🖊️ Author: Nairuz Abulhul
🌐 Blog: R3dbuck3t
**NFS (Network File System) lets a client access file systems over a network as if they were local.
It is used mainly between Linux and Unix systems.
The NFS protocol itself has no mechanism for authentication or authorization.
Authentication is shifted entirely to the options of the underlying RPC protocol. Authorization is derived from the information available in the file system: the server is responsible for translating the user information supplied by the client into that of the file system and for converting the corresponding authorization information as faithfully as possible into the syntax UNIX requires.**
Version | Features |
---|---|
NFSv2 | It is older but is supported by many systems and was initially operated entirely over UDP. |
NFSv3 | It has more features, including variable file size and better error reporting, but is not fully compatible with NFSv2 clients. |
NFSv4 | It includes Kerberos, works through firewalls and on the Internet, no longer requires portmappers, supports ACLs, applies state-based operations, and provides performance improvements and high security. It is also the first version to have a stateful protocol. |
Common Ports
The /etc/exports file contains a table of physical filesystems on an NFS server accessible by the clients.
```shell
zink0x001@htb[/htb]$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
```
Option | Description |
---|---|
rw | Read and write permissions. |
ro | Read-only permissions. |
sync | Synchronous data transfer: the server commits writes to disk before acknowledging them. (A bit slower) |
async | Asynchronous data transfer: the server acknowledges writes before they reach disk. (A bit faster) |
secure | Requests must originate from a privileged source port (below 1024); ports above 1024 are not accepted. |
insecure | Requests from source ports above 1024 are accepted as well. |
no_subtree_check | This option disables the checking of subdirectory trees. |
root_squash | Maps requests from root (UID/GID 0) to the anonymous UID/GID, which prevents a remote root user from acting as root on files in the NFS export. |
Create a directory under the mount directory (/mnt) that you want to expose internally on the network. In the example below it is /mnt/nfs, shared with the security options from the table above.
Then add the path to the directory to the export configuration file:

```shell
root@nfs:~# echo '/mnt/nfs 10.129.14.0/24(sync,no_subtree_check)' >> /etc/exports
```

Restart the NFS server so that the new export takes effect.
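The options table and the export procedure above both come down to reading an exports(5) entry and knowing which settings are actually in force once exportfs applies its defaults. The following Python script is an added example, not code from the original post or from HTB: it parses the `path client(options) ...` line format, applies the defaults assumed here (ro, sync, root_squash, secure, and no_subtree_check, which are the documented defaults for nfs-utils 1.1.0 and later), and flags the settings a defender would review on an NFS server. The sample entries are constructed from the post's commented examples, the line the procedure appends, and a few deliberately permissive lines for contrast; it also handles the `-opt,opt` per-line default form and the classic "space before the parenthesis" mistake, which exports the share to every host.

```python
# Added example (not from the original post): parse exports(5) entries, apply
# the exportfs defaults assumed here (ro, sync, root_squash, secure,
# no_subtree_check: the documented defaults for nfs-utils >= 1.1.0) and
# flag settings a defender should review.
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the post's commented examples, the line the procedure
# appends, and three deliberately permissive entries for contrast.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
/srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
/mnt/nfs 10.129.14.0/24(sync,no_subtree_check)
/mnt/public *(rw,insecure,no_root_squash,async)
/mnt/backup backuphost (rw)
/srv/www -sync,rw server @trusted(ro)
"""

# (default, opposite) pairs; the default applies when neither option is written.
OPTION_PAIRS = [("ro", "rw"), ("sync", "async"), ("root_squash", "no_root_squash"),
                ("secure", "insecure"), ("no_subtree_check", "subtree_check")]

# Matches 'client(opts)', a bare 'client', or the bare '(opts)' form.
CLIENT_RE = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")


@dataclass
class Export:
    path: str
    client: str
    effective: Dict[str, str]  # pair default -> member actually in force
    extra: List[str]           # options outside the pairs (fsid=0, crossmnt, ...)
    findings: List[str] = field(default_factory=list)


def _apply(options, effective, extra):
    """Overlay explicit options on the effective set; unknown ones go to extra."""
    for opt in options:
        for default, alt in OPTION_PAIRS:
            if opt in (default, alt):
                effective[default] = opt
                break
        else:
            extra.append(opt)


def audit(exp: Export, bare_options: bool) -> List[str]:
    """Review findings for one (path, client) export."""
    eff, f = exp.effective, []
    wildcard = any(c in exp.client for c in "*?[")
    if bare_options:
        f.append("options separated from the client by a space apply to every host")
    if exp.client == "*":
        f.append("exported to every host")
    if eff["root_squash"] == "no_root_squash":
        f.append("no_root_squash: remote root keeps uid/gid 0 on the export")
    if eff["secure"] == "insecure":
        f.append("insecure: requests accepted from unprivileged source ports")
    if eff["sync"] == "async":
        f.append("async: writes acknowledged before they reach disk")
    if eff["ro"] == "rw" and wildcard:
        f.append("rw granted to a wildcard client pattern")
    return f


def parse_exports(text: str) -> List[Export]:
    """Expand each line into one Export per client; comments and blanks skipped."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        path, clients = tokens[0], tokens[1:] or ["*"]  # no client given: unrestricted
        line_defaults = []
        for tok in clients:
            if tok.startswith("-"):  # '-opt,opt' sets defaults for the clients that follow
                line_defaults = tok[1:].split(",")
                continue
            m = CLIENT_RE.match(tok)
            if not m:
                raise ValueError(f"cannot parse export token {tok!r}")
            client = m.group(1) or "*"  # bare '(opts)' means every host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            effective = {default: default for default, _ in OPTION_PAIRS}
            extra = []
            _apply(line_defaults, effective, extra)
            _apply(opts, effective, extra)
            exp = Export(path, client, effective, extra)
            exp.findings = audit(exp, bare_options=not m.group(1))
            exports.append(exp)
    return exports


def report(text: str) -> List[str]:
    """One line per export: path, client, effective options, then findings or OK."""
    return [f"{e.path} {e.client}({','.join(list(e.effective.values()) + e.extra)}): "
            + ("; ".join(e.findings) or "OK") for e in parse_exports(text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORTS)))
```

Run against a real server's file with `report(open("/etc/exports").read())`. The post's own line, `/mnt/nfs 10.129.14.0/24(sync,no_subtree_check)`, comes out as ro, root_squash and secure by default with no findings, while the `/mnt/public` and `/mnt/backup ... (rw)` lines show how a single missing option or a stray space turns an export into a world-readable or world-writable share.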