Once the NFS file system is mounted read/write by a remote host, the only protection each shared file has is its permissions. If two users that share the same user ID value mount the same NFS file system, they can modify each others files. Additionally, anyone logged in as root on the client system can use the su -
command to access any files via the NFS share.
By default, access control lists (ACLs) are supported by NFS under Red Hat Enterprise Linux. Red Hat recommends that you keep this feature enabled.
By default, NFS uses
root squashing when exporting a file system. This sets the user ID of anyone accessing the NFS share as the root user on their local machine to
nobody
. Root squashing is controlled by the default option
root_squash
; for more information about this option, refer to
Section 10.6.1, “
The /etc/exports
Configuration File”. If possible, never disable root squashing.
When exporting an NFS share as read-only, consider using the all_squash
option. This option makes every user accessing the exported file system take the user ID of the nfsnobody
user.