If something were to go wrong with my firewall, would my /etc/exports config above be sufficient to prevent access to the share from the internet or could that be spoofed somehow?

depontius · Advocate Joined: 05 May 2004 Posts: 3526

steveL · Posted: Thu Aug 14, 2014 1:59 pm Post subject:

Yeah, I wouldn't say that nobody cares..